Instructions for Signature Verification of a Binary Image

In this example we verify a signature of a Ghaf package. These steps can be applied to any Ghaf package. Notice that sometimes the binary image and the signature file are in sd-image directory.

Step-by-step instructions:

  • Download and extract the package in an empty directory

    mkdir verify-sig
    cd verify-sig
    wget https://ghafreleasesstorage.z16.web.core.windows.net/ghaf-24-12/files/x86_64-linux.lenovo-x1-carbon-gen11-debug.tar
    tar -xf *.tar
    cd x86_64-linux.lenovo-x1-carbon-gen11-debug
    
  • Verify the signature

     nix run github:tiiuae/ci-yubi/bdb2dbf#verify -- --cert INT-Ghaf-Devenv-Image --path disk1.raw.zst --sigfile disk1.raw.zst.sig  
                                            

Example output of successful signature verification

 [karim@nixos:~/verify-sig/x86_64-linux.lenovo-x1-carbon-gen11-debug]$ nix run github:tiiuae/ci-yubi/bdb2dbf#verify -- --cert INT-Ghaf-Devenv-Image --path disk1.raw.zst --sigfile disk1.raw.zst.sig 
 Signature verification result: {'message': 'Signature Verification Result', 'is_valid': True}