Hi Richard, thanks for the reply.
This is quite unusual but the demands on our time are growing and it'd help me immensely if you could aim me towards the methods that:
- verify the firmware.xml.gz file
- verify the contents of firmware.inf and firmware.metainfo.xml files within the cab files
Please do also switch to SHA-256 or SHA-512, both in whatever explicit checks you're using and in the GnuPG signatures. (gpg --list-packets < foo.gpg.asc | grep digest -- 2 is SHA-1, 8 is SHA-256, 10 is SHA-512)
We recently switched APT to requiring SHA-512 signatures and I think firmware updates deserve parity with software updates.
Thanks