From 023888d8a3b22066404d6460f764bdfda0f6e82c Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Thu, 20 Jun 2024 04:40:32 +0900 Subject: [PATCH] docs/composefs: Fix reference to `ostree sign` Signed-off-by: Daiki Ueno --- docs/composefs.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/composefs.md b/docs/composefs.md index af954402..139d2d26 100644 --- a/docs/composefs.md +++ b/docs/composefs.md @@ -51,7 +51,7 @@ covering the composefs fsverity digest with a signature. ### Signatures If a commit is signed with an Ed25519 private key (see `ostree ---sign`), and `composefs.keyfile` is specified in `prepare-root.conf`, +sign`), and `composefs.keyfile` is specified in `prepare-root.conf`, then the initrd will find the commit being booted in the system repo and validate its signature against the public key. It will then ensure that the composefs digest being booted has an fs-verity digest @@ -63,7 +63,7 @@ to use it with transient keys. This is done like this: * Generate a new keypair before each build * Embed the public key in the initrd that is part of the commit. * Ensure the initrd has a `prepare-root.conf` with `[composefs] enabled=signed`, and either use `keypath` or inject `/etc/ostree/initramfs-root-binding.key`; for more see `man ostree-prepare-root` - * After committing, run `ostree --sign` with the private key. + * After committing, run `ostree sign` with the private key. * Throw away the private key. When a transient key is used this way, that ties the initrd with the