mirror of
https://github.com/ostreedev/ostree.git
synced 2024-10-26 08:55:19 +03:00
docs/composefs: Fix reference to ostree sign
Signed-off-by: Daiki Ueno <dueno@redhat.com>
parent
f280b1216b
commit
023888d8a3
@ -51,7 +51,7 @@ covering the composefs fsverity digest with a signature.
### Signatures
If a commit is signed with an Ed25519 private key (see `ostree
--sign`), and `composefs.keyfile` is specified in `prepare-root.conf`,
sign`), and `composefs.keyfile` is specified in `prepare-root.conf`,
then the initrd will find the commit being booted in the system repo
and validate its signature against the public key. It will then ensure
that the composefs digest being booted has an fs-verity digest
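Review bot: in the corrected sentence the inline code span is still split across the line wrap ("(see `ostree" on one line, "sign`)" on the next), which makes the command hard to grep for and easy to get wrong again. Reflow the paragraph so `ostree sign` sits on a single line, and consider pointing to its man page the way the later bullet does with `man ostree-prepare-root`.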
@ -63,7 +63,7 @@ to use it with transient keys. This is done like this:
* Generate a new keypair before each build
* Embed the public key in the initrd that is part of the commit.
* Ensure the initrd has a `prepare-root.conf` with `[composefs] enabled=signed`, and either use `keypath` or inject `/etc/ostree/initramfs-root-binding.key`; for more see `man ostree-prepare-root`
* After committing, run `ostree --sign` with the private key.
* After committing, run `ostree sign` with the private key.
* Throw away the private key.
When a transient key is used this way, that ties the initrd with the
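Review bot: the third bullet calls the option `keypath`, while the Signatures paragraph names `composefs.keyfile` in `prepare-root.conf`; since this commit is correcting references, confirm against `man ostree-prepare-root` which name is right and use it in both places. In the changed bullet it would also help to say that the key passed to `ostree sign` is the Ed25519 private key from the keypair generated in the first step, so the sequence from generation to "Throw away the private key" reads unambiguously.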