ucert is a signature-chaining wrapper around usign, built on libubox blob and blobmsg.
## a few words about security
ucert inherits all its cryptographic properties from the underlying usign implementation, which was not designed to be used as a building block in this way.
To keep a high cryptographic standard, the signed payload format will likely need further hardening (normalizing the payload to reduce known plaintext, adding salts in case usign doesn't, ...).
```
Usage: ucert <command> <options>

Commands:
 -A: append signature (needs -c and -x)
 -I: issue cert and revoker (needs -c and -p and -s)
 -R: process revoker certificate (needs -c and -P)
 -V: verify (needs -c and -p|-P, may have -m)
Options:
 -c <file>: certificate file
 -m <file>: message file (verify only)
 -p <file>: public key file
 -P <path>: public key directory (verify only)
 -q: quiet (do not print verification result, use return code only)
 -s <file>: secret key file (issue only)
 -x <file>: signature file
```
```sh
# create root keypair (which never leaves the airgap)
usign -G -p capubkey -s caseckey
# create delegate keypair
usign -G -p pubkey -s seckey
# create CA-signed delegate cert (and revoker)
ucert -I -p pubkey -s caseckey -c newcert

# e.g. on a buildbot worker
# got newcert and seckey from the airgap
# sign the message with the delegate key
usign -S -m message.bin -s seckey -x message.bin.sig
# create cert for message: delegate cert + message signature
cp newcert message.bin.ucrt
ucert -A -c message.bin.ucrt -x message.bin.sig

# verify the chain against the trusted root keys (e.g. on a device)
ucert -V -P /etc/opkg/keys -m message.bin -c message.bin.ucrt && echo message.bin verified successfully
```
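The walk-through above only shows the happy path. The script below is an added example, not part of the ucert project or its README: it runs the same chain in a scratch directory and then checks the cases a verifier actually cares about, namely that a plain usign signature by the delegate key is not accepted against a root-only key directory (which is the reason ucert exists), that a modified payload fails, and that a certificate issued by a different root fails. It assumes `usign` and `ucert` are on `PATH` and that both look keys up by fingerprint in the `-P` directory (as `/etc/opkg/keys` is laid out); the file names, the `keys/` and `otherkeys/` directories and the payload text are constructed for this example. If the tools are not installed the function returns 77 so a caller can treat the run as skipped.

```sh
#!/bin/sh
# Added example, not from the ucert project: exercise the root -> delegate ->
# message chain and confirm verification fails when it should.
# Assumes usign and ucert are on PATH. All file names are ours.

set -u

# Returns 0 if every check passes, 77 if usign/ucert are not installed
# (treat as skipped), 1 on any failed check.
ucert_chain_demo() {
    command -v usign >/dev/null 2>&1 && command -v ucert >/dev/null 2>&1 || return 77

    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1

        # 1. root (CA) keypair: in practice this stays on the airgapped host
        usign -G -p capubkey -s caseckey || exit 1
        # 2. delegate keypair: the key the build worker signs with
        usign -G -p pubkey -s seckey || exit 1
        # 3. root signs the delegate public key into a certificate
        ucert -I -p pubkey -s caseckey -c newcert || exit 1

        # 4. worker signs a (constructed) payload with the delegate key and
        #    appends that signature to a copy of its certificate
        printf 'constructed payload\n' > message.bin
        usign -S -m message.bin -s seckey -x message.bin.sig || exit 1
        cp newcert message.bin.ucrt || exit 1
        ucert -A -c message.bin.ucrt -x message.bin.sig || exit 1

        # 5. the verifier trusts only the root key; usign/ucert look keys up
        #    by fingerprint, so install it under that name
        mkdir keys || exit 1
        cp capubkey "keys/$(usign -F -p capubkey)" || exit 1

        # positive check: root -> delegate -> message verifies
        ucert -q -V -P keys -m message.bin -c message.bin.ucrt || exit 1

        # the delegate key on its own is not trusted here: a bare usign
        # signature cannot be verified against the root-only key directory
        if usign -q -V -P keys -m message.bin -x message.bin.sig; then exit 1; fi

        # negative check: a modified payload must fail
        printf 'tampered payload\n' > message.bin.bad
        if ucert -q -V -P keys -m message.bin.bad -c message.bin.ucrt; then exit 1; fi

        # negative check: a cert chain rooted in some other key must fail
        usign -G -p otherpub -s othersec || exit 1
        mkdir otherkeys || exit 1
        cp otherpub "otherkeys/$(usign -F -p otherpub)" || exit 1
        if ucert -q -V -P otherkeys -m message.bin -c message.bin.ucrt; then exit 1; fi
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

ucert_chain_demo
```

Run it on a host that has both tools (an OpenWrt build environment, for instance); an exit status of 0 means all four checks behaved as expected, and the `-q` flags keep the output down to the return codes, which is what a CI job or an opkg-style consumer would act on.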