Commit Graph

6 Commits

Author SHA1 Message Date
Richard Hughes
d5aab65f30 Use Jcat files in firmware archives and for metadata
A Jcat file can be used to store GPG, PKCS-7 and SHA-256 checksums for multiple
files. This allows us to sign a firmware or metadata multiple times (perhaps
by the OEM and also then the LVFS) which further decentralizes the trust model
of the LVFS.

The Jcat format was chosen as the Microsoft catalog format is nonfree and not
documented. We also don't want to modify an existing .cat file created from WU
as this may make it unsuitable to use on Windows.

More information can be found here: https://github.com/hughsie/libjcat
2020-03-23 19:55:12 +00:00
Richard Hughes
af14073522 Allow applying all releases to get to a target version
Some hardware does not handle upgrading from version 1.2.2 to 1.2.4 and instead
needs to be upgraded from 1.2.2->1.2.3->1.2.4 so that on-device metadata can be
migrated correctly.

Add a new per-device flag `install-all-releases` which causes the daemon to not
skip directly to the newest release. This is designed to be set from a quirk
file.

This can obviously only be used for devices that can apply firmware "live" and
thus do not need a reboot or system shutdown to actually apply the firmware.
This also needs the cabinet archive to ship multiple versions of the firmware,
and for the metainfo.xml file to refer to multiple release objects.
2020-01-07 15:33:12 +00:00
Richard Hughes
2ec78d68db Add support for HWID requirements
In the latest version of the LVFS you can restrict the firmware to a specific
machine type, for instance a specific baseboard vendor. This is the same as
done in Microsoft Update using the CHID mechanism.

This commit adds support for the <hardware> requires type, although it needs to
be built against appstream-glib 0.7.4 to be supported and/or tested.
2017-11-03 23:42:57 +00:00
Richard Hughes
7403dc505f Optionally use GnuTLS to verify PKCS7 certificates
We can use this as an alternative for GPG. No PKCS7 certificates are currently
installed by fwupd and it's expected that the LVFS will still only provide GPG
detached signatures.

If an OEM distributor wants to sign firmware with a PKCS7 and the corresponding
certificate is provided then the firmware will be marked as valid.

Only firmware shipping with a .p7b file will use the PKCS7 functionality,
similarly remote metadata validation will default to GPG unless Keyring=pkcs7
is specified in the config file.
2017-08-14 09:42:48 +01:00
Richard Hughes
41cbe2aab3 Add a firmware builder
This runs a script inside the firmware archive to generate firmware specific to
the machine. This uses bubblewrap to protect the local machine.
2017-08-09 10:33:39 +01:00
Richard Hughes
57746cb839 Add the Meson build system as an alternate to autotools
Automake and autoconf are impossible to fully understand and Meson now provides
everything we need for a much smaller, faster, and more understandable build.

See http://mesonbuild.com/ for more information.
2017-04-12 16:35:18 +01:00