This means we return an error when encountering a rollback attack. This can
currently be performed by providing the old metadata and old signature when
calling into UpdateMetadata.
We can use this as an alternative for GPG. No PKCS7 certificates are currently
installed by fwupd and it's expected that the LVFS will still only provide GPG
detached signatures.
If an OEM distributor wants to sign firmware with a PKCS7 and the corresponding
certificate is provided then the firmware will be marked as valid.
Only firmware shipping with a .p7b file will use the PKCS7 functionality,
similarly remote metadata validation will default to GPG unless Keyring=pkcs7
is specified in the config file.
Although it's convenient that you can just log in as root and add another
trusted key, it makes the selinux developers unhappy. Use a private keystore
in /var/lib/fwupd/gnupg to avoid the possibility of a somehow hacked fwupd
being able to export the root gpg secrets if any happened to exist.
If you've trusted keys other than the LVFS for metadata or firmware you'll need
to re-import them into this new location.
See b7f12bd377
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1303531
691e02d652 [fu_keyring_setup] added a signing
server and configured to not have interactive pin entry
[gpgme_set_pinentry_mode]
This signing server was reverted in 5c35abb1a5
but the non-interactive pin entry setting for gpgme remained.
This functionality was only added in gnupg 2.1. If not running on gnupg 2.1
gpgme will give silent errors when importing keys. The silent errors were
fixed in 0.7.0 in c5e8921dfd. Unfortunately
that makes an implicit dependency on gnupg 2.1 to use fwupd.
This commit will allow older gnupg versions (< 2.1) to continue to work without
negative implications for fwupd.
This allows a vendor to upload a single file that targets different versions of
the same hardware. If this feature is used, the metainfo.xml files *must* have
something like <checksum target="content" filename="firmware2.rom"/> inside the
latest <release> tag.
