From f2db9e0de6934f3533449056eadd646784833d1f Mon Sep 17 00:00:00 2001 From: Dmitry Eremin-Solenikov Date: Mon, 30 Sep 2019 17:10:15 +0300 Subject: meta-integrity: fix documentation Signed-off-by: Dmitry Eremin-Solenikov --- meta-integrity/README.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/meta-integrity/README.md b/meta-integrity/README.md index ad17c05..32365e9 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md @@ -110,14 +110,15 @@ default, the sample keys are used for the purpose of development and demonstration. Please ensure you know what your risk is to use the sample keys in your product, because they are completely public. -If sample keys are used, the private IMA key is installed as /etc/keys/x509_ima.key. +Private keys are not installed into the target image. If you understand your +risks, you can copy them to your target file system or to an external storage. -A typical signing command is as following: +If you do so, a typical signing command is as following: - # evmctl ima_sign --hashalgo sha256 --key /etc/keys/x509_ima.key --pass= /path/to/file + # evmctl ima_sign --hashalgo sha256 --key path/to/x509_ima.key --pass= /path/to/file or - # evmctl ima_sign --hashalgo sha256 --key /etc/keys/x509_ima.key --pass= -r /path/to/directory + # evmctl ima_sign --hashalgo sha256 --key /path/to/x509_ima.key --pass= -r /path/to/directory The following command can be used to verify a file's IMA signature with specified certificate: -- cgit v1.2.3-54-g00ecf
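Review bot: The two added evmctl lines in the README hunk disagree on the key path: the single-file command uses `--key path/to/x509_ima.key` (relative, no leading slash) while the `-r` command uses `--key /path/to/x509_ima.key`. Use the same placeholder form in both so that readers do not take the first one for a path relative to the current directory. The reworded lead-in still reads "is as following"; "is as follows" would be correct, since the line is being touched anyway. The new paragraph says the private keys can be copied "to your target file system or to an external storage" but only names the risk as "if you understand your risks". Since the surrounding text already states that the sample keys are completely public, it would help to say here that a private IMA key present on the target lets anything able to read it produce signatures that IMA appraisal will accept, and that the key should be removed from the target after signing. The subject "fix documentation" also does not mention the substantive point, that private keys are no longer installed into the image; a more specific subject would make this easier to find in the log.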