
We started with openssl dgst to sign and verify packages successfully. Then we thought we should do timestamped signatures. That's when the process is a bit unclear.

We used the openssl ts commands to independently produce and verify signatures with timestamps. The outcome is the .tsr and we can verify that. But how is the organization's identity proved here unless we sign with an org-specific private key? Where is this step?

It's unclear how we combine everything together to produce one single signature file that our customers can verify for identity and timestamp. How do we bundle up all the public certs that are required to verify?

Should we be using the openssl cms to do some merging and manipulation?

Please clarify as soon as possible.

  • OpenSSL-based signatures may be useful for some scripts used e.g. internally in a company or deployment system, but if you aim for customers the common standard for signing/verifying is OpenPGP. Its signatures, key verification and verification are standardized. – Robert Apr 28 '22 at 16:20
  • Thank you Robert, we evaluated PGP as well, but openssl was chosen as a tool to use as our customers wanted to use openssl for verifying signatures. – Progress P Apr 29 '22 at 04:54
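The flow the question is asking about, as an added example that is not from the thread: a detached CMS signature made with the org key carries the identity proof, an RFC 3161 token taken over that signature file carries the time proof, and both are shipped in one bundle. A throwaway self-signed org cert and a local TSA run with openssl ts -reply stand in for an org CA and a public TSA; every file name, subject and policy OID here is an assumption.

```shell
#!/bin/sh
# Added demo, not from the thread: identity and time are two separate
# proofs. The org key makes a detached CMS signature over the package
# (verified against the org cert/CA); an RFC 3161 token is then taken
# over that signature file, so the TSA attests when the signature
# existed. Throwaway org and TSA certs stand in for a CA and public TSA.
set -eu
WORK=${WORK:-$(mktemp -d)}

make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Org Release" \
    -keyout "$WORK/org.key" -out "$WORK/org.crt" 2>/dev/null
  # openssl ts rejects a TSA signer whose EKU is not exactly critical timeStamping
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example TSA" \
    -addext "extendedKeyUsage=critical,timeStamping" \
    -keyout "$WORK/tsa.key" -out "$WORK/tsa.crt" 2>/dev/null
  cat > "$WORK/tsa.cnf" <<EOF
[tsa]
default_tsa = local
[local]
serial = $WORK/tsaserial
signer_digest = sha256
default_policy = 1.3.6.1.4.1.99999.1
digests = sha256
EOF
}

sign_package() {   # sign_package PATH  ->  PATH.sigbundle
  pkg=$1; dir=$(dirname "$pkg"); base=$(basename "$pkg")
  # 1. identity: detached signature, org cert embedded, content left as-is (-binary)
  openssl cms -sign -binary -in "$pkg" -signer "$WORK/org.crt" \
    -inkey "$WORK/org.key" -outform DER -out "$pkg.p7s"
  # 2. time: the TSA hashes the signature file, not the package itself
  openssl ts -query -config "$WORK/tsa.cnf" -data "$pkg.p7s" -sha256 -cert -out "$pkg.tsq"
  openssl ts -reply -config "$WORK/tsa.cnf" -queryfile "$pkg.tsq" \
    -signer "$WORK/tsa.crt" -inkey "$WORK/tsa.key" -out "$pkg.tsr" 2>/dev/null
  # 3. bundle: the one file customers fetch alongside the package
  tar -C "$dir" -cf "$pkg.sigbundle" "$base.p7s" "$base.tsr"
}

verify_package() {  # customer side: trust anchors are org.crt and tsa.crt only
  pkg=$1
  tar -C "$(dirname "$pkg")" -xf "$pkg.sigbundle"
  openssl cms -verify -binary -inform DER -in "$pkg.p7s" -content "$pkg" \
    -CAfile "$WORK/org.crt" -out /dev/null 2>/dev/null || return 1
  openssl ts -verify -config "$WORK/tsa.cnf" -data "$pkg.p7s" -in "$pkg.tsr" \
    -CAfile "$WORK/tsa.crt" >/dev/null 2>&1
}
```

Against a public TSA, replace the openssl ts -reply step with an HTTP POST of the .tsq (for example via curl with Content-Type application/timestamp-query) and ship the TSA's CA chain with the bundle, since the OpenSSL CLI cannot embed the token as an unsigned attribute inside the CMS structure itself.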

0 Answers