Switools

Latest version: v1.2

1.2

EOS images from release 4.28.0 on are in SWIM3.0 format (SWI Modular).
Such images contain modules that can be used to instantiate multiple images: the classic image that works on all switches, as well as optimized images for devices with a small flash. Multiple images mean multiple signatures, hence the update to this tool.
Images are optimized on the fly during download via the "install source" CLI command, in which case one of the "inner" signatures becomes the top signature (the image is, in effect, "decapsulated").

Because of the need for multiple signatures, the existing prepare/sign mechanism was not practical and was modified.
If a signing key is provided on the command line, nothing changes: it is used to sign all images, after a null signature is first added to each of them (forcibly replacing any signature already present).
But if no such key is provided, instead of printing a litany of digests (one per sub-image) and asking for them all to be signed before proceeding with the next step, we assume there is a binary called 'swi-signing-service' that can be given the digest and will return the signature. An example signing server script is provided (nothing glorious; it uses a local key).
That is, starting with 4.28.0 images, there is no "swi prepare", only a "swi sign".
If the image is a pre-4.28.0 image, the "swi prepare" stage is still required as before.

Here are example usages:


With a local signing key provided on command-line
-------------------------------------------------

> swi-signature sign EOS.swi /etc/swi-signing/signing.crt /etc/swi-signing/root.crt --key /etc/swi-signing/signing.key
Optimizations in EOS.swi: Default Sand-4GB Strata-4GB
Default sha256: a3276b9976bb2471838dc95fbd2a38dcf1e7e5510bcfa8dfe0f0eff8b935a709
Sand-4GB sha256: 4d0d23293eaecc7f55e7ee9776b0c250bef1a335e1b4ea28ef4eea989eb917f9
Strata-4GB sha256: 520cbde6d60d1089bfbc95d9086c47ce4a6fc0399a5b8a29fc6c1bd95c7d029a
Adding signature files to EOS.swi: Default.signature Sand-4GB.signature Strata-4GB.signature
EOS.swi sha256: 913eb842e408ceddea914543230c9e13ff63e360fc6a6735ef9c0c1571209fb3
SWI/X file EOS.swi successfully signed and verified.

> verify-swi EOS.swi --CAfile /etc/swi-signing/root.crt
Optimizations in EOS.swi: Default Sand-4GB Strata-4GB
Default: SWI/X verification successful.
Sand-4GB: SWI/X verification successful.
Strata-4GB: SWI/X verification successful.
SWI/X verification successful.

Using the signing server (no key provided on command-line)
----------------------------------------------------------

> which swi-signing-service
/usr/local/bin/swi-signing-service

> swi-signature sign EOS.swi /etc/swi-signing/signing.crt /etc/swi-signing/root.crt
Optimizations in EOS.swi: Default Sand-4GB Strata-4GB
Default.swi sha256: 780bb2154f5ae75b4f43d72c5e3859bf73ed1c68c578f4a526aac681f94fe016
Sand-4GB.swi sha256: ac8da1ecc9058b90cb66a0192e7ac878efaa9ad2bc7a52bd1c584b16ca68bd7d
Strata-4GB.swi sha256: cdbecdce8450df37f6dba48c631a84ef1cab116a219c27ff432b484566d796b8
Adding signature files to EOS.swi: Default.signature Sand-4GB.signature Strata-4GB.signature
EOS.swi sha256: 24c96413165d13c7b702aa75ff23d7264526be44f00d3bd4aee403c66ab905aa
SWI/X file EOS.swi successfully signed and verified.

> verify-swi EOS.swi --CAfile /etc/swi-signing/root.crt
Optimizations in EOS.swi: Default Sand-4GB Strata-4GB
Default: SWI/X verification successful.
Sand-4GB: SWI/X verification successful.
Strata-4GB: SWI/X verification successful.
SWI/X verification successful.

Legacy image (non modular)
===========================

With local signing key provided
-------------------------------

> swi-signature sign EOS.swi /etc/swi-signing/signing.crt /etc/swi-signing/root.crt --key /etc/swi-signing/signing.key
EOS.swi sha256: edf05da38ca66e0eb95f7fc910b46cb00feba9765ccf460587881a6f40e609a1
SWI/X file EOS.swi successfully signed and verified.

> verify-swi EOS.swi --CAfile /etc/swi-signing/root.crt
SWI/X verification successful.

Using the signing server (no key provided)
------------------------------------------

> swi-signature sign EOS.swi /etc/swi-signing/signing.crt /etc/swi-signing/root.crt
EOS.swi sha256: abb8ca2bdadc39b7cd26648eafcf827a0af0674fcf37f80861959bd6b6e989af
SWI/X file EOS.swi successfully signed and verified.

> verify-swi EOS.swi --CAfile /etc/swi-signing/root.crt
SWI/X verification successful.
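
The following Python check is an added example, not part of switools or of these release notes. It reads captured verify-swi output in the format shown in the sessions above and confirms that every optimization listed has its own success line and that the top-level check passed; the function name and the fail-closed handling of unrecognised lines are assumptions.

```python
import re

# Line shapes taken from the verify-swi sessions shown above.
OPT_RE = re.compile(r"^Optimizations in \S+: (?P<names>.+)$")
SUB_RE = re.compile(r"^(?P<name>[^\s:]+): SWI/X verification successful\.$")
TOP_OK = "SWI/X verification successful."


def check_verify_output(text):
    """Return (ok, problems) for the text printed by one verify-swi run."""
    declared, verified, top_ok, problems = [], set(), False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        opt, sub = OPT_RE.match(line), SUB_RE.match(line)
        if opt:
            declared = opt.group("names").split()
        elif sub:
            verified.add(sub.group("name"))
        elif line == TOP_OK:
            top_ok = True
        else:
            # Assumption: anything not recognised is treated as a failure.
            problems.append("unrecognised line: " + line)
    for name in declared:
        if name not in verified:
            problems.append("sub-image not verified: " + name)
    for name in sorted(verified - set(declared)):
        problems.append("result for undeclared sub-image: " + name)
    if not top_ok:
        problems.append("top-level signature not verified")
    return (not problems, problems)


# Constructed samples in the format shown on this page.
MODULAR_OK = """Optimizations in EOS.swi: Default Sand-4GB Strata-4GB
Default: SWI/X verification successful.
Sand-4GB: SWI/X verification successful.
Strata-4GB: SWI/X verification successful.
SWI/X verification successful.
"""
LEGACY_OK = "SWI/X verification successful.\n"
# Constructed failure case: the Sand-4GB result line is absent.
MODULAR_MISSING = MODULAR_OK.replace("Sand-4GB: SWI/X verification successful.\n", "")

if __name__ == "__main__":
    for label, sample in [("modular", MODULAR_OK), ("legacy", LEGACY_OK),
                          ("missing", MODULAR_MISSING)]:
        print(label, check_verify_output(sample))
```
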

1.1

1.0
