Signatures are represented as actions, just as all other manifest content is represented as actions. Since manifests contain all the package metadata (such as file permissions, ownership, and content hashes), a signature action that validates that the manifest has not been altered since it was published is an important part of system validation.
The signature actions form a tree that includes the delivered binaries such that complete verification of the installed software is possible.
A signature action has the following form:
signature hash_of_certificate algorithm=signature_algorithm \
    value=signature_value \
    chain="hashes_of_certificates_needed_to_validate_primary_certificate" \
    version=pkg_version_of_signature
The payload (hash_of_certificate) and the chain attribute are the packaging hashes of the PEM (Privacy Enhanced Mail) files containing the X.509 certificates, which can be retrieved from the originating repository. The payload certificate is the certificate that verifies the signature in value. The value is the signed hash of the message text of the manifest, prepared as discussed below.
The other certificates presented in chain must form a certificate path that leads from the payload certificate to the trust anchors.
Two types of signature algorithms are supported:
The first type of signature algorithm is the RSA group of algorithms. An example of an RSA signature algorithm is rsa-sha256. The string after the hyphen (sha256 in this example) specifies the hash algorithm used to reduce the message text to a single value that the RSA algorithm can sign.
The second type of signature algorithm computes the hash only. This type of algorithm exists primarily for testing and process verification purposes and presents the hash itself as the signature value. A signature action of this type is indicated by the lack of a payload certificate hash. This type of signature action is verified if the image is configured to check signatures. However, its presence does not count as a signature if signatures are required. The following example shows a hash-only signature action:
signature algorithm=hash_algorithm value=hash \
    version=pkg_version_of_signature
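The following Python example is added here to illustrate both the action syntax above and the verify/require distinction for hash-only actions; it is not code from pkg(7) or the IPS source. It parses signature actions (joining backslash continuations and keeping the quoted chain attribute intact), distinguishes RSA from hash-only actions by the presence of the payload certificate hash, recomputes hash-only values over a constructed manifest body, and applies three assumed policy names (ignore, verify, require-signatures). The way the message text is prepared from the manifest is an assumption of this example, as is the rsa_verify callback, since certificate retrieval and RSA verification are outside its scope.

```python
"""Parse IPS-style signature actions and apply a signature policy.

Added example, not pkg(7) code. The manifest body, the message-text
preparation and the policy names are constructed or assumed here.
"""
import hashlib
import shlex

# Constructed manifest body: one package attribute and one delivered file.
MANIFEST_BODY = (
    "set name=pkg.fmri value=pkg://example/demo@1.0\n"
    "file 0123abcd path=usr/bin/demo mode=0555 owner=root group=bin\n"
)


def message_text(manifest_body: str) -> bytes:
    """Assumed preparation: non-signature action lines, sorted, LF-joined."""
    lines = sorted(
        l for l in manifest_body.splitlines()
        if l and not l.startswith("signature ")
    )
    return ("\n".join(lines) + "\n").encode()


def parse_signature_action(text: str) -> dict:
    """Split a signature action into payload, attributes and chain list."""
    joined = text.replace("\\\n", " ")      # join continuation lines
    tokens = shlex.split(joined)            # quoted chain stays one token
    if not tokens or tokens[0] != "signature":
        raise ValueError("not a signature action")
    action = {"payload": None, "attrs": {}}
    for tok in tokens[1:]:
        if "=" in tok:
            key, val = tok.split("=", 1)
            action["attrs"][key] = val
        elif action["payload"] is None:
            action["payload"] = tok         # hash of the payload certificate
        else:
            raise ValueError(f"unexpected token {tok!r}")
    action["chain"] = action["attrs"].get("chain", "").split()
    return action


def signature_kind(action: dict) -> str:
    """'hash-only' when no payload certificate hash is present, else 'rsa'."""
    alg = action["attrs"]["algorithm"]
    if action["payload"] is None:
        return "hash-only"
    if alg.startswith("rsa-"):
        return "rsa"
    raise ValueError(f"unsupported algorithm {alg!r}")


def hash_name(action: dict) -> str:
    """The hash algorithm: after the hyphen for rsa-*, the whole name otherwise."""
    alg = action["attrs"]["algorithm"]
    return alg.split("-", 1)[1] if "-" in alg else alg


def verify_hash_only(action: dict, manifest_body: str) -> bool:
    digest = hashlib.new(hash_name(action), message_text(manifest_body)).hexdigest()
    return digest == action["attrs"]["value"]


def make_hash_only_action(manifest_body: str, alg: str = "sha256") -> str:
    """Build a hash-only action for a manifest (test/process-verification use)."""
    digest = hashlib.new(alg, message_text(manifest_body)).hexdigest()
    return f"signature algorithm={alg} value={digest} \\\n    version=0"


def evaluate(manifest_body: str, signature_lines, policy: str, rsa_verify=None):
    """Return (accepted, number_of_certificate_backed_signatures).

    ignore:             accept without checking.
    verify:             every signature action present must verify.
    require-signatures: as verify, plus at least one certificate-backed
                        signature; hash-only actions never count.
    rsa_verify(action, message) -> bool is supplied by the caller (assumed
    hook); without it, RSA actions cannot verify.
    """
    real = 0
    for line in signature_lines:
        action = parse_signature_action(line)
        if signature_kind(action) == "hash-only":
            ok = verify_hash_only(action, manifest_body)
        else:
            ok = bool(rsa_verify and rsa_verify(action, message_text(manifest_body)))
            if ok:
                real += 1
        if policy != "ignore" and not ok:
            return False, real
    if policy == "require-signatures" and real == 0:
        return False, real
    return True, real


if __name__ == "__main__":
    hashed = make_hash_only_action(MANIFEST_BODY)
    print("verify:", evaluate(MANIFEST_BODY, [hashed], "verify"))
    print("require-signatures:", evaluate(MANIFEST_BODY, [hashed], "require-signatures"))
```

Running the block shows a hash-only action passing under verify but failing under require-signatures, and any change to a file action's mode or hash invalidates it under verify while ignore still accepts the manifest.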