Package Signature

Application package signing lets an operator ensure that an app package is valid and that the one installed on the device was obtained from a trusted source. If application package signature validation is turned ON on a platform, only signed applications can be deployed.

Sign an application

Once an application is ready to be packaged, the developer can create a signed package using the ioxclient tool. ioxclient uses the private key to sign the manifest file and also includes the user's public certificate as part of the package. Here is an example usage of the command.

bash$ ioxclient package --rsa-key key.pem --certificate cert.pem .
...
Generated package manifest at  package.mf
Signed the package and the signature is available at package.cert
Generating IOx Package..
Package generated at ./package.tar
bash$

 --rsa-key,      -k  Use this option to specify an RSA private key in PEM format to sign the package
 --certificate, -c  Use this option to specify an x509 client certificate in PEM format to be included in the signed package

Trust anchor

The trust anchor's CA chain certificate and revocation list are obtained from the certificate authority (CA) that issued the certificate. Put all the CA chains and the revocation list into a file called "ca-chain.cert.pem". Then create a metadata text file (info.txt) with details about the trust anchor, and bundle these two files as a tar package. The trust anchor is used to validate the certificate in the application. Before installing a signed application, the developer needs to ensure that the trust anchor is installed on the device. The snippet below shows the contents of the trust anchor tar package.

ca-chain.cert.pem:  PEM formatted file containing trusted CA chain and revocation list.
info.txt:           Contains metadata of the trust anchor archive. Can be used to track the 
                    version of trust anchor on the device.
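
A pre-flight check for the signing and trust anchor steps above, added here as an example (it is not part of ioxclient or of the original page): it confirms that key.pem matches cert.pem, that cert.pem chains to ca-chain.cert.pem, and bundles the two trust anchor files. It uses the standard openssl CLI; the function names, the script's argument order and the output archive name are assumptions.

```shell
#!/bin/sh
# Added example, not Cisco code. File names follow the page; function names,
# argument order and the archive name given to bundle_trust_anchor are assumptions.

# Succeeds only if the private key and the certificate carry the same public key.
# usage: key_matches_cert key.pem cert.pem
key_matches_cert() {
    _from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    _from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$_from_key" = "$_from_cert" ]
}

# Succeeds only if the signing certificate chains to a CA in the trust anchor file.
# usage: cert_chains_to_anchor ca-chain.cert.pem cert.pem
cert_chains_to_anchor() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Bundles the two files the page lists into a tar; refuses if either is missing or empty.
# usage: bundle_trust_anchor directory output.tar
bundle_trust_anchor() {
    [ -s "$1/ca-chain.cert.pem" ] || return 1
    [ -s "$1/info.txt" ] || return 1
    tar -cf "$2" -C "$1" ca-chain.cert.pem info.txt
}

# Run as: sh preflight.sh key.pem cert.pem ca-chain.cert.pem
if [ "$#" -eq 3 ]; then
    key_matches_cert "$1" "$2" ||
        { echo "key and certificate do not match" >&2; exit 1; }
    cert_chains_to_anchor "$3" "$2" ||
        { echo "certificate does not chain to the trust anchor" >&2; exit 1; }
    echo "ok: key, certificate and trust anchor are consistent"
fi
```

A mismatch caught here is cheaper to fix than a signed package that the device rejects at install time.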