Re: [PATCH v2 15/17] crypto: concatenate fit development certificate with private key

[Sascha Hauer <s.hauer@pengutronix.de>]

On Mon, Nov 03, 2025 at 12:41:14PM +0100, Jonas Rebmann wrote:
> Hi Sascha,
> 
> On 2025-11-03 11:08, Sascha Hauer wrote:
> > On Tue, Oct 28, 2025 at 07:03:20PM +0100, Jonas Rebmann wrote:
> > > Merge the exemplary keys copied in from [1] into a single pem file,
> > > in a manner similar to test/self/development_rsa2048.pem for consistency
> > > and to reduce clutter a bit.
> > > 
> > > While at it, rename them from "fit-" to "snakeoil-" as they are not only
> > > used for fit, but also for tlv integration tests, and to indicate more
> > > clearly that these are publicly known keys.
> > 
> > Should we rather keep the "fit" name and add another key for tlv
> > integration tests?
> 
> I'd rather not add more 'compromised' keys to the repo. What would be
> the gain?

My thinking was that with this we could make sure that during tests
actually a key from the desired keyring is used.

> 
> I think naming it snakeoil gives it the warning it deserves. We should
> make it hard for anyone to confuse our CI/Development keys with their
> production keys.

Indeed. I just don't like the term "snakeoil" here.

>From wikipedia:

"Snake oil" is a term used to describe deceptive marketing, health care fraud, or a scam.

We don't do anything like this here. We're not trying to sell snake oil.

I am open for something like "testing" or "development".

Also we might want to add a runtime message like:

"WARNING: This barebox binary contains well known keys and is unsecure"

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |