From: Antonio Alvarez Feijoo Date: Thu, 23 Apr 2026 13:39:29 +0000 (+0200) Subject: man: clarify that /etc/verity.d only parses certificates with the .crt extension X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dfa5aa07b5637cb9a9f46d7908c964217940a073;p=thirdparty%2Fsystemd.git man: clarify that /etc/verity.d only parses certificates with the .crt extension Exposed in the dracut testsuite while adding tests for sysexts: ``` [ 2.972948] localhost (sd-merge)[510]: Validation of dm-verity signature failed via the kernel, trying userspace validation instead: Required key not available [ 2.972993] localhost (sd-merge)[510]: Skipping file '/etc/verity.d/dracut.pem', suffix is not '.crt'. [ 2.973045] localhost (sd-merge)[510]: No userspace dm-verity certificates found. ``` --- diff --git a/man/kernel-command-line.xml b/man/kernel-command-line.xml index 0ad3c9c772f..83544b36064 100644 --- a/man/kernel-command-line.xml +++ b/man/kernel-command-line.xml @@ -711,8 +711,8 @@ systemd.allow_userspace_verity= Takes a boolean argument. Controls whether disk images that are Verity protected may - be authenticated in userspace signature checks via /etc/verity.d/ (and related - directories) public key drop-ins, or whether in-kernel signature checking only. Defaults to + be authenticated in userspace signature checks via /etc/verity.d/*.crt (and + related directories) public key drop-ins, or whether in-kernel signature checking only. Defaults to on. diff --git a/man/systemd-mountfsd.service.xml b/man/systemd-mountfsd.service.xml index 7cc607c4c5c..2e623a27281 100644 --- a/man/systemd-mountfsd.service.xml +++ b/man/systemd-mountfsd.service.xml 
@@ -45,7 +45,7 @@ /usr/lib/ it is assumed to be trusted. If the disk image contains a Verity enabled disk image, along with a signature - partition with a key in the kernel keyring or in /etc/verity.d/ (and related + partition with a key in the kernel keyring or in /etc/verity.d/*.crt (and related directories) the disk image is considered trusted.
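Review bot: In the man/kernel-command-line.xml hunk, the new wording "/etc/verity.d/*.crt (and related directories)" puts "related directories" after a file glob, so it is no longer clear that the .crt requirement also applies to files in those other directories. The log in the commit message shows the failure this change is meant to prevent: '/etc/verity.d/dracut.pem' is skipped because of its suffix, and validation then ends with "No userspace dm-verity certificates found". Consider saying so in a sentence of its own, for example that only files with the .crt suffix in /etc/verity.d/ and the related directories are read and files with any other suffix are skipped. Since the line is being touched anyway, "or whether in-kernel signature checking only" is missing a verb and could be fixed in the same change.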
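Review bot: In the man/systemd-mountfsd.service.xml hunk, "a key in the kernel keyring or in /etc/verity.d/*.crt" now describes a key located "in" a glob pattern, and it calls the drop-in a key while the commit subject calls these files certificates. Wording such as "a certificate in a file with the .crt suffix in /etc/verity.d/ (and related directories)" would match the subject line and keep the directory and the suffix requirement as separate statements. As written, the glob followed by "(and related directories)" also leaves open whether the suffix rule applies in those directories.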