From dfa5aa07b5637cb9a9f46d7908c964217940a073 Mon Sep 17 00:00:00 2001 From: Antonio Alvarez Feijoo Date: Thu, 23 Apr 2026 15:39:29 +0200 Subject: [PATCH] man: clarify that /etc/verity.d only parses certificates with the .crt extension Exposed in the dracut testsuite while adding tests for sysexts: ``` [ 2.972948] localhost (sd-merge)[510]: Validation of dm-verity signature failed via the kernel, trying userspace validation instead: Required key not available [ 2.972993] localhost (sd-merge)[510]: Skipping file '/etc/verity.d/dracut.pem', suffix is not '.crt'. [ 2.973045] localhost (sd-merge)[510]: No userspace dm-verity certificates found. ``` --- man/kernel-command-line.xml | 4 ++-- man/systemd-mountfsd.service.xml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/man/kernel-command-line.xml b/man/kernel-command-line.xml index 0ad3c9c772f..83544b36064 100644 --- a/man/kernel-command-line.xml +++ b/man/kernel-command-line.xml @@ -711,8 +711,8 @@ systemd.allow_userspace_verity= Takes a boolean argument. Controls whether disk images that are Verity protected may - be authenticated in userspace signature checks via /etc/verity.d/ (and related - directories) public key drop-ins, or whether in-kernel signature checking only. Defaults to + be authenticated in userspace signature checks via /etc/verity.d/*.crt (and + related directories) public key drop-ins, or whether in-kernel signature checking only. Defaults to on. diff --git a/man/systemd-mountfsd.service.xml b/man/systemd-mountfsd.service.xml index 7cc607c4c5c..2e623a27281 100644 --- a/man/systemd-mountfsd.service.xml +++ b/man/systemd-mountfsd.service.xml 
@@ -45,7 +45,7 @@ /usr/lib/ it is assumed to be trusted. If the disk image contains a Verity enabled disk image, along with a signature - partition with a key in the kernel keyring or in /etc/verity.d/ (and related + partition with a key in the kernel keyring or in /etc/verity.d/*.crt (and related directories) the disk image is considered trusted. -- 2.47.3
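Review bot: In the man/kernel-command-line.xml hunk (systemd.allow_userspace_verity=), the added text "/etc/verity.d/*.crt (and related directories)" does not say whether the .crt suffix rule also applies to the related directories, and it never states that other files are skipped. The log in the commit message shows '/etc/verity.d/dracut.pem' being skipped and validation then ending with "No userspace dm-verity certificates found", so a short explicit sentence such as "Files without the .crt suffix are ignored" would make that failure mode visible to readers. Since the second changed line is rewrapped anyway, the clause "or whether in-kernel signature checking only" is missing a verb and could be fixed in the same pass, for example "or whether only in-kernel signature checking is permitted".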
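Review bot: In the man/systemd-mountfsd.service.xml hunk, the changed line now reads "a key in the kernel keyring or in /etc/verity.d/*.crt", which mixes terms: the commit subject speaks of certificates with the .crt extension, while the sentence still says "key". Suggest "with a key in the kernel keyring or a certificate in /etc/verity.d/*.crt", and state whether "(and related directories)" follows the same suffix rule, because this sentence defines when a disk image is considered trusted.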