A firmware mirroring tool that creates LVFS-compatible repositories by fetching and converting firmware from hardware vendors (Dell and HPE).
Firmirror automates the process of:
- Fetching firmware catalogs from vendor sources
- Downloading firmware packages
- Converting vendor-specific formats to LVFS/fwupd AppStream metadata
- Building CAB packages compatible with fwupd
- Maintaining a LVFS-compatible metadata index
- Multi-vendor Support: Currently supports Dell DSU and HPE SDR repositories
- Incremental Processing: Tracks processed firmware to avoid re-downloading
- Pluggable Storage: Abstract storage interface supporting local filesystem, with ability to add cloud storage (S3, GCS, etc.)
- Metadata Signing: Support for signing LVFS metadata using JCAT format with X.509 certificates
- Go 1.19 or higher
fwupdtoolcommand-line tooljcat-toolfor signature
go build -o firmirror ./cmd/firmirror.goA multi-stage Dockerfile is available:
docker build -t firmirror .
docker run -v /output:/output firmirror refresh /output --dell.enableGlobal Flags:
--help Show help
Refresh Command:
<out-dir> Output directory for firmware and metadata
Dell Flags:
--dell.enable Enable Dell firmware mirroring
--dell.machines-id Comma-separated list of System IDs (e.g., 0C60,0C61)
HPE Flags:
--hpe.enable Enable HPE firmware mirroring
--hpe.gens Comma-separated list of generations (e.g., gen10,gen11)
Signature Flags:
--sign.certificate Path to certificate file for signing metadata (.pem or .crt)
--sign.private-key Path to private key file for signing metadata (.pem or .key)
# Mirror Dell firmware for specific machine types
./firmirror refresh /output/dir \
--dell.enable \
--dell.machines-id=0C60,0C61
# Mirror HPE firmware for specific generations
./firmirror refresh /output/dir \
--hpe.enable \
--hpe.gens=gen10,gen11
# Mirror both vendors
./firmirror refresh /output/dir \
--dell.enable \
--dell.machines-id=0C60 \
--hpe.enable \
--hpe.gens=gen10/output/dir/
├── firmware1.bin.cab # CAB packages
├── firmware2.bin.cab
├── ...
├── metadata.xml.zst # Compressed LVFS metadata
├── metadata.xml.zst.jcat # JCAT signature file
└── metadata.xml # Uncompressed metadata (temporary)
Firmirror supports signing the LVFS metadata using the JCAT (JSON Catalog) format, which is compatible with fwupd's signature verification.
- JCAT File Creation: After compressing the metadata (metadata.xml.zst), a corresponding .jcat file is created
- Checksums: The JCAT file always includes SHA256 checksums for integrity verification
- Digital Signature: If certificate and private key are provided, the metadata is signed using PKCS#7 format
- Storage: Both the compressed metadata and its .jcat signature file are stored together
- X.509 certificate in PEM or CRT format
- Private key in PEM or KEY format
- The certificate should be trusted by the systems that will verify the metadata
# Generate a private key
contrib/makecert.sh
# Use with firmirror
./firmirror refresh /output/dir \
--dell.enable \
--sign.certificate=cert.pem \
--sign.private-key=key.pemFor production use, obtain certificates from a trusted Certificate Authority.