dissect: check that roothash in signature matches before selecting partition

If there are multiple verity sig partitions (e.g.: sysupdate and A/B
scheme), dissection will simply pick the last sig partition it encounters,
as no checks are done on the content (like for the usr/root and verity data).

Check that the JSON content matches the requested roothash, if any.

Before:

sda: /usr/lib/udev/rules.d/90-image-dissect.rules:34 IMPORT{builtin}="dissect_image probe": Importing properties from results of builtin command "dissect_image probe".
Dissecting esp partition with label esp and UUID b80070bd-ea4f-49ea-94ab-41a4e4125f80.
Dissecting usr-verity-sig partition with label ParticleOS_27.178_verity_sig and UUID a6d47959-39f7-4686-99b0-660b301d1488.
Dissecting usr-verity partition with label ParticleOS_27.178_verity and UUID d7acad57-995d-297d-bf6c-a58821dcd28a.
Dissecting usr partition with label ParticleOS_27.178 and UUID f5b6aff5-945d-946e-faf4-d482c07f9968.
Dissecting usr-verity-sig partition with label ParticleOS_118.26_verity_sig and UUID c9151ec9-3264-434a-8f42-7b125432d676.
Dissecting usr-verity partition with label ParticleOS_118.26_verity and UUID 88fa8c85-8161-ea32-bf4a-fc8df18d27ae.
Partition UUID '88fa8c85-8161-ea32-bf4a-fc8df18d27ae' does not match expected UUID 'f5b6aff5-945d-946e-faf4-d482c07f9968' derived from usr verity hash, ignoring.
Dissecting usr partition with label ParticleOS_118.26 and UUID 52df1859-e144-348d-2cb1-8d6440254719.
Partition UUID '52df1859-e144-348d-2cb1-8d6440254719' does not match expected UUID 'f5b6aff5-945d-946e-faf4-d482c07f9968' derived from usr verity hash, ignoring.
Dissecting swap partition with label ParticleOS-swap and UUID 7fe77f77-32fb-4957-8c1e-6c04bd2e435f.
Dissecting root partition with label ParticleOS-root and UUID a5c89fc4-e92c-4e83-913f-8c866b94592e.
Dissecting home partition with label ParticleOS-home and UUID 25885d07-baa2-4992-b6aa-56813aa70cef.
Found for designator root: encrypted+unprotected+unused.
Found for designator usr: verity+signed+encrypted+unprotected+unused.
Found for designator home: encrypted+unprotected+unused.
Found for designator srv: absent.
Found for designator esp: encrypted+unprotected+unused.
Found for designator xbootldr: absent.
Found for designator swap: encrypted+unprotected+unused.
Found for designator root-verity: absent.
Found for designator usr-verity: encrypted+unprotected+unused.
Found for designator root-verity-sig: absent.
Found for designator usr-verity-sig: encrypted+unprotected+unused.
Found for designator tmp: absent.
Found for designator var: absent.
Probed fstype 'btrfs' on partition /dev/sda9.
Probed fstype 'erofs' on partition /dev/sda4.
Probed fstype 'btrfs' on partition /dev/sda10.
Probed fstype 'swap' on partition /dev/sda8.
Root hash in signature JSON data (52df1859e144348d2cb18d644025471988fa8c858161ea32bf4afc8df18d27ae) doesn't match configured hash (f5b6aff5945d946efaf4d482c07f9968d7acad57995d297dbf6ca58821dcd28a).
sda: Failed to load verity signature data from image: Invalid argument

After:

Dissecting usr-verity-sig partition with label ParticleOS_27.178_verity_sig and UUID a6d47959-39f7-4686-99b0-660b301d1488.
Dissecting usr-verity partition with label ParticleOS_27.178_verity and UUID d7acad57-995d-297d-bf6c-a58821dcd28a.
Dissecting usr partition with label ParticleOS_27.178 and UUID f5b6aff5-945d-946e-faf4-d482c07f9968.
Dissecting usr-verity-sig partition with label ParticleOS_118.26_verity_sig and UUID c9151ec9-3264-434a-8f42-7b125432d676.
Root hash in signature JSON data (52df1859e144348d2cb18d644025471988fa8c858161ea32bf4afc8df18d27ae) doesn't match configured hash (f5b6aff5945d946efaf4d482c07f9968d7acad57995d297dbf6ca58821dcd28a).
Dissecting usr-verity partition with label ParticleOS_118.26_verity and UUID 88fa8c85-8161-ea32-bf4a-fc8df18d27ae.
Partition UUID '88fa8c85-8161-ea32-bf4a-fc8df18d27ae' does not match expected UUID 'f5b6aff5-945d-946e-faf4-d482c07f9968' derived from usr verity hash, ignoring.
Dissecting usr partition with label ParticleOS_118.26 and UUID 52df1859-e144-348d-2cb1-8d6440254719.
Partition UUID '52df1859-e144-348d-2cb1-8d6440254719' does not match expected UUID 'f5b6aff5-945d-946e-faf4-d482c07f9968' derived from usr verity hash, ignoring.
<...>
  ID_DISSECT_PART2_DESIGNATOR=usr-verity-sig
  ID_DISSECT_PART3_ARCHITECTURE=x86-64
  ID_DISSECT_PART3_DESIGNATOR=usr-verity
  ID_DISSECT_PART4_ARCHITECTURE=x86-64
  ID_DISSECT_PART4_DESIGNATOR=usr
  ID_DISSECT_PART4_HAS_VERITY=1
  ID_DISSECT_PART4_HAS_VERITY_SIG=1
  ID_DISSECT_PART4_ROOTHASH=f5b6aff5945d946efaf4d482c07f9968d7acad57995d297dbf6ca58821dcd28a
  ID_DISSECT_PART4_ROOTHASH_SIG=<...>
  ID_DISSECT_PART4_VERITY_DEVICE=/dev/disk/by-diskseq/9-part3
  ID_DISSECT_PART4_VERITY_SIG_DEVICE=/dev/disk/by-diskseq/9-part2

Fixes https://github.com/systemd/systemd/issues/39655

po/de.po

@@ -9,14 +9,15 @@
 # Christian Wehrli <christian@chw.onl>, 2021.
 # Christian Kirbach <christian.kirbach@gmail.com>, 2023.
 # Jarne Förster <fedora@mymailclient.de>, 2024.
-# Weblate Translation Memory <noreply-mt-weblate-translation-memory@weblate.org>, 2024.
+# Weblate Translation Memory <noreply-mt-weblate-translation-memory@weblate.org>, 2024, 2025.
 # Anselm Schueler <mail@anselmschueler.com>, 2024.
+# Marcel Leismann <tiixrigjekfv@use.startmail.com>, 2025.
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2025-07-23 15:38+0100\n"
-"PO-Revision-Date: 2024-12-30 22:38+0000\n"
+"PO-Revision-Date: 2025-11-11 11:42+0000\n"
-"Last-Translator: Ettore Atalan <atalanttore@googlemail.com>\n"
+"Last-Translator: Marcel Leismann <tiixrigjekfv@use.startmail.com>\n"
 "Language-Team: German <https://translate.fedoraproject.org/projects/systemd/"
 "main/de/>\n"
 "Language: de\n"
@@ -24,7 +25,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 5.9.2\n"
+"X-Generator: Weblate 5.14.3\n"
 
 #: src/core/org.freedesktop.systemd1.policy.in:22
 msgid "Send passphrase back to system"
@@ -163,9 +164,8 @@ msgstr ""
 "Benutzers notwendig."
 
 #: src/home/org.freedesktop.home1.policy:83
-#, fuzzy
 msgid "Activate a home area"
-msgstr "Einen persönlichen Bereich anlegen"
+msgstr "Einen persönlichen Bereich aktivieren"
 
 #: src/home/org.freedesktop.home1.policy:84
 msgid "Authentication is required to activate a user's home area."
@@ -175,15 +175,13 @@ msgstr ""
 
 #: src/home/org.freedesktop.home1.policy:93
 msgid "Manage Home Directory Signing Keys"
-msgstr ""
+msgstr "Die Signierschlüssel des Benutzerverzeichnisses verwalten"
 
 #: src/home/org.freedesktop.home1.policy:94
-#, fuzzy
-#| msgid "Authentication is required to manage system services or other units."
 msgid "Authentication is required to manage signing keys for home directories."
 msgstr ""
-"Legitimierung ist notwendig für die Verwaltung von Systemdiensten und "
+"Legitimierung ist notwendig für die Verwaltung von Signierschlüsseln von "
-"anderen Einheiten."
+"Benutzerverzeichnissen."
 
 #: src/home/pam_systemd_home.c:336
 #, c-format
@@ -191,7 +189,7 @@ msgid ""
 "Home of user %s is currently absent, please plug in the necessary storage "
 "device or backing file system."
 msgstr ""
-"Der persönliche Ordner von %s ist nicht verfügbar. Bitte hängen Sie das "
+"Das Benutzerverzeichnis von %s ist nicht verfügbar. Bitte hängen Sie das "
 "benötigte Speichermedium oder Dateisystem ein."
 
 #: src/home/pam_systemd_home.c:341
@@ -208,7 +206,7 @@ msgstr "Passwort: "
 #: src/home/pam_systemd_home.c:355
 #, c-format
 msgid "Password incorrect or not sufficient for authentication of user %s."
-msgstr "Passwort nicht korrekt oder unzureichend um %s zu authentifizieren."
+msgstr "Falsches Passwort oder unzureichende Authentifizierung für Nutzer %s."
 
 #: src/home/pam_systemd_home.c:356
 msgid "Sorry, try again: "
@@ -229,16 +227,16 @@ msgstr ""
 
 #: src/home/pam_systemd_home.c:381
 msgid "Sorry, reenter recovery key: "
-msgstr "Entschuldigung, bitte Wiederherstellungsschlüssel erneut eingeben: "
+msgstr "Bitte Wiederherstellungsschlüssel erneut eingeben: "
 
 #: src/home/pam_systemd_home.c:401
 #, c-format
 msgid "Security token of user %s not inserted."
-msgstr "Sicherheitstoken für %s nicht eingesteckt."
+msgstr "Sicherheitstoken für Benutzer %s nicht eingesteckt."
 
 #: src/home/pam_systemd_home.c:402 src/home/pam_systemd_home.c:405
 msgid "Try again with password: "
-msgstr "Erneut mit Passwort probieren: "
+msgstr "Bitte noch einmal mit Passwort versuchen: "
 
 #: src/home/pam_systemd_home.c:404
 #, c-format
@@ -246,8 +244,8 @@ msgid ""
 "Password incorrect or not sufficient, and configured security token of user "
 "%s not inserted."
 msgstr ""
-"Passwort falsch oder unzureichend und konfigurierter Sicherheitstoken für %s "
+"Passwort falsch oder unzureichend und konfigurierter Sicherheitstoken für "
-"nicht eingesteckt."
+"Benutzer %s nicht eingesteckt."
 
 #: src/home/pam_systemd_home.c:424
 msgid "Security token PIN: "
@@ -386,7 +384,7 @@ msgstr ""
 
 #: src/hostname/org.freedesktop.hostname1.policy:51
 msgid "Get product UUID"
-msgstr "Die Produkte-UUID erhalten"
+msgstr "Produkt UUID erhalten"
 
 #: src/hostname/org.freedesktop.hostname1.policy:52
 msgid "Authentication is required to get product UUID."
@@ -594,8 +592,8 @@ msgstr "Nicht angemeldetem Benutzer die Ausführung von Programmen erlauben"
 #: src/login/org.freedesktop.login1.policy:129
 msgid "Explicit request is required to run programs as a non-logged-in user."
 msgstr ""
-"Legitimierung ist erforderlich, damit nicht angemeldete Benutzer Programme "
+"Eine explizite Anfrage ist notwendig, um Programme als nicht angemeldeter "
-"ausführen dürfen."
+"Benutzer auszuführen."
 
 #: src/login/org.freedesktop.login1.policy:138
 msgid "Allow non-logged-in users to run programs"
@@ -648,7 +646,7 @@ msgid ""
 "Authentication is required to power off the system while other users are "
 "logged in."
 msgstr ""
-"Legitimierung ist zum Herunterfahren des Systems notwendig, während andere "
+"Legitimierung ist notwendig, um das System herunterzufahren, während andere "
 "Benutzer angemeldet sind."
 
 #: src/login/org.freedesktop.login1.policy:191
@@ -719,17 +717,15 @@ msgstr ""
 
 #: src/login/org.freedesktop.login1.policy:257
 msgid "Halt the system while an application is inhibiting this"
-msgstr ""
+msgstr "Das System herunterfahren, während eine Anwendung dies verhindert"
-"Das System in den Ruhezustand versetzen, während eine Anwendung wünscht dies "
-"zu verhindern"
 
 #: src/login/org.freedesktop.login1.policy:258
 msgid ""
 "Authentication is required to halt the system while an application is "
 "inhibiting this."
 msgstr ""
-"Legitimierung ist zum Versetzen des System in den Ruhezustand notwendig, "
+"Legitimierung ist notwendig, um das System in den Ruhezustand zu versetzen, "
-"während eine Anwendung wünscht dies zu verhindern."
+"während eine Anwendung dies verhindert."
 
 #: src/login/org.freedesktop.login1.policy:268
 msgid "Suspend the system"
@@ -792,8 +788,8 @@ msgstr ""
 #: src/login/org.freedesktop.login1.policy:321
 msgid "Hibernate the system while an application is inhibiting this"
 msgstr ""
-"Das System in den Ruhezustand versetzen, während eine Anwendung wünscht dies "
+"Das System in den Ruhezustand versetzen, während eine Anwendung dies "
-"zu verhindern"
+"verhindert"
 
 #: src/login/org.freedesktop.login1.policy:322
 msgid ""
@@ -873,7 +869,6 @@ msgid "Set a wall message"
 msgstr "Nachricht an alle einstellen"
 
 #: src/login/org.freedesktop.login1.policy:397
-#, fuzzy
 msgid "Authentication is required to set a wall message."
 msgstr "Legitimierung ist zum Einstellen einer Nachricht an alle notwendig."
 
@@ -964,20 +959,15 @@ msgstr ""
 "Containers erforderlich."
 
 #: src/machine/org.freedesktop.machine1.policy:106
-#, fuzzy
-#| msgid "Create a local virtual machine or container"
 msgid "Register a local virtual machine or container"
-msgstr "Lokale virtuelle Maschinen oder Container erstellen"
+msgstr "Lokale virtuelle Maschinen oder Container registrieren"
 
 #: src/machine/org.freedesktop.machine1.policy:107
-#, fuzzy
-#| msgid ""
-#| "Authentication is required to create a local virtual machine or container."
 msgid ""
 "Authentication is required to register a local virtual machine or container."
 msgstr ""
-"Legitimierung ist zum Erstellen einer lokalen virtuellen Maschine oder eines "
+"Legitimierung ist für die Registrierung einer lokalen virtuellen Maschine "
-"Containers erforderlich."
+"oder eines Containers erforderlich."
 
 #: src/machine/org.freedesktop.machine1.policy:116
 msgid "Manage local virtual machine and container images"
@@ -1109,7 +1099,8 @@ msgstr "Der DHCP-Server sendet Nachricht zum erzwungenen Erneuern"
 
 #: src/network/org.freedesktop.network1.policy:144
 msgid "Authentication is required to send force renew message."
-msgstr "Legitimierung ist zum Einstellen einer Nachricht an alle notwendig."
+msgstr ""
+"Legitimierung ist zum Versenden einer Zwangserneuerungsnachricht notwendig."
 
 #: src/network/org.freedesktop.network1.policy:154
 msgid "Renew dynamic addresses"
@@ -1189,7 +1180,7 @@ msgstr "Einen DNS-SD-Dienst registrieren"
 
 #: src/resolve/org.freedesktop.resolve1.policy:23
 msgid "Authentication is required to register a DNS-SD service."
-msgstr "Legitimierung ist zum Anmelden eines DNS-SD-Dienstes notwendig"
+msgstr "Legitimierung ist zum Anmelden eines DNS-SD-Dienstes notwendig."
 
 #: src/resolve/org.freedesktop.resolve1.policy:33
 msgid "Unregister a DNS-SD service"
@@ -1197,7 +1188,7 @@ msgstr "Einen DNS-SD-Dienst deregistrieren"
 
 #: src/resolve/org.freedesktop.resolve1.policy:34
 msgid "Authentication is required to unregister a DNS-SD service."
-msgstr "Legitimierung ist zum Deregistrieren eines DNS-SD-Dienstes notwendig."
+msgstr "Legitimierung ist zum Abmelden eines DNS-SD-Dienstes erforderlich."
 
 #: src/resolve/org.freedesktop.resolve1.policy:132
 msgid "Revert name resolution settings"
@@ -1219,37 +1210,35 @@ msgstr "Legitimierung ist zum Abonnieren von Abfrageergebnissen erforderlich."
 
 #: src/resolve/org.freedesktop.resolve1.policy:154
 msgid "Subscribe to DNS configuration"
-msgstr ""
+msgstr "DNS Konfiguration abonnieren"
 
 #: src/resolve/org.freedesktop.resolve1.policy:155
-#, fuzzy
-#| msgid "Authentication is required to subscribe query results."
 msgid "Authentication is required to subscribe to DNS configuration."
-msgstr "Legitimierung ist zum Abonnieren von Abfrageergebnissen erforderlich."
+msgstr "Legitimierung ist zum Abonnieren der DNS-Konfiguration erforderlich."
 
 #: src/resolve/org.freedesktop.resolve1.policy:165
 msgid "Dump cache"
-msgstr ""
+msgstr "Cache leeren"
 
 #: src/resolve/org.freedesktop.resolve1.policy:166
 msgid "Authentication is required to dump cache."
-msgstr ""
+msgstr "Legitimierung ist zum Leeren des Caches notwendig."
 
 #: src/resolve/org.freedesktop.resolve1.policy:176
 msgid "Dump server state"
-msgstr ""
+msgstr "Serverstatus verwerfen"
 
 #: src/resolve/org.freedesktop.resolve1.policy:177
 msgid "Authentication is required to dump server state."
-msgstr ""
+msgstr "Legitimierung ist zum Verwerfen des Serverstatus erforderlich."
 
 #: src/resolve/org.freedesktop.resolve1.policy:187
 msgid "Dump statistics"
-msgstr ""
+msgstr "Statistik verwerfen"
 
 #: src/resolve/org.freedesktop.resolve1.policy:188
 msgid "Authentication is required to dump statistics."
-msgstr ""
+msgstr "Legitimierung ist zum Verwerfen der Statistiken notwendig."
 
 #: src/resolve/org.freedesktop.resolve1.policy:198
 msgid "Reset statistics"
@@ -1265,7 +1254,7 @@ msgstr "Auf Systemaktualisierungen prüfen"
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:36
 msgid "Authentication is required to check for system updates."
-msgstr "Legitimierung ist zum Prüfen auf Systemaktualisierungen notwendig."
+msgstr "Legitimierung ist zum Prüfen auf Systemaktualisierungen erforderlich."
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:45
 msgid "Install system updates"
@@ -1274,7 +1263,7 @@ msgstr "Systemaktualisierungen installieren"
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:46
 msgid "Authentication is required to install system updates."
 msgstr ""
-"Legitimierung ist zum Installieren von Systemaktualisierungen notwendig."
+"Legitimierung ist zum Installieren von Systemaktualisierungen erforderlich."
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:55
 msgid "Install specific system version"
@@ -1371,22 +1360,18 @@ msgstr ""
 "(unit)« notwendig."
 
 #: src/core/dbus-unit.c:620
-#, fuzzy
-#| msgid ""
-#| "Authentication is required to send a UNIX signal to the processes of '$"
-#| "(unit)'."
 msgid ""
 "Authentication is required to send a UNIX signal to the processes of "
 "subgroup of '$(unit)'."
 msgstr ""
-"Legitimierung ist zum Senden eines UNIX-Signals an die Prozesse von »$"
+"Legitimierung ist zum Senden eines UNIX-Signals an die Prozesse der "
-"(unit)« notwendig."
+"Untergruppe »$(unit)« notwendig."
 
 #: src/core/dbus-unit.c:648
 msgid "Authentication is required to reset the \"failed\" state of '$(unit)'."
 msgstr ""
 "Legitimierung ist zum Zurücksetzen des Status »fehlgeschlagen« von »$(unit)« "
-"notwendig"
+"notwendig."
 
 #: src/core/dbus-unit.c:678
 msgid "Authentication is required to set properties on '$(unit)'."

src/shared/dissect-image.c

@@ -568,6 +568,83 @@ static void dissected_partition_done(DissectedPartition *p) {
         *p = DISSECTED_PARTITION_NULL;
 }
 
+static int acquire_sig_for_roothash(
+                int fd,
+                uint64_t partition_offset,
+                uint64_t partition_size,
+                void **ret_root_hash,
+                size_t *ret_root_hash_size,
+                void **ret_root_hash_sig,
+                size_t *ret_root_hash_sig_size) {
+
+        int r;
+
+        assert(fd >= 0);
+        assert(!!ret_root_hash == !!ret_root_hash_size);
+        assert(!!ret_root_hash_sig == !!ret_root_hash_sig_size);
+
+        if (partition_offset == UINT64_MAX || partition_size == UINT64_MAX)
+                return -EINVAL;
+
+        if (partition_size > 4*1024*1024) /* Signature data cannot possible be larger than 4M, refuse that */
+                return log_debug_errno(SYNTHETIC_ERRNO(EFBIG), "Verity signature partition is larger than 4M, refusing.");
+
+        _cleanup_free_ char *buf = new(char, partition_size+1);
+        if (!buf)
+                return -ENOMEM;
+
+        ssize_t n = pread(fd, buf, partition_size, partition_offset);
+        if (n < 0)
+                return -ENOMEM;
+        if ((uint64_t) n != partition_size)
+                return -EIO;
+
+        const char *e = memchr(buf, 0, partition_size);
+        if (e) {
+                /* If we found a NUL byte then the rest of the data must be NUL too */
+                if (!memeqzero(e, partition_size - (e - buf)))
+                        return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Signature data contains embedded NUL byte.");
+        } else
+                buf[partition_size] = 0;
+
+        _cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;
+        r = sd_json_parse(buf, 0, &v, /* reterr_line= */ NULL, /* reterr_column= */ NULL);
+        if (r < 0)
+                return log_debug_errno(r, "Failed to parse signature JSON data: %m");
+
+        sd_json_variant *rh = sd_json_variant_by_key(v, "rootHash");
+        if (!rh)
+                return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Signature JSON object lacks 'rootHash' field.");
+
+        _cleanup_free_ void *root_hash = NULL;
+        size_t root_hash_size;
+        r = sd_json_variant_unhex(rh, &root_hash, &root_hash_size);
+        if (r < 0)
+                return log_debug_errno(r, "Failed to parse root hash field: %m");
+
+        sd_json_variant *sig = sd_json_variant_by_key(v, "signature");
+        if (!sig)
+                return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Signature JSON object lacks 'signature' field.");
+
+        _cleanup_free_ void *root_hash_sig = NULL;
+        size_t root_hash_sig_size;
+        r = sd_json_variant_unbase64(sig, &root_hash_sig, &root_hash_sig_size);
+        if (r < 0)
+                return log_debug_errno(r, "Failed to parse signature field: %m");
+
+        if (ret_root_hash) {
+                *ret_root_hash = TAKE_PTR(root_hash);
+                *ret_root_hash_size = root_hash_size;
+        }
+
+        if (ret_root_hash_sig) {
+                *ret_root_hash_sig = TAKE_PTR(root_hash_sig);
+                *ret_root_hash_sig_size = root_hash_sig_size;
+        }
+
+        return 0;
+}
+
 #if HAVE_BLKID
 static int diskseq_should_be_used(
                 const char *whole_devname,
@@ -1159,6 +1236,32 @@ static int dissect_image(
                                 rw = false;
 
                         } else if (type.designator == PARTITION_ROOT_VERITY_SIG) {
+                                if (verity && verity->root_hash) {
+                                        _cleanup_free_ void *root_hash = NULL;
+                                        size_t root_hash_size;
+
+                                        r = acquire_sig_for_roothash(
+                                                        fd,
+                                                        start * 512,
+                                                        size * 512,
+                                                        &root_hash,
+                                                        &root_hash_size,
+                                                        /* ret_root_hash_sig= */ NULL,
+                                                        /* ret_root_hash_sig_size= */ NULL);
+                                        if (r < 0)
+                                                return r;
+                                        if (memcmp_nn(verity->root_hash, verity->root_hash_size, root_hash, root_hash_size) != 0) {
+                                                if (DEBUG_LOGGING) {
+                                                        _cleanup_free_ char *found = NULL, *expected = NULL;
+
+                                                        found = hexmem(root_hash, root_hash_size);
+                                                        expected = hexmem(verity->root_hash, verity->root_hash_size);
+
+                                                        log_debug("Root hash in signature JSON data (%s) doesn't match configured hash (%s).", strna(found), strna(expected));
+                                                }
+                                                continue;
+                                        }
+                                }
 
                                 check_partition_flags(node, pflags,
                                                       SD_GPT_FLAG_NO_AUTO | SD_GPT_FLAG_READ_ONLY);
@@ -1202,6 +1305,32 @@ static int dissect_image(
                                 rw = false;
 
                         } else if (type.designator == PARTITION_USR_VERITY_SIG) {
+                                if (verity && verity->root_hash) {
+                                        _cleanup_free_ void *root_hash = NULL;
+                                        size_t root_hash_size;
+
+                                        r = acquire_sig_for_roothash(
+                                                        fd,
+                                                        start * 512,
+                                                        size * 512,
+                                                        &root_hash,
+                                                        &root_hash_size,
+                                                        /* ret_root_hash_sig= */ NULL,
+                                                        /* ret_root_hash_sig_size= */ NULL);
+                                        if (r < 0)
+                                                return r;
+                                        if (memcmp_nn(verity->root_hash, verity->root_hash_size, root_hash, root_hash_size) != 0) {
+                                                if (DEBUG_LOGGING) {
+                                                        _cleanup_free_ char *found = NULL, *expected = NULL;
+
+                                                        found = hexmem(root_hash, root_hash_size);
+                                                        expected = hexmem(verity->root_hash, verity->root_hash_size);
+
+                                                        log_debug("Root hash in signature JSON data (%s) doesn't match configured hash (%s).", strna(found), strna(expected));
+                                                }
+                                                continue;
+                                        }
+                                }
 
                                 check_partition_flags(node, pflags,
                                                       SD_GPT_FLAG_NO_AUTO | SD_GPT_FLAG_READ_ONLY);
@@ -3661,44 +3790,13 @@ int dissected_image_load_verity_sig_partition(
         DissectedPartition *p = m->partitions + ds;
         if (!p->found)
                 return 0;
-        if (p->offset == UINT64_MAX || p->size == UINT64_MAX)
-                return -EINVAL;
 
-        if (p->size > 4*1024*1024) /* Signature data cannot possible be larger than 4M, refuse that */
+        _cleanup_free_ void *root_hash = NULL, *root_hash_sig = NULL;
-                return log_debug_errno(SYNTHETIC_ERRNO(EFBIG), "Verity signature partition is larger than 4M, refusing.");
+        size_t root_hash_size, root_hash_sig_size;
 
-        _cleanup_free_ char *buf = new(char, p->size+1);
+        r = acquire_sig_for_roothash(fd, p->offset, p->size, &root_hash, &root_hash_size, &root_hash_sig, &root_hash_sig_size);
-        if (!buf)
-                return -ENOMEM;
-
-        ssize_t n = pread(fd, buf, p->size, p->offset);
-        if (n < 0)
-                return -ENOMEM;
-        if ((uint64_t) n != p->size)
-                return -EIO;
-
-        const char *e = memchr(buf, 0, p->size);
-        if (e) {
-                /* If we found a NUL byte then the rest of the data must be NUL too */
-                if (!memeqzero(e, p->size - (e - buf)))
-                        return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Signature data contains embedded NUL byte.");
-        } else
-                buf[p->size] = 0;
-
-        _cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;
-        r = sd_json_parse(buf, 0, &v, /* reterr_line= */ NULL, /* reterr_column= */ NULL);
         if (r < 0)
-                return log_debug_errno(r, "Failed to parse signature JSON data: %m");
+                return r;
-
-        sd_json_variant *rh = sd_json_variant_by_key(v, "rootHash");
-        if (!rh)
-                return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Signature JSON object lacks 'rootHash' field.");
-
-        _cleanup_free_ void *root_hash = NULL;
-        size_t root_hash_size;
-        r = sd_json_variant_unhex(rh, &root_hash, &root_hash_size);
-        if (r < 0)
-                return log_debug_errno(r, "Failed to parse root hash field: %m");
 
         /* Check if specified root hash matches if it is specified */
         if (verity->root_hash &&
@@ -3711,16 +3809,6 @@ int dissected_image_load_verity_sig_partition(
                 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Root hash in signature JSON data (%s) doesn't match configured hash (%s).", strna(a), strna(b));
         }
 
-        sd_json_variant *sig = sd_json_variant_by_key(v, "signature");
-        if (!sig)
-                return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Signature JSON object lacks 'signature' field.");
-
-        _cleanup_free_ void *root_hash_sig = NULL;
-        size_t root_hash_sig_size;
-        r = sd_json_variant_unbase64(sig, &root_hash_sig, &root_hash_sig_size);
-        if (r < 0)
-                return log_debug_errno(r, "Failed to parse signature field: %m");
-
         free_and_replace(verity->root_hash, root_hash);
         verity->root_hash_size = root_hash_size;