Add wrapper script for easy signing of firmware

Thought I might as well put this is in the repo since I use it very often.

Change-Id: Iecbb2340dce1522b15aab8eefb3b2c346cb7c24f

BUG=none
TEST=manually signed an image.

Review URL: http://codereview.chromium.org/6698014

1 files changed, 47 insertions, 0 deletions

diff --git a/scripts/image_signing/sign_firmware.sh b/scripts/image_signing/sign_firmware.sh
new file mode 100755
index 00000000..1d20e10c
--- /dev/null
+++ b/scripts/image_signing/sign_firmware.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Wrapper script for re-signing a firmware image.
+
+# Determine script directory
+SCRIPT_DIR=$(dirname $0)
+
+# Abort on error.
+set -e
+
+FIRMWARE_VERSION=1
+
+if [ $# -ne 3 ]; then
+  cat<<EOF
+Usage: $0 <input_firmware> <key_dir> <output_firmware>
+
+Signs <input_firmware> with keys in <key_dir> and outputs signed firmware to 
+<output_firmware>.
+EOF
+  exit 1
+fi
+
+IN_FIRMWARE=$1
+KEY_DIR=$2
+OUT_FIRMWARE=$3
+
+temp_fw=$(mktemp)
+trap "rm ${temp_fw}" EXIT
+
+# Replace the root and recovery key in the Google Binary Block of the firmware.
+gbb_utility -s \
+  --rootkey=${KEY_DIR}/root_key.vbpubk \
+  --recoverykey=${KEY_DIR}/recovery_key.vbpubk \
+  ${IN_FIRMWARE} ${temp_fw}
+
+# Resign the firmware with new keys
+${SCRIPT_DIR}/resign_firmwarefd.sh ${temp_fw} ${OUT_FIRMWARE} \
+  ${KEY_DIR}/firmware_data_key.vbprivk \
+  ${KEY_DIR}/firmware.keyblock \
+  ${KEY_DIR}/dev_firmware_data_key.vbprivk \
+  ${KEY_DIR}/dev_firmware.keyblock \
+  ${KEY_DIR}/kernel_subkey.vbpubk \
+  ${FIRMWARE_VERSION}