Fail verification if the rootfs hash is empty.

This should let the signer catch errors where there are errors parsing verity output. And failing verification if rootfs hash verification is turned off for whatever reason. Change-Id: I1e3f239a5b6afab31accdd8f0a737b8685530e8d BUG=chrome-os-partner:3093, chrome-os-partner:3104 TEST=manually on a badly signed image (verification fails now) Review URL: http://codereview.chromium.org/6720043
author: Gaurav Shah <gauravsh@chromium.org> 2011-04-05 12:09:28 -0700
committer: Gaurav Shah <gauravsh@chromium.org> 2011-04-05 12:09:28 -0700
commit: c3fe59f72c95597a2d5becc8511e9d5eaf97c391 (patch)
tree: 2999464c32ae4cc2bb41106d74201036b05ad685
parent: 3514e5010b939cc59fd9df0aac8db4bf4a181da5 (diff)
download: vboot-c3fe59f72c95597a2d5becc8511e9d5eaf97c391.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 8b61f39f..7c0018c7 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -301,12 +301,17 @@ verify_image() {
   local expected_hash=$(get_hash_from_config "${new_kernel_config}")
   local got_hash=$(get_hash_from_config "${kernel_config}")
 
+  if [ -z "${expected_hash}" ]; then
+    echo "FAILED: RootFS hash is empty!"
+    exit 1
+  fi
   if [ ! "${got_hash}" = "${expected_hash}" ]; then
     cat <<EOF
 FAILED: RootFS hash is incorrect.
 Expected: ${expected_hash}
 Got: ${got_hash}
 EOF
+    exit 1
   else
     echo "PASS: RootFS hash is correct (${expected_hash})"
   fi
author	Gaurav Shah <gauravsh@chromium.org>	2011-04-05 12:09:28 -0700
committer	Gaurav Shah <gauravsh@chromium.org>	2011-04-05 12:09:28 -0700
commit	c3fe59f72c95597a2d5becc8511e9d5eaf97c391 (patch)
tree	2999464c32ae4cc2bb41106d74201036b05ad685
parent	3514e5010b939cc59fd9df0aac8db4bf4a181da5 (diff)
download	vboot-c3fe59f72c95597a2d5becc8511e9d5eaf97c391.tar.gz