image_signing: Add sha1sum of a key without loem keyset to VERSION.signer.

CL:866522 supported the case of loem and uni-build projects but not for
the project with one key only. After this CL, `gooftool finalize` can
refer to VERSION.signer in order to get correct firmware key hash from
recovery image. As the result, firmware_keys field can be removed from
HWID database.

BUG=chromium:763328
TEST=1) ~/trunk/src/platform/vboot_reference/scripts/image_signing/sign_official_build.sh
  recovery ./chromeos_10644.0.0_soraka_recovery_dev-channel_mp.bin
  ./src/platform/vboot_reference/tests/devkeys ./output.bin
2) verify output file - VERSION.signer.
BRANCH=None

Change-Id: I376cd7038c0fe1d5cc71cb39cbabeb5e79994407
Reviewed-on: https://chromium-review.googlesource.com/1051429
Commit-Ready: Marco Chen <marcochen@chromium.org>
Tested-by: Marco Chen <marcochen@chromium.org>
Reviewed-by: Marco Chen <marcochen@chromium.org>
Reviewed-by: C Shapiro <shapiroc@google.com>

1 files changed, 5 insertions, 0 deletions

diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 1c4a2958..78aee2dd 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -732,6 +732,11 @@ resign_firmware_payload() {
       sha1=$(vbutil_key --unpack "${key}" | grep sha1sum | cut -d" " -f9)
       echo "  ${model}: ${sha1}" >>"${signer_notes}"
     done
+  else
+    echo "List sha1sum of single key's signature:" >>"${signer_notes}"
+    key="${KEY_DIR}/root_key.vbpubk"
+    sha1=$(vbutil_key --unpack "${key}" | grep sha1sum | cut -d" " -f9)
+    echo "  root: ${sha1}" >>"${signer_notes}"
   fi
 
   new_shellball=$(make_temp_file)