authorMarco Chen <marcochen@chromium.org>2018-01-15 13:05:59 +0800
committerChromeOS Commit Bot <chromeos-commit-bot@chromium.org>2018-01-22 19:14:07 +0000
commitbbd33ef5c3cc52d4fd52cd6cd7f30ff6f8588aa2 (patch)
treea6790e3535ebfeaecb2c76c41e8b27c10325bffe
parent281b6e35a70d7d77b7b8232d5915078de3001acd (diff)
downloadvboot-bbd33ef5c3cc52d4fd52cd6cd7f30ff6f8588aa2.tar.gz
image_signing: Add sha1sum of keys in keyset to VERSION.signer.
Recording the sha1sum of the keys in the keyset can help loem or unibuild projects verify 1. whether the rekey process is performed correctly during the factory build. 2. whether the HWID database is updated correctly. BUG=chromium:763328 TEST=1) modify loem.ini to match what coral is. 2) ~/trunk/src/platform/vboot_reference/scripts/image_signing/sign_official_build.sh recovery ./chromeos_10308.0.0_coral_recovery_dev-channel_mp-v4.bin ./src/platform/vboot_reference/tests/loemkeys ./output.bin 3) verify output file - VERSION.signer. BRANCH=none Change-Id: I80deadb04d9dc0eb66fc5ac45dce84e6f41f1a16 Signed-off-by: Marco Chen <marcochen@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/866522 Reviewed-by: Simon Glass <sjg@chromium.org> (cherry picked from commit e0b3841863281a3fc3b188bfbab55d401fabdc73) Reviewed-on: https://chromium-review.googlesource.com/879244 Reviewed-by: Shelley Chen <shchen@chromium.org> Commit-Queue: Shelley Chen <shchen@chromium.org> Tested-by: Shelley Chen <shchen@chromium.org>
-rwxr-xr-xscripts/image_signing/sign_official_build.sh9
1 files changed, 9 insertions, 0 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index bba33e23..1bee36df 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -10,6 +10,7 @@
#
# futility (from src/platform/vboot_reference)
# vbutil_kernel (from src/platform/vboot_reference)
+# vbutil_key (from src/platform/vboot_reference)
# cgpt (from src/platform/vboot_reference)
# dump_kernel_config (from src/platform/vboot_reference)
# verity (from src/platform/verity)
@@ -724,6 +725,14 @@ resign_firmware_payload() {
local signer_notes="${shellball_dir}/VERSION.signer"
echo "" >"$signer_notes"
echo "Signed with keyset in $(readlink -f "${KEY_DIR}") ." >>"${signer_notes}"
+ if [[ -d "${shellball_keyset_dir}" ]]; then
+ echo "List sha1sum of all loem/model's signatures:" >>"${signer_notes}"
+ for key in "${shellball_keyset_dir}"/rootkey.*; do
+ model="${key##*.}"
+ sha1=$(vbutil_key --unpack "${key}" | grep sha1sum | cut -d" " -f9)
+ echo " ${model}: ${sha1}" >>"${signer_notes}"
+ done
+ fi
new_shellball=$(make_temp_file)
cp -f "${firmware_bundle}" "${new_shellball}"
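Review bot: The loop added to resign_firmware_payload writes whatever `cut -d" " -f9` yields into VERSION.signer without checking it. A failed `vbutil_key --unpack`, a change in its output layout, or an unmatched `rootkey.*` glob (which leaves the literal pattern in `key`) would therefore apparently produce a line with an empty digest instead of an error. The commit message says this file is meant to confirm that rekeying was done correctly, so a missing digest should be reported and stop the run rather than be recorded silently. `key`, `model` and `sha1` are also assigned without `local`, so they leak out of the function. The function body starts and ends outside the hunk, so the error path sketched below should be adapted to however the rest of the function reports failures.

```shell
    # … unchanged: header line appended to signer_notes …
    local key model sha1
    for key in "${shellball_keyset_dir}"/rootkey.*; do
      # An unmatched glob is left as the literal pattern; skip it.
      [[ -e "${key}" ]] || continue
      # … unchanged: model and sha1 assignments …
      if [[ -z "${sha1}" ]]; then
        echo "No sha1sum parsed from ${key}" >&2
        return 1
      fi
      # … unchanged: append "model: sha1" to signer_notes …
```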