image_signing: Add sha1sum of the recovery key to VERSION.signer.

firmware_keys field in the HWID database also contains hash of recovery
key so need this information as well in order to deprecate firmware_keys
field.

BUG=chromium:763328
TEST=1) ~/trunk/src/platform/vboot_reference/scripts/image_signing/sign_official_build.sh
  recovery ./chromeos_10644.0.0_soraka_recovery_dev-channel_mp.bin
  ./src/platform/vboot_reference/tests/devkeys ./output.bin
2) verify output file - VERSION.signer.
BRANCH=None

Change-Id: If2be93723e95d46fc0546239695be27c3229275c
Reviewed-on: https://chromium-review.googlesource.com/1053334
Commit-Ready: Marco Chen <marcochen@chromium.org>
Tested-by: Marco Chen <marcochen@chromium.org>
Reviewed-by: Wei-Han Chen <stimim@chromium.org>
Reviewed-by: C Shapiro <shapiroc@google.com>

1 files changed, 5 insertions, 0 deletions

diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 78aee2dd..0f9bd50c 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -725,6 +725,11 @@ resign_firmware_payload() {
   local signer_notes="${shellball_dir}/VERSION.signer"
   echo "" >"$signer_notes"
   echo "Signed with keyset in $(readlink -f "${KEY_DIR}") ." >>"${signer_notes}"
+  # record recovery_key
+  key="${KEY_DIR}/recovery_key.vbpubk"
+  sha1=$(vbutil_key --unpack "${key}" | grep sha1sum | cut -d" " -f9)
+  echo "recovery: ${sha1}" >>"${signer_notes}"
+  # record root_key(s)
   if [[ -d "${shellball_keyset_dir}"  ]]; then
     echo "List sha1sum of all loem/model's signatures:" >>"${signer_notes}"
     for key in "${shellball_keyset_dir}"/rootkey.*; do