authorEric Caruso <ejcaruso@chromium.org>2017-03-17 14:56:31 -0700
committerchrome-bot <chrome-bot@chromium.org>2017-04-26 16:19:51 -0700
commit1919b169bfb6739db8b31509fd0d6c22427bdadf (patch)
tree1ffd2b825c15e3abce0b08d1c068232d842fdefa
parent510e7a2b0373b61237ed3a8ec7b6788828e5deba (diff)
image_signing: change files sign_oci_container looks forstabilize-9517.Bfirmware-rowan-9516.B
Since we're packing containers in a format imageloader understands, we need to consume imageloader's manifest and produce a signature it knows to look for. BRANCH=ToT BUG=chromium:697645 TEST=package adb container, verify imageloader.sig.2 is present Change-Id: Ied9cdacf1d448a094c1b171bc2bf3b2ae54eb517 Reviewed-on: https://chromium-review.googlesource.com/457102 Commit-Ready: Eric Caruso <ejcaruso@chromium.org> Tested-by: Eric Caruso <ejcaruso@chromium.org> Reviewed-by: Stephen Barber <smbarber@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org>
-rwxr-xr-xscripts/image_signing/sign_oci_container.sh35
1 files changed, 19 insertions, 16 deletions
diff --git a/scripts/image_signing/sign_oci_container.sh b/scripts/image_signing/sign_oci_container.sh
index df3eb0fa..14ca3af8 100755
--- a/scripts/image_signing/sign_oci_container.sh
+++ b/scripts/image_signing/sign_oci_container.sh
@@ -10,12 +10,13 @@ load_shflags || exit 1
DEFINE_string output "" \
"Where to write signed output to (default: sign in-place)"
-FLAGS_HELP="Usage: ${PROG} [options] <input_container> <key_dir>
+FLAGS_HELP="Usage: ${PROG} [options] <input_image> <key_dir>
-Signs <input_container> with keys in <key_dir>. Should have a config.json
-file in the OCI format.
+Signs <input_image> with keys in <key_dir>. Should have an imageloader.json
+file which imageloader can understand and will use to mount the squashfs
+image that provides the container's rootfs and OCI configuration.
-Input can be an unpacked container, or a CRX/ZIP file.
+Input can be an unpacked imageloader image, or a CRX/ZIP file.
"
# Parse command line.
@@ -25,7 +26,8 @@ eval set -- "${FLAGS_ARGV}"
# Abort on error.
set -e
-# Sign the directory holding OCI container(s). We look for manifest.json files.
+# Sign the directory holding OCI container(s). We look for an imageloader.json
+# file.
sign_oci_container() {
[[ $# -eq 3 ]] || die "Usage: sign_oci_container <input> <key> <output>"
local input="${1%/}"
@@ -36,19 +38,20 @@ sign_oci_container() {
rsync -a "${input}/" "${output}/"
fi
- local manifest out_manifest
- while read -d $'\0' -r manifest; do
- out_manifest="${output}/${manifest}.sig"
- manifest="${input}/${manifest}"
- info "Signing: ${manifest}"
- if ! openssl dgst -sha256 -sign "${key_file}" \
- -out "${out_manifest}" "${manifest}"; then
- die "Failed to sign"
- fi
- done < <(find "${input}/" -name manifest.json -printf '%P\0')
+ local out_manifest="${output}/imageloader.sig.2"
+ local manifest="${input}/imageloader.json"
+ if [[ ! -f "${manifest}" ]]; then
+ die "Could not find manifest"
+ fi
+ info "Signing: ${manifest}"
+ if ! openssl dgst -sha256 -sign "${key_file}" \
+ -out "${out_manifest}" "${manifest}"; then
+ die "Failed to sign"
+ fi
}
-# Sign the crx/zip holding OCI container(s). We look for manifest.json files.
+# Sign the crx/zip holding OCI container(s). We look for an imageloader.json
+# file.
sign_oci_container_zip() {
[[ $# -eq 3 ]] || die "Usage: sign_oci_container_zip <input> <key> <output>"
local input="$1"
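Review bot: The new existence check `[[ ! -f "${manifest}" ]]` in sign_oci_container follows symlinks, so an `imageloader.json` that is a symlink passes the test and `openssl dgst -sign` signs whatever it points to with `${key_file}`. The help text says the input may come from a CRX/ZIP, and the unpacking step is not visible here, so it is unclear whether the signer's input is guaranteed to contain only regular files; rejecting links in this function would make that independent of the caller. I would write the guard as `if [[ ! -f "${manifest}" || -L "${manifest}" ]]; then` and name the path in the failure, `die "Could not find regular manifest file: ${manifest}"`, so a signing log shows which file was expected. The function's opening lines, where `key_file` and `output` are set, lie outside this hunk.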