author | Eric Caruso <ejcaruso@chromium.org> | 2017-03-17 14:56:31 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2017-04-26 16:19:51 -0700 |
commit | 1919b169bfb6739db8b31509fd0d6c22427bdadf (patch) | |
tree | 1ffd2b825c15e3abce0b08d1c068232d842fdefa | |
parent | 510e7a2b0373b61237ed3a8ec7b6788828e5deba (diff) | |
download | vboot-1919b169bfb6739db8b31509fd0d6c22427bdadf.tar.gz |
image_signing: change files sign_oci_container looks for stabilize-9517.B firmware-rowan-9516.B
Since we're packing containers in a format imageloader understands,
we need to consume imageloader's manifest and produce a signature
it knows to look for.
BRANCH=ToT
BUG=chromium:697645
TEST=package adb container, verify imageloader.sig.2 is present
Change-Id: Ied9cdacf1d448a094c1b171bc2bf3b2ae54eb517
Reviewed-on: https://chromium-review.googlesource.com/457102
Commit-Ready: Eric Caruso <ejcaruso@chromium.org>
Tested-by: Eric Caruso <ejcaruso@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
-rwxr-xr-x | scripts/image_signing/sign_oci_container.sh | 35 |
1 files changed, 19 insertions, 16 deletions
diff --git a/scripts/image_signing/sign_oci_container.sh b/scripts/image_signing/sign_oci_container.sh
index df3eb0fa..14ca3af8 100755
--- a/scripts/image_signing/sign_oci_container.sh
+++ b/scripts/image_signing/sign_oci_container.sh
@@ -10,12 +10,13 @@ load_shflags || exit 1
 DEFINE_string output "" \
 "Where to write signed output to (default: sign in-place)"
-FLAGS_HELP="Usage: ${PROG} [options] <input_container> <key_dir>
+FLAGS_HELP="Usage: ${PROG} [options] <input_image> <key_dir>
-Signs <input_container> with keys in <key_dir>. Should have a config.json
-file in the OCI format.
+Signs <input_image> with keys in <key_dir>. Should have an imageloader.json
+file which imageloader can understand and will use to mount the squashfs
+image that provides the container's rootfs and OCI configuration.
-Input can be an unpacked container, or a CRX/ZIP file.
+Input can be an unpacked imageloader image, or a CRX/ZIP file.
 "
 # Parse command line.
@@ -25,7 +26,8 @@ eval set -- "${FLAGS_ARGV}"
 # Abort on error.
 set -e
-# Sign the directory holding OCI container(s). We look for manifest.json files.
+# Sign the directory holding OCI container(s). We look for an imageloader.json
+# file.
 sign_oci_container() {
 [[ $# -eq 3 ]] || die "Usage: sign_oci_container <input> <key> <output>"
 local input="${1%/}"
@@ -36,19 +38,20 @@ sign_oci_container() {
 rsync -a "${input}/" "${output}/"
 fi
- local manifest out_manifest
- while read -d $'\0' -r manifest; do
- out_manifest="${output}/${manifest}.sig"
- manifest="${input}/${manifest}"
- info "Signing: ${manifest}"
- if ! openssl dgst -sha256 -sign "${key_file}" \
- -out "${out_manifest}" "${manifest}"; then
- die "Failed to sign"
- fi
- done < <(find "${input}/" -name manifest.json -printf '%P\0')
+ local out_manifest="${output}/imageloader.sig.2"
+ local manifest="${input}/imageloader.json"
+ if [[ ! -f "${manifest}" ]]; then
+ die "Could not find manifest"
+ fi
+ info "Signing: ${manifest}"
+ if ! openssl dgst -sha256 -sign "${key_file}" \
+ -out "${out_manifest}" "${manifest}"; then
+ die "Failed to sign"
+ fi
 }
-# Sign the crx/zip holding OCI container(s). We look for manifest.json files.
+# Sign the crx/zip holding OCI container(s). We look for an imageloader.json
+# file.
 sign_oci_container_zip() {
 [[ $# -eq 3 ]] || die "Usage: sign_oci_container_zip <input> <key> <output>"
 local input="$1" |
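Review bot: The `[[ ! -f "${manifest}" ]]` check in sign_oci_container follows symlinks, so if the unpacked input (the help text allows a CRX/ZIP) can contain a symlinked `imageloader.json`, the signer would sign whatever file it points to rather than a file inside the package. Rejecting that case explicitly is cheap, `if [[ ! -f "${manifest}" || -L "${manifest}" ]]; then`, and the failure is easier to triage with the path in it, `die "Could not find manifest: ${manifest}"`. Because the preceding `rsync -a` copies the whole input tree, signature files already present in the input (for example ones left from the old `manifest.json.sig` scheme) appear to reach the output untouched; only `imageloader.sig.2` is rewritten. The function starts above this hunk, so how `key_file` and `output` are set is not visible here.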