image_signing: clean up oci container key references

We never released this feature and we've dropped the logic from newer
releases.  Purge the signing logic of references to the key.  We still
need to delete the key in case we're signing an older release branch.

BUG=chromium:976916
TEST=signing image w/key deletes it, and signing image w/out key passes
BRANCH=None

Change-Id: I82b8a4dab5f68e01c54281afd4817eea3dd359ff
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1742692
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>

4 files changed, 15 insertions, 106 deletions

diff --git a/scripts/image_signing/sign_oci_container.sh b/scripts/image_signing/sign_oci_container.sh
deleted file mode 100755
index 793e5f80..00000000
--- a/scripts/image_signing/sign_oci_container.sh
+++ /dev/null
@@ -1,97 +0,0 @@
-#!/bin/bash
-# Copyright 2017 The Chromium OS Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-. "$(dirname "$0")/common.sh"
-
-load_shflags || exit 1
-
-DEFINE_string output "" \
-  "Where to write signed output to (default: sign in-place)"
-
-FLAGS_HELP="Usage: ${PROG} [options] <input_image> <key_dir>
-
-Signs <input_image> with keys in <key_dir>. Should have an imageloader.json
-file which imageloader can understand and will use to mount the squashfs
-image that provides the container's rootfs and OCI configuration.
-
-Input can be an unpacked imageloader image, or a CRX/ZIP file.
-"
-
-# Parse command line.
-FLAGS "$@" || exit 1
-eval set -- "${FLAGS_ARGV}"
-
-# Abort on error.
-set -e
-
-# Sign the directory holding OCI container(s).  We look for an imageloader.json
-# file.
-sign_oci_container() {
-  [[ $# -eq 3 ]] || die "Usage: sign_oci_container <input> <key> <output>"
-  local input="${1%/}"
-  local key_file="$2"
-  local output="$3"
-
-  if [[ "${input}" != "${output}" ]]; then
-    rsync -a "${input}/" "${output}/"
-  fi
-
-  local manifest out_manifest
-  while read -d $'\0' -r manifest; do
-    out_manifest="${output}/${manifest%.json}.sig.2"
-    manifest="${input}/${manifest}"
-    info "Signing: ${manifest}"
-    if ! openssl dgst -sha256 -sign "${key_file}" \
-                      -out "${out_manifest}" "${manifest}"; then
-      die "Failed to sign"
-    fi
-  done < <(find "${input}/" -name imageloader.json -printf '%P\0')
-}
-
-# Sign the crx/zip holding OCI container(s).  We look for an imageloader.json
-# file.
-sign_oci_container_zip() {
-  [[ $# -eq 3 ]] || die "Usage: sign_oci_container_zip <input> <key> <output>"
-  local input="$1"
-  local key_file="$2"
-  local output="$3"
-  local tempdir=$(make_temp_dir)
-
-  info "Unpacking archive: ${input}"
-  unzip -q "${input}" -d "${tempdir}"
-
-  sign_oci_container "${tempdir}" "${key_file}" "${tempdir}"
-
-  rm -f "${output}"
-  info "Packing archive: ${output}"
-  (
-    cd "${tempdir}"
-    zip -q -r - ./
-  ) >"${output}"
-}
-
-main() {
-  if [[ $# -ne 2 ]]; then
-    flags_help
-    exit 1
-  fi
-
-  local input="${1%/}"
-  local key_dir="$2"
-
-  local key_file="${key_dir}/cros-oci-container.pem"
-  if [[ ! -e "${key_file}" ]]; then
-    die "Missing key file: ${key_file}"
-  fi
-
-  : "${FLAGS_output:=${input}}"
-
-  if [[ -f "${input}" ]]; then
-    sign_oci_container_zip "${input}" "${key_file}" "${FLAGS_output}"
-  else
-    sign_oci_container "${input}" "${key_file}" "${FLAGS_output}"
-  fi
-}
-main "$@"
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 59033c27..c87c4bb3 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -722,6 +722,20 @@ resign_firmware_payload() {
   info "Re-signed firmware AU payload in ${loopdev}"
 }
 
+# Remove old container key if it exists.
+# We can drop this logic once all devices that shipped R78 have gone EOL.
+# So probably in like 2025.
+remove_old_container_key() {
+  local loopdev="$1"
+
+  local rootfs_dir=$(make_temp_dir)
+  mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}"
+
+  sudo rm -f "${rootfs_dir}/usr/share/misc/oci-container-key-pub.der"
+
+  sudo umount "${rootfs_dir}"
+}
+
 # Re-sign Android image if exists.
 resign_android_image_if_exists() {
   local loopdev="$1"
@@ -1010,6 +1024,7 @@ sign_image_file() {
   local loop_rootfs="${loopdev}p3"
 
   resign_firmware_payload "${loopdev}"
+  remove_old_container_key "${loopdev}"
   resign_android_image_if_exists "${loopdev}"
   sign_uefi_binaries "${loopdev}"
   # We do NOT strip /boot for factory installer, since some devices need it to
diff --git a/tests/devkeys/cros-oci-container-pub.pem b/tests/devkeys/cros-oci-container-pub.pem
deleted file mode 100644
index ac433a1d..00000000
--- a/tests/devkeys/cros-oci-container-pub.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzDOi7z2ltATFnJnBU+Tb7TSkdTVE
-X2c12jDUzvhAA4EVtcbj4jph02YrzULzHzCmo8FjR0puYqmbOEkQA+JLzA==
------END PUBLIC KEY-----
diff --git a/tests/devkeys/cros-oci-container.pem b/tests/devkeys/cros-oci-container.pem
deleted file mode 100644
index 1c6992c9..00000000
--- a/tests/devkeys/cros-oci-container.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEICVrXoiL33vHU0clsTBn/XenWILpkvSFkL+x/Uczzvb9oAoGCCqGSM49
-AwEHoUQDQgAEzDOi7z2ltATFnJnBU+Tb7TSkdTVEX2c12jDUzvhAA4EVtcbj4jph
-02YrzULzHzCmo8FjR0puYqmbOEkQA+JLzA==
------END EC PRIVATE KEY-----