diff options
author | Nick Sanders <nsanders@chromium.org> | 2018-07-13 12:34:30 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-07-20 05:31:35 -0700 |
commit | e2ff36430b3e915d2c9a76a1f85889cbe68d788b (patch) | |
tree | 028a4a0889ffafbd0178a4594876bedda9a76ec8 /scripts | |
parent | 2c75f7e143834bded8e49887edb3ca4610150d98 (diff) | |
download | vboot-e2ff36430b3e915d2c9a76a1f85889cbe68d788b.tar.gz |
signer: fix accessory_rwsig signingstabilize-10895.Bstabilize-10895.56.Brelease-R69-10895.B
Require that the container passed in is the one containing
the specified key, and no other key. So if only one key is
present it must be the specified key.
BUG=chromium:863464
TEST=run locally
BRANCH=None
Change-Id: Ieeca5773f35b7bf92beae8a2192ed6e6fd9008e6
Reviewed-on: https://chromium-review.googlesource.com/1136910
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Nick Sanders <nsanders@chromium.org>
Reviewed-by: Bob Moragues <moragues@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 0f9bd50c..813a0210 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -1148,12 +1148,18 @@ elif [[ "${TYPE}" == "accessory_usbpd" ]]; then cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" futility sign --type usbpd1 --pem "${KEY_NAME}.pem" "${OUTPUT_IMAGE}" elif [[ "${TYPE}" == "accessory_rwsig" ]]; then - KEY_NAME="${KEY_DIR}/key_$(basename $(dirname ${INPUT_IMAGE}))" + # If one key is present in this container, assume it's the right one. + # See crbug.com/863464 if [[ ! -e "${KEY_NAME}.vbprik2" ]]; then - KEY_NAME="${KEY_DIR}/key" + KEYS=( "${KEY_DIR}"/*.vbprik2 ) + if [[ ${#KEYS[@]} -eq 1 ]]; then + KEY_NAME="${KEYS[0]}" + else + die "Expected exactly one key present in keyset for accessory_rwsig" + fi fi cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" - futility sign --type rwsig --prikey "${KEY_NAME}.vbprik2" \ + futility sign --type rwsig --prikey "${KEY_NAME}" \ --version "${FIRMWARE_VERSION}" "${OUTPUT_IMAGE}" elif [[ "${TYPE}" == "oci-container" ]]; then sign_oci_container "${INPUT_IMAGE}" "${KEY_DIR}" "${OUTPUT_IMAGE}" |