summaryrefslogtreecommitdiff
path: root/scripts
diff options
context:
space:
mode:
authorMike Frysinger <vapier@chromium.org>2019-08-08 13:58:09 -0400
committerCommit Bot <commit-bot@chromium.org>2019-08-09 18:29:18 +0000
commit703e980a9a66f70b75d85427bd76a65a9794bc15 (patch)
treefd950cd7494363bbfc61c0f6e56dc34cc3749e09 /scripts
parentae3a69817d117a9b50dc404f6e2ceda1e74f29d6 (diff)
downloadvboot-703e980a9a66f70b75d85427bd76a65a9794bc15.tar.gz
image_signing: clean up oci container key references
We never released this feature and we've dropped the logic from newer releases. Purge the signing logic of references to the key. We still need to delete the key in case we're signing an older release branch. BUG=chromium:976916 TEST=signing image w/key deletes it, and signing image w/out key passes BRANCH=None Change-Id: I82b8a4dab5f68e01c54281afd4817eea3dd359ff Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1742692 Reviewed-by: LaMont Jones <lamontjones@chromium.org> Commit-Queue: Mike Frysinger <vapier@chromium.org> Tested-by: Mike Frysinger <vapier@chromium.org>
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/image_signing/sign_oci_container.sh97
-rwxr-xr-xscripts/image_signing/sign_official_build.sh15
2 files changed, 15 insertions, 97 deletions
diff --git a/scripts/image_signing/sign_oci_container.sh b/scripts/image_signing/sign_oci_container.sh
deleted file mode 100755
index 793e5f80..00000000
--- a/scripts/image_signing/sign_oci_container.sh
+++ /dev/null
@@ -1,97 +0,0 @@
-#!/bin/bash
-# Copyright 2017 The Chromium OS Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-. "$(dirname "$0")/common.sh"
-
-load_shflags || exit 1
-
-DEFINE_string output "" \
- "Where to write signed output to (default: sign in-place)"
-
-FLAGS_HELP="Usage: ${PROG} [options] <input_image> <key_dir>
-
-Signs <input_image> with keys in <key_dir>. Should have an imageloader.json
-file which imageloader can understand and will use to mount the squashfs
-image that provides the container's rootfs and OCI configuration.
-
-Input can be an unpacked imageloader image, or a CRX/ZIP file.
-"
-
-# Parse command line.
-FLAGS "$@" || exit 1
-eval set -- "${FLAGS_ARGV}"
-
-# Abort on error.
-set -e
-
-# Sign the directory holding OCI container(s). We look for an imageloader.json
-# file.
-sign_oci_container() {
- [[ $# -eq 3 ]] || die "Usage: sign_oci_container <input> <key> <output>"
- local input="${1%/}"
- local key_file="$2"
- local output="$3"
-
- if [[ "${input}" != "${output}" ]]; then
- rsync -a "${input}/" "${output}/"
- fi
-
- local manifest out_manifest
- while read -d $'\0' -r manifest; do
- out_manifest="${output}/${manifest%.json}.sig.2"
- manifest="${input}/${manifest}"
- info "Signing: ${manifest}"
- if ! openssl dgst -sha256 -sign "${key_file}" \
- -out "${out_manifest}" "${manifest}"; then
- die "Failed to sign"
- fi
- done < <(find "${input}/" -name imageloader.json -printf '%P\0')
-}
-
-# Sign the crx/zip holding OCI container(s). We look for an imageloader.json
-# file.
-sign_oci_container_zip() {
- [[ $# -eq 3 ]] || die "Usage: sign_oci_container_zip <input> <key> <output>"
- local input="$1"
- local key_file="$2"
- local output="$3"
- local tempdir=$(make_temp_dir)
-
- info "Unpacking archive: ${input}"
- unzip -q "${input}" -d "${tempdir}"
-
- sign_oci_container "${tempdir}" "${key_file}" "${tempdir}"
-
- rm -f "${output}"
- info "Packing archive: ${output}"
- (
- cd "${tempdir}"
- zip -q -r - ./
- ) >"${output}"
-}
-
-main() {
- if [[ $# -ne 2 ]]; then
- flags_help
- exit 1
- fi
-
- local input="${1%/}"
- local key_dir="$2"
-
- local key_file="${key_dir}/cros-oci-container.pem"
- if [[ ! -e "${key_file}" ]]; then
- die "Missing key file: ${key_file}"
- fi
-
- : "${FLAGS_output:=${input}}"
-
- if [[ -f "${input}" ]]; then
- sign_oci_container_zip "${input}" "${key_file}" "${FLAGS_output}"
- else
- sign_oci_container "${input}" "${key_file}" "${FLAGS_output}"
- fi
-}
-main "$@"
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 59033c27..c87c4bb3 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -722,6 +722,20 @@ resign_firmware_payload() {
info "Re-signed firmware AU payload in ${loopdev}"
}
+# Remove old container key if it exists.
+# We can drop this logic once all devices that shipped R78 have gone EOL.
+# So probably in like 2025.
+remove_old_container_key() {
+ local loopdev="$1"
+
+ local rootfs_dir=$(make_temp_dir)
+ mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}"
+
+ sudo rm -f "${rootfs_dir}/usr/share/misc/oci-container-key-pub.der"
+
+ sudo umount "${rootfs_dir}"
+}
+
# Re-sign Android image if exists.
resign_android_image_if_exists() {
local loopdev="$1"
@@ -1010,6 +1024,7 @@ sign_image_file() {
local loop_rootfs="${loopdev}p3"
resign_firmware_payload "${loopdev}"
+ remove_old_container_key "${loopdev}"
resign_android_image_if_exists "${loopdev}"
sign_uefi_binaries "${loopdev}"
# We do NOT strip /boot for factory installer, since some devices need it to