authorDaichi Hirono <hirono@google.com>2022-05-20 11:13:37 +0900
committerChromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>2022-05-27 17:17:21 +0000
commitfb0ddbbdf6018d9305248eb3138cb3cfcd532b31 (patch)
treea44cc7d6bb73c75ec14e43c9ec01924f8dd9eb1a /scripts
parent6dba972b6ab1246864d3af0eaa3effcda29407d1 (diff)
downloadvboot-fb0ddbbdf6018d9305248eb3138cb3cfcd532b31.tar.gz
signer: Reland "Check the list of android image files"
Previous change I5e8b4d848f30f53fae58c721c9b7ddcfbfea9852 was reverted because the check did not pass if the signing process adds new files to the image. The new check alerts only when we miss files in the original image. BUG=b:230434967 BRANCH=None TEST=Run ./sign_official_build.sh locally Signed-off-by: Daichi Hirono <hirono@chromium.org> Change-Id: If8e9eeb9568fefcde92d737b356fa84b865b05c9 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3653721 Commit-Queue: Shao-Chuan Lee <shaochuan@chromium.org> Tested-by: Daichi Hirono <hirono@chromium.org> Commit-Queue: Daichi Hirono <hirono@chromium.org> Auto-Submit: Daichi Hirono <hirono@chromium.org> Reviewed-by: Shao-Chuan Lee <shaochuan@chromium.org>
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/image_signing/sign_android_image.sh19
1 files changed, 19 insertions, 0 deletions
diff --git a/scripts/image_signing/sign_android_image.sh b/scripts/image_signing/sign_android_image.sh
index 5af1aa69..93977479 100755
--- a/scripts/image_signing/sign_android_image.sh
+++ b/scripts/image_signing/sign_android_image.sh
@@ -265,6 +265,12 @@ image_content_integrity_check() {
return 0
}
+list_image_files() {
+ local unsquashfs=$1
+ local system_img=$2
+ "${unsquashfs}" -l "${system_img}" | grep ^squashfs-root
+}
+
sign_android_internal() {
local root_fs_dir=$1
local key_dir=$2
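Review bot: `list_image_files` returns the exit status of `grep`, so a failing `"${unsquashfs}" -l` goes unnoticed unless the script enables `pipefail`, which is not visible in this hunk, and the function would then write an empty or truncated list. That matters most for the baseline in `image_file_list.orig`: the later comparison only reports lines of `.orig` that are absent from `.new`, so an empty baseline makes the check pass without comparing anything. A guard after the first call would close that gap, for example `[[ -s "${working_dir}/image_file_list.orig" ]] || die "Empty file list for ${system_img}"`. A header comment would also help, stating that the function prints one `squashfs-root/...` path per line and that only path names are compared, not modes or contents. Quoting the pattern as `grep '^squashfs-root'` is the safer style.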
@@ -332,6 +338,8 @@ sign_android_internal() {
local system_mnt="${working_dir}/mnt"
info "Unpacking squashfs system image to ${system_mnt}"
+ list_image_files "${unsquashfs}" "${system_img}" > \
+ "${working_dir}/image_file_list.orig"
sudo "${unsquashfs}" -no-xattrs -f -no-progress -d "${system_mnt}" "${system_img}"
snapshot_file_properties "${system_mnt}" > "${working_dir}/properties.orig"
@@ -408,6 +416,17 @@ sign_android_internal() {
-no-progress
local new_size=$(stat -c '%s' "${system_img}")
info "Android system image size change: ${old_size} -> ${new_size}"
+
+ list_image_files "${unsquashfs}" "${system_img}" > \
+ "${working_dir}/image_file_list.new"
+ if d=$(grep -v -F -x -f "${working_dir}"/image_file_list.{new,orig}); then
+ # If we have a line in image_file_list.orig which does not appear in
+ # image_file_list.new, it means some files are removed during signing
+ # process. Here we have already deleted the original Android image so
+ # cannot retry.
+ die "Unexpected change of file list\n${d}"
+ fi
+
return 0
}
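Review bot: The `if d=$(grep ...)` test treats every non-zero status from `grep` as "no files missing", including status 2 when `grep` itself fails, for instance when one of the list files cannot be read. The check therefore fails open on error and `sign_android_internal` (which begins outside this hunk) goes on to `return 0`. Accepting only status 1 as the clean result avoids that: `local d rc=0`, then `d=$(grep -v -F -x -f "${working_dir}"/image_file_list.{new,orig}) || rc=$?`, then `(( rc == 1 )) || die "Unexpected change of file list (grep status ${rc})\n${d}"`. The `local d` in that version also fixes a second problem, which is that `d` is currently assigned without `local` and leaks into the caller's scope. Whether the `\n` in the `die` message is printed as a newline depends on how `die` formats its argument, which is not visible here.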