diff options
| -rwxr-xr-x | scripts/image_signing/sign_oci_container.sh | 97 | ||||
| -rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 15 | ||||
| -rw-r--r-- | tests/devkeys/cros-oci-container-pub.pem | 4 | ||||
| -rw-r--r-- | tests/devkeys/cros-oci-container.pem | 5 |
4 files changed, 15 insertions, 106 deletions
diff --git a/scripts/image_signing/sign_oci_container.sh b/scripts/image_signing/sign_oci_container.sh deleted file mode 100755 index 793e5f80..00000000 --- a/scripts/image_signing/sign_oci_container.sh +++ /dev/null @@ -1,97 +0,0 @@ -#!/bin/bash -# Copyright 2017 The Chromium OS Authors. All rights reserved. -# Use of this source code is governed by a BSD-style license that can be -# found in the LICENSE file. - -. "$(dirname "$0")/common.sh" - -load_shflags || exit 1 - -DEFINE_string output "" \ - "Where to write signed output to (default: sign in-place)" - -FLAGS_HELP="Usage: ${PROG} [options] <input_image> <key_dir> - -Signs <input_image> with keys in <key_dir>. Should have an imageloader.json -file which imageloader can understand and will use to mount the squashfs -image that provides the container's rootfs and OCI configuration. - -Input can be an unpacked imageloader image, or a CRX/ZIP file. -" - -# Parse command line. -FLAGS "$@" || exit 1 -eval set -- "${FLAGS_ARGV}" - -# Abort on error. -set -e - -# Sign the directory holding OCI container(s). We look for an imageloader.json -# file. -sign_oci_container() { - [[ $# -eq 3 ]] || die "Usage: sign_oci_container <input> <key> <output>" - local input="${1%/}" - local key_file="$2" - local output="$3" - - if [[ "${input}" != "${output}" ]]; then - rsync -a "${input}/" "${output}/" - fi - - local manifest out_manifest - while read -d $'\0' -r manifest; do - out_manifest="${output}/${manifest%.json}.sig.2" - manifest="${input}/${manifest}" - info "Signing: ${manifest}" - if ! openssl dgst -sha256 -sign "${key_file}" \ - -out "${out_manifest}" "${manifest}"; then - die "Failed to sign" - fi - done < <(find "${input}/" -name imageloader.json -printf '%P\0') -} - -# Sign the crx/zip holding OCI container(s). We look for an imageloader.json -# file. -sign_oci_container_zip() { - [[ $# -eq 3 ]] || die "Usage: sign_oci_container_zip <input> <key> <output>" - local input="$1" - local key_file="$2" - local output="$3" - local tempdir=$(make_temp_dir) - - info "Unpacking archive: ${input}" - unzip -q "${input}" -d "${tempdir}" - - sign_oci_container "${tempdir}" "${key_file}" "${tempdir}" - - rm -f "${output}" - info "Packing archive: ${output}" - ( - cd "${tempdir}" - zip -q -r - ./ - ) >"${output}" -} - -main() { - if [[ $# -ne 2 ]]; then - flags_help - exit 1 - fi - - local input="${1%/}" - local key_dir="$2" - - local key_file="${key_dir}/cros-oci-container.pem" - if [[ ! -e "${key_file}" ]]; then - die "Missing key file: ${key_file}" - fi - - : "${FLAGS_output:=${input}}" - - if [[ -f "${input}" ]]; then - sign_oci_container_zip "${input}" "${key_file}" "${FLAGS_output}" - else - sign_oci_container "${input}" "${key_file}" "${FLAGS_output}" - fi -} -main "$@" diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 59033c27..c87c4bb3 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -722,6 +722,20 @@ resign_firmware_payload() { info "Re-signed firmware AU payload in ${loopdev}" } +# Remove old container key if it exists. +# We can drop this logic once all devices that shipped R78 have gone EOL. +# So probably in like 2025. +remove_old_container_key() { + local loopdev="$1" + + local rootfs_dir=$(make_temp_dir) + mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}" + + sudo rm -f "${rootfs_dir}/usr/share/misc/oci-container-key-pub.der" + + sudo umount "${rootfs_dir}" +} + # Re-sign Android image if exists. resign_android_image_if_exists() { local loopdev="$1" @@ -1010,6 +1024,7 @@ sign_image_file() { local loop_rootfs="${loopdev}p3" resign_firmware_payload "${loopdev}" + remove_old_container_key "${loopdev}" resign_android_image_if_exists "${loopdev}" sign_uefi_binaries "${loopdev}" # We do NOT strip /boot for factory installer, since some devices need it to diff --git a/tests/devkeys/cros-oci-container-pub.pem b/tests/devkeys/cros-oci-container-pub.pem deleted file mode 100644 index ac433a1d..00000000 --- a/tests/devkeys/cros-oci-container-pub.pem +++ /dev/null @@ -1,4 +0,0 @@ ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzDOi7z2ltATFnJnBU+Tb7TSkdTVE -X2c12jDUzvhAA4EVtcbj4jph02YrzULzHzCmo8FjR0puYqmbOEkQA+JLzA== ------END PUBLIC KEY----- diff --git a/tests/devkeys/cros-oci-container.pem b/tests/devkeys/cros-oci-container.pem deleted file mode 100644 index 1c6992c9..00000000 --- a/tests/devkeys/cros-oci-container.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEICVrXoiL33vHU0clsTBn/XenWILpkvSFkL+x/Uczzvb9oAoGCCqGSM49 -AwEHoUQDQgAEzDOi7z2ltATFnJnBU+Tb7TSkdTVEX2c12jDUzvhAA4EVtcbj4jph -02YrzULzHzCmo8FjR0puYqmbOEkQA+JLzA== ------END EC PRIVATE KEY----- |