diff options
Diffstat (limited to 'scripts')
| -rwxr-xr-x | scripts/image_signing/insert_container_publickey.sh | 49 | ||||
| -rwxr-xr-x | scripts/image_signing/sign_oci_container.sh | 94 | ||||
| -rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 14 |
3 files changed, 157 insertions, 0 deletions
diff --git a/scripts/image_signing/insert_container_publickey.sh b/scripts/image_signing/insert_container_publickey.sh new file mode 100755 index 00000000..8724e051 --- /dev/null +++ b/scripts/image_signing/insert_container_publickey.sh @@ -0,0 +1,49 @@ +#!/bin/bash +# Copyright 2017 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +# Load common constants and variables. +. "$(dirname "$0")/common.sh" + +load_shflags || exit 1 + +FLAGS_HELP="Usage: ${PROG} <image.bin|rootfs_dir> <public_key.pem> + +Installs the container verification public key <public_key.pem> to +<image.bin|rootfs_dir>. +" + +# Parse command line. +FLAGS "$@" || exit 1 +eval set -- "${FLAGS_ARGV}" + +# Abort on error. +set -e + +main() { + if [[ $# -ne 2 ]]; then + flags_help + exit 1 + fi + + local image="$1" + local pub_key="$2" + local rootfs + local key_location="/usr/share/misc/" + + if [[ -d "${image}" ]]; then + rootfs="${image}" + else + rootfs=$(make_temp_dir) + mount_image_partition "${image}" 3 "${rootfs}" + fi + + sudo install \ + -D -o root -g root -m 644 \ + "${pub_key}" "${rootfs}/${key_location}/oci-container-key-pub.pem" + info "Container verification key was installed." \ + "Do not forget to resign the image!" +} + +main "$@" diff --git a/scripts/image_signing/sign_oci_container.sh b/scripts/image_signing/sign_oci_container.sh new file mode 100755 index 00000000..df3eb0fa --- /dev/null +++ b/scripts/image_signing/sign_oci_container.sh @@ -0,0 +1,94 @@ +#!/bin/bash +# Copyright 2017 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +. "$(dirname "$0")/common.sh" + +load_shflags || exit 1 + +DEFINE_string output "" \ + "Where to write signed output to (default: sign in-place)" + +FLAGS_HELP="Usage: ${PROG} [options] <input_container> <key_dir> + +Signs <input_container> with keys in <key_dir>. Should have a config.json +file in the OCI format. + +Input can be an unpacked container, or a CRX/ZIP file. +" + +# Parse command line. +FLAGS "$@" || exit 1 +eval set -- "${FLAGS_ARGV}" + +# Abort on error. +set -e + +# Sign the directory holding OCI container(s). We look for manifest.json files. +sign_oci_container() { + [[ $# -eq 3 ]] || die "Usage: sign_oci_container <input> <key> <output>" + local input="${1%/}" + local key_file="$2" + local output="$3" + + if [[ "${input}" != "${output}" ]]; then + rsync -a "${input}/" "${output}/" + fi + + local manifest out_manifest + while read -d $'\0' -r manifest; do + out_manifest="${output}/${manifest}.sig" + manifest="${input}/${manifest}" + info "Signing: ${manifest}" + if ! openssl dgst -sha256 -sign "${key_file}" \ + -out "${out_manifest}" "${manifest}"; then + die "Failed to sign" + fi + done < <(find "${input}/" -name manifest.json -printf '%P\0') +} + +# Sign the crx/zip holding OCI container(s). We look for manifest.json files. +sign_oci_container_zip() { + [[ $# -eq 3 ]] || die "Usage: sign_oci_container_zip <input> <key> <output>" + local input="$1" + local key_file="$2" + local output="$3" + local tempdir=$(make_temp_dir) + + info "Unpacking archive: ${input}" + unzip -q "${input}" -d "${tempdir}" + + sign_oci_container "${tempdir}" "${key_file}" "${tempdir}" + + rm -f "${output}" + info "Packing archive: ${output}" + ( + cd "${tempdir}" + zip -q -r - ./ + ) >"${output}" +} + +main() { + if [[ $# -ne 2 ]]; then + flags_help + exit 1 + fi + + local input="${1%/}" + local key_dir="$2" + + local key_file="${key_dir}/cros-oci-container.pem" + if [[ ! -e "${key_file}" ]]; then + die "Missing key file: ${key_file}" + fi + + : "${FLAGS_output:=${input}}" + + if [[ -f "${input}" ]]; then + sign_oci_container_zip "${input}" "${key_file}" "${FLAGS_output}" + else + sign_oci_container "${input}" "${key_file}" "${FLAGS_output}" + fi +} +main "$@" diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 5d691958..80774731 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -39,6 +39,7 @@ where <type> is one of: nv_lp0_firmware (sign nvidia lp0 firmware) accessory_usbpd (sign USB-PD accessory firmware) accessory_rwsig (sign accessory RW firmware) + oci-container (sign an OCI container) output_image: File name of the signed output image version_file: File name of where to read the kernel and firmware versions. @@ -612,6 +613,17 @@ resign_android_image_if_exists() { echo "Re-signed Android image" } +# Sign an oci container with the given keys. +# Args: CONTAINER KEY_DIR [OUTPUT_CONTAINER] +sign_oci_container() { + local image=$1 + local key_dir=$2 + local output=$3 + + "${SCRIPT_DIR}/sign_oci_container.sh" \ + "${image}" "${key_dir}" --output "${output}" +} + # Verify an image including rootfs hash using the specified keys. verify_image() { local rootfs_image=$(make_temp_file) @@ -924,6 +936,8 @@ elif [[ "${TYPE}" == "accessory_rwsig" ]]; then fi cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" futility sign --type rwsig --prikey "${KEY_NAME}.vbprik2" "${OUTPUT_IMAGE}" +elif [[ "${TYPE}" == "oci-container" ]]; then + sign_oci_container "${INPUT_IMAGE}" "${KEY_DIR}" "${OUTPUT_IMAGE}" else echo "Invalid type ${TYPE}" exit 1 |