From 703e980a9a66f70b75d85427bd76a65a9794bc15 Mon Sep 17 00:00:00 2001
From: Mike Frysinger
Date: Thu, 8 Aug 2019 13:58:09 -0400
Subject: image_signing: clean up oci container key references
We never released this feature and we've dropped the logic from newer releases. Purge the signing logic of references to the key. We still need to delete the key in case we're signing an older release branch.
BUG=chromium:976916
TEST=signing image w/key deletes it, and signing image w/out key passes
BRANCH=None
Change-Id: I82b8a4dab5f68e01c54281afd4817eea3dd359ff
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1742692
Reviewed-by: LaMont Jones
Commit-Queue: Mike Frysinger
Tested-by: Mike Frysinger
---
 scripts/image_signing/sign_oci_container.sh | 97 ----------------------------
 scripts/image_signing/sign_official_build.sh | 15 +++++
 tests/devkeys/cros-oci-container-pub.pem | 4 --
 tests/devkeys/cros-oci-container.pem | 5 --
 4 files changed, 15 insertions(+), 106 deletions(-)
 delete mode 100755 scripts/image_signing/sign_oci_container.sh
 delete mode 100644 tests/devkeys/cros-oci-container-pub.pem
 delete mode 100644 tests/devkeys/cros-oci-container.pem
diff --git a/scripts/image_signing/sign_oci_container.sh b/scripts/image_signing/sign_oci_container.sh
deleted file mode 100755
index 793e5f80..00000000
--- a/scripts/image_signing/sign_oci_container.sh
+++ /dev/null
@@ -1,97 +0,0 @@
-#!/bin/bash
-# Copyright 2017 The Chromium OS Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-. "$(dirname "$0")/common.sh"
-
-load_shflags || exit 1
-
-DEFINE_string output "" \
- "Where to write signed output to (default: sign in-place)"
-
-FLAGS_HELP="Usage: ${PROG} [options]
-
-Signs with keys in . Should have an imageloader.json
-file which imageloader can understand and will use to mount the squashfs
-image that provides the container's rootfs and OCI configuration.
-
-Input can be an unpacked imageloader image, or a CRX/ZIP file.
-"
-
-# Parse command line.
-FLAGS "$@" || exit 1
-eval set -- "${FLAGS_ARGV}"
-
-# Abort on error.
-set -e
-
-# Sign the directory holding OCI container(s). We look for an imageloader.json
-# file.
-sign_oci_container() {
- [[ $# -eq 3 ]] || die "Usage: sign_oci_container "
- local input="${1%/}"
- local key_file="$2"
- local output="$3"
-
- if [[ "${input}" != "${output}" ]]; then
- rsync -a "${input}/" "${output}/"
- fi
-
- local manifest out_manifest
- while read -d $'\0' -r manifest; do
- out_manifest="${output}/${manifest%.json}.sig.2"
- manifest="${input}/${manifest}"
- info "Signing: ${manifest}"
- if ! openssl dgst -sha256 -sign "${key_file}" \
- -out "${out_manifest}" "${manifest}"; then
- die "Failed to sign"
- fi
- done < <(find "${input}/" -name imageloader.json -printf '%P\0')
-}
-
-# Sign the crx/zip holding OCI container(s). We look for an imageloader.json
-# file.
-sign_oci_container_zip() {
- [[ $# -eq 3 ]] || die "Usage: sign_oci_container_zip "
- local input="$1"
- local key_file="$2"
- local output="$3"
- local tempdir=$(make_temp_dir)
-
- info "Unpacking archive: ${input}"
- unzip -q "${input}" -d "${tempdir}"
-
- sign_oci_container "${tempdir}" "${key_file}" "${tempdir}"
-
- rm -f "${output}"
- info "Packing archive: ${output}"
- (
- cd "${tempdir}"
- zip -q -r - ./
- ) >"${output}"
-}
-
-main() {
- if [[ $# -ne 2 ]]; then
- flags_help
- exit 1
- fi
-
- local input="${1%/}"
- local key_dir="$2"
-
- local key_file="${key_dir}/cros-oci-container.pem"
- if [[ ! -e "${key_file}" ]]; then
- die "Missing key file: ${key_file}"
- fi
-
- : "${FLAGS_output:=${input}}"
-
- if [[ -f "${input}" ]]; then
- sign_oci_container_zip "${input}" "${key_file}" "${FLAGS_output}"
- else
- sign_oci_container "${input}" "${key_file}" "${FLAGS_output}"
- fi
-}
-main "$@"
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 59033c27..c87c4bb3 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -722,6 +722,20 @@ resign_firmware_payload() {
 info "Re-signed firmware AU payload in ${loopdev}"
 }
+# Remove old container key if it exists.
+# We can drop this logic once all devices that shipped R78 have gone EOL.
+# So probably in like 2025.
+remove_old_container_key() {
+ local loopdev="$1"
+
+ local rootfs_dir=$(make_temp_dir)
+ mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}"
+
+ sudo rm -f "${rootfs_dir}/usr/share/misc/oci-container-key-pub.der"
+
+ sudo umount "${rootfs_dir}"
+}
+
 # Re-sign Android image if exists.
 resign_android_image_if_exists() {
 local loopdev="$1"
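Review bot: In `remove_old_container_key`, `local rootfs_dir=$(make_temp_dir)` masks a failure of `make_temp_dir` behind the exit status of `local`, and with an empty `rootfs_dir` the following `sudo rm -f` would resolve to `/usr/share/misc/oci-container-key-pub.der` on the signing host, as root, instead of inside the image. Splitting it into `local rootfs_dir` and `rootfs_dir=$(make_temp_dir)`, and writing the path as `"${rootfs_dir:?}/usr/share/misc/oci-container-key-pub.der"`, removes that failure mode. The removal is also silent; since this step alters the rootfs of an image being signed, an `info` line when the file was actually present would leave an audit trail in the signer log. Error handling for the script as a whole is not visible in this hunk, so whether a failed mount or `rm` would skip `sudo umount` and leave partition 3 mounted should be checked.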
@@ -1010,6 +1024,7 @@ sign_image_file() {
 local loop_rootfs="${loopdev}p3"
 resign_firmware_payload "${loopdev}"
+ remove_old_container_key "${loopdev}"
 resign_android_image_if_exists "${loopdev}"
 sign_uefi_binaries "${loopdev}"
 # We do NOT strip /boot for factory installer, since some devices need it to
diff --git a/tests/devkeys/cros-oci-container-pub.pem b/tests/devkeys/cros-oci-container-pub.pem
deleted file mode 100644
index ac433a1d..00000000
--- a/tests/devkeys/cros-oci-container-pub.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzDOi7z2ltATFnJnBU+Tb7TSkdTVE
-X2c12jDUzvhAA4EVtcbj4jph02YrzULzHzCmo8FjR0puYqmbOEkQA+JLzA==
------END PUBLIC KEY-----
diff --git a/tests/devkeys/cros-oci-container.pem b/tests/devkeys/cros-oci-container.pem
deleted file mode 100644
index 1c6992c9..00000000
--- a/tests/devkeys/cros-oci-container.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEICVrXoiL33vHU0clsTBn/XenWILpkvSFkL+x/Uczzvb9oAoGCCqGSM49
-AwEHoUQDQgAEzDOi7z2ltATFnJnBU+Tb7TSkdTVEX2c12jDUzvhAA4EVtcbj4jph
-02YrzULzHzCmo8FjR0puYqmbOEkQA+JLzA==
------END EC PRIVATE KEY-----
-- cgit v1.2.1
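Review bot: The `remove_old_container_key "${loopdev}"` call added in `sign_image_file` writes to rootfs partition 3, so its position relative to whatever later step recomputes the rootfs hash matters, and nothing at the call site says so. The rest of `sign_image_file` lies outside this hunk, so the ordering cannot be confirmed from here. If the hash is regenerated further down, a comment such as `# Must run before the rootfs hash is recalculated; this modifies partition 3.` would keep a later reorder from producing an image that fails verification.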