From e0b3841863281a3fc3b188bfbab55d401fabdc73 Mon Sep 17 00:00:00 2001 From: Marco Chen Date: Mon, 15 Jan 2018 13:05:59 +0800 Subject: image_signing: Add sha1sum of keys in keyset to VERSION.signer. To record sha1sum of keys in keyset can help loem or unibuild projects to verify 1. whether rekey process is performed correctly during the factory build. 2. whether HWID database is updated correctly. BUG=chromium:763328 TEST=1) modify loem.ini to match what coral is. 2) ~/trunk/src/platform/vboot_reference/scripts/image_signing/sign_official_build.sh recovery ./chromeos_10308.0.0_coral_recovery_dev-channel_mp-v4.bin ./src/platform/vboot_reference/tests/loemkeys ./output.bin 3) verify output file - VERSION.signer. BRANCH=none Change-Id: I80deadb04d9dc0eb66fc5ac45dce84e6f41f1a16 Signed-off-by: Marco Chen Reviewed-on: https://chromium-review.googlesource.com/866522 Reviewed-by: Simon Glass
---
 scripts/image_signing/sign_official_build.sh | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index bba33e23..1bee36df 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -10,6 +10,7 @@
 #
 # futility (from src/platform/vboot_reference)
 # vbutil_kernel (from src/platform/vboot_reference)
+# vbutil_key (from src/platform/vboot_reference)
 # cgpt (from src/platform/vboot_reference)
 # dump_kernel_config (from src/platform/vboot_reference)
 # verity (from src/platform/verity)
@@ -724,6 +725,14 @@ resign_firmware_payload() {
 local signer_notes="${shellball_dir}/VERSION.signer"
 echo "" >"$signer_notes"
 echo "Signed with keyset in $(readlink -f "${KEY_DIR}") ." >>"${signer_notes}"
+ if [[ -d "${shellball_keyset_dir}" ]]; then
+ echo "List sha1sum of all loem/model's signatures:" >>"${signer_notes}"
+ for key in "${shellball_keyset_dir}"/rootkey.*; do
+ model="${key##*.}"
+ sha1=$(vbutil_key --unpack "${key}" | grep sha1sum | cut -d" " -f9)
+ echo " ${model}: ${sha1}" >>"${signer_notes}"
+ done
+ fi
 new_shellball=$(make_temp_file)
 cp -f "${firmware_bundle}" "${new_shellball}"
-- cgit v1.2.1
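Review bot: The `sha1=$(vbutil_key --unpack "${key}" | grep sha1sum | cut -d" " -f9)` line can write an empty hash into VERSION.signer without any error, because the pipeline's status is that of `cut` and the field index depends on the exact number of spaces vbutil_key prints. Since this file is meant to confirm that rekeying used the right keys, a blank or shifted value should stop the run rather than be recorded; I would check `[[ -n "${sha1}" ]]` after the assignment and fail the signing step when it is empty, and pick the field by content rather than position (for example `awk '/sha1sum/ {print $NF}'`, assuming the hash is the last field on that line). The loop also runs once with the literal pattern when the directory holds no `rootkey.*` file, so `[[ -e "${key}" ]] || continue` at the top of the loop body would help. `key`, `model` and `sha1` are not declared `local` in the visible lines; the function starts and ends outside the hunk, so they may be declared earlier.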