From e2ff36430b3e915d2c9a76a1f85889cbe68d788b Mon Sep 17 00:00:00 2001
From: Nick Sanders
Date: Fri, 13 Jul 2018 12:34:30 -0700
Subject: signer: fix accessory_rwsig signing
Require that the container passed in is the one containing the specified key, and no other key. So if only one key is present it must be the specified key.
BUG=chromium:863464
TEST=run locally
BRANCH=None
Change-Id: Ieeca5773f35b7bf92beae8a2192ed6e6fd9008e6
Reviewed-on: https://chromium-review.googlesource.com/1136910
Commit-Ready: ChromeOS CL Exonerator Bot
Tested-by: Nick Sanders
Reviewed-by: Bob Moragues
Reviewed-by: Mike Frysinger
---
 scripts/image_signing/sign_official_build.sh | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 0f9bd50c..813a0210 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -1148,12 +1148,18 @@ elif [[ "${TYPE}" == "accessory_usbpd" ]]; then
 cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}"
 futility sign --type usbpd1 --pem "${KEY_NAME}.pem" "${OUTPUT_IMAGE}"
 elif [[ "${TYPE}" == "accessory_rwsig" ]]; then
- KEY_NAME="${KEY_DIR}/key_$(basename $(dirname ${INPUT_IMAGE}))"
+ # If one key is present in this container, assume it's the right one.
+ # See crbug.com/863464
 if [[ ! -e "${KEY_NAME}.vbprik2" ]]; then
- KEY_NAME="${KEY_DIR}/key"
+ KEYS=( "${KEY_DIR}"/*.vbprik2 )
+ if [[ ${#KEYS[@]} -eq 1 ]]; then
+ KEY_NAME="${KEYS[0]}"
+ else
+ die "Expected exactly one key present in keyset for accessory_rwsig"
+ fi
 fi
 cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}"
- futility sign --type rwsig --prikey "${KEY_NAME}.vbprik2" \
+ futility sign --type rwsig --prikey "${KEY_NAME}" \
 --version "${FIRMWARE_VERSION}" "${OUTPUT_IMAGE}"
 elif [[ "${TYPE}" == "oci-container" ]]; then
 sign_oci_container "${INPUT_IMAGE}" "${KEY_DIR}" "${OUTPUT_IMAGE}"
--
cgit v1.2.1
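Review bot: When `${KEY_NAME}.vbprik2` exists the fallback is skipped and `futility sign` now receives `--prikey "${KEY_NAME}"` without the suffix, while the fallback path stores the full `*.vbprik2` path in `KEY_NAME`, so the two paths disagree about what `KEY_NAME` holds. Keeping it suffix-free in both cases would fix that: `KEY_NAME="${KEYS[0]%.vbprik2}"` in the fallback and `--prikey "${KEY_NAME}.vbprik2"` in the call. The count check also passes when nothing matches, because unless `nullglob` is set elsewhere in the script the unmatched pattern stays in the array as one literal element; `if [[ ${#KEYS[@]} -eq 1 && -e "${KEYS[0]}" ]]; then` would send that case to `die` instead of handing futility a nonexistent key path. The hunk also drops the only visible assignment of `KEY_NAME` in this branch, so the initial `-e` test depends on a value set outside the hunk; for a signing step it is worth confirming where that value comes from.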