author | Andrey V.Kosteltsev <AKosteltsev@IBS.RU> | 2022-08-06 23:52:07 +0300 |
---|---|---|
committer | Andrey V.Kosteltsev <AKosteltsev@IBS.RU> | 2022-08-06 23:52:07 +0300 |
commit | b3bc57222f6a5cf0817e30abd1f3d717a63509a4 (patch) | |
tree | 2f4e79b0ab38cdc8f5550a864481dc387350b366 /BIOS | |
parent | 08192b751ca1320b3827cf63080ae12c15d96df4 (diff) | |
download | sila-service-b3bc57222f6a5cf0817e30abd1f3d717a63509a4.tar.xz |
Do not sort signature files for image-full.sig
Diffstat (limited to 'BIOS')
-rwxr-xr-x | BIOS/gen-bios-tarball | 71 |
1 files changed, 36 insertions, 35 deletions
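--- a/BIOS/gen-bios-tarball
+++ b/BIOS/gen-bios-tarball
@@ -48,18 +48,34 @@ cM5FN5UeMcwz+yjfHAsePMkcmMaU7jUCQHlg9+N8upXuIo7Dqj2zOU7nMmkgvSNE
 6ATvfP1Vrx4CbP11eKXbCsZ9OGPHSgyvVjn68oY5ZP3uPsIattoN7dE2BRfuJm7m
 F0nIdUAhR0yTfKM=
 -----END PRIVATE KEY-----
-
 '
 do_sign=true
 PRIVATE_KEY_PATH=${PRIVATE_KEY_PATH:-}
-private_key_path="${PRIVATE_KEY_PATH}"
+SIGNING_KEY="${PRIVATE_KEY_PATH}"
 outfile=""
 machine=""
 version=""
 extended_version=""
 image_name="image-hostfw"
+make_signatures() {
+  signature_files=""
+  for file in "$@"; do
+    openssl dgst -sha256 -sign ${SIGNING_KEY} -out "${file}.sig" $file
+    signature_files="${signature_files} ${file}.sig"
+  done
+
+  if [ -n "$signature_files" ]; then
+    # DO NOT SORT: sort_signature_files=`echo "$signature_files" | tr ' ' '\n' | sort | tr '\n' ' '`
+    sort_signature_files="$signature_files"
+    cat $sort_signature_files > image-full
+    openssl dgst -sha256 -sign ${SIGNING_KEY} -out image-full.sig image-full
+    signature_files="${signature_files} image-full.sig"
+  fi
+}
+
+
 while [[ $# -gt 0 ]]; do
   key="$1"
   case $key in
@@ -70,7 +86,7 @@ while [[ $# -gt 0 ]]; do
     -s|--sign)
       do_sign=true
       if [[ -n "${2}" && "${2}" != -* ]]; then
-        private_key_path="$2"
+        SIGNING_KEY="$2"
         shift 2
       else
         shift 1
@@ -134,64 +150,49 @@ scratch_dir=$(mktemp -d)
 trap '{ rm -r --interactive=never ${scratch_dir}; }' EXIT
 if [[ "${do_sign}" == true ]]; then
-  if [[ -z "${private_key_path}" ]]; then
-    private_key_path=${scratch_dir}/OpenBMC.priv
-    echo "${private_key}" > "${private_key_path}"
+  if [[ -z "${SIGNING_KEY}" ]]; then
+    SIGNING_KEY=${scratch_dir}/OpenBMC.priv
+    echo "${private_key}" > "${SIGNING_KEY}"
     echo "Image is NOT secure!! Signing with the open private key!"
   else
-    if [[ ! -f "${private_key_path}" ]]; then
-      echo "Couldn't find private key ${private_key_path}."
+    if [[ ! -f "${SIGNING_KEY}" ]]; then
+      echo "Couldn't find private key ${SIGNING_KEY}."
       exit 1
     fi
-    echo "Signing with ${private_key_path}."
+    echo "Signing with ${SIGNING_KEY}."
   fi
   public_key_file=publickey
   public_key_path=${scratch_dir}/$public_key_file
-  openssl pkey -in "${private_key_path}" -pubout -out "${public_key_path}"
+  openssl pkey -in "${SIGNING_KEY}" -pubout -out "${public_key_path}"
 fi
 manifest_location="MANIFEST"
-files_to_sign="$manifest_location $public_key_file"
 # Go to scratch_dir
 cp "${file}" "${scratch_dir}/${image_name}"
 cd "${scratch_dir}"
-files_to_sign+=" ${image_name}"
 echo "Creating MANIFEST for the image"
 echo -e "purpose=xyz.openbmc_project.Software.Version.VersionPurpose.Host\n\
-version=$version" > $manifest_location
+version=${version}" > ${manifest_location}
-echo "ExtendedVersion=${extended_version}" >> $manifest_location
-echo "CompatibleName=${image_name}" >> $manifest_location
+echo "ExtendedVersion=${extended_version}" >> ${manifest_location}
+echo "CompatibleName=${image_name}" >> ${manifest_location}
 if [[ -n "${machine}" ]]; then
-  echo -e "MachineName=${machine}" >> $manifest_location
+  echo -e "MachineName=${machine}" >> ${manifest_location}
 fi
 if [[ "${do_sign}" == true ]]; then
-  signature_files=
-  private_key_name=$(basename "${private_key_path}")
+  private_key_name=$(basename "${SIGNING_KEY}")
   key_type="${private_key_name%.*}"
-  echo KeyType="${key_type}" >> $manifest_location
-  echo HashType="RSA-SHA256" >> $manifest_location
-
-  for file in $files_to_sign; do
-    openssl dgst -sha256 -sign "${private_key_path}" -out "${file}.sig" "$file"
-    signature_files="${signature_files} ${file}.sig"
-  done
-
-  if [ -n "$signature_files" ]; then
-    sort_signature_files=`echo "$signature_files" | tr ' ' '\n' | sort | tr '\n' ' '`
-    cat $sort_signature_files > image-full
-    openssl dgst -sha256 -sign ${private_key_path} -out image-full.sig image-full
-    signature_files="${signature_files} image-full.sig"
-  fi
+  echo KeyType="${key_type}" >> ${manifest_location}
+  echo HashType="RSA-SHA256" >> ${manifest_location}
-  additional_files="${signature_files}"
+  make_signatures ${image_name} ${manifest_location} ${public_key_file}
 fi
-tar -czvf $outfile $files_to_sign $additional_files
-echo "Bios image tarball is at $outfile"
+tar -czvf ${outfile} ${image_name} ${manifest_location} ${public_key_file} ${signature_files}
+echo "Bios image tarball is at ${outfile}"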
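Review bot: In make_signatures (first hunk) both `openssl dgst` calls drop the quoting the replaced loop had around the key path and the file name (`-sign ${SIGNING_KEY} ... $file`), and neither call's exit status is checked, so unless the script enables -e somewhere outside these hunks a signing failure leaves a .sig file missing while execution continues to the `cat` and on to the `tar` line in the last hunk. Quote and fail fast: `openssl dgst -sha256 -sign "${SIGNING_KEY}" -out "${file}.sig" "$file" || exit 1` and `openssl dgst -sha256 -sign "${SIGNING_KEY}" -out image-full.sig image-full || exit 1`. With the sort gone, the byte order of image-full is now fixed by the argument order of `make_signatures ${image_name} ${manifest_location} ${public_key_file}`, and the `# DO NOT SORT` comment only records the old command; it should state what that order has to match, presumably the order in which the on-device verifier concatenates the .sig files when checking image-full.sig (to be confirmed against that code), e.g. `# Order matters: image-full is the .sig files concatenated in argument order, which must match the verifier's order`. `sort_signature_files` is now a plain alias of `signature_files` and can go, leaving `cat $signature_files > image-full`.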