authorBrandon Kim <brandonkim@google.com>2021-07-21 01:41:04 +0300
committerBrandon Kim <brandonkim@google.com>2021-08-02 19:23:11 +0300
commit4e2735e0dc487c0cb3c3e38e10df7b728ff85cef (patch)
tree17ea8300aee40e44dbf408308f3a8a03e8d5ca05 /meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh
parent236c94eb62df7d2694225996d83c51d45594004f (diff)
meta-google: flash: Import google-key from gBMC
Google key installation script and bitbake recipe. Google-Bug-Id: 179618162 Upstream: 22e2c3dd5f610777dee173a09d8e82dc2509a975 Signed-off-by: Brandon Kim <brandonkim@google.com> Change-Id: I21c88b6c2810c4ab3f6089f79143e59b6ce935db
Diffstat (limited to 'meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh')
-rwxr-xr-xmeta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh63
1 files changed, 63 insertions, 0 deletions
diff --git a/meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh b/meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh
new file mode 100755
index 000000000..cac229a94
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+help_out() {
+ echo "$ARG0 [--allow-dev] <image file> <sig file>" >&2
+ exit 2
+}
+
+opts="$(getopt -o 'd' -l 'allow-dev' -- "$@")" || exit
+dev=
+eval set -- "$opts"
+while true; do
+ case "$1" in
+ --allow-dev|-d)
+ dev=1
+ shift
+ ;;
+ --)
+ shift
+ break
+ ;;
+ *)
+ echo "Bad option: $1" >&2
+ help_out
+ ;;
+ esac
+done
+image_file="${1?Missing image file}" || help_out
+sig_file="${2?Missing sig file}" || help_out
+
+# gnupg needs a home directory even though we don't want to persist any
+# information. We always make a new temporary directory for this
+GNUPGHOME=
+cleanup() {
+ test -n "$GNUPGHOME" && rm -rf "$GNUPGHOME"
+}
+trap cleanup ERR EXIT INT
+export GNUPGHOME="$(mktemp -d)" || exit
+
+gpg() {
+ command gpg --batch --allow-non-selfsigned-uid --no-tty "$@"
+}
+import_key() {
+ gpg --import "/usr/share/google-key/$1.key"
+}
+
+import_key prod
+if [ -n "$dev" ]; then
+ import_key dev
+fi
+gpg --verify --ignore-time-conflict "$sig_file" "$image_file"
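Review bot: `export GNUPGHOME="$(mktemp -d)" || exit` does not catch a failing mktemp, because the status being tested is that of `export`, which succeeds regardless of the command substitution. In that case GNUPGHOME is exported empty and gpg would presumably fall back to its default home directory, so the keys are imported into a persistent keyring and the final `gpg --verify` could accept a signature from any key already stored there rather than only the prod (and optionally dev) key. Assign and export separately so the check applies to mktemp itself: `GNUPGHOME="$(mktemp -d)" || exit` followed by `export GNUPGHOME`.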