phosphor-software-manager: Add verify-full-signature

The phosphor-software-manager now supports signature checking of the
whole tarball contents, ensuring that all the expected images are
contained in the tarball. This new check adds an additional level of
security, and the new tarball signature file is included in the built
tarball now by default:
https://gerrit.openbmc-project.xyz/c/openbmc/meta-phosphor/+/39036
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-bmc-code-mgmt/+/39118

Change the verify_signature PACKAGECONFIG option to use the new
verify-full-signature since this is the recommended option now and the
previous one is marked as a legacy option.

Tested: Verified the generated config.h in the phosphor-software-manager
        build directory has both the original WANT_SIGNATURE_VERIFY and
        the new WANT_SIGNATURE_FULL_VERIFY defined.

Change-Id: I138d0c8ca9fc25d4e08e101c5a097c9cb4fbcbb5
Signed-off-by: Adriana Kobylak <anoo@us.ibm.com>

1 files changed, 3 insertions, 1 deletions

diff --git a/meta-phosphor/recipes-phosphor/flash/phosphor-software-manager_git.bb b/meta-phosphor/recipes-phosphor/flash/phosphor-software-manager_git.bb
index d561eba48..4fa2aa457 100644
--- a/meta-phosphor/recipes-phosphor/flash/phosphor-software-manager_git.bb
+++ b/meta-phosphor/recipes-phosphor/flash/phosphor-software-manager_git.bb
@@ -24,7 +24,9 @@ DBUS_PACKAGES = "${SOFTWARE_MGR_PACKAGES}"
 # handles the rest.
 SYSTEMD_PACKAGES = ""
 
-PACKAGECONFIG[verify_signature] = "-Dverify-signature=enabled, -Dverify-signature=disabled"
+PACKAGECONFIG[verify_signature] = " \
+    -Dverify-full-signature=enabled, \
+    -Dverify-full-signature=disabled"
 PACKAGECONFIG[sync_bmc_files] = "-Dsync-bmc-files=enabled, -Dsync-bmc-files=disabled"
 PACKAGECONFIG[ubifs_layout] = "-Dbmc-layout=ubi"
 PACKAGECONFIG[mmc_layout] = "-Dbmc-layout=mmc"