Diffstat (limited to 'meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh')
-rwxr-xr-x | meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh b/meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh
new file mode 100755
index 000000000..cac229a94
--- /dev/null
+++ b/meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+help_out() {
+echo "$ARG0 [--allow-dev] <image file> <sig file>" >&2
+exit 2
+}
+
+opts="$(getopt -o 'd' -l 'allow-dev' -- "$@")" || exit
+dev=
+eval set -- "$opts"
+while true; do
+case "$1" in
+--allow-dev|-d)
+dev=1
+shift
+;;
+--)
+shift
+break
+;;
+*)
+echo "Bad option: $1" >&2
+help_out
+;;
+esac
+done
+image_file="${1?Missing image file}" || help_out
+sig_file="${2?Missing sig file}" || help_out
+
+# gnupg needs a home directory even though we don't want to persist any
+# information. We always make a new temporary directory for this
+GNUPGHOME=
+cleanup() {
+test -n "$GNUPGHOME" && rm -rf "$GNUPGHOME"
+}
+trap cleanup ERR EXIT INT
+export GNUPGHOME="$(mktemp -d)" || exit
+
+gpg() {
+command gpg --batch --allow-non-selfsigned-uid --no-tty "$@"
+}
+import_key() {
+gpg --import "/usr/share/google-key/$1.key"
+}
+
+import_key prod
+if [ -n "$dev" ]; then
+import_key dev
+fi
+gpg --verify --ignore-time-conflict "$sig_file" "$image_file" |
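Review bot: The `|| exit` on `export GNUPGHOME="$(mktemp -d)" || exit` (just after the `trap cleanup` line) can never fire, because `export` reports its own status rather than that of the command substitution, so a failed mktemp leaves an empty GNUPGHOME exported and gpg presumably falls back to its default home directory, where `import_key` would then add keys to a persistent keyring — the very thing the comment above says the script avoids. Splitting the assignment from the export restores the check: `GNUPGHOME="$(mktemp -d)" || exit` followed by `export GNUPGHOME`; the earlier `opts="$(getopt ...)" || exit` is a plain assignment and is fine. Separately, `image_file="${1?Missing image file}" || help_out` and the `sig_file` line below it have dead `|| help_out` branches, since `${1?...}` terminates a non-interactive shell on an unset parameter before the right-hand side runs, so the usage text from help_out is never shown; either drop the `|| help_out` or test `$#` explicitly, e.g. `[ "$#" -eq 2 ] || help_out` before the assignments. Also, `$ARG0` in help_out is not set anywhere in this file, so the usage line presumably prints with an empty program name; `${0##*/}` would give the intended value.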