image_signing: change files sign_oci_container looks for

Since we're packing containers in a format imageloader understands,
we need to consume imageloader's manifest and produce a signature
it knows to look for.

BRANCH=ToT
BUG=chromium:697645
TEST=package adb container, verify imageloader.sig.2 is present

Change-Id: Ied9cdacf1d448a094c1b171bc2bf3b2ae54eb517
Reviewed-on: https://chromium-review.googlesource.com/457102
Commit-Ready: Eric Caruso <ejcaruso@chromium.org>
Tested-by: Eric Caruso <ejcaruso@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Eric Caruso
2017-03-17 14:56:31 -07:00
committed by chrome-bot
parent 510e7a2b03
commit 1919b169bf


@@ -10,12 +10,13 @@ load_shflags || exit 1
DEFINE_string output "" \ DEFINE_string output "" \
"Where to write signed output to (default: sign in-place)" "Where to write signed output to (default: sign in-place)"
FLAGS_HELP="Usage: ${PROG} [options] <input_container> <key_dir> FLAGS_HELP="Usage: ${PROG} [options] <input_image> <key_dir>
Signs <input_container> with keys in <key_dir>. Should have a config.json Signs <input_image> with keys in <key_dir>. Should have an imageloader.json
file in the OCI format. file which imageloader can understand and will use to mount the squashfs
image that provides the container's rootfs and OCI configuration.
Input can be an unpacked container, or a CRX/ZIP file. Input can be an unpacked imageloader image, or a CRX/ZIP file.
" "
# Parse command line. # Parse command line.
@@ -25,7 +26,8 @@ eval set -- "${FLAGS_ARGV}"
# Abort on error. # Abort on error.
set -e set -e
# Sign the directory holding OCI container(s). We look for manifest.json files. # Sign the directory holding OCI container(s). We look for an imageloader.json
# file.
sign_oci_container() { sign_oci_container() {
[[ $# -eq 3 ]] || die "Usage: sign_oci_container <input> <key> <output>" [[ $# -eq 3 ]] || die "Usage: sign_oci_container <input> <key> <output>"
local input="${1%/}" local input="${1%/}"
@@ -36,19 +38,20 @@ sign_oci_container() {
rsync -a "${input}/" "${output}/" rsync -a "${input}/" "${output}/"
fi fi
local manifest out_manifest local out_manifest="${output}/imageloader.sig.2"
while read -d $'\0' -r manifest; do local manifest="${input}/imageloader.json"
out_manifest="${output}/${manifest}.sig" if [[ ! -f "${manifest}" ]]; then
manifest="${input}/${manifest}" die "Could not find manifest"
info "Signing: ${manifest}" fi
if ! openssl dgst -sha256 -sign "${key_file}" \ info "Signing: ${manifest}"
-out "${out_manifest}" "${manifest}"; then if ! openssl dgst -sha256 -sign "${key_file}" \
die "Failed to sign" -out "${out_manifest}" "${manifest}"; then
fi die "Failed to sign"
done < <(find "${input}/" -name manifest.json -printf '%P\0') fi
} }
# Sign the crx/zip holding OCI container(s). We look for manifest.json files. # Sign the crx/zip holding OCI container(s). We look for an imageloader.json
# file.
sign_oci_container_zip() { sign_oci_container_zip() {
[[ $# -eq 3 ]] || die "Usage: sign_oci_container_zip <input> <key> <output>" [[ $# -eq 3 ]] || die "Usage: sign_oci_container_zip <input> <key> <output>"
local input="$1" local input="$1"
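Review bot: In the third hunk, sign_oci_container now signs exactly one file, `${input}/imageloader.json`, and no longer walks the tree, yet the comment above it still says "container(s)" and nothing states what the signature covers. Whether the squashfs image and the other files copied by rsync are integrity-protected depends on imageloader.json carrying their hashes, which this script does not check and the hunk does not show; I would add a comment such as `# Signs only the top-level imageloader.json; everything else is covered only if that manifest carries its hash.` The `[[ ! -f "${manifest}" ]]` test also follows symlinks, so if the input may be an unpacked CRX/ZIP from another party, `if [[ ! -f "${manifest}" || -L "${manifest}" ]]; then` would keep the signer from signing a file outside the input tree. The failure message should name the path, `die "Could not find manifest: ${manifest}"`. sign_oci_container starts before this hunk and sign_oci_container_zip continues past its end.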