sign_official_build.sh: add an update payload operation

This enables the signer script to sign update payloads. BUG=chromium-os:34521 TEST=`./sign_official_build.sh update_payload testcase.sha256 . foo` produced a signed foo file BRANCH=None Change-Id: I27a9de89e760427251538deec38161944388a152 Reviewed-on: https://gerrit.chromium.org/gerrit/33535 Tested-by: Mike Frysinger <vapier@chromium.org> Reviewed-by: Don Garrett <dgarrett@chromium.org> Reviewed-by: Gaurav Shah <gauravsh@chromium.org> Commit-Ready: Mike Frysinger <vapier@chromium.org>
2026-01-11 18:35:28 +00:00 · 2012-09-18 02:16:26 -04:00
parent 65d3c277a2
commit 283cbf89a9
1 changed files with 30 additions and 0 deletions
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -29,6 +29,7 @@ where <type> is one of:
             recovery (sign a USB recovery image)
             factory (sign a factory install image)
             install (old alias to "factory")
+             update_payload (sign a delta update hash)
             firmware (sign a firmware image)
             usb  (sign an image to boot directly from USB)
             verify (verify an image including rootfs hashes)
@@ -338,6 +339,33 @@ sign_firmware() {
  echo "Signed firmware image output to ${image}"
 }

+# Sign a delta update payload (usually created by paygen).
+# Args: INPUT_IMAGE KEY_DIR OUTPUT_IMAGE
+sign_update_payload() {
+  local image=$1
+  local key_dir=$2
+  local output=$3
+  local key_size key_file="${key_dir}/update_key.pem"
+  local algo algos=(
+    # Maps key size to verified boot's algorithm id (for pad_digest_utility).
+    # Hashing algorithm is always SHA-256.
+    [1024]=1
+    [2048]=4
+    [4096]=7
+    [8192]=10
+  )
+
+  key_size=$(openssl rsa -text -noout -in "${key_file}" | \
+    sed -n -r '1{s/Private-Key: \(([0-9]*) bit\)/\1/p}')
+  algo=${algos[${key_size}]}
+  if [[ -z ${algo} ]]; then
+    die "Unknown algorithm specified by key_size=${key_size}"
+  fi
+
+  pad_digest_utility ${algo} "${image}" | \
+    openssl rsautl -sign -pkcs -inkey "${key_file}" -out "${output}"
+}
+
 # Re-sign the firmware AU payload inside the image rootfs with a new keys.
 # Args: IMAGE
 resign_firmware_payload() {
@@ -640,6 +668,8 @@ elif [ "${TYPE}" == "factory" ] || [ "${TYPE}" == "install" ]; then
 elif [ "${TYPE}" == "firmware" ]; then
  cp ${INPUT_IMAGE} ${OUTPUT_IMAGE}
  sign_firmware ${OUTPUT_IMAGE} ${KEY_DIR} ${FIRMWARE_VERSION}
+elif [ "${TYPE}" == "update_payload" ]; then
+  sign_update_payload ${INPUT_IMAGE} ${KEY_DIR} ${OUTPUT_IMAGE}
 else
  echo "Invalid type ${TYPE}"
  exit 1