From dc82178796a49669cfb0fd359ba12c307cc54962 Mon Sep 17 00:00:00 2001
From: Vadim Bendebury
Date: Fri, 6 Apr 2018 14:50:37 -0700
Subject: [PATCH] cr50: fix assorted signer script issues

- make sure DBG images could not be signed for prod

When debug image marker was changed from "DEV" to "DBG", the script checking for this was not updated. Fix that and also use 'strings' generated output to not require grep to delineate input binary blobs into strings.

- do not invoke cr50-codesigner as sudo, it is not necessary with the correct udev rules in place.

BRANCH=none
BUG=b:73296144
TEST=Tried signing for prod a DBG image, the attempt failed. Then built a non DBG image, signed it successfully.

Change-Id: I7cec2d9eb344b40f7726d7e432689b0c0416dc47
Signed-off-by: Vadim Bendebury
Reviewed-on: https://chromium-review.googlesource.com/1000755
Reviewed-by: Randall Spangler
Reviewed-by: Mary Ruthven
---
 util/signer/bs | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/util/signer/bs b/util/signer/bs
index 5ab29b24b9..529c584c11 100755
--- a/util/signer/bs
+++ b/util/signer/bs
@@ -108,7 +108,7 @@ tweak_manifest () {
 }

 SIGNER="cr50-codesigner"
-if ! sudo which "${SIGNER}" 2>/dev/null > /dev/null; then
+if ! which "${SIGNER}" 2>/dev/null > /dev/null; then
 echo "${SIGNER} is not available, try running 'sudo emerge cr50-utils'" >&2
 exit 1
 fi
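Review bot: The new availability check still shells out to `which`, whose exit status and output vary between implementations and which is not what bash itself uses to resolve `${SIGNER}`; the portable builtin form is `if ! command -v "${SIGNER}" >/dev/null 2>&1; then`. Dropping `sudo` here matches the unprivileged signer invocation later in the script, but the check now consults the invoking user's PATH rather than root's, so the hint `sudo emerge cr50-utils` presumably only helps if that package installs the binary somewhere on the user's PATH — worth confirming.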
@@ -198,19 +198,18 @@ tweak_manifest
 count=0
 for elf in ${elves[@]}; do
 if [[ -n "${do_prod}" ]]; then
- if grep -q "DEV/cr50" "${elf}"; then
+ if strings "${elf}" | grep -q "DBG/cr50"; then
 echo "Will not sign debug image with prod keys" >&2
 exit 1
 fi
 fi
 signed_file="${count}.${dst_suffix}"
- # Make sure this file is not owned by root
+ # Make sure output file is not owned by root
 touch "${signed_file}"
- sudo "${SIGNER}" ${signer_command_params[@]} \
- -i ${elf} -o "${signed_file}"
- if [[ ! -s "${signed_file}" ]]; then
- echo "${progname}: error: empty signed file ${signed_file}" >&2
+ if ! "${SIGNER}" ${signer_command_params[@]} \
+ -i ${elf} -o "${signed_file}"; then
+ echo "${progname}: ${SIGNER} failed" >&2
 exit 1
 fi
 : $(( count++ ))
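Review bot: The rewritten signer invocation drops the `[[ ! -s "${signed_file}" ]]` check, so a signer that exits 0 but leaves the freshly `touch`ed output empty or truncated is now accepted silently and passed on as a signed image; keep both conditions, `if ! "${SIGNER}" "${signer_command_params[@]}" -i "${elf}" -o "${signed_file}" || [[ ! -s "${signed_file}" ]]; then`, and since these lines are new anyway, quoting `${signer_command_params[@]}` and `${elf}` there costs nothing and stops word splitting on the parameters. The prod-key guard now relies on `strings` emitting the marker: some GNU binutils releases default `strings` to scanning only initialized data sections, so if the `DBG/cr50` marker could sit outside those, `strings -a "${elf}"` makes the check independent of that default — confirm against where the marker is placed in the image. The enclosing `for elf` loop's `done` lies outside the hunk.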