image_signing: Add sha1sum of keys in keyset to VERSION.signer.

Recording the sha1sum of the keys in the keyset helps loem or unibuild projects verify:
  1. whether the rekey process is performed correctly during the factory
  build.
  2. whether the HWID database is updated correctly.

BUG=chromium:763328
TEST=1) modify loem.ini to match what coral is.
2) ~/trunk/src/platform/vboot_reference/scripts/image_signing/sign_official_build.sh
  recovery ./chromeos_10308.0.0_coral_recovery_dev-channel_mp-v4.bin
  ./src/platform/vboot_reference/tests/loemkeys ./output.bin
3) verify output file - VERSION.signer.
BRANCH=none

Change-Id: I80deadb04d9dc0eb66fc5ac45dce84e6f41f1a16
Signed-off-by: Marco Chen <marcochen@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/866522
Reviewed-by: Simon Glass <sjg@chromium.org>
Marco Chen
2018-01-15 13:05:59 +08:00
committed by chrome-bot
parent fde7cdc134
commit e0b3841863


@@ -10,6 +10,7 @@
#
# futility (from src/platform/vboot_reference)
# vbutil_kernel (from src/platform/vboot_reference)
# vbutil_key (from src/platform/vboot_reference)
# cgpt (from src/platform/vboot_reference)
# dump_kernel_config (from src/platform/vboot_reference)
# verity (from src/platform/verity)
@@ -724,6 +725,14 @@ resign_firmware_payload() {
local signer_notes="${shellball_dir}/VERSION.signer"
echo "" >"$signer_notes"
echo "Signed with keyset in $(readlink -f "${KEY_DIR}") ." >>"${signer_notes}"
if [[ -d "${shellball_keyset_dir}" ]]; then
echo "List sha1sum of all loem/model's signatures:" >>"${signer_notes}"
for key in "${shellball_keyset_dir}"/rootkey.*; do
model="${key##*.}"
sha1=$(vbutil_key --unpack "${key}" | grep sha1sum | cut -d" " -f9)
echo " ${model}: ${sha1}" >>"${signer_notes}"
done
fi
new_shellball=$(make_temp_file)
cp -f "${firmware_bundle}" "${new_shellball}"
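Review bot: In the new loop in `resign_firmware_payload`, a failed or reformatted `vbutil_key --unpack` goes undetected: the pipeline's exit status is that of `cut`, and `-f9` depends on the exact spacing of the tool's output, so VERSION.signer can record an empty or wrong hash for a model without any error (unless `pipefail` is enabled elsewhere in the script, which is not visible here). Because this file is meant to be used to check the rekey and the HWID database, an empty value should stop the signing run; assuming the hash is the last field on that line, `sha1=$(vbutil_key --unpack "${key}" | awk '/sha1sum/ {print $NF}')` followed by `[[ -n "${sha1}" ]] || { echo "no sha1sum for ${key}" >&2; exit 1; }` would do that. The glob also stays literal when the directory contains no `rootkey.*` file, which would write a `*:` entry, and `key`, `model` and `sha1` are not declared `local` the way `signer_notes` is. The function body starts and ends outside the hunk.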