This directory holds instruction files that are used when uploading artifacts for signing with official keys. pushimage will process them to create output instruction files which are then posted to a Google Storage bucket that the signing processes watch. The input files tell pushimage how to operate, and output files tell the signer how to operate.
This file covers things that pushimage itself cares about. It does not get into the fields that the signer utilizes. See [References] below for that.
DEFAULT.instructions
: Default values for all boards/artifacts; loaded first.DEFAULT.$TYPE.instructions
: Default values for all boards for a specific artifact type.$BOARD.instructions
: Default values for all artifacts for $BOARD, and used for recovery images.$BOARD.$TYPE.instructions
: Values specific to a board and artifact type; see pushimage's --sign-types
for more info.There are a few main sections that pushimage cares about:
[insns]
[insns.XXX]
(Where XXX can be anything)[general]
Other sections are passed through to the signer untouched, and many fields in the above sections are also unmodified.
The keys that pushimage looks at are:
[insns] channels = comma/space delimited list of the channels to flag for signing keysets = comma/space delimited list of the keysets to use when signing
A bunch of fields will also be clobbered in the [general]
section as pushimage writes out metadata based on the command line flags/artifacts.
When you want to sign a single board/artifact type for multiple channels or keysets, simply list them in the insns.channels
and insn.keysets
fields. pushimage will take care of posting to the right subdirs and creating unique filenames based on those.
When you want to sign multiple artifacts for a single board (and all the same artifact type), you need to use the multiple input form instead. When you create multiple sections that start with insns.
, pushimage will overlay that on top of the insns
section, and then produce multiple ouput requests.
So if you wrote a file like:
[insns] channel = dev [insns.one] keyset = Zinger input_files = zinger/ec.bin [insns.two] keyset = Hoho input_files = hoho/ec.bin
pushimage will produce two requests for the signer:
[insns] channel = dev keyset = Zinger input_files = zinger/ec.bin
And:
[insns] channel = dev keyset = Hoho input_files = hoho/ec.bin
For details on the fields that the signer uses: https://sites.google.com/a/google.com/chromeos/resources/engineering/releng/signer-documentation