Fail verification if the rootfs hash is empty.
This should let the signer catch errors where there are errors parsing verity output. And failing verification if rootfs hash verification is turned off for whatever reason.
Change-Id: I1e3f239a5b6afab31accdd8f0a737b8685530e8d
BUG=chrome-os-partner:3093, chrome-os-partner:3104
TEST=manually on a badly signed image (verification fails now)
Review URL: http://codereview.chromium.org/6720043
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 8b61f39..7c0018c 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -301,12 +301,17 @@
local expected_hash=$(get_hash_from_config "${new_kernel_config}")
local got_hash=$(get_hash_from_config "${kernel_config}")
+ if [ -z "${expected_hash}" ]; then
+ echo "FAILED: RootFS hash is empty!"
+ exit 1
+ fi
if [ ! "${got_hash}" = "${expected_hash}" ]; then
cat <<EOF
FAILED: RootFS hash is incorrect.
Expected: ${expected_hash}
Got: ${got_hash}
EOF
+ exit 1
else
echo "PASS: RootFS hash is correct (${expected_hash})"
fi
