Google Git
Sign in
cos / mirrors / cros / chromiumos / platform / vboot_reference / refs/heads/firmware-rowan-9516.B^! / .
commit1919b169bfb6739db8b31509fd0d6c22427bdadf[log] [tgz]
authorEric Caruso <ejcaruso@chromium.org>Fri Mar 17 14:56:31 2017 -0700
committerchrome-bot <chrome-bot@chromium.org>Wed Apr 26 16:19:51 2017 -0700
tree1ffd2b825c15e3abce0b08d1c068232d842fdefa
parent510e7a2b0373b61237ed3a8ec7b6788828e5deba [diff]
image_signing: change files sign_oci_container looks for

Since we're packing containers in a format imageloader understands,
we need to consume imageloader's manifest and produce a signature
it knows to look for.

BRANCH=ToT
BUG=chromium:697645
TEST=package adb container, verify imageloader.sig.2 is present

Change-Id: Ied9cdacf1d448a094c1b171bc2bf3b2ae54eb517
Reviewed-on: https://chromium-review.googlesource.com/457102
Commit-Ready: Eric Caruso <ejcaruso@chromium.org>
Tested-by: Eric Caruso <ejcaruso@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

diff --git a/scripts/image_signing/sign_oci_container.sh b/scripts/image_signing/sign_oci_container.sh
index df3eb0f..14ca3af 100755
--- a/scripts/image_signing/sign_oci_container.sh
+++ b/scripts/image_signing/sign_oci_container.sh

@@ -10,12 +10,13 @@
 DEFINE_string output "" \
   "Where to write signed output to (default: sign in-place)"
 
-FLAGS_HELP="Usage: ${PROG} [options] <input_container> <key_dir>
+FLAGS_HELP="Usage: ${PROG} [options] <input_image> <key_dir>
 
-Signs <input_container> with keys in <key_dir>.  Should have a config.json
-file in the OCI format.
+Signs <input_image> with keys in <key_dir>. Should have an imageloader.json
+file which imageloader can understand and will use to mount the squashfs
+image that provides the container's rootfs and OCI configuration.
 
-Input can be an unpacked container, or a CRX/ZIP file.
+Input can be an unpacked imageloader image, or a CRX/ZIP file.
 "
 
 # Parse command line.
@@ -25,7 +26,8 @@
 # Abort on error.
 set -e
 
-# Sign the directory holding OCI container(s).  We look for manifest.json files.
+# Sign the directory holding OCI container(s).  We look for an imageloader.json
+# file.
 sign_oci_container() {
   [[ $# -eq 3 ]] || die "Usage: sign_oci_container <input> <key> <output>"
   local input="${1%/}"
@@ -36,19 +38,20 @@
     rsync -a "${input}/" "${output}/"
   fi
 
-  local manifest out_manifest
-  while read -d $'\0' -r manifest; do
-    out_manifest="${output}/${manifest}.sig"
-    manifest="${input}/${manifest}"
-    info "Signing: ${manifest}"
-    if ! openssl dgst -sha256 -sign "${key_file}" \
-                      -out "${out_manifest}" "${manifest}"; then
-      die "Failed to sign"
-    fi
-  done < <(find "${input}/" -name manifest.json -printf '%P\0')
+  local out_manifest="${output}/imageloader.sig.2"
+  local manifest="${input}/imageloader.json"
+  if [[ ! -f "${manifest}" ]]; then
+    die "Could not find manifest"
+  fi
+  info "Signing: ${manifest}"
+  if ! openssl dgst -sha256 -sign "${key_file}" \
+                    -out "${out_manifest}" "${manifest}"; then
+    die "Failed to sign"
+  fi
 }
 
-# Sign the crx/zip holding OCI container(s).  We look for manifest.json files.
+# Sign the crx/zip holding OCI container(s).  We look for an imageloader.json
+# file.
 sign_oci_container_zip() {
   [[ $# -eq 3 ]] || die "Usage: sign_oci_container_zip <input> <key> <output>"
   local input="$1"