image_signing: Add sha1sum of keys in keyset to VERSION.signer.
To record sha1sum of keys in keyset can help loem or unibuild projects to verify
1. whether rekey process is performed correctly during the factory
build.
2. whether HWID database is updated correctly.
BUG=chromium:763328
TEST=1) modify loem.ini to match what coral is.
2) ~/trunk/src/platform/vboot_reference/scripts/image_signing/sign_official_build.sh
recovery ./chromeos_10308.0.0_coral_recovery_dev-channel_mp-v4.bin
./src/platform/vboot_reference/tests/loemkeys ./output.bin
3) verify output file - VERSION.signer.
BRANCH=none
Change-Id: I80deadb04d9dc0eb66fc5ac45dce84e6f41f1a16
Signed-off-by: Marco Chen <marcochen@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/866522
Reviewed-by: Simon Glass <sjg@chromium.org>
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index bba33e2..1bee36d 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -10,6 +10,7 @@
#
# futility (from src/platform/vboot_reference)
# vbutil_kernel (from src/platform/vboot_reference)
+# vbutil_key (from src/platform/vboot_reference)
# cgpt (from src/platform/vboot_reference)
# dump_kernel_config (from src/platform/vboot_reference)
# verity (from src/platform/verity)
@@ -724,6 +725,14 @@
local signer_notes="${shellball_dir}/VERSION.signer"
echo "" >"$signer_notes"
echo "Signed with keyset in $(readlink -f "${KEY_DIR}") ." >>"${signer_notes}"
+ if [[ -d "${shellball_keyset_dir}" ]]; then
+ echo "List sha1sum of all loem/model's signatures:" >>"${signer_notes}"
+ for key in "${shellball_keyset_dir}"/rootkey.*; do
+ model="${key##*.}"
+ sha1=$(vbutil_key --unpack "${key}" | grep sha1sum | cut -d" " -f9)
+ echo " ${model}: ${sha1}" >>"${signer_notes}"
+ done
+ fi
new_shellball=$(make_temp_file)
cp -f "${firmware_bundle}" "${new_shellball}"
