signer: fix accessory_rwsig signing

Require that the container passed in is the one containing
the specified key, and no other key. So if only one key is
present it must be the specified key.

BUG=chromium:863464
TEST=run locally
BRANCH=None

Change-Id: Ieeca5773f35b7bf92beae8a2192ed6e6fd9008e6
Reviewed-on: https://chromium-review.googlesource.com/1136910
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Nick Sanders <nsanders@chromium.org>
Reviewed-by: Bob Moragues <moragues@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 0f9bd50..813a021 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -1148,12 +1148,18 @@
   cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}"
   futility sign --type usbpd1 --pem "${KEY_NAME}.pem" "${OUTPUT_IMAGE}"
 elif [[ "${TYPE}" == "accessory_rwsig" ]]; then
-  KEY_NAME="${KEY_DIR}/key_$(basename $(dirname ${INPUT_IMAGE}))"
+  # If one key is present in this container, assume it's the right one.
+  # See crbug.com/863464
   if [[ ! -e "${KEY_NAME}.vbprik2" ]]; then
-    KEY_NAME="${KEY_DIR}/key"
+    KEYS=( "${KEY_DIR}"/*.vbprik2 )
+    if [[ ${#KEYS[@]} -eq 1 ]]; then
+      KEY_NAME="${KEYS[0]}"
+    else
+      die "Expected exactly one key present in keyset for accessory_rwsig"
+    fi
   fi
   cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}"
-  futility sign --type rwsig --prikey "${KEY_NAME}.vbprik2" \
+  futility sign --type rwsig --prikey "${KEY_NAME}" \
            --version "${FIRMWARE_VERSION}" "${OUTPUT_IMAGE}"
 elif [[ "${TYPE}" == "oci-container" ]]; then
   sign_oci_container "${INPUT_IMAGE}" "${KEY_DIR}" "${OUTPUT_IMAGE}"
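Review bot: The two paths into the `futility sign --type rwsig` call leave `KEY_NAME` in different forms: the existence test checks `"${KEY_NAME}.vbprik2"`, so a key that is found keeps its suffix-less name, while the fallback assigns `"${KEYS[0]}"`, which includes `.vbprik2`. Because the call now passes `--prikey "${KEY_NAME}"`, the explicitly specified key would be looked up without its extension. This assumes `KEY_NAME` is set without the suffix, as the test implies; its assignment is outside the hunk. Keeping one form fixes it, e.g. `KEY_NAME="${KEYS[0]%.vbprik2}"` in the fallback with `--prikey "${KEY_NAME}.vbprik2"` restored. Separately, unless `nullglob` is set elsewhere in the script, an empty `KEY_DIR` leaves the literal pattern as the single array element, so the count check passes and `die` is skipped; `if [[ ${#KEYS[@]} -eq 1 && -e "${KEYS[0]}" ]]; then` would make a signer with no key fail at the intended message.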