sign_official_build.sh: Update kern_b_hash to support SHA256
We're updating the algorithm for this so the signing scripts have to
support it as well. Since we're running ToT signing scripts on older
images as well, determine the hash algorithm used in the image by
checking its length (40 hex digits for SHA1, 64 for SHA256).
BRANCH=None
BUG=b:137576540
TEST=$(sign_official_build.sh recovery recovery_image.bin
/tmp/scratch/mykeys/ resigned_image.bin) -- used futility to confirm
that new image kern_b_hash matches new image KERN-B and uses the
expected algorithm (tried with both SHA1 and SHA256)
Cq-Depend: chromium:1706624
Change-Id: Ie1a62ad1fd4fbf141cc1c32d592b863f2d43a24e
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1707529
Legacy-Commit-Queue: Commit Bot <commit-bot@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 4e83a31..59033c2 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -913,7 +913,13 @@
# Update the Kernel B hash in Kernel A command line
local old_kerna_config="$(sudo dump_kernel_config "${loop_kerna}")"
- local new_kernb_hash=$(sudo sha1sum "${loop_kernb}" | cut -f1 -d' ')
+ local old_kernb_hash="$(echo "$old_kerna_config" |
+ sed -nEe "s#.*kern_b_hash=([a-z0-9]*).*#\1#p")"
+ if [[ "${#old_kernb_hash}" -lt 64 ]]; then
+ local new_kernb_hash=$(sudo sha1sum "${loop_kernb}" | cut -f1 -d' ')
+ else
+ local new_kernb_hash=$(sudo sha256sum "${loop_kernb}" | cut -f1 -d' ')
+ fi
new_kerna_config=$(make_temp_file)
echo "$old_kerna_config" |
