Update kern_b_hash to support SHA256

We're updating the algorithm for this so the signing scripts have to
support it as well. Since we're running ToT signing scripts on older
images as well, determine the hash algorithm used in the image by
checking its length (40 hex digits for SHA1, 64 for SHA256).

TEST=$( recovery recovery_image.bin
    /tmp/scratch/mykeys/ resigned_image.bin) -- used futility to confirm
    that new image kern_b_hash matches new image KERN-B and uses the
    expected algorithm (tried with both SHA1 and SHA256)

Cq-Depend: chromium:1706624
Change-Id: Ie1a62ad1fd4fbf141cc1c32d592b863f2d43a24e
Signed-off-by: Julius Werner <>
Legacy-Commit-Queue: Commit Bot <>
Reviewed-by: Mike Frysinger <>
diff --git a/scripts/image_signing/ b/scripts/image_signing/
index 4e83a31..59033c2 100755
--- a/scripts/image_signing/
+++ b/scripts/image_signing/
@@ -913,7 +913,13 @@
   # Update the Kernel B hash in Kernel A command line
   local old_kerna_config="$(sudo dump_kernel_config "${loop_kerna}")"
-  local new_kernb_hash=$(sudo sha1sum "${loop_kernb}" | cut -f1 -d' ')
+  local old_kernb_hash="$(echo "$old_kerna_config" |
+    sed -nEe "s#.*kern_b_hash=([a-z0-9]*).*#\1#p")"
+  if [[ "${#old_kernb_hash}" -lt 64 ]]; then
+    local new_kernb_hash=$(sudo sha1sum "${loop_kernb}" | cut -f1 -d' ')
+  else
+    local new_kernb_hash=$(sudo sha256sum "${loop_kernb}" | cut -f1 -d' ')
+  fi
   echo "$old_kerna_config" |