author | Vadim Bendebury <vbendeb@chromium.org> | 2018-04-06 14:50:37 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-04-10 19:13:12 -0700 |
commit | dc82178796a49669cfb0fd359ba12c307cc54962 (patch) | |
tree | 5f1fe3dec042e7cf0bcd0da3511667da20291188 | |
parent | 396750a226e991b81af0afd52637b599dc6f27fa (diff) | |
download | chrome-ec-dc82178796a49669cfb0fd359ba12c307cc54962.tar.gz |

cr50: fix assorted signer script issues

 - make sure DBG images could not be signed for prod

   When debug image marker was changed from "DEV" to "DBG", the
   script checking for this was not updated.

   Fix that and also use 'strings' generated output to not require
   grep to delineate input binary blobs into strings.

 - do not invoke cr50-codesigner as sudo, it is not necessary with
   the correct udev rules in place.

BRANCH=none
BUG=b:73296144
TEST=Tried signing for prod a DBG image, the attempt failed. Then
built a non DBG image, signed it successfully.
Change-Id: I7cec2d9eb344b40f7726d7e432689b0c0416dc47
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1000755
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
-rwxr-xr-x | util/signer/bs | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/util/signer/bs b/util/signer/bs index 5ab29b24b9..529c584c11 100755 --- a/util/signer/bs +++ b/util/signer/bs @@ -108,7 +108,7 @@ tweak_manifest () { } SIGNER="cr50-codesigner" -if ! sudo which "${SIGNER}" 2>/dev/null > /dev/null; then +if ! which "${SIGNER}" 2>/dev/null > /dev/null; then echo "${SIGNER} is not available, try running 'sudo emerge cr50-utils'" >&2 exit 1 fi @@ -198,19 +198,18 @@ tweak_manifest count=0 for elf in ${elves[@]}; do if [[ -n "${do_prod}" ]]; then - if grep -q "DEV/cr50" "${elf}"; then + if strings "${elf}" | grep -q "DBG/cr50"; then echo "Will not sign debug image with prod keys" >&2 exit 1 fi fi signed_file="${count}.${dst_suffix}" - # Make sure this file is not owned by root + # Make sure output file is not owned by root touch "${signed_file}" - sudo "${SIGNER}" ${signer_command_params[@]} \ - -i ${elf} -o "${signed_file}" - if [[ ! -s "${signed_file}" ]]; then - echo "${progname}: error: empty signed file ${signed_file}" >&2 + if ! "${SIGNER}" ${signer_command_params[@]} \ + -i ${elf} -o "${signed_file}"; then + echo "${progname}: ${SIGNER} failed" >&2 exit 1 fi : $(( count++ )) |
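Review bot: in the first hunk (@@ -108), the availability test `if ! which "${SIGNER}" 2>/dev/null > /dev/null` still depends on the external `which`, whose exit status and output differ between systems. Now that the lookup runs as the invoking user, `command -v "${SIGNER}" > /dev/null 2>&1` would be the better fit: it is a shell builtin and resolves the name the same way the later `"${SIGNER}"` invocation does.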
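Review bot: in the second hunk (@@ -198), the prod guard `if strings "${elf}" | grep -q "DBG/cr50"` fails open. The pipeline's status is grep's alone, so if `strings` cannot read `${elf}` (missing or unreadable file) grep sees empty input, the condition is false, and the script proceeds to sign with prod keys; nothing in the visible lines sets pipefail, and enabling it would not help, since an early `grep -q` match can terminate `strings` and make a real DBG hit look like a failure. Consider testing `[[ -r "${elf}" ]]` and exiting before the check, or capturing the `strings` output into a variable and checking its exit status before grepping; passing `-a` to `strings` would also make the whole-file scan explicit. Separately, the removed `[[ ! -s "${signed_file}" ]]` test was the only thing catching an empty output, and because `touch` always creates the file, a signer that exits 0 without writing now goes unnoticed; keeping that test alongside the new exit-status check, and quoting `${elf}` in `-i ${elf}`, would close both gaps.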