From 0e2e748940b7a48b8b056700dc0d081928c63c2e Mon Sep 17 00:00:00 2001 From: Julius Werner Date: Wed, 17 Jul 2019 14:44:16 -0700 Subject: sign_official_build.sh: Update kern_b_hash to support SHA256 We're updating the algorithm for this so the signing scripts have to support it as well. Since we're running ToT signing scripts on older images as well, determine the hash algorithm used in the image by checking its length (40 hex digits for SHA1, 64 for SHA256). BRANCH=None BUG=b:137576540 TEST=$(sign_official_build.sh recovery recovery_image.bin /tmp/scratch/mykeys/ resigned_image.bin) -- used futility to confirm that new image kern_b_hash matches new image KERN-B and uses the expected algorithm (tried with both SHA1 and SHA256) Cq-Depend: chromium:1706624 Change-Id: Ie1a62ad1fd4fbf141cc1c32d592b863f2d43a24e Signed-off-by: Julius Werner Reviewed-on: https://chromium-review.googlesource.com/1707529 Legacy-Commit-Queue: Commit Bot Reviewed-by: Mike Frysinger --- scripts/image_signing/sign_official_build.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 4e83a31a..59033c27 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -913,7 +913,13 @@ update_recovery_kernel_hash() { # Update the Kernel B hash in Kernel A command line local old_kerna_config="$(sudo dump_kernel_config "${loop_kerna}")" - local new_kernb_hash=$(sudo sha1sum "${loop_kernb}" | cut -f1 -d' ') + local old_kernb_hash="$(echo "$old_kerna_config" | + sed -nEe "s#.*kern_b_hash=([a-z0-9]*).*#\1#p")" + if [[ "${#old_kernb_hash}" -lt 64 ]]; then + local new_kernb_hash=$(sudo sha1sum "${loop_kernb}" | cut -f1 -d' ') + else + local new_kernb_hash=$(sudo sha256sum "${loop_kernb}" | cut -f1 -d' ') + fi new_kerna_config=$(make_temp_file) echo "$old_kerna_config" | -- cgit v1.2.1