author | Dave Heller <hellerda@linux.vnet.ibm.com> | 2018-04-24 08:27:43 -0400 |
---|---|---|
committer | Dave Heller <hellerda@linux.vnet.ibm.com> | 2018-04-24 08:27:43 -0400 |
commit | 8c775dc9f86dfc2bdfa453b54be14b4a2df559ac (patch) | |
tree | 425b74fb7b265aeb11097bfbfc60b0e53e42ee4e | |
parent | c914d3d8b09440d3607c6bd90fedf333a5cba902 (diff) | |
download | sb-signing-utils-8c775dc9f86dfc2bdfa453b54be14b4a2df559ac.tar.gz sb-signing-utils-8c775dc9f86dfc2bdfa453b54be14b4a2df559ac.zip |
Don't reuse FW keys sigs for transition containers
because SBKT and SBKTRAND are regenerated on each run
-rwxr-xr-x | crtSignedContainer.sh | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/crtSignedContainer.sh b/crtSignedContainer.sh
index afefe21..26d5cfb 100755
--- a/crtSignedContainer.sh
+++ b/crtSignedContainer.sh
@@ -685,12 +685,16 @@ then
 test "$KEYFILE" == __get -o "$KEYFILE" == __getkey && \
 die "Cannot $KEYFILE $varname in $SIGN_MODE mode"
- # If no signature found, try to generate one.
- if [ -f "$T/$SIGFILE" ]
+ # Look for a signature in the local cache dir, if found use it.
+ # (but never reuse a sig for SBKT, the payload is always regenerated)
+ if [ -f "$T/$SIGFILE" ] && \
+ [ "$(to_upper "$LABEL")" != SBKT ] && \
+ [ "$(to_upper "$LABEL")" != SBKTRAND ]
 then
 echo "--> $P: Found signature for SW key $(to_upper $KEY)."
 elif test -f "$KEYFILE" && is_private_key "$KEYFILE"
 then
+ # No signature found, try to generate one.
 echo "--> $P: Generating signature for SW key $(to_upper $KEY)..."
 openssl dgst -SHA512 -sign "$KEYFILE" "$T/software_hdr" > "$T/$SIGFILE"
 rc=$?
@@ -758,11 +762,14 @@ then
 test -z "$KEYFILE" && break
 test "$KEYFILE" == __skip && break
- # If no signature in the current dir, request one.
- if [ -f "$T/$SIGFILE" ]
+ # Look for a signature in the local cache dir, if found use it.
+ if [ -f "$T/$SIGFILE" ] && \
+ [ "$(to_upper "$LABEL")" != SBKT ] && \
+ [ "$(to_upper "$LABEL")" != SBKTRAND ]
 then
 echo "--> $P: Found signature for SW key $(to_upper $KEY)."
 else
+ # No signature found, request one.
 test "$KEYFILE" == __getkey && continue
 echo "--> $P: Requesting signature for SW key $(to_upper $KEY)..."
 sf_client $SF_DEBUG_ARGS -project $SF_PROJECT -epwd "$SF_EPWD" \
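Review bot: The three-term reuse check `[ -f "$T/$SIGFILE" ] && [ "$(to_upper "$LABEL")" != SBKT ] && [ "$(to_upper "$LABEL")" != SBKTRAND ]` is duplicated verbatim in this hunk and in the second hunk at @@ -758, so the two sites can drift the next time a label is added to the never-reuse set; a single helper (below) keeps one definition and one comment. The second hunk also drops the "(but never reuse a sig for SBKT, the payload is always regenerated)" rationale that the first hunk carries, leaving the request path with an unexplained label test. When the label test fails the stale `$T/$SIGFILE` is left on disk: the openssl branch overwrites it, but in the request path the `test "$KEYFILE" == __getkey && continue` line returns with the stale file still present, and whether later code outside the hunk consumes it cannot be seen from here, so a `rm -f -- "$T/$SIGFILE"` for the excluded labels would make the non-reuse explicit. Both enclosing `if`/loop bodies start and end outside the hunks.
```shell
# Returns 0 when the cached signature for the current key may be reused.
# SBKT/SBKTRAND payloads are regenerated on every run, so a cached sig
# for those labels can never verify and is discarded instead of reused.
sig_is_reusable() {
    local sigfile="$T/$1"
    [ -f "$sigfile" ] || return 1
    case "$(to_upper "$LABEL")" in
        SBKT|SBKTRAND) rm -f -- "$sigfile"; return 1 ;;
    esac
    return 0
}

# … in the local-cache lookup (this hunk and the one at @@ -758) …
if sig_is_reusable "$SIGFILE"
then
# … unchanged: found / generate / request branches …
```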