authorDave Heller <hellerda@linux.vnet.ibm.com>2018-01-10 09:21:48 -0500
committerDave Heller <hellerda@linux.vnet.ibm.com>2018-01-10 09:21:48 -0500
commit63bd6f1f5901a5fed3fa81d0f6d9986d295ea7d2 (patch)
tree9cb08237aec2c915ffc982d0071946d594e3eb78 /crtSignedContainer.sh
parent9b766cf98157c9a73c2f170c3caf0c17edb35443 (diff)
Adjust sig finding behavior in indpendent mode
In independent mode, there are cases that were not covered previously where, if a signature is not found in the local cache, we want to look for it elsewhere in the cache. Signed-off-by: Dave Heller <hellerda@linux.vnet.ibm.com>
Diffstat (limited to 'crtSignedContainer.sh')
-rwxr-xr-xcrtSignedContainer.sh37
1 files changed, 29 insertions, 8 deletions
diff --git a/crtSignedContainer.sh b/crtSignedContainer.sh
index 776919f..e68ffd4 100755
--- a/crtSignedContainer.sh
+++ b/crtSignedContainer.sh
@@ -627,17 +627,36 @@ then
test "$KEYFILE" == __get -o "$KEYFILE" == __getkey && \
die "Cannot $KEYFILE $varname in $SIGN_MODE mode"
- # If no signature found, try to generate one.
+ # Look for signature in the local cache dir.
if [ -f "$T/$SIGFILE" ]
then
echo "--> $P: Found signature for HW key $(to_upper $KEY)."
- elif test -f "$KEYFILE" && is_private_key "$KEYFILE"
- then
- echo "--> $P: Generating signature for HW key $(to_upper $KEY)..."
- openssl dgst -SHA512 -sign "$KEYFILE" "$T/prefix_hdr" > "$T/$SIGFILE"
else
- echo "--> $P: No signature found and no private key available for HW key $(to_upper $KEY), skipping."
- continue
+ # Check elsewhere in the cache.
+ if [ "$SIGN_MODE" == "independent" ] && [ "$SB_ARCHIVE_IN" ]
+ then
+ SIGFOUND=$(find "$TOPDIR" -type f -name $SIGFILE | head -1)
+ else
+ SIGFOUND=""
+ fi
+
+ if [ "$SIGFOUND" ]
+ then
+ echo "--> $P: Found signature for HW key $(to_upper $KEY)."
+ cp -p "$SIGFOUND" "$T/"
+ else
+ # If no signature found, try to generate one.
+ if [ -f "$KEYFILE" ] && is_private_key "$KEYFILE"
+ then
+ echo "--> $P: Generating signature for HW key $(to_upper $KEY)..."
+ openssl dgst -SHA512 -sign "$KEYFILE" "$T/prefix_hdr" > "$T/$SIGFILE"
+ rc=$?
+ test $rc -ne 0 && die "Call to openssl failed with error: $rc"
+ else
+ echo "--> $P: No signature found and no private key available for HW key $(to_upper $KEY), skipping."
+ continue
+ fi
+ fi
fi
FOUND="${FOUND}$(to_upper $KEY),"
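Review bot: The new fallback at `SIGFOUND=$(find "$TOPDIR" -type f -name $SIGFILE | head -1)` accepts a signature by filename alone: whichever match `find` lists first anywhere under `$TOPDIR` is copied into `$T` with `cp -p`, and nothing visible in this hunk checks that it was made over this container's `$T/prefix_hdr`. A stale or unrelated file with the same name would be reported as "Found signature" and carried forward. Unless it is verified later (outside this hunk), the candidate should be checked against `$T/prefix_hdr` with the matching public key before the copy and rejected if it does not verify. `$SIGFILE` is also unquoted, so the shell may word-split or glob-expand it before `find` sees it; `-name "$SIGFILE"` avoids that. The same `find` line appears in the third hunk.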
@@ -662,6 +681,8 @@ then
then
echo "--> $P: Generating signature for SW key $(to_upper $KEY)..."
openssl dgst -SHA512 -sign "$KEYFILE" "$T/software_hdr" > "$T/$SIGFILE"
+ rc=$?
+ test $rc -ne 0 && die "Call to openssl failed with error: $rc"
else
echo "--> $P: No signature found and no private key available for SW key $(to_upper $KEY), skipping."
continue
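Review bot: The added `rc=$?` check stops the script when `openssl dgst` fails, but the `> "$T/$SIGFILE"` redirection has already created the file by then, so a failed signing leaves an empty or truncated signature file in `$T`. If `$T` persists between runs, an existence test like the `[ -f "$T/$SIGFILE" ]` in the first hunk would then report it as a found signature. Remove the file on failure, e.g. `openssl dgst -SHA512 -sign "$KEYFILE" "$T/software_hdr" > "$T/$SIGFILE" || { rc=$?; rm -f "$T/$SIGFILE"; die "Call to openssl failed with error: $rc"; }`. The HW-key branch in the first hunk has the same pattern, and the enclosing `if` starts outside this hunk.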
@@ -690,7 +711,7 @@ then
then
echo "--> $P: Found signature for HW key $(to_upper $KEY)."
else
- SIGFOUND=$(find "$TOPDIR" -name $SIGFILE | head -1)
+ SIGFOUND=$(find "$TOPDIR" -type f -name $SIGFILE | head -1)
if [ "$SIGFOUND" ]
then