From 5da26fa912f263a534aeb0f44fb3661f9780674f Mon Sep 17 00:00:00 2001
From: Michael Marineau <michael.marineau@coreos.com>
Date: Mon, 19 Sep 2016 12:14:24 -0700
Subject: [PATCH] offline_signing: include kernel in official updates

---
 core_sign_update            | 4 +++-
 offline_signing/download.sh | 3 +++
 offline_signing/sign.sh     | 3 +++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/core_sign_update b/core_sign_update
index f327fb7660..a658206a2e 100755
--- a/core_sign_update
+++ b/core_sign_update
@@ -15,7 +15,8 @@ SCRIPT_ROOT=$(dirname $(readlink -f "$0"))
 export GCLIENT_ROOT=$(readlink -f "${SCRIPT_ROOT}/../../")
 . "${SCRIPT_ROOT}/common.sh" || exit 1
 
-DEFINE_string image "" "The image that should be sent to clients."
+DEFINE_string image "" "The filesystem image of /usr"
+DEFINE_string kernel "" "The kernel image"
 DEFINE_string output "" "Output file"
 DEFINE_string private_keys "" "Path to private key in .pem format."
 DEFINE_string public_keys "" "Path to public key in .pem format."
@@ -39,6 +40,7 @@ trap cleanup INT TERM EXIT
 
 delta_generator \
     -new_image "$FLAGS_image" \
+    -new_kernel "$FLAGS_kernel" \
     -out_file update
 
 IFS=: read -a private_keys <<< "$FLAGS_private_keys"
diff --git a/offline_signing/download.sh b/offline_signing/download.sh
index 2b94fc1be0..3a94cb11a8 100755
--- a/offline_signing/download.sh
+++ b/offline_signing/download.sh
@@ -7,10 +7,13 @@ GS="gs://builds.release.core-os.net/stable/boards/amd64-usr/$VERSION"
 cd "${2:-.}"
 
 gsutil cp \
+    "${GS}/coreos_production_image.vmlinuz.bz2" \
+    "${GS}/coreos_production_image.vmlinuz.bz2.sig" \
     "${GS}/coreos_production_update.bin.bz2" \
     "${GS}/coreos_production_update.bin.bz2.sig" \
     "${GS}/coreos_production_update.zip" \
     "${GS}/coreos_production_update.zip.sig" ./
 
+gpg --verify "coreos_production_image.vmlinuz.bz2.sig"
 gpg --verify "coreos_production_update.bin.bz2.sig"
 gpg --verify "coreos_production_update.zip.sig"
diff --git a/offline_signing/sign.sh b/offline_signing/sign.sh
index e27b3c9625..9521869488 100755
--- a/offline_signing/sign.sh
+++ b/offline_signing/sign.sh
@@ -5,8 +5,10 @@ DATA_DIR="$(readlink -f "$1")"
 KEYS_DIR="$(readlink -f "$(dirname "$0")")"
 
 gpg2 --verify "${DATA_DIR}/coreos_production_update.bin.bz2.sig"
+gpg2 --verify "${DATA_DIR}/coreos_production_image.vmlinuz.bz2.sig"
 gpg2 --verify "${DATA_DIR}/coreos_production_update.zip.sig"
 bunzip2 --keep "${DATA_DIR}/coreos_production_update.bin.bz2"
+bunzip2 --keep "${DATA_DIR}/coreos_production_image.vmlinuz.bz2"
 unzip "${DATA_DIR}/coreos_production_update.zip" -d "${DATA_DIR}"
 
 export PATH="${DATA_DIR}:${PATH}"
@@ -14,6 +16,7 @@ export PATH="${DATA_DIR}:${PATH}"
 cd "${DATA_DIR}"
 ./core_sign_update \
     --image "${DATA_DIR}/coreos_production_update.bin" \
+    --kernel "${DATA_DIR}/coreos_production_image.vmlinuz" \
     --output "${DATA_DIR}/coreos_production_update.gz" \
     --private_keys "${KEYS_DIR}/devel.key.pem:${KEYS_DIR}/prod-2.key.pem" \
     --public_keys  "${KEYS_DIR}/devel.pub.pem:${KEYS_DIR}/prod-2.pub.pem"