From 61be39c99944969fdef1ff2b850e643fb3230e7c Mon Sep 17 00:00:00 2001
From: Euan Kemp
Date: Tue, 11 Jul 2017 13:55:59 -0700
Subject: [PATCH] core_sign_update: remain compatible with older sign.sh

The motivation behind retaining this backwards compatibility, at least now, is that it's actually non-trivial to revert these code changes for a given release. The `sign.sh` changes can easily be changed, but the `core_sign_update` code is included in the update-specific "au_zip" file. Replacing that is a little more fiddly. Since it's possible we'll still want to revert to the previous signing behavior, make it so the update payload (namely core_sign_update) should work both under the previous `sign.sh` script, and when using the new one.
---
 core_sign_update | 10 ++++++----
 offline_signing/sign.sh | 3 ++-
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/core_sign_update b/core_sign_update
index 6b55d1a0b9..20159cf255 100755
--- a/core_sign_update
+++ b/core_sign_update
@@ -18,8 +18,9 @@ export GCLIENT_ROOT=$(readlink -f "${SCRIPT_ROOT}/../../")
 DEFINE_string image "" "The filesystem image of /usr"
 DEFINE_string kernel "" "The kernel image"
 DEFINE_string output "" "Output file"
-DEFINE_string private_keys "" "Path to private key in .pem format."
-DEFINE_string public_keys "" "Path to public key in .pem format."
+DEFINE_string private_keys "" "Path or pkcs11 URI to private keys."
+DEFINE_string public_keys "" "Path to public keys in .pem format."
+DEFINE string keys_separator ":" "Separator for the above keys"
 
 # Parse command line
 FLAGS "$@" || exit 1
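Review bot: The added flag line reads `DEFINE string keys_separator ":" ...` while every neighbouring definition uses `DEFINE_string`; unless the missing underscore is an artifact of how this patch was rendered, no such function exists in shflags, so the flag is never registered and the `--keys_separator "+"` that sign.sh now passes would be rejected by `FLAGS "$@" || exit 1`. It should read `DEFINE_string keys_separator ":" "Separator for the above keys"`. Separately, the default `":"` cannot delimit the pkcs11 URIs that the `--private_keys` help text now advertises, because `pkcs11:` itself contains a colon, so any caller using a PKCS#11 key must override the separator; the help string should say so, e.g. `"Separator for the above keys (must not occur in any key path or URI; pkcs11 URIs contain ':')"`.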
@@ -45,8 +46,9 @@ delta_generator \
 -new_kernel "$FLAGS_kernel" \
 -out_file update
 
-IFS=+ read -a private_keys <<< "$FLAGS_private_keys"
-IFS=+ read -a public_keys <<< "$FLAGS_public_keys"
+# The separator is configurable for backwards compatibility with old `sign.sh` scripts.
+IFS="${keys_separator}" read -a private_keys <<< "$FLAGS_private_keys"
+IFS="${keys_separator}" read -a public_keys <<< "$FLAGS_public_keys"
 
 if [ ${#private_keys[@]} -ne ${#public_keys[@]} ]; then
 echo "mismatch in count of private keys and public keys"
diff --git a/offline_signing/sign.sh b/offline_signing/sign.sh
index 1f4a621909..ecd690a951 100755
--- a/offline_signing/sign.sh
+++ b/offline_signing/sign.sh
@@ -18,4 +18,5 @@ cd "${DATA_DIR}"
 --kernel "${DATA_DIR}/coreos_production_image.vmlinuz" \
 --output "${DATA_DIR}/coreos_production_update.gz" \
 --private_keys "${KEYS_DIR}/devel.key.pem+pkcs11:object=CoreOS_Update_Signing_Key;type=private" \
- --public_keys "${KEYS_DIR}/devel.pub.pem+${KEYS_DIR}/prod-2.pub.pem"
+ --public_keys "${KEYS_DIR}/devel.pub.pem+${KEYS_DIR}/prod-2.pub.pem" \
+ --keys_separator "+"
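Review bot: `IFS="${keys_separator}"` on the two new `read` lines expands a variable nothing sets: shflags exposes a flag's value as `FLAGS_<name>`, as the `$FLAGS_private_keys` and `$FLAGS_kernel` references in this same hunk show. With IFS empty, `read -a` performs no splitting, so each array holds the whole joined string as its single element, the `-ne` count check passes (1 vs 1), and the combined `devel.key.pem+pkcs11:...` string is presumably handed to the signing step below the hunk as one key path instead of failing loudly. The lines should be `IFS="${FLAGS_keys_separator}" read -r -a private_keys <<< "$FLAGS_private_keys"` and `IFS="${FLAGS_keys_separator}" read -r -a public_keys <<< "$FLAGS_public_keys"` (`-r` so backslashes in paths survive), and an empty separator should be rejected before the `read` rather than silently disabling splitting. The code that consumes the arrays continues outside the hunk.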
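Review bot: The new `--keys_separator "+"` argument is now a contract between this script and whichever core_sign_update is bundled in the au_zip, yet nothing records why `+` is used instead of the flag's default; a comment such as `# Keys are '+'-separated: the default ':' would split the pkcs11 URI below.` above the `--private_keys` line would stop a future cleanup from dropping the argument and breaking the count check. The command these lines continue begins above the hunk.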