diff mbox series

[isar-cip-core,RFC,2/3] swupdate.bbclass: Use new swupdate-certificate

Message ID 20230713085106.2062587-3-Quirin.Gylstorff@siemens.com (mailing list archive)
State Superseded
Headers show
Series Enable signed Software Update Binaries | expand

Commit Message

Quirin Gylstorff July 13, 2023, 8:51 a.m. UTC 
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This also changes the signing type from
RSA PKCS#1.5[1](SWUPDATE_SIGNATURE_TYPE="rsa") to
certificates[2](SWUPDATE_SIGNATURE_TYPE="cms").
certificates are the default of the debian SWUpdate package.

[1]: https://sbabic.github.io/swupdate/signed_images.html?highlight=signing#usage-with-rsa-pkcs-1-5-or-rsa-pss
[2]:https://sbabic.github.io/swupdate/signed_images.html?highlight=signing#usage-with-certificates-and-cms

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 classes/swupdate.bbclass | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
diff mbox series

Patch

diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index 3d2b5f0..f5186de 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -27,12 +27,13 @@  SWU_DESCRIPTION_FILE ?= "sw-description"
 SWU_ADDITIONAL_FILES ?= "linux.efi ${SWU_ROOTFS_PARTITION_NAME}"
 SWU_SIGNED ?= ""
 SWU_SIGNATURE_EXT ?= "sig"
-SWU_SIGNATURE_TYPE ?= "rsa"
+SWU_SIGNATURE_TYPE ?= "cms"
 
 SWU_BUILDCHROOT_IMAGE_FILE ?= "${PP_DEPLOY}/${@os.path.basename(d.getVar('SWU_IMAGE_FILE'))}"
 
 IMAGE_TYPEDEP:swu = "${SWU_ROOTFS_TYPE}${@get_swu_compression_type(d)}"
-IMAGER_INSTALL:swu += "cpio ${@'openssl' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
+IMAGER_BUILD_DEPS:swu += "${@'swupdate-certificates-key' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
+IMAGER_INSTALL:swu += "cpio ${@'openssl swupdate-certificates-key' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}"
 
 IMAGE_SRC_URI:swu = "file://${SWU_DESCRIPTION_FILE}.tmpl"
 IMAGE_TEMPLATE_FILES:swu = "${SWU_DESCRIPTION_FILE}.tmpl"
@@ -102,10 +103,6 @@  IMAGE_CMD:swu() {
 
     # Prepare for signing
     export sign='${@'x' if bb.utils.to_boolean(d.getVar('SWU_SIGNED')) else ''}'
-    if [ -n "$sign" ]; then
-        cp -f '${SIGN_KEY}' '${WORKDIR}/dev.key'
-        test -e '${SIGN_CRT}' && cp -f '${SIGN_CRT}' '${WORKDIR}/dev.crt'
-    fi
 
     sudo -E chroot ${BUILDCHROOT_DIR} sh -c ' \
         # Fill in file check sums
@@ -123,14 +120,14 @@  IMAGE_CMD:swu() {
             if [ -n "$sign" -a "${SWU_DESCRIPTION_FILE}" = "$file" ]; then
                 if [ "${SWU_SIGNATURE_TYPE}" = "rsa" ]; then
                     openssl dgst \
-                        -sha256 -sign "${PP_WORK}/dev.key" "$file" \
+                        -sha256 -sign "/usr/share/swupdate-signing/swupdate-sign.key" "$file" \
                         > "$file.${SWU_SIGNATURE_EXT}"
                 elif [ "${SWU_SIGNATURE_TYPE}" = "cms" ]; then
                     openssl cms \
                         -sign -in "$file" \
                         -out "$file"."${SWU_SIGNATURE_EXT}" \
-                        -signer "${PP_WORK}/dev.crt" \
-                        -inkey "${PP_WORK}/dev.key" \
+                        -signer "/usr/share/swupdate-signing/swupdate-sign.crt" \
+                        -inkey "/usr/share/swupdate-signing/swupdate-sign.key" \
                         -outform DER -nosmimecap -binary
                 fi
                 # Set file timestamps for reproducible builds