meta-google/recipes-phosphor/flash/google-key/verify-bmc-image.sh

#!/bin/bash
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

help_out() {
  echo "$ARG0 [--allow-dev] <image file> <sig file>" >&2
  exit 2
}

opts="$(getopt -o 'd' -l 'allow-dev' -- "$@")" || exit
dev=
eval set -- "$opts"
while true; do
  case "$1" in
    --allow-dev|-d)
      dev=1
      shift
      ;;
    --)
      shift
      break
      ;;
    *)
      echo "Bad option: $1" >&2
      help_out
      ;;
  esac
done
image_file="${1?Missing image file}" || help_out
sig_file="${2?Missing sig file}" || help_out

# gnupg needs a home directory even though we don't want to persist any
# information. We always make a new temporary directory for this
GNUPGHOME=
cleanup() {
  test -n "$GNUPGHOME" && rm -rf "$GNUPGHOME"
}
trap cleanup ERR EXIT INT
export GNUPGHOME="$(mktemp -d)" || exit

gpg() {
  command gpg --batch --allow-non-selfsigned-uid --no-tty "$@"
}
import_key() {
  gpg --import "/usr/share/google-key/$1.key"
}

import_key prod
if [ -n "$dev" ]; then
  import_key dev
fi
gpg --verify --ignore-time-conflict "$sig_file" "$image_file"