image_types_phosphor: Add SIGNING_PUBLIC_KEY

Support SIGNING_PUBLIC_KEY so that it generates an unsigned tarball.
Such tarball will be signed by separate tools as needed.

Tested:
* Define neither SIGNING_KEY nor SIGNING_PUBLIC_KEY: it generates
  the tarball as before, with the dev key.
* Define SIGNING_PUBLIC_KEY and do not define SIGNING_KEY: it generates
  tarballs without a signature.
* Define SIGNING_KEY and do not define SIGNING_PUBLIC_KEY: it generates
  the tarball signed with the SIGNING_KEY.
* Define both SIGNING_KEY and SIGNING_PUBLIC_KEY: it gets an error on
  building the phosphor-image-signing recipe.

Signed-off-by: Lei YU <yulei.sh@bytedance.com>
Change-Id: If6cffc477c1aa76674af758e0154b21b7b88c099
diff --git a/meta-phosphor/classes/image_types_phosphor.bbclass b/meta-phosphor/classes/image_types_phosphor.bbclass
index 49d13b4..26af079 100644
--- a/meta-phosphor/classes/image_types_phosphor.bbclass
+++ b/meta-phosphor/classes/image_types_phosphor.bbclass
@@ -82,6 +82,9 @@
 MMC_UBOOT_SIZE ?= "1024"
 MMC_BOOT_PARTITION_SIZE ?= "65536"
 
+SIGNING_PUBLIC_KEY ?= ""
+SIGNING_PUBLIC_KEY_TYPE = "${@os.path.splitext(os.path.basename('${SIGNING_PUBLIC_KEY}'))[0]}"
+
 SIGNING_KEY ?= "${STAGING_DIR_NATIVE}${datadir}/OpenBMC.priv"
 INSECURE_KEY = "${@'${SIGNING_KEY}' == '${STAGING_DIR_NATIVE}${datadir}/OpenBMC.priv'}"
 SIGNING_KEY_DEPENDS = "${@oe.utils.conditional('INSECURE_KEY', 'True', 'phosphor-insecure-signing-key-native:do_populate_sysroot', '', d)}"
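Review bot: The two added variables carry no comment, although setting `SIGNING_PUBLIC_KEY` changes what the build produces: per the commit message, the tarball is then left unsigned. A short comment above `SIGNING_PUBLIC_KEY ?= ""` would record that, for example `# Public half of an externally held signing key; when set and SIGNING_KEY is left at its default, the tarball is produced unsigned and must be signed by a separate tool.` `SIGNING_PUBLIC_KEY_TYPE` is the key file's basename without its extension and evaluates to an empty string with the default value. It is not used in the hunks shown here, so the comment should also say where it is consumed.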
@@ -351,17 +354,31 @@
         "
 
 make_signatures() {
-	signature_files=""
-	for file in "$@"; do
-		openssl dgst -sha256 -sign ${SIGNING_KEY} -out "${file}.sig" $file
-		signature_files="${signature_files} ${file}.sig"
-	done
+	signing_key="${SIGNING_KEY}"
 
-	if [ -n "$signature_files" ]; then
-		sort_signature_files=`echo "$signature_files" | tr ' ' '\n' | sort | tr '\n' ' '`
-		cat $sort_signature_files > image-full
-		openssl dgst -sha256 -sign ${SIGNING_KEY} -out image-full.sig image-full
-		signature_files="${signature_files} image-full.sig"
+	if [ "${INSECURE_KEY}" == "True" ] && [ -n "${SIGNING_PUBLIC_KEY}" ]; then
+		echo "Using SIGNING_PUBLIC_KEY"
+		signing_key=""
+	fi
+
+	if [ -n "${signing_key}" ] && [ -n "${SIGNING_PUBLIC_KEY}" ]; then
+		echo "Both SIGNING_KEY and SIGNING_PUBLIC_KEY are defined, expecting only one"
+		exit 1
+	fi
+
+	signature_files=""
+	if [ -n "${signing_key}" ]; then
+		for file in "$@"; do
+			openssl dgst -sha256 -sign ${signing_key} -out "${file}.sig" $file
+			signature_files="${signature_files} ${file}.sig"
+		done
+
+		if [ -n "${signature_files}" ]; then
+			sort_signature_files=$(echo "${signature_files}" | tr ' ' '\n' | sort | tr '\n' ' ')
+			cat ${sort_signature_files} > image-full
+			openssl dgst -sha256 -sign ${signing_key} -out image-full.sig image-full
+			signature_files="${signature_files} image-full.sig"
+		fi
 	fi
 }
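Review bot: The added test `[ "${INSECURE_KEY}" == "True" ]` uses `==`, which POSIX `[` does not define. If the task runs under dash or another strict /bin/sh, the test may error out and count as false, so the dev key stays selected and the next check aborts a build that set only SIGNING_PUBLIC_KEY. Write it as `[ "${INSECURE_KEY}" = "True" ]`. The unsigned path is announced only by `echo "Using SIGNING_PUBLIC_KEY"`; a message such as `bbnote "SIGNING_PUBLIC_KEY is set: tarball is left unsigned by this build"` would make that state explicit in the log. Likewise, `bbfatal` fits the both-defined error better than `echo` followed by `exit 1`. Separately, `${signing_key}` and `$file` are unquoted in the `openssl dgst` calls and would split on a path containing spaces.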