phosphor-software-manager: Add verify-full-signature
The phosphor-software-manager now supports signature checking of the
whole tarball contents, ensuring that all the expected images are
contained in the tarball. This new check adds an additional level of
security, and the new tarball signature file is included in the built
tarball now by default:
https://gerrit.openbmc-project.xyz/c/openbmc/meta-phosphor/+/39036
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-bmc-code-mgmt/+/39118
Change the verify_signature PACKAGECONFIG option to use the new
verify-full-signature since this is the recommended option now and the
previous one is marked as a legacy option.
Tested: Verified the generated config.h in the phosphor-software-manager
build directory has both the original WANT_SIGNATURE_VERIFY and
the new WANT_SIGNATURE_FULL_VERIFY defined.
Change-Id: I138d0c8ca9fc25d4e08e101c5a097c9cb4fbcbb5
Signed-off-by: Adriana Kobylak <anoo@us.ibm.com>
diff --git a/meta-phosphor/recipes-phosphor/flash/phosphor-software-manager_git.bb b/meta-phosphor/recipes-phosphor/flash/phosphor-software-manager_git.bb
index d561eba..4fa2aa4 100644
--- a/meta-phosphor/recipes-phosphor/flash/phosphor-software-manager_git.bb
+++ b/meta-phosphor/recipes-phosphor/flash/phosphor-software-manager_git.bb
@@ -24,7 +24,9 @@
# handles the rest.
SYSTEMD_PACKAGES = ""
-PACKAGECONFIG[verify_signature] = "-Dverify-signature=enabled, -Dverify-signature=disabled"
+PACKAGECONFIG[verify_signature] = " \
+ -Dverify-full-signature=enabled, \
+ -Dverify-full-signature=disabled"
PACKAGECONFIG[sync_bmc_files] = "-Dsync-bmc-files=enabled, -Dsync-bmc-files=disabled"
PACKAGECONFIG[ubifs_layout] = "-Dbmc-layout=ubi"
PACKAGECONFIG[mmc_layout] = "-Dbmc-layout=mmc"