Message ID | 1502958326-1780-1-git-send-email-maciej.pijanowski@3mdeb.com |
---|---|
State | Accepted |
Delegated to: | Stefano Babic |
Hi Maciej, On 17/08/2017 10:25, Maciej Pijanowski wrote: > Signed-off-by: Maciej Pijanowski <maciej.pijanowski@3mdeb.com> > --- > classes/swupdate.bbclass | 46 +++++++++++++++++++++++++++++++++++++--------- > 1 file changed, 37 insertions(+), 9 deletions(-) > > diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass > index 44e45461401c..28297ca41a1c 100644 > --- a/classes/swupdate.bbclass > +++ b/classes/swupdate.bbclass > @@ -1,5 +1,5 @@ > # Copyright (C) 2015 Stefano Babic <sbabic@denx.de> > -# > +# > # Some parts from the patch class > # > # swupdate allows to generate a compound image for the > @@ -14,7 +14,7 @@ > > S = "${WORKDIR}/${PN}" > > -DEPENDS += "${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING', True) == '1' else ''}" > +DEPENDS += "${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING', True) else ''}" > IMAGE_DEPENDS ?= "" > > def swupdate_is_hash_needed(s, filename): > @@ -101,7 +101,7 @@ python do_swuimage () { > fetch = bb.fetch2.Fetch([], d) > list_for_cpio = ["sw-description"] > > - if d.getVar('SWUPDATE_SIGNING', True) == '1': > + if d.getVar('SWUPDATE_SIGNING', True): > list_for_cpio.append('sw-description.sig') > > for url in fetch.urls: 
> @@ -140,12 +140,20 @@ python do_swuimage () { > hash = swupdate_get_sha256(s, file) > swupdate_write_sha256(s, file, hash) > > - if d.getVar('SWUPDATE_SIGNING', True) == '1': > - sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True) > - if sign_tool: > - if os.system(sign_tool) != 0: > - bb.fatal("Failed to sign with %s" % (sign_tool)) > - else: > + signing = d.getVar('SWUPDATE_SIGNING', True) > + if signing == "1": > + bb.warn('SWUPDATE_SIGNING = "1" is deprecated, falling back to "RSA". It is advised to set it to "RSA" if using RSA signing.') > + signing = "RSA" > + if signing: > + if signing == "CUSTOM": > + sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True) > + if sign_tool: > + ret = os.system(sign_tool) > + if ret != 0: > + bb.fatal("Failed to sign with %s" % (sign_tool)) > + else: > + bb.fatal("Custom SWUPDATE_SIGN_TOOL is not given") > + elif signing == "RSA": > privkey = d.getVar('SWUPDATE_PRIVATE_KEY', True) > if not privkey: > bb.fatal("SWUPDATE_PRIVATE_KEY isn't set") 
> @@ -163,6 +171,26 @@ python do_swuimage () { > os.path.join(s, 'sw-description')) > if os.system(signcmd) != 0: > bb.fatal("Failed to sign sw-description with %s" % (privkey)) > + elif signing == "CMS": > + cms_cert = d.getVar('SWUPDATE_CMS_CERT', True) > + if not cms_cert: > + bb.fatal("SWUPDATE_CMS_CERT is not set") > + if not os.path.exists(cms_cert): > + bb.fatal("SWUPDATE_CMS_CERT %s doesn't exist" % (cms_cert)) > + cms_key = d.getVar('SWUPDATE_CMS_KEY', True) > + if not cms_key: > + bb.fatal("SWUPDATE_CMS_KEY isn't set") > + if not os.path.exists(cms_key): > + bb.fatal("SWUPDATE_CMS_KEY %s doesn't exist" % (cms_key)) > + signcmd = "openssl cms -sign -in '%s' -out '%s' -signer '%s' -inkey '%s' -outform DER -nosmimecap -binary" % ( > + os.path.join(s, 'sw-description'), > + os.path.join(s, 'sw-description.sig'), > + cms_cert, > + cms_key) > + if os.system(signcmd) != 0: > + bb.fatal("Failed to sign sw-description with %s" % (privkey)) > + else: > + bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism."); > > line = 'for i in ' + ' '.join(list_for_cpio) + '; do echo $i;done | cpio -ov -H crc >' + os.path.join(deploydir,d.getVar('IMAGE_NAME', True) + '.swu') > os.system("cd " + s + ";" + line) > Acked-by: Stefano Babic <sbabic@denx.de> Best regards, Stefano Babic
On 17/08/2017 10:25, Maciej Pijanowski wrote: > Signed-off-by: Maciej Pijanowski <maciej.pijanowski@3mdeb.com> > --- > classes/swupdate.bbclass | 46 +++++++++++++++++++++++++++++++++++++--------- > 1 file changed, 37 insertions(+), 9 deletions(-) > > diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass > index 44e45461401c..28297ca41a1c 100644 > --- a/classes/swupdate.bbclass > +++ b/classes/swupdate.bbclass > @@ -1,5 +1,5 @@ > # Copyright (C) 2015 Stefano Babic <sbabic@denx.de> > -# > +# > # Some parts from the patch class > # > # swupdate allows to generate a compound image for the > @@ -14,7 +14,7 @@ > > S = "${WORKDIR}/${PN}" > > -DEPENDS += "${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING', True) == '1' else ''}" > +DEPENDS += "${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING', True) else ''}" > IMAGE_DEPENDS ?= "" > > def swupdate_is_hash_needed(s, filename): > @@ -101,7 +101,7 @@ python do_swuimage () { > fetch = bb.fetch2.Fetch([], d) > list_for_cpio = ["sw-description"] > > - if d.getVar('SWUPDATE_SIGNING', True) == '1': > + if d.getVar('SWUPDATE_SIGNING', True): > list_for_cpio.append('sw-description.sig') > > for url in fetch.urls: 
> @@ -140,12 +140,20 @@ python do_swuimage () { > hash = swupdate_get_sha256(s, file) > swupdate_write_sha256(s, file, hash) > > - if d.getVar('SWUPDATE_SIGNING', True) == '1': > - sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True) > - if sign_tool: > - if os.system(sign_tool) != 0: > - bb.fatal("Failed to sign with %s" % (sign_tool)) > - else: > + signing = d.getVar('SWUPDATE_SIGNING', True) > + if signing == "1": > + bb.warn('SWUPDATE_SIGNING = "1" is deprecated, falling back to "RSA". It is advised to set it to "RSA" if using RSA signing.') > + signing = "RSA" > + if signing: > + if signing == "CUSTOM": > + sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True) > + if sign_tool: > + ret = os.system(sign_tool) > + if ret != 0: > + bb.fatal("Failed to sign with %s" % (sign_tool)) > + else: > + bb.fatal("Custom SWUPDATE_SIGN_TOOL is not given") > + elif signing == "RSA": > privkey = d.getVar('SWUPDATE_PRIVATE_KEY', True) > if not privkey: > bb.fatal("SWUPDATE_PRIVATE_KEY isn't set") 
> @@ -163,6 +171,26 @@ python do_swuimage () { > os.path.join(s, 'sw-description')) > if os.system(signcmd) != 0: > bb.fatal("Failed to sign sw-description with %s" % (privkey)) > + elif signing == "CMS": > + cms_cert = d.getVar('SWUPDATE_CMS_CERT', True) > + if not cms_cert: > + bb.fatal("SWUPDATE_CMS_CERT is not set") > + if not os.path.exists(cms_cert): > + bb.fatal("SWUPDATE_CMS_CERT %s doesn't exist" % (cms_cert)) > + cms_key = d.getVar('SWUPDATE_CMS_KEY', True) > + if not cms_key: > + bb.fatal("SWUPDATE_CMS_KEY isn't set") > + if not os.path.exists(cms_key): > + bb.fatal("SWUPDATE_CMS_KEY %s doesn't exist" % (cms_key)) > + signcmd = "openssl cms -sign -in '%s' -out '%s' -signer '%s' -inkey '%s' -outform DER -nosmimecap -binary" % ( > + os.path.join(s, 'sw-description'), > + os.path.join(s, 'sw-description.sig'), > + cms_cert, > + cms_key) > + if os.system(signcmd) != 0: > + bb.fatal("Failed to sign sw-description with %s" % (privkey)) > + else: > + bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism."); > > line = 'for i in ' + ' '.join(list_for_cpio) + '; do echo $i;done | cpio -ov -H crc >' + os.path.join(deploydir,d.getVar('IMAGE_NAME', True) + '.swu') > os.system("cd " + s + ";" + line) > Applied to -master, -pyro, thanks ! Best regards, Stefano Babic
Hi Stefano and Maciej, I just wanted to let you know that with this change an update of the documentation in the README is required, as now SWUPDATE_SIGNING can have values CUSTOM, RSA or CMS. https://github.com/sbabic/meta-swupdate/blob/master/README#L21 Bests, Diego Rondini Sr. Embedded Engineer Kynetics www.kynetics.com On Mon, Aug 21, 2017 at 11:16 AM, Stefano Babic <sbabic@denx.de> wrote: > On 17/08/2017 10:25, Maciej Pijanowski wrote: > > Signed-off-by: Maciej Pijanowski <maciej.pijanowski@3mdeb.com> > > --- > > classes/swupdate.bbclass | 46 ++++++++++++++++++++++++++++++ > +++++++--------- > > 1 file changed, 37 insertions(+), 9 deletions(-) > > > > diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass > > index 44e45461401c..28297ca41a1c 100644 > > --- a/classes/swupdate.bbclass > > +++ b/classes/swupdate.bbclass > > @@ -1,5 +1,5 @@ > > # Copyright (C) 2015 Stefano Babic <sbabic@denx.de> > > -# > > +# > > # Some parts from the patch class > > # > > # swupdate allows to generate a compound image for the > > @@ -14,7 +14,7 @@ > > > > S = "${WORKDIR}/${PN}" > > > > -DEPENDS += "${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING', True) > == '1' else ''}" > > +DEPENDS += "${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING', True) > else ''}" > > IMAGE_DEPENDS ?= "" > > > > def swupdate_is_hash_needed(s, filename): > > @@ -101,7 +101,7 @@ python do_swuimage () { > > fetch = bb.fetch2.Fetch([], d) > > list_for_cpio = ["sw-description"] > > > > - if d.getVar('SWUPDATE_SIGNING', True) == '1': > > + if d.getVar('SWUPDATE_SIGNING', True): > > list_for_cpio.append('sw-description.sig') > > > > for url in fetch.urls: 
> > @@ -140,12 +140,20 @@ python do_swuimage () { > > hash = swupdate_get_sha256(s, file) > > swupdate_write_sha256(s, file, hash) > > > > - if d.getVar('SWUPDATE_SIGNING', True) == '1': > > - sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True) > > - if sign_tool: > > - if os.system(sign_tool) != 0: > > - bb.fatal("Failed to sign with %s" % (sign_tool)) > > - else: > > + signing = d.getVar('SWUPDATE_SIGNING', True) > > + if signing == "1": > > + bb.warn('SWUPDATE_SIGNING = "1" is deprecated, falling back to > "RSA". It is advised to set it to "RSA" if using RSA signing.') > > + signing = "RSA" > > + if signing: > > + if signing == "CUSTOM": > > + sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True) > > + if sign_tool: > > + ret = os.system(sign_tool) > > + if ret != 0: > > + bb.fatal("Failed to sign with %s" % (sign_tool)) > > + else: > > + bb.fatal("Custom SWUPDATE_SIGN_TOOL is not given") > > + elif signing == "RSA": > > privkey = d.getVar('SWUPDATE_PRIVATE_KEY', True) > > if not privkey: > > bb.fatal("SWUPDATE_PRIVATE_KEY isn't set") 
> > @@ -163,6 +171,26 @@ python do_swuimage () { > > os.path.join(s, 'sw-description')) > > if os.system(signcmd) != 0: > > bb.fatal("Failed to sign sw-description with %s" % > (privkey)) > > + elif signing == "CMS": > > + cms_cert = d.getVar('SWUPDATE_CMS_CERT', True) > > + if not cms_cert: > > + bb.fatal("SWUPDATE_CMS_CERT is not set") > > + if not os.path.exists(cms_cert): > > + bb.fatal("SWUPDATE_CMS_CERT %s doesn't exist" % > (cms_cert)) > > + cms_key = d.getVar('SWUPDATE_CMS_KEY', True) > > + if not cms_key: > > + bb.fatal("SWUPDATE_CMS_KEY isn't set") > > + if not os.path.exists(cms_key): > > + bb.fatal("SWUPDATE_CMS_KEY %s doesn't exist" % > (cms_key)) > > + signcmd = "openssl cms -sign -in '%s' -out '%s' -signer > '%s' -inkey '%s' -outform DER -nosmimecap -binary" % ( > > + os.path.join(s, 'sw-description'), > > + os.path.join(s, 'sw-description.sig'), > > + cms_cert, > > + cms_key) > > + if os.system(signcmd) != 0: > > + bb.fatal("Failed to sign sw-description with %s" % > (privkey)) > > + else: > > + bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism."); > > > > line = 'for i in ' + ' '.join(list_for_cpio) + '; do echo $i;done | > cpio -ov -H crc >' + os.path.join(deploydir,d.getVar('IMAGE_NAME', True) > + '.swu') > > os.system("cd " + s + ";" + line) > > > > Applied to -master, -pyro, thanks ! > > Best regards, > Stefano Babic > > -- > ===================================================================== > DENX Software Engineering GmbH, Managing Director: Wolfgang Denk > HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany > Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic@denx.de > ===================================================================== > > -- > You received this message because you are subscribed to the Google Groups > "swupdate" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to swupdate+unsubscribe@googlegroups.com. 
> To post to this group, send email to swupdate@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. >
Hi Diego, Maciej, On 07/09/2017 10:26, Diego Rondini wrote: > Hi Stefano and Maciej, > > I just wanted to let you know that with this change an update of the > documentation in the README is required, as now SWUPDATE_SIGNING can > have values CUSTOM, RSA or CMS. > > https://github.com/sbabic/meta-swupdate/blob/master/README#L21 > Right. Maciej promised to send pacthes for documentation when these patches were merged...Maciej ? Regards, Stefano > Bests, > Diego Rondini > Sr. Embedded Engineer > > Kynetics > www.kynetics.com <http://www.kynetics.com> > > > On Mon, Aug 21, 2017 at 11:16 AM, Stefano Babic <sbabic@denx.de > <mailto:sbabic@denx.de>> wrote: > > On 17/08/2017 10:25, Maciej Pijanowski wrote: > > Signed-off-by: Maciej Pijanowski <maciej.pijanowski@3mdeb.com > <mailto:maciej.pijanowski@3mdeb.com>> > > --- > > classes/swupdate.bbclass | 46 > +++++++++++++++++++++++++++++++++++++--------- > > 1 file changed, 37 insertions(+), 9 deletions(-) > > > > diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass > > index 44e45461401c..28297ca41a1c 100644 > > --- a/classes/swupdate.bbclass > > +++ b/classes/swupdate.bbclass > > @@ -1,5 +1,5 @@ > > # Copyright (C) 2015 Stefano Babic <sbabic@denx.de > <mailto:sbabic@denx.de>> > > -# > > +# > > # Some parts from the patch class > > # > > # swupdate allows to generate a compound image for the > > @@ -14,7 +14,7 @@ > > > > S = "${WORKDIR}/${PN}" > > > > -DEPENDS += "${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING', > True) == '1' else ''}" > > +DEPENDS += "${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING', > True) else ''}" > > IMAGE_DEPENDS ?= "" > > > > def swupdate_is_hash_needed(s, filename): > > @@ -101,7 +101,7 @@ python do_swuimage () { > > fetch = bb.fetch2.Fetch([], d) > > list_for_cpio = ["sw-description"] > > > > - if d.getVar('SWUPDATE_SIGNING', True) == '1': > > + if d.getVar('SWUPDATE_SIGNING', True): > > list_for_cpio.append('sw-description.sig') > > > > for url in fetch.urls: 
> > @@ -140,12 +140,20 @@ python do_swuimage () { > > hash = swupdate_get_sha256(s, file) > > swupdate_write_sha256(s, file, hash) > > > > - if d.getVar('SWUPDATE_SIGNING', True) == '1': > > - sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True) > > - if sign_tool: > > - if os.system(sign_tool) != 0: > > - bb.fatal("Failed to sign with %s" % (sign_tool)) > > - else: > > + signing = d.getVar('SWUPDATE_SIGNING', True) > > + if signing == "1": > > + bb.warn('SWUPDATE_SIGNING = "1" is deprecated, falling > back to "RSA". It is advised to set it to "RSA" if using RSA signing.') > > + signing = "RSA" > > + if signing: > > + if signing == "CUSTOM": > > + sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True) > > + if sign_tool: > > + ret = os.system(sign_tool) > > + if ret != 0: > > + bb.fatal("Failed to sign with %s" % (sign_tool)) > > + else: > > + bb.fatal("Custom SWUPDATE_SIGN_TOOL is not given") > > + elif signing == "RSA": > > privkey = d.getVar('SWUPDATE_PRIVATE_KEY', True) > > if not privkey: > > bb.fatal("SWUPDATE_PRIVATE_KEY isn't set") 
> > @@ -163,6 +171,26 @@ python do_swuimage () { > > os.path.join(s, 'sw-description')) > > if os.system(signcmd) != 0: > > bb.fatal("Failed to sign sw-description with %s" > % (privkey)) > > + elif signing == "CMS": > > + cms_cert = d.getVar('SWUPDATE_CMS_CERT', True) > > + if not cms_cert: > > + bb.fatal("SWUPDATE_CMS_CERT is not set") > > + if not os.path.exists(cms_cert): > > + bb.fatal("SWUPDATE_CMS_CERT %s doesn't exist" % > (cms_cert)) > > + cms_key = d.getVar('SWUPDATE_CMS_KEY', True) > > + if not cms_key: > > + bb.fatal("SWUPDATE_CMS_KEY isn't set") > > + if not os.path.exists(cms_key): > > + bb.fatal("SWUPDATE_CMS_KEY %s doesn't exist" % > (cms_key)) > > + signcmd = "openssl cms -sign -in '%s' -out '%s' > -signer '%s' -inkey '%s' -outform DER -nosmimecap -binary" % ( > > + os.path.join(s, 'sw-description'), > > + os.path.join(s, 'sw-description.sig'), > > + cms_cert, > > + cms_key) > > + if os.system(signcmd) != 0: > > + bb.fatal("Failed to sign sw-description with %s" > % (privkey)) > > + else: > > + bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism."); > > > > line = 'for i in ' + ' '.join(list_for_cpio) + '; do echo > $i;done | cpio -ov -H crc >' + > os.path.join(deploydir,d.getVar('IMAGE_NAME', True) + '.swu') > > os.system("cd " + s + ";" + line) > > > > Applied to -master, -pyro, thanks ! > > Best regards, > Stefano Babic > > -- > ===================================================================== > DENX Software Engineering GmbH, Managing Director: Wolfgang Denk > HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany > Phone: +49-8142-66989-53 <tel:%2B49-8142-66989-53> Fax: > +49-8142-66989-80 <tel:%2B49-8142-66989-80> Email: sbabic@denx.de > <mailto:sbabic@denx.de> > ===================================================================== > > -- > You received this message because you are subscribed to the Google > Groups "swupdate" group. 
> To unsubscribe from this group and stop receiving emails from it, > send an email to swupdate+unsubscribe@googlegroups.com > <mailto:swupdate%2Bunsubscribe@googlegroups.com>. > To post to this group, send email to swupdate@googlegroups.com > <mailto:swupdate@googlegroups.com>. > For more options, visit https://groups.google.com/d/optout > <https://groups.google.com/d/optout>. > > > > -- > You received this message because you are subscribed to the Google > Groups "swupdate" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to swupdate+unsubscribe@googlegroups.com > <mailto:swupdate+unsubscribe@googlegroups.com>. > To post to this group, send email to swupdate@googlegroups.com > <mailto:swupdate@googlegroups.com>. > For more options, visit https://groups.google.com/d/optout.
On 07.09.2017 10:26, Diego Rondini wrote: > Hi Stefano and Maciej, Hi! > > I just wanted to let you know that with this change an update of the > documentation in the README is required, as now SWUPDATE_SIGNING can > have values CUSTOM, RSA or CMS. > https://github.com/sbabic/meta-swupdate/blob/master/README#L21 Thanks for your your interest in this matter. I will try to send a patch till the end of the week to SWUpdate documentation as according to prior messages we would like to have meta-swupdate documented in documentation instead of readme. > > Bests, > Diego Rondini > Sr. Embedded Engineer > > Kynetics > www.kynetics.com <http://www.kynetics.com> > > > On Mon, Aug 21, 2017 at 11:16 AM, Stefano Babic <sbabic@denx.de > <mailto:sbabic@denx.de>> wrote: > > On 17/08/2017 10:25, Maciej Pijanowski wrote: > > Signed-off-by: Maciej Pijanowski <maciej.pijanowski@3mdeb.com > <mailto:maciej.pijanowski@3mdeb.com>> > > --- > > classes/swupdate.bbclass | 46 > +++++++++++++++++++++++++++++++++++++--------- > > 1 file changed, 37 insertions(+), 9 deletions(-) > > > > diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass > > index 44e45461401c..28297ca41a1c 100644 > > --- a/classes/swupdate.bbclass > > +++ b/classes/swupdate.bbclass > > @@ -1,5 +1,5 @@ > > # Copyright (C) 2015 Stefano Babic <sbabic@denx.de > <mailto:sbabic@denx.de>> > > -# > > +# > > # Some parts from the patch class > > # > > # swupdate allows to generate a compound image for the > > @@ -14,7 +14,7 @@ > > > > S = "${WORKDIR}/${PN}" > > > > -DEPENDS += "${@ 'openssl-native' if > d.getVar('SWUPDATE_SIGNING', True) == '1' else ''}" > > +DEPENDS += "${@ 'openssl-native' if > d.getVar('SWUPDATE_SIGNING', True) else ''}" > > IMAGE_DEPENDS ?= "" > > > > def swupdate_is_hash_needed(s, filename): 
> > @@ -101,7 +101,7 @@ python do_swuimage () { > > fetch = bb.fetch2.Fetch([], d) > > list_for_cpio = ["sw-description"] > > > > - if d.getVar('SWUPDATE_SIGNING', True) == '1': > > + if d.getVar('SWUPDATE_SIGNING', True): > > list_for_cpio.append('sw-description.sig') > > > > for url in fetch.urls: > > @@ -140,12 +140,20 @@ python do_swuimage () { > > hash = swupdate_get_sha256(s, file) > > swupdate_write_sha256(s, file, hash) > > > > - if d.getVar('SWUPDATE_SIGNING', True) == '1': > > - sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True) > > - if sign_tool: > > - if os.system(sign_tool) != 0: > > - bb.fatal("Failed to sign with %s" % (sign_tool)) > > - else: > > + signing = d.getVar('SWUPDATE_SIGNING', True) > > + if signing == "1": > > + bb.warn('SWUPDATE_SIGNING = "1" is deprecated, falling > back to "RSA". It is advised to set it to "RSA" if using RSA > signing.') > > + signing = "RSA" > > + if signing: > > + if signing == "CUSTOM": > > + sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True) > > + if sign_tool: > > + ret = os.system(sign_tool) > > + if ret != 0: > > + bb.fatal("Failed to sign with %s" % > (sign_tool)) > > + else: > > + bb.fatal("Custom SWUPDATE_SIGN_TOOL is not given") > > + elif signing == "RSA": > > privkey = d.getVar('SWUPDATE_PRIVATE_KEY', True) > > if not privkey: > > bb.fatal("SWUPDATE_PRIVATE_KEY isn't set") 
> > @@ -163,6 +171,26 @@ python do_swuimage () { > > os.path.join(s, 'sw-description')) > > if os.system(signcmd) != 0: > > bb.fatal("Failed to sign sw-description with > %s" % (privkey)) > > + elif signing == "CMS": > > + cms_cert = d.getVar('SWUPDATE_CMS_CERT', True) > > + if not cms_cert: > > + bb.fatal("SWUPDATE_CMS_CERT is not set") > > + if not os.path.exists(cms_cert): > > + bb.fatal("SWUPDATE_CMS_CERT %s doesn't exist" % (cms_cert)) > > + cms_key = d.getVar('SWUPDATE_CMS_KEY', True) > > + if not cms_key: > > + bb.fatal("SWUPDATE_CMS_KEY isn't set") > > + if not os.path.exists(cms_key): > > + bb.fatal("SWUPDATE_CMS_KEY %s doesn't exist" % (cms_key)) > > + signcmd = "openssl cms -sign -in '%s' -out '%s' > -signer '%s' -inkey '%s' -outform DER -nosmimecap -binary" % ( > > + os.path.join(s, 'sw-description'), > > + os.path.join(s, 'sw-description.sig'), > > + cms_cert, > > + cms_key) > > + if os.system(signcmd) != 0: > > + bb.fatal("Failed to sign sw-description with > %s" % (privkey)) > > + else: > > + bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism."); > > > > line = 'for i in ' + ' '.join(list_for_cpio) + '; do echo > $i;done | cpio -ov -H crc >' + > os.path.join(deploydir,d.getVar('IMAGE_NAME', True) + '.swu') > > os.system("cd " + s + ";" + line) > > > > Applied to -master, -pyro, thanks ! > > Best regards, > Stefano Babic > > -- > ===================================================================== > DENX Software Engineering GmbH, Managing Director: Wolfgang Denk > HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany > Phone: +49-8142-66989-53 <tel:%2B49-8142-66989-53> Fax: > +49-8142-66989-80 <tel:%2B49-8142-66989-80> Email: sbabic@denx.de > <mailto:sbabic@denx.de> > ===================================================================== > > -- > You received this message because you are subscribed to the Google > Groups "swupdate" group. 
> To unsubscribe from this group and stop receiving emails from it, > send an email to swupdate+unsubscribe@googlegroups.com > <mailto:swupdate%2Bunsubscribe@googlegroups.com>. > To post to this group, send email to swupdate@googlegroups.com > <mailto:swupdate@googlegroups.com>. > For more options, visit https://groups.google.com/d/optout > <https://groups.google.com/d/optout>. > > >
diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index 44e45461401c..28297ca41a1c 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -1,5 +1,5 @@
 # Copyright (C) 2015 Stefano Babic <sbabic@denx.de>
-#
+#
 # Some parts from the patch class
 #
 # swupdate allows to generate a compound image for the
@@ -14,7 +14,7 @@
 
 S = "${WORKDIR}/${PN}"
 
-DEPENDS += "${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING', True) == '1' else ''}"
+DEPENDS += "${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING', True) else ''}"
 IMAGE_DEPENDS ?= ""
 
 def swupdate_is_hash_needed(s, filename):
@@ -101,7 +101,7 @@ python do_swuimage () {
 fetch = bb.fetch2.Fetch([], d)
 list_for_cpio = ["sw-description"]
 
- if d.getVar('SWUPDATE_SIGNING', True) == '1':
+ if d.getVar('SWUPDATE_SIGNING', True):
 list_for_cpio.append('sw-description.sig')
 
 for url in fetch.urls:
@@ -140,12 +140,20 @@ python do_swuimage () {
 hash = swupdate_get_sha256(s, file)
 swupdate_write_sha256(s, file, hash)
 
- if d.getVar('SWUPDATE_SIGNING', True) == '1':
- sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True)
- if sign_tool:
- if os.system(sign_tool) != 0:
- bb.fatal("Failed to sign with %s" % (sign_tool))
- else:
+ signing = d.getVar('SWUPDATE_SIGNING', True)
+ if signing == "1":
+ bb.warn('SWUPDATE_SIGNING = "1" is deprecated, falling back to "RSA". It is advised to set it to "RSA" if using RSA signing.')
+ signing = "RSA"
+ if signing:
+ if signing == "CUSTOM":
+ sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True)
+ if sign_tool:
+ ret = os.system(sign_tool)
+ if ret != 0:
+ bb.fatal("Failed to sign with %s" % (sign_tool))
+ else:
+ bb.fatal("Custom SWUPDATE_SIGN_TOOL is not given")
+ elif signing == "RSA":
 privkey = d.getVar('SWUPDATE_PRIVATE_KEY', True)
 if not privkey:
 bb.fatal("SWUPDATE_PRIVATE_KEY isn't set")
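Review bot: Mapping the deprecated `SWUPDATE_SIGNING = "1"` straight to `"RSA"` in the `-140,12 +140,20` hunk drops the precedence that `SWUPDATE_SIGN_TOOL` had before: a configuration that set "1" together with a sign tool used to run that tool, and now it is signed with `SWUPDATE_PRIVATE_KEY` or stops with "SWUPDATE_PRIVATE_KEY isn't set", with only the deprecation warning as a hint. For a build that delegates signing to an external tool, that changes which key signs the image. The fallback could keep the old behaviour with `signing = "CUSTOM" if d.getVar('SWUPDATE_SIGN_TOOL', True) else "RSA"`, and the warning text adjusted to say which mechanism was chosen. The truthiness tests in the `-14,7` and `-101,7` hunks likewise make any non-empty value, "0" included, pull in openssl-native and list sw-description.sig before the later branch rejects it. do_swuimage starts and ends outside these hunks.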
@@ -163,6 +171,26 @@ python do_swuimage () {
 os.path.join(s, 'sw-description'))
 if os.system(signcmd) != 0:
 bb.fatal("Failed to sign sw-description with %s" % (privkey))
+ elif signing == "CMS":
+ cms_cert = d.getVar('SWUPDATE_CMS_CERT', True)
+ if not cms_cert:
+ bb.fatal("SWUPDATE_CMS_CERT is not set")
+ if not os.path.exists(cms_cert):
+ bb.fatal("SWUPDATE_CMS_CERT %s doesn't exist" % (cms_cert))
+ cms_key = d.getVar('SWUPDATE_CMS_KEY', True)
+ if not cms_key:
+ bb.fatal("SWUPDATE_CMS_KEY isn't set")
+ if not os.path.exists(cms_key):
+ bb.fatal("SWUPDATE_CMS_KEY %s doesn't exist" % (cms_key))
+ signcmd = "openssl cms -sign -in '%s' -out '%s' -signer '%s' -inkey '%s' -outform DER -nosmimecap -binary" % (
+ os.path.join(s, 'sw-description'),
+ os.path.join(s, 'sw-description.sig'),
+ cms_cert,
+ cms_key)
+ if os.system(signcmd) != 0:
+ bb.fatal("Failed to sign sw-description with %s" % (privkey))
+ else:
+ bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism.");
 
 line = 'for i in ' + ' '.join(list_for_cpio) + '; do echo $i;done | cpio -ov -H crc >' + os.path.join(deploydir,d.getVar('IMAGE_NAME', True) + '.swu')
 os.system("cd " + s + ";" + line)
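Review bot: The failure path of the new CMS branch formats its message with `privkey`, which in the visible code is assigned only in the RSA branch, so a failing `openssl cms` call would end in a NameError traceback rather than the intended fatal message; the line should read `bb.fatal("Failed to sign sw-description with %s" % (cms_key))`. The certificate and key paths are also pasted into a shell string between single quotes, so a path that contains a quote changes the command that `os.system` runs; building the command as an argument list and running it without a shell would remove that dependency on the path contents. `os.path.exists` also accepts a directory, where `os.path.isfile` would reject it before openssl is started. do_swuimage continues outside the hunk.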
Signed-off-by: Maciej Pijanowski <maciej.pijanowski@3mdeb.com> --- classes/swupdate.bbclass | 46 +++++++++++++++++++++++++++++++++++++--------- 1 file changed, 37 insertions(+), 9 deletions(-)