summaryrefslogtreecommitdiffstats
path: root/scripts/sign-file
diff options
context:
space:
mode:
authorRusty Russell <rusty@rustcorp.com.au>2012-10-19 03:23:15 +0200
committerLinus Torvalds <torvalds@linux-foundation.org>2012-10-19 17:27:43 +0200
commite2a666d52b4825c26c857cada211f3baac26a600 (patch)
treeb7e91bd10e8c1b2932ffd1716fde3abccd7c4dd8 /scripts/sign-file
parentMerge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git... (diff)
downloadlinux-e2a666d52b4825c26c857cada211f3baac26a600.tar.xz
linux-e2a666d52b4825c26c857cada211f3baac26a600.zip
kbuild: sign the modules at install time
Linus deleted the old code and put signing on the install command, I fixed it to extract the keyid and signer-name within sign-file and cleaned up that script now it always signs in-place. Some enthusiast should convert sign-key to perl and pull x509keyid into it. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'scripts/sign-file')
-rw-r--r--scripts/sign-file44
1 files changed, 18 insertions, 26 deletions
diff --git a/scripts/sign-file b/scripts/sign-file
index e58e34e50ac5..095a953bdb8e 100644
--- a/scripts/sign-file
+++ b/scripts/sign-file
@@ -1,8 +1,8 @@
-#!/bin/sh
+#!/bin/bash
#
# Sign a module file using the given key.
#
-# Format: sign-file <key> <x509> <src-file> <dst-file>
+# Format: sign-file <key> <x509> <keyid-script> <module>
#
scripts=`dirname $0`
@@ -15,8 +15,8 @@ fi
key="$1"
x509="$2"
-src="$3"
-dst="$4"
+keyid_script="$3"
+mod="$4"
if [ ! -r "$key" ]
then
@@ -29,16 +29,6 @@ then
echo "Can't read X.509 certificate" >&2
exit 2
fi
-if [ ! -r "$x509.signer" ]
-then
- echo "Can't read Signer name" >&2
- exit 2;
-fi
-if [ ! -r "$x509.keyid" ]
-then
- echo "Can't read Key identifier" >&2
- exit 2;
-fi
#
# Signature parameters
@@ -83,33 +73,35 @@ fi
(
perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" || exit $?
-openssl dgst $dgst -binary $src || exit $?
-) >$src.dig || exit $?
+openssl dgst $dgst -binary $mod || exit $?
+) >$mod.dig || exit $?
#
# Generate the binary signature, which will be just the integer that comprises
# the signature with no metadata attached.
#
-openssl rsautl -sign -inkey $key -keyform PEM -in $src.dig -out $src.sig || exit $?
-signerlen=`stat -c %s $x509.signer`
-keyidlen=`stat -c %s $x509.keyid`
-siglen=`stat -c %s $src.sig`
+openssl rsautl -sign -inkey $key -keyform PEM -in $mod.dig -out $mod.sig || exit $?
+
+SIGNER="`perl $keyid_script $x509 signer-name`"
+KEYID="`perl $keyid_script $x509 keyid`"
+keyidlen=${#KEYID}
+siglen=${#SIGNER}
#
# Build the signed binary
#
(
- cat $src || exit $?
+ cat $mod || exit $?
echo '~Module signature appended~' || exit $?
- cat $x509.signer $x509.keyid || exit $?
+ echo -n "$SIGNER" || exit $?
+ echo -n "$KEYID" || exit $?
# Preface each signature integer with a 2-byte BE length
perl -e "binmode STDOUT; print pack(\"n\", $siglen)" || exit $?
- cat $src.sig || exit $?
+ cat $mod.sig || exit $?
# Generate the information block
perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" || exit $?
-) >$dst~ || exit $?
+) >$mod~ || exit $?
-# Permit in-place signing
-mv $dst~ $dst || exit $?
+mv $mod~ $mod || exit $?