def _sign_image(self, image, parsegen):
    """Sign ``image`` as ``self.authority`` and store the result on ``parsegen``.

    Order of operations:
      1. Log each *other* supported authority that has already signed.
      2. Refuse to sign when this authority has signed before but is not the
         most recently signing authority (an older signature must not be
         overwritten underneath a later one).
      3. Log first-signing vs. re-signing, sign ``parsegen.data_to_sign`` with
         the signer chosen by ``image.signer_config``, then write the
         signature and certificate chain back onto ``parsegen`` and dump
         signer debug data.

    Raises:
        RuntimeError: when the re-sign guard in step 2 trips.
    """
    name = image.image_under_operation

    # 1. Report existing signatures from every authority other than ours.
    for other in self.AUTHORITIES_SUPPORTED:
        if other == self.authority:
            continue
        if parsegen.is_signed(other):
            logger.info(name + ' is already ' + str(other) + '-signed.')

    # 2. Re-sign guard: only the last signing authority may sign again.
    already_signed_by = [a for a in self.AUTHORITIES_SUPPORTED if parsegen.is_signed(a)]
    # NOTE(review): highest_authority() is handed a one-element list holding a
    # bool (whether OEM is among the signers); confirm that is the argument
    # shape it expects rather than the list of authorities itself.
    last_signer = self.highest_authority([AUTHORITY_OEM in already_signed_by])
    if self.authority != last_signer and self.authority in already_signed_by:
        raise RuntimeError("Cannot resign as {0} because image is already signed by {1}"
                           .format(self.authority, last_signer))

    # 3. Sign (or re-sign) and persist the assets on the parser.
    if parsegen.is_signed(self.authority):
        logger.info(name + ' is already signed. Re-signing image.')
    else:
        logger.info('Signing image: ' + name)

    signer = get_signer(image.signer_config)
    sign_assets = signer.sign(parsegen.data_to_sign,
                              image,
                              debug_dir=image.dest_image.debug_dir_signer,
                              is_hash=parsegen.is_data_hash,
                              parsegen=parsegen)
    parsegen.data_signature = sign_assets.signature
    parsegen.cert_chain = sign_assets.cert_chain

    self.dump_signer_debug_data(image, sign_assets, parsegen)
def _sign_image(self, image, parsegen):
    """Sign ``image`` as ``self.authority`` and store the result on ``parsegen``.

    Logs any other supported authority that has already signed, logs whether
    this run is a first signing or a re-run, then signs
    ``parsegen.data_to_sign`` with the signer selected from ``image.config``
    and writes the signature and certificate chain back onto ``parsegen``.

    Unlike later revisions of this method there is no guard here against an
    authority re-signing an image that a different authority signed last;
    only the log line records that fact.
    """
    from sectools.features.isc.signer import get_signer

    name = image.image_under_operation

    # Report existing signatures from every authority other than ours.
    for other in defines.AUTHORITIES_SUPPORTED:
        if other == self.authority:
            continue
        if parsegen.is_signed(other):
            logger.info(name + ' is already ' + str(other) + '-signed.')

    # Report whether we are signing fresh or re-running our own signature.
    if parsegen.is_signed(self.authority):
        logger.info(name + ' is already ' + self.authority + '-signed. '
                    'Rerunning ' + self.authority + ' sign.')
    else:
        logger.info('Performing ' + self.authority + ' sign on image: ' + name)

    signer = get_signer(image.config)
    # TODO: sanity-check that parsegen.data_to_sign is stable across reads
    # (the bytes given to the signer must be the bytes later written out).
    sign_assets = signer.sign(parsegen.data_to_sign,
                              image,
                              image.dest_image.debug_dir_signer,
                              parsegen.is_data_hash)
    parsegen.data_signature = sign_assets.signature
    parsegen.cert_chain = sign_assets.cert_chain

    self.dump_signer_debug_data(image, sign_assets, parsegen)
def _validate_sign(self, image, parsegen):
    """Verify the signature already present on ``parsegen``.

    The signer chosen from ``image.config`` validates the signature against
    ``image.validation_root_cert_hash``.

    Raises:
        CustomError: if the image carries no signature at all.
        RuntimeError: if a signature is present but does not validate.
    """
    name = image.image_under_operation

    if not parsegen.is_signed():
        raise CustomError('Image ' + name + ' is not signed')

    signer = get_signer(image.config)
    if not signer.validate(parsegen, image.validation_root_cert_hash, image):
        raise RuntimeError('Image ' + name + ' signature is not valid')
    logger.info('Image ' + name + ' signature is valid')
def _validate_sign(self, image, parsegen):
    """Verify the signature already present on ``parsegen``.

    The signer chosen from ``image.signer_config`` validates the signature.

    Raises:
        RuntimeError: if a signature is present but does not validate, or if
            the image is unsigned while ``self.enforce_signed`` is set and the
            image is one of ``self.image_info_list``.
        CustomError: if the image is unsigned and the strict condition above
            does not apply.
    """
    name = image.image_under_operation

    if not parsegen.is_signed():
        message = 'Image ' + name + ' is not signed'
        # An unsigned image is only a hard failure for images this run is
        # responsible for and only when signing is being enforced.
        strict = image in self.image_info_list and self.enforce_signed
        if strict:
            raise RuntimeError(message)
        raise CustomError(message)

    signer = get_signer(image.signer_config)
    if not signer.validate(parsegen, imageinfo=image):
        raise RuntimeError('Image ' + name + ' signature is not valid')
    logger.info('Image ' + name + ' signature is valid')
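def _sign_image(self, image, parsegen):
    """Sign ``image`` and store the signature and certificate chain on ``parsegen``.

    Logs whether this is a first signing or a re-signing, signs
    ``parsegen.data_to_sign`` with the signer selected from ``image.config``,
    dumps signer debug data, then writes the signature and certificate chain
    back onto ``parsegen``.

    Fix: the original built the log line as
    ``'Resigning signed' if parsegen.is_signed() else 'Signing' ' image: ' + name``.
    Adjacent literals are joined at compile time, so the trailing
    ``' image: ' + name`` belonged only to the ``else`` branch and a
    re-signing logged just ``Resigning signed`` with no image name. The verb
    is now chosen first and the image name appended in both cases.
    """
    from sectools.features.isc.signer import get_signer

    name = image.image_under_operation
    verb = 'Resigning signed' if parsegen.is_signed() else 'Signing'
    logger.info(verb + ' image: ' + name)

    signer = get_signer(image.config)
    # Read the payload once so the bytes handed to the signer are the bytes
    # this call is accountable for.
    # TODO: sanity-check that parsegen.data_to_sign is stable across reads
    # (the bytes signed here must be the bytes later written out).
    data_to_sign = parsegen.data_to_sign
    sign_assets = signer.sign(data_to_sign,
                              image,
                              image.dest_image.debug_dir_signer,
                              parsegen.is_data_hash)

    # Debug dump happens before the assets are attached to the parser, as in
    # the original ordering.
    self.dump_signer_debug_data(image, sign_assets)

    parsegen.data_signature = sign_assets.signature
    parsegen.cert_chain = sign_assets.cert_chain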