示例#1
    def _sign_image(self, image, parsegen):
        """Sign ``image`` as ``self.authority`` and store the result on ``parsegen``.

        Logs which other supported authorities already signed the image, refuses
        to re-sign when this authority's signature is present but it is not the
        authority reported by ``highest_authority``, then runs the signer built
        from ``image.signer_config`` and writes its signature and certificate
        chain back onto ``parsegen``.

        Raises:
            RuntimeError: ``self.authority`` already signed the image but is not
                the most recently signing authority.
        """
        target = image.image_under_operation
        mine = self.authority

        # Informational: report every other authority that already signed.
        others = [a for a in self.AUTHORITIES_SUPPORTED if a != mine]
        for other in others:
            if parsegen.is_signed(other):
                logger.info(target + ' is already ' + str(other) + '-signed.')

        # Authorities whose signature is present, in AUTHORITIES_SUPPORTED order.
        already_signed = [a for a in self.AUTHORITIES_SUPPORTED if parsegen.is_signed(a)]

        # NOTE(review): this passes highest_authority a one-element list holding a
        # single bool (whether OEM is in already_signed), not the list of signing
        # authorities itself. Confirm that is the helper's expected input; if it
        # is not, the re-sign guard below compares against the wrong value.
        last_signed_authority = self.highest_authority([AUTHORITY_OEM in already_signed])

        # An authority may only re-sign if it was the last one to sign.
        if mine in already_signed and mine != last_signed_authority:
            raise RuntimeError("Cannot resign as {0} because image is already signed by {1}"
                               .format(mine, last_signed_authority))

        if parsegen.is_signed(mine):
            status = target + ' is already signed. Re-signing image.'
        else:
            status = 'Signing image: ' + target
        logger.info(status)

        signer = get_signer(image.signer_config)
        sign_assets = signer.sign(
            parsegen.data_to_sign, image, debug_dir=image.dest_image.debug_dir_signer,
            is_hash=parsegen.is_data_hash, parsegen=parsegen)

        # Persist the signer output on the parser object.
        parsegen.data_signature = sign_assets.signature
        parsegen.cert_chain = sign_assets.cert_chain

        # Dump any debug information
        self.dump_signer_debug_data(image, sign_assets, parsegen)
    def _sign_image(self, image, parsegen):
        """Run the ``self.authority`` signer over ``image`` and record the result.

        Reports any other supported authority that already signed the image,
        logs whether this is a first signing or a re-run for ``self.authority``,
        then calls the signer built from ``image.config`` and stores the returned
        signature and certificate chain on ``parsegen``.
        """
        from sectools.features.isc.signer import get_signer

        target = image.image_under_operation
        mine = self.authority

        # Informational: report the other authorities' existing signatures.
        for other in defines.AUTHORITIES_SUPPORTED:
            if other == mine:
                continue
            if parsegen.is_signed(other):
                logger.info(target + ' is already ' + str(other) + '-signed.')

        # NOTE(review): nothing here refuses to re-sign when this authority is not
        # the most recent signer; confirm that policy is enforced elsewhere.
        if parsegen.is_signed(mine):
            logger.info(target + ' is already ' + mine + '-signed. Rerunning ' + mine + ' sign.')
        else:
            logger.info('Performing ' + mine + ' sign on image: ' + target)

        signer = get_signer(image.config)

        # TODO: sanity-check that parsegen.data_to_sign is stable across reads
        # before handing it to the signer.

        sign_assets = signer.sign(parsegen.data_to_sign, image,
                                  image.dest_image.debug_dir_signer,
                                  parsegen.is_data_hash)

        # Persist the signer output on the parser object.
        parsegen.data_signature = sign_assets.signature
        parsegen.cert_chain = sign_assets.cert_chain

        # Dump any debug information
        self.dump_signer_debug_data(image, sign_assets, parsegen)
示例#3
 def _validate_sign(self, image, parsegen):
     """Verify the signature already present on ``image``.

     Builds the signer from ``image.config`` and asks it to validate the
     signature against ``image.validation_root_cert_hash``.

     Raises:
         RuntimeError: the image carries a signature that does not validate.
         CustomError: the image carries no signature at all.
     """
     target = image.image_under_operation
     if not parsegen.is_signed():
         raise CustomError('Image ' + target + ' is not signed')

     signer = get_signer(image.config)
     is_valid = signer.validate(parsegen, image.validation_root_cert_hash, image)
     if not is_valid:
         raise RuntimeError('Image ' + target + ' signature is not valid')
     logger.info('Image ' + target + ' signature is valid')
示例#4
 def _validate_sign(self, image, parsegen):
     """Verify the signature on ``image`` using the signer from ``image.signer_config``.

     Raises:
         RuntimeError: the signature is present but fails validation, or the
             image is unsigned while it is in ``self.image_info_list`` and
             ``self.enforce_signed`` is set.
         CustomError: the image is unsigned and the enforcement condition
             above does not hold.
     """
     target = image.image_under_operation
     if parsegen.is_signed():
         signer = get_signer(image.signer_config)
         if not signer.validate(parsegen, imageinfo=image):
             raise RuntimeError('Image ' + target + ' signature is not valid')
         logger.info('Image ' + target + ' signature is valid')
         return

     message = 'Image ' + target + ' is not signed'
     # An unsigned image is a hard error only when signing is enforced for an
     # image in this run's list; otherwise raise CustomError instead.
     must_be_signed = image in self.image_info_list and self.enforce_signed
     if must_be_signed:
         raise RuntimeError(message)
     raise CustomError(message)
示例#5
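    def _sign_image(self, image, parsegen):
        """Sign ``image`` with the signer built from ``image.config`` and record
        the signature and certificate chain on ``parsegen``.

        Logs whether this is a first signing or a re-signing of an already
        signed image, dumps the signer's debug data, then stores its output.
        """
        from sectools.features.isc.signer import get_signer

        target = image.image_under_operation
        # Bug fix: the original conditional expression attached ' image: ' +
        # name only to the 'Signing' branch, so re-signing logged a bare
        # 'Resigning signed' with no image name. Choose the verb first so both
        # branches carry the image name.
        verb = 'Resigning signed' if parsegen.is_signed() else 'Signing'
        logger.info(verb + ' image: ' + target)

        signer = get_signer(image.config)

        # TODO: sanity-check that parsegen.data_to_sign is stable across reads
        # before handing it to the signer.

        sign_assets = signer.sign(parsegen.data_to_sign, image,
                                  image.dest_image.debug_dir_signer,
                                  parsegen.is_data_hash)

        # Dump any debug information (before parsegen is updated, as in the
        # original ordering).
        self.dump_signer_debug_data(image, sign_assets)

        # Persist the signer output on the parser object.
        parsegen.data_signature = sign_assets.signature
        parsegen.cert_chain = sign_assets.cert_chain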