build: store sha256_unsigned in JSON

Introduce `sha256_unsigned` which is a checksum of the image _before_ a
signature is attached. This is helpful to compare image reproducibility.

Since the `.sha256sum` file is located in the $(KDIR) folder, switch
$(BIN_DIR) with $(KDIR) to simplify the code. The value of $(BIN_DIR)
itself is not stored inside the resulting JSON file, so it can be
replaced.

Signed-off-by: Paul Spooren <mail@aparcar.org>
This commit is contained in:
Paul Spooren 2022-03-28 03:29:09 +01:00
parent 5e34b316c5
commit 8822a8d850
3 changed files with 16 additions and 7 deletions

View File

@ -81,6 +81,7 @@ metadata_json = \
define Build/append-metadata define Build/append-metadata
$(if $(SUPPORTED_DEVICES),-echo $(call metadata_json) | fwtool -I - $@) $(if $(SUPPORTED_DEVICES),-echo $(call metadata_json) | fwtool -I - $@)
sha256sum "$@" | cut -d" " -f1 > "$@.sha256sum"
[ ! -s "$(BUILD_KEY)" -o ! -s "$(BUILD_KEY).ucert" -o ! -s "$@" ] || { \ [ ! -s "$(BUILD_KEY)" -o ! -s "$(BUILD_KEY).ucert" -o ! -s "$@" ] || { \
cp "$(BUILD_KEY).ucert" "$@.ucert" ;\ cp "$(BUILD_KEY).ucert" "$@.ucert" ;\
usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\ usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\

View File

@ -493,9 +493,9 @@ define Device/Build/initramfs
$(BUILD_DIR)/json_info_files/$$(KERNEL_INITRAMFS_IMAGE).json: $(BIN_DIR)/$$(KERNEL_INITRAMFS_IMAGE) $(BUILD_DIR)/json_info_files/$$(KERNEL_INITRAMFS_IMAGE).json: $(BIN_DIR)/$$(KERNEL_INITRAMFS_IMAGE)
@mkdir -p $$(shell dirname $$@) @mkdir -p $$(shell dirname $$@)
DEVICE_ID="$(1)" \ DEVICE_ID="$(1)" \
BIN_DIR="$(BIN_DIR)" \
SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \ SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
FILE_NAME="$$(notdir $$^)" \ FILE_NAME="$$(notdir $$^)" \
FILE_DIR="$(KDIR)/tmp" \
FILE_TYPE="kernel" \ FILE_TYPE="kernel" \
FILE_FILESYSTEM="initramfs" \ FILE_FILESYSTEM="initramfs" \
DEVICE_IMG_PREFIX="$$(DEVICE_IMG_PREFIX)" \ DEVICE_IMG_PREFIX="$$(DEVICE_IMG_PREFIX)" \
@ -600,9 +600,9 @@ define Device/Build/image
$(BUILD_DIR)/json_info_files/$(call DEVICE_IMG_NAME,$(1),$(2)).json: $(BIN_DIR)/$(call DEVICE_IMG_NAME,$(1),$(2))$$(GZ_SUFFIX) $(BUILD_DIR)/json_info_files/$(call DEVICE_IMG_NAME,$(1),$(2)).json: $(BIN_DIR)/$(call DEVICE_IMG_NAME,$(1),$(2))$$(GZ_SUFFIX)
@mkdir -p $$(shell dirname $$@) @mkdir -p $$(shell dirname $$@)
DEVICE_ID="$(DEVICE_NAME)" \ DEVICE_ID="$(DEVICE_NAME)" \
BIN_DIR="$(BIN_DIR)" \
SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \ SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
FILE_NAME="$(DEVICE_IMG_NAME)" \ FILE_NAME="$(DEVICE_IMG_NAME)" \
FILE_DIR="$(KDIR)/tmp" \
FILE_TYPE=$(word 1,$(subst ., ,$(2))) \ FILE_TYPE=$(word 1,$(subst ., ,$(2))) \
FILE_FILESYSTEM="$(1)" \ FILE_FILESYSTEM="$(1)" \
DEVICE_IMG_PREFIX="$(DEVICE_IMG_PREFIX)" \ DEVICE_IMG_PREFIX="$(DEVICE_IMG_PREFIX)" \
@ -646,9 +646,9 @@ define Device/Build/artifact
$(BUILD_DIR)/json_info_files/$(DEVICE_IMG_PREFIX)-$(1).json: $(BIN_DIR)/$(DEVICE_IMG_PREFIX)-$(1) $(BUILD_DIR)/json_info_files/$(DEVICE_IMG_PREFIX)-$(1).json: $(BIN_DIR)/$(DEVICE_IMG_PREFIX)-$(1)
@mkdir -p $$(shell dirname $$@) @mkdir -p $$(shell dirname $$@)
DEVICE_ID="$(DEVICE_NAME)" \ DEVICE_ID="$(DEVICE_NAME)" \
BIN_DIR="$(BIN_DIR)" \
SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \ SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
FILE_NAME="$(DEVICE_IMG_PREFIX)-$(1)" \ FILE_NAME="$(DEVICE_IMG_PREFIX)-$(1)" \
FILE_DIR="$(KDIR)/tmp" \
FILE_TYPE="$(1)" \ FILE_TYPE="$(1)" \
DEVICE_IMG_PREFIX="$(DEVICE_IMG_PREFIX)" \ DEVICE_IMG_PREFIX="$(DEVICE_IMG_PREFIX)" \
DEVICE_VENDOR="$(DEVICE_VENDOR)" \ DEVICE_VENDOR="$(DEVICE_VENDOR)" \

View File

@ -11,8 +11,8 @@ if len(argv) != 2:
exit(1) exit(1)
json_path = Path(argv[1]) json_path = Path(argv[1])
bin_dir = Path(getenv("BIN_DIR")) file_path = Path(getenv("FILE_DIR")) / getenv("FILE_NAME")
file_path = bin_dir / getenv("FILE_NAME")
if not file_path.is_file(): if not file_path.is_file():
print("Skip JSON creation for non existing file", file_path) print("Skip JSON creation for non existing file", file_path)
@ -37,7 +37,14 @@ def get_titles():
device_id = getenv("DEVICE_ID") device_id = getenv("DEVICE_ID")
file_hash = hashlib.sha256(file_path.read_bytes()).hexdigest() hash_file = hashlib.sha256(file_path.read_bytes()).hexdigest()
if file_path.with_suffix(file_path.suffix + ".sha256sum").exists():
hash_unsigned = (
file_path.with_suffix(file_path.suffix + ".sha256sum").read_text().strip()
)
else:
hash_unsigned = hash_file
file_info = { file_info = {
"metadata_version": 1, "metadata_version": 1,
@ -52,7 +59,8 @@ file_info = {
{ {
"type": getenv("FILE_TYPE"), "type": getenv("FILE_TYPE"),
"name": getenv("FILE_NAME"), "name": getenv("FILE_NAME"),
"sha256": file_hash, "sha256": hash_file,
"sha256_unsigned": hash_unsigned,
} }
], ],
"device_packages": getenv("DEVICE_PACKAGES").split(), "device_packages": getenv("DEVICE_PACKAGES").split(),