From a5cf20d1974f8247ed87fad4a61216cc75eddfdb Mon Sep 17 00:00:00 2001
From: Paul Spooren <mail@aparcar.org>
Date: Mon, 28 Mar 2022 03:29:09 +0100
Subject: build: store sha256_unsigned in JSON
Introduce `sha256_unsigned` which is a checksum of the image _before_ a
signature is attached. This is helpful to compare image reproducibility.
Since the `.sha256sum` file is located in the $(KDIR) folder, switch
$(BIN_DIR) with $(KDIR) to simplify the code. The value of $(BIN_DIR)
itself is not stored inside the resulting JSON file, so it can be
replaced.
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 8822a8d850ba2df69b81289758959bb90643a696)
---
scripts/json_add_image_info.py | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
(limited to 'scripts/json_add_image_info.py')
diff --git a/scripts/json_add_image_info.py b/scripts/json_add_image_info.py
index 4608996f02..9aa2a19e45 100755
--- a/scripts/json_add_image_info.py
+++ b/scripts/json_add_image_info.py
@@ -11,8 +11,8 @@ if len(argv) != 2:
exit(1)
json_path = Path(argv[1])
-bin_dir = Path(getenv("BIN_DIR"))
-file_path = bin_dir / getenv("FILE_NAME")
+file_path = Path(getenv("FILE_DIR")) / getenv("FILE_NAME")
+
if not file_path.is_file():
print("Skip JSON creation for non existing file", file_path)
@@ -37,7 +37,14 @@ def get_titles():
device_id = getenv("DEVICE_ID")
-file_hash = hashlib.sha256(file_path.read_bytes()).hexdigest()
+hash_file = hashlib.sha256(file_path.read_bytes()).hexdigest()
+
+if file_path.with_suffix(file_path.suffix + ".sha256sum").exists():
+ hash_unsigned = (
+ file_path.with_suffix(file_path.suffix + ".sha256sum").read_text().strip()
+ )
+else:
+ hash_unsigned = hash_file
file_info = {
"metadata_version": 1,
@@ -52,7 +59,8 @@ file_info = {
{
"type": getenv("FILE_TYPE"),
"name": getenv("FILE_NAME"),
- "sha256": file_hash,
+ "sha256": hash_file,
+ "sha256_unsigned": hash_unsigned,
}
],
"device_packages": getenv("DEVICE_PACKAGES").split(),
--
cgit v1.2.3