Add ensure_not_tainted_license.sh
This is a part of the work to ensure that tainted images are never signed with MP keys. A special tainted tag was added to the license file by https://chromium-review.googlesource.com/c/chromiumos/chromite/+/2560225 and in ensure_not_tainted.sh we detect the presence of this tag. This script has been manually tested on tainted and non-tainted images. BUG=chromium:1059363 TEST=manual BRANCH=none Change-Id: I17ca27bb7895f268a79cca3ad948808f0f96b8c7 Signed-off-by: Sergey Frolov <sfrolov@google.com> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2607414 Commit-Queue: Mike Frysinger <vapier@chromium.org> Reviewed-by: Allen Webb <allenwebb@google.com>
This commit is contained in:
Sergey Frolov
Commit Bot
parent
681305cd1c
commit
506d9df62d
|
|
@ -0,0 +1,66 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Copyright 2020 The Chromium OS Authors. All rights reserved.
|
||||
# Use of this source code is governed by a BSD-style license that can be
|
||||
# found in the LICENSE file.
|
||||
#
|
||||
# This script ensures absence of a <!-- tainted --> tag in image's license.
|
||||
|
||||
# Abort on error.
|
||||
set -e
|
||||
|
||||
# Load common constants and variables.
|
||||
. "$(dirname "$0")/common.sh"
|
||||
|
||||
usage() {
|
||||
echo "Usage ${PROG} image"
|
||||
}
|
||||
|
||||
main() {
|
||||
if [[ $# -ne 1 ]]; then
|
||||
usage
|
||||
exit 1
|
||||
fi
|
||||
|
||||
local image="$1"
|
||||
|
||||
local loopdev rootfs
|
||||
if [[ -d "${image}" ]]; then
|
||||
rootfs="${image}"
|
||||
else
|
||||
rootfs=$(make_temp_dir)
|
||||
loopdev=$(loopback_partscan "${image}")
|
||||
mount_loop_image_partition_ro "${loopdev}" 3 "${rootfs}"
|
||||
fi
|
||||
|
||||
local license_dir license tainted_tag tainted_status
|
||||
license_dir="${rootfs}/opt/google/chrome/"
|
||||
if [[ ! -d "${license_dir}" ]]; then
|
||||
echo "Directory ${license_dir} does not exist. Skipping the tainted check."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
license=$(find "${license_dir}" -name about_os_credits.html 2>/dev/null)
|
||||
if [[ -z "${license}" ]]; then
|
||||
echo "License file about_os_credits.html not found in ${license_dir}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
tainted_tag="<!-- tainted -->"
|
||||
tainted_status=$(grep "${tainted_tag}" "${license}")
|
||||
if [[ -n "${tainted_status}" ]]; then
|
||||
echo "${license}:"
|
||||
echo "License file contains packages with LICENSE=TAINTED."
|
||||
echo "Remove those packages or modify their license to allow signing."
|
||||
# Print the list of tainted packages.
|
||||
sed -n '/Image is TAINTED/,/<\/ul>/{
|
||||
# Strip out HTML tags.
|
||||
s/<[^>]*>//g
|
||||
# Delete any empty lines.
|
||||
/^[[:space:]]*$/d
|
||||
p
|
||||
}' "${license}"
|
||||
fi
|
||||
exit 0
|
||||
}
|
||||
main "$@"
|
||||
Loading…
Reference in New Issue