build: sign uncompressed images instead of compressed ones; closes #386
Best of both worlds: let the checksums be a quick way to verify the download, but offer full integrity through signatures on the uncompressed images in case decompression is buggy.
parent
57711c6b20
commit
86c0bd3fcc
|
@ -111,3 +111,5 @@ arm_unmount
|
|||
mdconfig -d -u ${DEV}
|
||||
|
||||
echo "done"
|
||||
|
||||
sign_image ${ARMIMG}
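Review bot: The added call `sign_image ${ARMIMG}` passes the image path unquoted, so a path containing whitespace or glob characters is split before sign_image sees it and `${1}` would then name something other than the image that was just built; write `sign_image "${ARMIMG}"`. The calls added in the other build scripts for `${DVDIMG}`, `${NANOIMG}`, `${SERIALIMG}`, `${VGAIMG}` and `${VMIMG}` have the same form and want the same quoting. Since the output is a signature that users rely on, the argument should reach the function exactly as it was built.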
|
||||
|
|
|
@ -694,12 +694,12 @@ sign_image()
|
|||
fi
|
||||
|
||||
if [ ! -f "${1}".sig ]; then
|
||||
echo -n ">>> Creating ${PRODUCT_SETTINGS} signature for ${1}: "
|
||||
echo -n ">>> Creating ${PRODUCT_SETTINGS} signature for $(basename ${1}): "
|
||||
|
||||
openssl dgst -sha256 -sign "${PRODUCT_PRIVKEY}" "${1}" | \
|
||||
openssl base64 > "${1}".sig
|
||||
else
|
||||
echo -n ">>> Retaining ${PRODUCT_SETTINGS} signature for ${1}: "
|
||||
echo -n ">>> Retaining ${PRODUCT_SETTINGS} signature for $(basename ${1}): "
|
||||
fi
|
||||
|
||||
openssl base64 -d -in "${1}".sig > "${1}.sig.tmp"
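Review bot: In the two progress messages the new `$(basename ${1})` expands `${1}` unquoted, while every other use in this hunk is written `"${1}"`. Quote it as `$(basename "${1}")` in both the Creating and the Retaining line, so the message always names the file that is actually signed; the inner quotes are safe inside `$( )` even within the surrounding double-quoted string. sign_image() begins and continues outside this hunk.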
|
||||
|
|
|
@ -39,8 +39,6 @@ for ARG in ${@}; do
|
|||
echo -n ">>> Compressing ${ARG} image... "
|
||||
bzip2 ${IMAGE}
|
||||
echo "done"
|
||||
|
||||
sign_image ${IMAGE}.bz2
|
||||
done
|
||||
;;
|
||||
esac
|
||||
|
|
|
@ -33,7 +33,7 @@ SELF=dvd
|
|||
|
||||
check_image ${SELF} ${@}
|
||||
|
||||
DVDIMAGE="${IMAGESDIR}/${PRODUCT_RELEASE}-dvd-${PRODUCT_ARCH}.iso"
|
||||
DVDIMG="${IMAGESDIR}/${PRODUCT_RELEASE}-dvd-${PRODUCT_ARCH}.iso"
|
||||
DVDLABEL=$(echo "${PRODUCT_NAME}_Install" | tr '[:lower:]' '[:upper:]')
|
||||
|
||||
sh ./clean.sh ${SELF}
|
||||
|
@ -66,6 +66,8 @@ echo -n ">>> Building dvd image... "
|
|||
|
||||
makefs -t cd9660 \
|
||||
-o 'bootimage=i386;'"${STAGEDIR}"'/work/boot/cdboot' -o no-emul-boot \
|
||||
${UEFIBOOT} -o label=${DVDLABEL} -o rockridge ${DVDIMAGE} ${STAGEDIR}/work
|
||||
${UEFIBOOT} -o label=${DVDLABEL} -o rockridge ${DVDIMG} ${STAGEDIR}/work
|
||||
|
||||
echo "done"
|
||||
|
||||
sign_image ${DVDIMG}
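Review bot: Signing `${DVDIMG}` directly after makefs relies on sign_image, which keeps an existing `${1}.sig` instead of creating a new one (`if [ ! -f "${1}".sig ]`), so a signature file left over from an earlier build of the same release name would be retained for the freshly written ISO. Whether `sh ./clean.sh ${SELF}` removes that file is not visible here, and whether the check later in sign_image rejects the mismatch is outside the shown lines. Please confirm one of them does, or add `rm -f "${DVDIMG}.sig"` before the call. The same question applies to the other images that are now signed at their final path.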
|
||||
|
|
|
@ -66,3 +66,5 @@ gpart create -s BSD ${DEV}
|
|||
gpart bootcode -b ${STAGEDIR}/boot/boot ${DEV}
|
||||
gpart add -t freebsd-ufs ${DEV}
|
||||
mdconfig -d -u ${DEV}
|
||||
|
||||
sign_image ${NANOIMG}
|
||||
|
|
|
@ -76,10 +76,6 @@ if [ -f "${PRODUCT_PRIVKEY}" ]; then
|
|||
"${STAGEDIR}/${PRODUCT_NAME}${PRODUCT_SUFFIX}-${PRODUCT_SETTINGS}.pub"
|
||||
fi
|
||||
|
||||
for IMAGE in $(find ${STAGEDIR} -type f \! -name "*.sig"); do
|
||||
sign_image ${IMAGE}
|
||||
done
|
||||
|
||||
echo -n ">>> Bundling images for ${PRODUCT_RELEASE}... "
|
||||
tar -C ${STAGEDIR} -cf ${RELEASESET} .
|
||||
echo "done"
|
||||
|
|
|
@ -73,3 +73,5 @@ echo -n ">>> Building serial image... "
|
|||
-p freebsd-boot:=work/boot/gptboot ${GPTDUMMY} -p freebsd-ufs:=root.part)
|
||||
|
||||
echo "done"
|
||||
|
||||
sign_image ${SERIALIMG}
|
||||
|
|
|
@ -72,3 +72,5 @@ echo -n ">>> Building vga image... "
|
|||
-p freebsd-boot:=work/boot/gptboot ${GPTDUMMY} -p freebsd-ufs:=root.part)
|
||||
|
||||
echo "done"
|
||||
|
||||
sign_image ${VGAIMG}
|
||||
|
|
|
@ -190,3 +190,5 @@ echo -n ">>> Building vm image... "
|
|||
-p freebsd-${ROOTFS}:=${VMBASE})
|
||||
|
||||
echo "done"
|
||||
|
||||
sign_image ${VMIMG}
|
||||
|
|