{"id":802425,"url":"http://patchwork.ozlabs.org/api/1.2/patches/802425/?format=json","web_url":"http://patchwork.ozlabs.org/project/swupdate/patch/1502958326-1780-1-git-send-email-maciej.pijanowski@3mdeb.com/","project":{"id":58,"url":"http://patchwork.ozlabs.org/api/1.2/projects/58/?format=json","name":"swupdate development","link_name":"swupdate","list_id":"swupdate.googlegroups.com","list_email":"swupdate@googlegroups.com","web_url":"https://github.com/sbabic/swupdate","scm_url":"git://github.com/sbabic/swupdate","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<1502958326-1780-1-git-send-email-maciej.pijanowski@3mdeb.com>","list_archive_url":null,"date":"2017-08-17T08:25:26","name":"[meta-swupdate] add CMS signing support","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"4637b24fb26191802f25b03089cda1f4757f660c","submitter":{"id":72175,"url":"http://patchwork.ozlabs.org/api/1.2/people/72175/?format=json","name":"Maciej Pijanowski","email":"maciej.pijanowski@3mdeb.com"},"delegate":{"id":1693,"url":"http://patchwork.ozlabs.org/api/1.2/users/1693/?format=json","username":"sbabic","first_name":"Stefano","last_name":"Babic","email":"sbabic@denx.de"},"mbox":"http://patchwork.ozlabs.org/project/swupdate/patch/1502958326-1780-1-git-send-email-maciej.pijanowski@3mdeb.com/mbox/","series":[],"comments":"http://patchwork.ozlabs.org/api/patches/802425/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/802425/checks/","tags":{},"related":[],"headers":{"Return-Path":"<swupdate+bncBDIL3GP4WUMRBZVF2XGAKGQERFTBGMQ@googlegroups.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) 
smtp.mailfrom=googlegroups.com\n\t(client-ip=2a00:1450:400c:c0c::23b;\n\thelo=mail-wr0-x23b.google.com;\n\tenvelope-from=swupdate+bncbdil3gp4wumrbzvf2xgakgqerftbgmq@googlegroups.com;\n\treceiver=<UNKNOWN>)","ozlabs.org; dkim=pass (2048-bit key;\n\tunprotected) header.d=googlegroups.com header.i=@googlegroups.com\n\theader.b=\"VIQwWXQS\"; dkim-atps=neutral"],"Received":["from mail-wr0-x23b.google.com (mail-wr0-x23b.google.com\n\t[IPv6:2a00:1450:400c:c0c::23b])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128\n\tbits)) (No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xXzmV3rQPz9t41\n\tfor <incoming@patchwork.ozlabs.org>;\n\tThu, 17 Aug 2017 18:25:13 +1000 (AEST)","by mail-wr0-x23b.google.com with SMTP id y44sf27007wrd.8\n\tfor <incoming@patchwork.ozlabs.org>;\n\tThu, 17 Aug 2017 01:25:13 -0700 (PDT)","by 10.28.4.141 with SMTP id 135ls656780wme.9.gmail;\n\tThu, 17 Aug 2017 01:25:10 -0700 (PDT)","from cloudserver096301.home.net.pl (cloudserver096301.home.net.pl.\n\t[79.96.179.35]) by gmr-mx.google.com with ESMTPS id\n\tv202si917374wmv.3.2017.08.17.01.25.09\n\tfor <swupdate@googlegroups.com>\n\t(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);\n\tThu, 17 Aug 2017 01:25:10 -0700 (PDT)","from 81-95-197-197.metrolink.pl (81.95.197.197) (HELO\n\tlocalhost.localdomain)\n\tby serwer1539010.home.pl (79.96.179.35) with SMTP (IdeaSmtpServer\n\t0.82) id 39348c2738fffc14; Thu, 17 Aug 2017 10:25:08 +0200"],"ARC-Seal":["i=2; a=rsa-sha256; t=1502958310; cv=pass;\n\td=google.com; s=arc-20160816;\n\tb=U8wyXSAtT4fxNzvaSk3Dy8GtqubAbkLvhYkkmSuNneKBHRNQSVzBv1Psr6oU+ZYSmq\n\ty5nYIkYXXxHJ7ISSRMsQS0rok42maQbPOibbGEkvtsRBqWNGJbZ+DlxUjjUAH6FyUmm8\n\tx/+PX8gN6HioqcIpq7V7kNBWBTqMgspv0T7vO9BrlvT2fA8hVx7YxlO6k5sOFCHeDL7E\n\tUGjlxVkVIFNEbF80JkJXqRdamx+6uaVna0I5xkKXQJ61wBgbqjAtG8tIbPOouXggllZ3\n\tJqfGRdEgxdcBqNqor00653EZxCkEXTRobzC5eHpVtnJcq9qhaLnt5scTkp0i+CWuJMTG\n\tymPQ==","i=1; a=rsa-sha256; t=1502958310; cv=none;\n\td=google.com; 
s=arc-20160816;\n\tb=xf3lptesJiTTSD+CdwW2Ajhcah981w70IMaGWoucY91L0/+Oq07/WvPmBBXGXXIqUS\n\tn1IqVkbebNnTZzHgE8y/+y6AJc7sFKe584ouZUBKw08ssqejkVCABSo/eBgdqlB6MvJA\n\tAM912C0vjsMOsrxkpD8Ir3M7LpNDGGBsXG/fb6BWX1bdwvpIv/nJLApT+J3xVwV1AVky\n\t4LfoB3UhupVrIfxaL2aydSqgg7sA/ni06Q+p46QfY0wZPVUg2qCkfaFRXNJWBCSkKPyG\n\tzXGf52dDdoUWi5dQxJqwvETlHfv8aK42M/587KQeOUpxx39bTmzSrMDxXkY55ZLOQNxE\n\timkA=="],"ARC-Message-Signature":["i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n\ts=arc-20160816; \n\th=list-unsubscribe:list-subscribe:list-archive:list-help:list-post\n\t:list-id:mailing-list:precedence:message-id:date:subject:cc:to:from\n\t:arc-authentication-results:arc-message-signature:mime-version\n\t:sender:dkim-signature:arc-authentication-results;\n\tbh=3yH9h/EpIdyxsO3EandodqwxA9Vcrfq2FulOmaA6X5Q=;\n\tb=rgq9GEH+xNTYXau+rB92C8pJcxGBVSTu3R7ZfHCRpFi1gVESYWNF68q/KEVc/RbfXx\n\tFiNs9QG0XcoBfq7s4qsdK4nrVzOuHwCswe1Z3Zn6Eudj0gfl8ILhDCZyTpA059pOaDal\n\t9c31uUODYTh8sICpB0vJdjKxDyb9cMdVyK8rmZbIXey03Que9iicvbUQMFtyWNNVqzr1\n\tM3xh5TyEiYKoqJtjaQyulcNV6Za8QfRElL6qaywmhbNwrKjidbYWfLOyRz6X0stZmoR2\n\tiItGyEz5c2uWRM3ctZQdPNesjpe6cpYjmn2qwQvk5PHYqGj5MAxCZ/diwniBON8FCNaK\n\tIHTg==","i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n\ts=arc-20160816; \n\th=message-id:date:subject:cc:to:from:arc-authentication-results;\n\tbh=/2thfMFkGLl0b3NRmAIyD8+YZ4tIE9kFf4/3YIieElw=;\n\tb=WF23nc9sIA4YOgTqL+OrcI6qfY5I+NXAunw3mi1W8tjISUhJznnUnGFR17rpfOt27B\n\tsr9JnK+wt6q7Olm6x7r9jCL2nydECHnsyPK2BSge0xZB78+2fAn8x2C8WkIunjAaoBX7\n\tSAvyxNRYJ/kLB+HM+1GcGD/ghtDu3viPWUQTdE2HHtAQU47wkoi84XsZbvCZ+DQeBPC2\n\tiJnP3dFqIbq6uh+sjiqymEU+hRGSCLXuMV4FRDdTp7i83iftRKMHIfuLw9IDJuOamwFd\n\tTLNSVfeiPpKSB93YTn5BnQbZhGGvVnDEciCQs3R+Wc2wM/ceJfczfIPOwF5puNXKOjdK\n\tcJcA=="],"ARC-Authentication-Results":["i=2; gmr-mx.google.com;\n\tspf=neutral (google.com: 79.96.179.35 is neither permitted nor denied\n\tby best guess record for domain of\n\tmaciej.pijanowski@3mdeb.com)\n\tsmtp.mailfrom=maciej.pijanowski@3mdeb.com","i=1; 
gmr-mx.google.com;\n\tspf=neutral (google.com: 79.96.179.35 is neither permitted nor denied\n\tby best guess record for domain of\n\tmaciej.pijanowski@3mdeb.com)\n\tsmtp.mailfrom=maciej.pijanowski@3mdeb.com"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=googlegroups.com; s=20161025;\n\th=sender:mime-version:from:to:cc:subject:date:message-id\n\t:x-original-sender:x-original-authentication-results:precedence\n\t:mailing-list:list-id:list-post:list-help:list-archive\n\t:list-subscribe:list-unsubscribe;\n\tbh=3yH9h/EpIdyxsO3EandodqwxA9Vcrfq2FulOmaA6X5Q=;\n\tb=VIQwWXQS1dLODR/ySkX8SJXDnNLsFyIqxyY09NZZ8CodcN51klEI08IWSd0dAZ7naZ\n\tAaaMps+jk5YBwFFelUV1YPEeDSFG3x6oIOgQM/mrLNtpRWuSdKT8ZKRvbRIG6xgGmO5D\n\tHcGOCmALoAkx/gyKrR85eR+iEeAaDJesZQZWiHwv2f5gNjtHrIAxmP37XH2jA1XibeEh\n\tjJewqu0OVGzotKa0eB7cEEwV4FqBNKf3CySbtDdUZEKFeZxAAzlrdzhAQX/vLMoTKBII\n\tb4fEUBiPVu29+4DWiIi4royBLwgntCfNVFkClmoeBkij/cmbeZ1MfTmzQyCHSjzD02el\n\t98SA==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=sender:x-gm-message-state:mime-version:from:to:cc:subject:date\n\t:message-id:x-original-sender:x-original-authentication-results\n\t:precedence:mailing-list:list-id:x-spam-checked-in-group:list-post\n\t:list-help:list-archive:list-subscribe:list-unsubscribe;\n\tbh=3yH9h/EpIdyxsO3EandodqwxA9Vcrfq2FulOmaA6X5Q=;\n\tb=IbHWkW2K4nM+2u/OSbDjyA/ucRrd1kGDlSlT7azHushfA0RagbQm5phwlLvdXBWbqt\n\tDHwCSgx9vo88P8pKB2wn2mFewZ8JxVQSU5AGf+H+2UfuSQiIR3mMLyHrJ+Kiae46L9n5\n\tWEp9v1XSK/5/eZWYBXpEImM8Spuq+YX+aJUoqZmOh7ch9aWwyEYYERb4zS/UcYlE2hjg\n\tKPAAx4MsKn3ck2Ph5S9Tyv/akEmCeBDtM1N58+Z+/D58ohShnT1Fovvur/g4gzu/bNm4\n\txGJxSa+UyLooT/AGZYx+wTEFVOpJIpXAERIHsHE2Tl5nX3bsJc/xTYgOW/csdgjAL0u8\n\ttZGg==","Sender":"swupdate@googlegroups.com","X-Gm-Message-State":"AHYfb5gleEEgc/tvoRuYlhPTyKwGG2gEygV7i4WFIcAIoRkk4UGwvuGA\n\tpVsYNndrlA6uBw==","X-Received":["by 10.28.134.207 with SMTP id i198mr3259wmd.1.1502958310657;\n\tThu, 17 Aug 2017 01:25:10 -0700 (PDT)","by 10.223.157.28 
with SMTP id k28mr470581wre.14.1502958310265;\n\tThu, 17 Aug 2017 01:25:10 -0700 (PDT)"],"MIME-Version":"1.0","X-BeenThere":"swupdate@googlegroups.com","Received-SPF":"neutral (google.com: 79.96.179.35 is neither permitted nor\n\tdenied by best guess record for domain of\n\tmaciej.pijanowski@3mdeb.com) client-ip=79.96.179.35; ","From":"Maciej Pijanowski <maciej.pijanowski@3mdeb.com>","To":"swupdate@googlegroups.com","Cc":"piotr.krol@3mdeb.com,\n\tMaciej Pijanowski <maciej.pijanowski@3mdeb.com>","Subject":"[swupdate] [meta-swupdate][PATCH] add CMS signing support","Date":"Thu, 17 Aug 2017 10:25:26 +0200","Message-Id":"<1502958326-1780-1-git-send-email-maciej.pijanowski@3mdeb.com>","X-Mailer":"git-send-email 2.7.4","X-Original-Sender":"maciej.pijanowski@3mdeb.com","X-Original-Authentication-Results":"gmr-mx.google.com;       spf=neutral\n\t(google.com: 79.96.179.35 is neither permitted nor denied by best\n\tguess\n\trecord for domain of maciej.pijanowski@3mdeb.com)\n\tsmtp.mailfrom=maciej.pijanowski@3mdeb.com","Content-Type":"text/plain; charset=\"UTF-8\"","Precedence":"list","Mailing-list":"list swupdate@googlegroups.com;\n\tcontact swupdate+owners@googlegroups.com","List-ID":"<swupdate.googlegroups.com>","X-Spam-Checked-In-Group":"swupdate@googlegroups.com","X-Google-Group-Id":"605343134186","List-Post":"<https://groups.google.com/group/swupdate/post>,\n\t<mailto:swupdate@googlegroups.com>","List-Help":"<https://groups.google.com/support/>,\n\t<mailto:swupdate+help@googlegroups.com>","List-Archive":"<https://groups.google.com/group/swupdate","List-Subscribe":"<https://groups.google.com/group/swupdate/subscribe>,\n\t<mailto:swupdate+subscribe@googlegroups.com>","List-Unsubscribe":"<mailto:googlegroups-manage+605343134186+unsubscribe@googlegroups.com>,\n\t<https://groups.google.com/group/swupdate/subscribe>"},"content":"Signed-off-by: Maciej Pijanowski <maciej.pijanowski@3mdeb.com>\n---\n classes/swupdate.bbclass | 46 +++++++++++++++++++++++++++++++++++++---------\n 
1 file changed, 37 insertions(+), 9 deletions(-)","diff":"diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass\nindex 44e45461401c..28297ca41a1c 100644\n--- a/classes/swupdate.bbclass\n+++ b/classes/swupdate.bbclass\n@@ -1,5 +1,5 @@\n # Copyright (C) 2015 Stefano Babic <sbabic@denx.de>\n-# \n+#\n # Some parts from the patch class\n #\n # swupdate allows to generate a compound image for the\n@@ -14,7 +14,7 @@\n \n S = \"${WORKDIR}/${PN}\"\n \n-DEPENDS += \"${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING', True) == '1' else ''}\"\n+DEPENDS += \"${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING', True) else ''}\"\n IMAGE_DEPENDS ?= \"\"\n \n def swupdate_is_hash_needed(s, filename):\n@@ -101,7 +101,7 @@ python do_swuimage () {\n     fetch = bb.fetch2.Fetch([], d)\n     list_for_cpio = [\"sw-description\"]\n \n-    if d.getVar('SWUPDATE_SIGNING', True) == '1':\n+    if d.getVar('SWUPDATE_SIGNING', True):\n         list_for_cpio.append('sw-description.sig')\n \n     for url in fetch.urls:\n@@ -140,12 +140,20 @@ python do_swuimage () {\n             hash = swupdate_get_sha256(s, file)\n             swupdate_write_sha256(s, file, hash)\n \n-    if d.getVar('SWUPDATE_SIGNING', True) == '1':\n-        sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True)\n-        if sign_tool:\n-            if os.system(sign_tool) != 0:\n-                bb.fatal(\"Failed to sign with %s\" % (sign_tool))\n-        else:\n+    signing = d.getVar('SWUPDATE_SIGNING', True)\n+    if signing == \"1\":\n+        bb.warn('SWUPDATE_SIGNING = \"1\" is deprecated, falling back to \"RSA\". 
It is advised to set it to \"RSA\" if using RSA signing.')\n+        signing = \"RSA\"\n+    if signing:\n+        if signing == \"CUSTOM\":\n+            sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True)\n+            if sign_tool:\n+                ret = os.system(sign_tool)\n+                if ret != 0:\n+                    bb.fatal(\"Failed to sign with %s\" % (sign_tool))\n+            else:\n+                bb.fatal(\"Custom SWUPDATE_SIGN_TOOL is not given\")\n+        elif signing == \"RSA\":\n             privkey = d.getVar('SWUPDATE_PRIVATE_KEY', True)\n             if not privkey:\n                 bb.fatal(\"SWUPDATE_PRIVATE_KEY isn't set\")\n@@ -163,6 +171,26 @@ python do_swuimage () {\n                 os.path.join(s, 'sw-description'))\n             if os.system(signcmd) != 0:\n                 bb.fatal(\"Failed to sign sw-description with %s\" % (privkey))\n+        elif signing == \"CMS\":\n+            cms_cert = d.getVar('SWUPDATE_CMS_CERT', True)\n+            if not cms_cert:\n+                bb.fatal(\"SWUPDATE_CMS_CERT is not set\")\n+            if not os.path.exists(cms_cert):\n+                bb.fatal(\"SWUPDATE_CMS_CERT %s doesn't exist\" % (cms_cert))\n+            cms_key = d.getVar('SWUPDATE_CMS_KEY', True)\n+            if not cms_key:\n+                bb.fatal(\"SWUPDATE_CMS_KEY isn't set\")\n+            if not os.path.exists(cms_key):\n+                bb.fatal(\"SWUPDATE_CMS_KEY %s doesn't exist\" % (cms_key))\n+            signcmd = \"openssl cms -sign -in '%s' -out '%s' -signer '%s' -inkey '%s' -outform DER -nosmimecap -binary\" % (\n+                os.path.join(s, 'sw-description'),\n+                os.path.join(s, 'sw-description.sig'),\n+                cms_cert,\n+                cms_key)\n+            if os.system(signcmd) != 0:\n+                bb.fatal(\"Failed to sign sw-description with %s\" % (privkey))\n+        else:\n+            bb.fatal(\"Unrecognized SWUPDATE_SIGNING mechanism.\");\n \n     line = 'for i 
in ' + ' '.join(list_for_cpio) + '; do echo $i;done | cpio -ov -H crc >' + os.path.join(deploydir,d.getVar('IMAGE_NAME', True) + '.swu')\n     os.system(\"cd \" + s + \";\" + line)\n","prefixes":["meta-swupdate"]}
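Review bot: Mapping the deprecated value `"1"` straight to `"RSA"` in the hunk at `-140,12 +140,20` drops the old behaviour, where `SWUPDATE_SIGNING = "1"` together with `SWUPDATE_SIGN_TOOL` ran the custom tool. Such a configuration now takes the RSA path and either stops at `SWUPDATE_PRIVATE_KEY isn't set` or signs with whatever private key happens to be configured. Keeping the old precedence in the deprecation branch, e.g. `signing = "CUSTOM" if d.getVar('SWUPDATE_SIGN_TOOL', True) else "RSA"`, and saying so in the warning would avoid a silent change of signing key. The truthiness tests in the two earlier hunks (the `DEPENDS` line and `list_for_cpio`) also treat any non-empty value, including `"0"`, as signing enabled, so a comment near `DEPENDS` listing the accepted values (`RSA`, `CMS`, `CUSTOM`) would help. The body of do_swuimage starts and ends outside this hunk.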
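Review bot: The failure path of the new CMS branch formats its message with `privkey`, which is assigned only in the RSA branch, so a failing `openssl cms` call would raise a NameError rather than the intended fatal message. It should read `bb.fatal("Failed to sign sw-description with %s" % (cms_key))`. The command is also built as a shell string, with `SWUPDATE_CMS_CERT` and `SWUPDATE_CMS_KEY` wrapped in single quotes and handed to `os.system`, so a path containing a quote or shell metacharacter changes what is executed. Passing an argument list to `subprocess.check_call([...])` would keep the paths as plain arguments. The trailing `;` after the final `bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism.")` is a leftover and can be dropped. The enclosing do_swuimage continues outside the hunk.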