sign unencrypted sw-description

If sw-description is encrypted and signed, swupdate verifies the decrypted sw-description file (see core/stream_interface.c in swupdate code). So the signature has to be created from the unencrypted sw-description as well. Alternatively, the swupdate code needs to be changed to verify the encrypted sw-description. Signed-off-by: Christoph Lauer <christoph.lauer@xtronic.de>

sign unencrypted sw-description
If sw-description is encrypted and signed, swupdate verifies the decrypted sw-description file (see core/stream_interface.c in swupdate code). So the signature has to be created from the unencrypted sw-description as well. Alternatively, the swupdate code needs to be changed to verify the encrypted sw-description. Signed-off-by: Christoph Lauer <christoph.lauer@xtronic.de>
21092c20 · Christoph Lauer · Stefano Babic · 9995157c · 21092c20
Commit 21092c20 authored Dec 10, 2020 by Christoph Lauer Committed by Stefano Babic Dec 11, 2020
--- a/classes/swupdate-common.bbclass
+++ b/classes/swupdate-common.bbclass
@@ -140,7 +140,7 @@ def prepare_sw_description(d, s, list_for_cpio):
                privkey,
                passout,
                os.path.join(s, 'sw-description.sig'),
-                os.path.join(s, 'sw-description'))
+                os.path.join(s, 'sw-description.plain' if encrypt else 'sw-description'))
            if os.system(signcmd) != 0:
                bb.fatal("Failed to sign sw-description with %s" % (privkey))
        elif signing == "CMS":
@@ -160,7 +160,7 @@ def prepare_sw_description(d, s, list_for_cpio):
            else:
                passout = ""
            signcmd = "openssl cms -sign -in '%s' -out '%s' -signer '%s' -inkey '%s' %s -outform DER -nosmimecap -binary" % (
-                os.path.join(s, 'sw-description'),
+                os.path.join(s, 'sw-description.plain' if encrypt else 'sw-description'),
                os.path.join(s, 'sw-description.sig'),
                cms_cert,
                cms_key,