Skip to content

Commit d3cc391

Browse files
tdewey-rpitdewey-rpi
committed
HSM: Fixup string passing of signing directives
We pass the return value of get_signing_directives as a string - but then double-quote this in the invocation, mixing arguments as one. This, rightly, causes OpenSSL to complain. So, let's drop the erroneous double-quotes, and include a line to silence shellcheck in the various sites where we use the result as an argument.
1 parent d177780 commit d3cc391

File tree

2 files changed

+6
-3
lines changed

2 files changed

+6
-3
lines changed

device-provisioner/provisioner.sh

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -213,7 +213,8 @@ cp "$(get_fastboot_config_file)" "${RPI_SB_WORKDIR}"/config.txt
213213
sha256sum "${RPI_SB_WORKDIR}"/boot.img | awk '{print $1}' > "${RPI_SB_WORKDIR}"/boot.sig
214214
echo -n "rsa2048: " >> "${RPI_SB_WORKDIR}"/boot.sig
215215
# Prefer PKCS11 over PEM keyfiles, if both are specified.
216-
${OPENSSL} dgst -sign "$(get_signing_directives)" -sha256 "${RPI_SB_WORKDIR}"/boot.img | xxd -c 4096 -p >> "${RPI_SB_WORKDIR}"/boot.sig
216+
# shellcheck disable=SC2046
217+
${OPENSSL} dgst -sign $(get_signing_directives) -sha256 "${RPI_SB_WORKDIR}"/boot.img | xxd -c 4096 -p >> "${RPI_SB_WORKDIR}"/boot.sig
217218

218219
announce_stop "Finding/generating fastboot image"
219220

@@ -379,7 +380,8 @@ if [[ -z $(check_file_is_expected "${RPI_SB_WORKDIR}"/bootfs-temporary.img "img"
379380
# N.B. rpi-eeprom-digest could be used here but it includes a timestamp that is not required for this use-case
380381
sha256sum "${TMP_DIR}"/boot.img | awk '{print $1}' > "${TMP_DIR}"/boot.sig
381382
echo -n "rsa2048: " >> "${TMP_DIR}"/boot.sig
382-
${OPENSSL} dgst -sign "$(get_signing_directives)" -sha256 "${TMP_DIR}"/boot.img | xxd -c 4096 -p >> "${TMP_DIR}"/boot.sig
383+
# shellcheck disable=SC2046
384+
${OPENSSL} dgst -sign $(get_signing_directives) -sha256 "${TMP_DIR}"/boot.img | xxd -c 4096 -p >> "${TMP_DIR}"/boot.sig
383385
announce_stop "boot.img signing"
384386

385387
announce_start "Boot Image partition extraction"

key-writer/keywriter.sh

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,8 @@ writeSig() {
3232
echo "ts: $(date -u +%s)" >> "${OUTPUT}"
3333

3434
if [ -n "$(get_signing_directives)" ]; then
35-
"${OPENSSL}" dgst -sign "$(get_signing_directives)" -sha256 -out "${SIG_TMP}" "${IMAGE}"
35+
# shellcheck disable=SC2046
36+
"${OPENSSL}" dgst -sign $(get_signing_directives) -sha256 -out "${SIG_TMP}" "${IMAGE}"
3637
echo "rsa2048: $(xxd -c 4096 -p < "${SIG_TMP}")" >> "${OUTPUT}"
3738
fi
3839
rm "${SIG_TMP}"

0 commit comments

Comments
 (0)