recipe_modules/build/resources/sign.py

# Copyright 2019 The Fuchsia Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import argparse
import base64
import os

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.serialization import load_pem_private_key

RELEASE_PKEY_PATH = "/etc/release_keys/release_key.pem"
RELEASE_PUBKEY_PATH = "/etc/release_keys/release_key_pub.pem"


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("--archive-file")
    opts = parser.parse_args()

    # Validate args
    if not opts.archive_file or not os.path.exists(opts.archive_file):
        return

    if not os.path.exists(RELEASE_PKEY_PATH) or not os.path.exists(RELEASE_PUBKEY_PATH):
        return

    # Open the private key file
    with open(RELEASE_PKEY_PATH, "rb") as f:
        pkey_data = f.read()
    private_key = load_pem_private_key(pkey_data, None, default_backend())

    # Open and sign the archive.
    with open(opts.archive_file, "rb") as f:
        archive_data = f.read()

    signature = private_key.sign(archive_data)
    print(base64.b64encode(signature))


if __name__ == "__main__":
    main()