sign_official_build: add cloud-signing param
Adds the `--cloud-signing` parameter to the script to support the new flow.
This parameter is currently unused, but should be used by signing
scripts that switch over to the Cloud KMS flow.
BUG=b:256867824
TEST=./sign_official_build.sh base foo ./ bar baz --cloud-sigining
BRANCH=none
Signed-off-by: George Englebrecht <engeg@google.com>
Change-Id: Ie62fb26dfe3c651744b43e430a0b0c9f129af67a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4630329
Commit-Queue: Benjamin Shai <bshai@google.com>
Tested-by: Benjamin Shai <bshai@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 4765514..c11b756 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -30,7 +30,7 @@
usage() {
cat <<EOF
Usage: ${PROG} <type> input_image /path/to/keys/dir [output_image] \
-[version_file]
+[version_file] [--cloud-signing]
where <type> is one of:
base (sign a base image)
recovery (sign a USB recovery image)
@@ -44,6 +44,8 @@
output_image: File name of the signed output image
version_file: File name of where to read the kernel and firmware versions.
+--cloud-signing: Instead of relying on a local key directory, retrieve keys
+ from Cloud KMS.
If you are signing an image, you must specify an [output_image] and
optionally, a [version_file].
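Review bot: The help text added here says `--cloud-signing` retrieves keys from Cloud KMS instead of a local key directory, but as far as this diff shows nothing does that yet: the third hunk only sets `CLOUD_SIGNING=true` and still assigns `KEY_DIR=$3`. For a signing tool the mismatch matters, because an operator or someone reading the build log would believe the image was signed with KMS-held keys when the local directory was used. The `info "signing with cloud keys"` line in the third hunk has the same problem. Until the flow is wired in, both should describe the actual behaviour, e.g. `--cloud-signing: Reserved for the Cloud KMS flow; currently has no effect on key selection.`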
@@ -1239,6 +1241,36 @@
die "${prereqs} tool not found."
done
+ # Parse arguments with positional and optional options.
+ local script_args=()
+ CLOUD_SIGNING=false
+ while [[ "$#" -gt 0 ]]; do
+ case $1 in
+ --cloud-signing)
+ CLOUD_SIGNING=true
+ ;;
+ -h|--help)
+ usage
+ ;;
+ --)
+ shift
+ break
+ ;;
+ -*)
+ usage "Unknown option: $1"
+ ;;
+ *)
+ script_args+=("$1")
+ ;;
+ esac
+ shift
+ done
+
+ if [[ "${CLOUD_SIGNING}" == true ]]; then
+ info "signing with cloud keys"
+ fi
+ set -- "${script_args[@]}"
+
TYPE=$1
INPUT_IMAGE=$2
KEY_DIR=$3
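Review bot: The `--)` branch shifts and breaks without saving what follows, so every argument after `--` is lost when `set -- "${script_args[@]}"` rebuilds the positional parameters; add `script_args+=("$@")` between the `shift` and the `break`. The `-*)` branch also depends on `usage` exiting, which is not visible in this diff. If it returns, an unrecognised or misspelled option is discarded and signing proceeds as though it had not been given, so `die "Unknown option: $1"` would be the safer call there. The enclosing function starts and ends outside the hunk.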