scripts: update dev release scripts for jade v2 signature scheme (2of3)

Blockstream · Oct 4, 2024 · 9808371 · 9808371
1 parent 4e0a72c
commit 9808371
Show file tree

Hide file tree

Showing 8 changed files with 120 additions and 6 deletions.
diff --git a/release/README.txt b/release/README.txt
@@ -42,8 +42,8 @@ eg. './scripts/prepver.sh 0.1.33'
 * scripts/devfw.sh <new version>
 eg. './scripts/devfw.sh 0.1.33'
 - For each dev build dir (ie. jadedev and jade1.1dev, ble and noradio variants),
-  signs the dev firmware 'jade.bin' with the dev/test key present in the
-  scripts dir.  Validates with the pubkey.  Creates 'jade_signed.bin'.
+  signs the dev firmware 'jade.bin' with the dev/test keys present in the
+  scripts dir.  Validates with the pubkeys.  Creates 'jade_signed.bin'.
 - Runs 'jade/tools/fwprep.py' on the signed binary 'jade_signed.bin'.  This
   compresses the firmware file and generates the descriptive name using the
   standard/agreed format (<ver>_<cfg>_<decompressed_size>)_fw.bin).  Also writes

diff --git a/release/scripts/dev_fw_pub_key.pub → release/scripts/dev_fw_pub_key_A.pub b/release/scripts/dev_fw_pub_key.pub → release/scripts/dev_fw_pub_key_A.pub
diff --git a/release/scripts/dev_fw_pub_key_B.pub b/release/scripts/dev_fw_pub_key_B.pub
@@ -0,0 +1,11 @@
+-----BEGIN PUBLIC KEY-----
+MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA47Co44HAsu3umivF5nbB
+MhXS5p6FN03BvokRPH73xC8iWeWrmgci+gfj0w5i9OSPQJNiFQcNOtF96KozH+We
+hNf5Y+LAEapgUUKd//qHGMXbFkFzJcGNWaoQVN6271kUc/Hv8G3LNqYL0RirfC6j
+L6+knMaV6gTLx1hcQ/iSz21Eo4fkL6Q6+c1Lg+oCpDdd7LC07NZBO2+4BX2T8zo+
+uoylR9TbrspjIqlAQEVtRGO9iDFo4VuILRs4/SRREgLsZSFJCyv/qfiWCa/SSbPr
+gGyu7ZeoBUPn/+1p3vtzH+4Ac7d1QgflbTkI0zjz6lQP/75CN1wJFA3RK4ebm9i3
+MpbqAQ6lpAHv8E/4xWXuKNrYDExirD2a6yuV3QPP4h2I4HVLwT6aEAte+3q4zvv6
+pqdXFiUcub8DAggwakzkQwgBSkv8jZnwQ239GYnkvDuoCPwmTwP20OPIPojekwD5
+f+eJ0swQo4HnduVFi0CDfsM03XR3medZp5gbWpcxbKyNAgMBAAE=
+-----END PUBLIC KEY-----
diff --git a/release/scripts/dev_fw_pub_key_C.pub b/release/scripts/dev_fw_pub_key_C.pub
@@ -0,0 +1,11 @@
+-----BEGIN PUBLIC KEY-----
+MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAlc4rzywcSXA+gFeCFryP
+6ZYSCYrlv7hRHRhF3WQE57l/RMlJKO1mu3J3Uv5A+7XY2VXvmvb055iBZ0xMRALk
+VRksPYIY84Et0c/n4UBaWo540fIi6MBkdHFVuzPUakUZyrLiMLkH0tIlFKeZuyg8
+RYfDSOSWq8IXy13f0ip9c3XMbo2nfIT91C7+nZyveNDjfzH97Fz62Gk8KUClZ/1Q
+pnXSIWcPt4V2xwFCCruqEoT1MZjX3+UBTn9RA7/5sY8yrakfNs4QFc+GCPaZVn2N
+qLGQLbV1QrWDh63XKT171T7NdYRkea/M1JAmak+g0zbj2Gv/5Wek7MoxsPOuSN+J
+5MG+cS7tQhcisBY0HG86i+nlms129ym6rWpgAHeeIdq5FJihN8xIsYQPJLaO28PT
+CJypIVaYXlMPZOWTQoV/jjH/INghGp/vOGZEwK291np072XkMAwB1j2ZONSeD8Oe
+5LlZaaTPqxlPaTGJrMP396073ToDB+jOro6u7NQYnphDAgMBAAE=
+-----END PUBLIC KEY-----
diff --git a/release/scripts/dev_fw_signing_key.pem → release/scripts/dev_fw_signing_key_A.pem b/release/scripts/dev_fw_signing_key.pem → release/scripts/dev_fw_signing_key_A.pem
diff --git a/release/scripts/dev_fw_signing_key_B.pem b/release/scripts/dev_fw_signing_key_B.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4gIBAAKCAYEA47Co44HAsu3umivF5nbBMhXS5p6FN03BvokRPH73xC8iWeWr
+mgci+gfj0w5i9OSPQJNiFQcNOtF96KozH+WehNf5Y+LAEapgUUKd//qHGMXbFkFz
+JcGNWaoQVN6271kUc/Hv8G3LNqYL0RirfC6jL6+knMaV6gTLx1hcQ/iSz21Eo4fk
+L6Q6+c1Lg+oCpDdd7LC07NZBO2+4BX2T8zo+uoylR9TbrspjIqlAQEVtRGO9iDFo
+4VuILRs4/SRREgLsZSFJCyv/qfiWCa/SSbPrgGyu7ZeoBUPn/+1p3vtzH+4Ac7d1
+QgflbTkI0zjz6lQP/75CN1wJFA3RK4ebm9i3MpbqAQ6lpAHv8E/4xWXuKNrYDExi
+rD2a6yuV3QPP4h2I4HVLwT6aEAte+3q4zvv6pqdXFiUcub8DAggwakzkQwgBSkv8
+jZnwQ239GYnkvDuoCPwmTwP20OPIPojekwD5f+eJ0swQo4HnduVFi0CDfsM03XR3
+medZp5gbWpcxbKyNAgMBAAECggGAbjA8S32rp+wFoI62g0XNUVPGcN0eUxlKPc9P
+jBtWBJda5G6FkVEK2D2hP66irSk/Ol0ZBlwXRvPDHyne+/y/rkJm6rP9h48QdcLr
+e8neP1rhH/AkrYzxvwbSSIBPv504jLP1DkHUKmpJJbPuqXZYeudhno1sV4hipeJZ
+JHvTcJbMtOc6wuOTtvhnJzvEc3xn8/fAVy2I/B6gy+duBjOVz+nows58UiaXu1p1
+QaVXr9UlEBf5TbZiPJIEDl3Y7gKDQqb5S/DHhvJl2MgDCV8r0lN2sj2HtVauehAL
+toDugOUVbjUuCCofTlupPct9ZW2ASFVs73O3ZnoMQqGQ4EIAEfJXHK/DQcwDdCVg
+r6axaQSSHOPrv4WuQGCzDgIeSKrF+Tv/5s6Ym9688ddL2jHt2CJdiTFbsbm9l/mv
+PvXN2F0rk6dV9YzOG6c4D7aFW3VPjR0pRVi/qKeFvDFi2IwP9Ts3LmOVavv6feli
+8FttJyeyDau/s5xY4Jp7l5vQkWhxAoHBAP2lfP13xnLwqL8IkCAAZnyYZ4nndPzv
+K5VzLhYLtZ2BHt4J5vIjdxUGy9Kl72Vyvque7/ROtqw/GhS+hxSbdAXx/pX7DOFq
+xz7KpOx4kBSETmlNgOU0Dl8RtsFwxbGd4uhVf8cx295CMecY0XcGuHm0A5u8JBMj
+1VDHtVFKXaMihn6xmRWxUpeevBJGAKfhHLRY5do1PxtMp75/OmWUjtcxDhT6X5lb
+ecWlxi1BLFGvxOtu2oBzPTpvfSs520KB9wKBwQDlzYPF0UDefFiFl/TCyUVl/G9g
+8S0qX79IjmX2fNMHpJbIUIEQUaDee/vmnClJOThbNiuC0A0iFtI8i8WjNWHAC4zL
+VPH0iyupmpj/MRiZ5DfPkSKEOZO7BZmjM19Wv+jVqJXwT7W/bqNXLmzeYoQORs48
+M+rW7XM5R+m9DKAEQDzUrzNKKylGQfhssEzuIx3DRya8ZxobfkeBLL6awSosIC+p
+U75J556G0xKMJeknrV6pO8eHdBMnCZbGRtTY5JsCgcA2Kh+91NUI+IFgggic/Njl
+5Hm/xjCCTuSkvnrp9EgtQUSBL+YkcRRd5hyieBLePBmhdohRSHnT4InGQkWATg4B
+swKlrn26qV2w9/8uDDTgXLyN2iIbT/l9rb+0IUvmOQwahx+JPwlvtf0IF5GrdEDy
+pFFc8VlWyQElhfAfUt0aGCZWacCCFGLJw/jvgglj0Dub+5vh9BrsznrHwE2NIaM7
+KtuR+UFu80zWuybNxSwcqYdIq1x3r6Q0lVhKYcmDs1MCgcB4uxsyz3f0K4HaVfYq
+a9HA/fmKBctDyt/U/7MD55p7FnZ9MQZNi4Unvh2ej4aFSMGZ8gC0DhgIQ9MaKhig
+YUhEvAyxOqSPZJqA1Y7x61pQZ30G2Oo4a4N4qz2HZ1L8YYCy14pGoaoLs9Wu1N4v
+i7RzR7HMIT6Mwl1Zx7U+NCbRdOpAlvcsTTa3Cau5dnpEVkCpunTYYJZvwU1RyS8u
+YLOGUTaZED0V2NEJZlUFOlmfFc94u8ZdHJd/V+NVshrbBGcCgcA/roDnSIpi8ctG
+Eb7c75omz+H6fRzM+Qc5qGgwBTwzoz7BPYx+5+Q4BFk+aUmBcEMMDpzd2nJh1XPk
+NOiavZAL7rWIQjHrhD2+F1TEzG2UF3toEhHlkJaKZtkFkPf7yNvWYC05JTMucPil
+H4FOUgD2JC8j8kk8hDhutjAKc+Ab+YDDux06Aib89PzYu5z0VH4C3xLZuO5qu/3+
+08VjUyw7UC3ZiYafDdo4RCExK9kUz36jaKpG0jv+y0NeXNl3ZGk=
+-----END RSA PRIVATE KEY-----
diff --git a/release/scripts/dev_fw_signing_key_C.pem b/release/scripts/dev_fw_signing_key_C.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4wIBAAKCAYEAlc4rzywcSXA+gFeCFryP6ZYSCYrlv7hRHRhF3WQE57l/RMlJ
+KO1mu3J3Uv5A+7XY2VXvmvb055iBZ0xMRALkVRksPYIY84Et0c/n4UBaWo540fIi
+6MBkdHFVuzPUakUZyrLiMLkH0tIlFKeZuyg8RYfDSOSWq8IXy13f0ip9c3XMbo2n
+fIT91C7+nZyveNDjfzH97Fz62Gk8KUClZ/1QpnXSIWcPt4V2xwFCCruqEoT1MZjX
+3+UBTn9RA7/5sY8yrakfNs4QFc+GCPaZVn2NqLGQLbV1QrWDh63XKT171T7NdYRk
+ea/M1JAmak+g0zbj2Gv/5Wek7MoxsPOuSN+J5MG+cS7tQhcisBY0HG86i+nlms12
+9ym6rWpgAHeeIdq5FJihN8xIsYQPJLaO28PTCJypIVaYXlMPZOWTQoV/jjH/INgh
+Gp/vOGZEwK291np072XkMAwB1j2ZONSeD8Oe5LlZaaTPqxlPaTGJrMP396073ToD
+B+jOro6u7NQYnphDAgMBAAECggGAJYMyLzexgaZM0GCZX84qD2kX7THN5FtoXGvG
+mvC/1bL6rqPk4Q3Jqui3/p1ScnWP7qR5UonCu/fRd6eAdYtv1+tsy543V0qiyaZR
+P3OY7JI+qPwER9pdjVcQC8enylCxa7OttluvHNiolmp9sYMazKJ5gVhUboA06yT/
+tiYTsgTug0SPizvWP/rgoWEqA4vzW9eN6VFDM0vu17mrccXaG0TnsJuZMPCH1L94
+5S0nImoO6DOI4zT6RcjV5aV+BjuAKCuyXBBEe7DiKpoHwkZX90gQcFtxJ9H3myE0
+p82ssb0PcBBdlr3Va65zvRGTpvHFvnErqnZxp25uGAC06mt5l7QZz7WcHakZEKb5
+ejbIQ1MGAqlr3s88rmu0WYcCax6uOS/BtZOhCu3tm9Z1U/dc5rDYm4+06HuXVHkM
+O3ZC5Hqkauo6Yk6SXHy+wtS+/tryekBwgSLoaXWVi5Lrv/C7qmoQ6slwLOy9T2H8
+eivuAnqPmTGrXM6VojMjLjITzUwBAoHBAMbZ5+WOPagf2fASv14pm4lheuUSWiaB
+HWO4bMrs6Yfa63gRsz6waF/ebEgKhlEhbTTz3uVNlvOpn9I2qbZyluYkJbvsEIOq
+8xU0siiv5QEN5ZPFMptMOMIiP4N3owXtRWxTl5JI222lgnLBH53g++3bQI4qVuk4
+B0OW2G7WOLUrf2+Jpk1TsWB8p0/do2wBgfvmdyA9J6foXVsSmGc/I8jbBW7Mu6lN
+0I9erfaCK+7DGlq1ISnG0XnLcGOdU3diQwKBwQDA28/h2E/o6jf38Pb+3Mdu0mtq
+nT+HyoUagifaVu2hNYDZ7nZnYvnLoY9GRKfQYrtJpl0QOs+v5yABC1fayNwrh9/Q
+BeMqoa4igCKDQcCdQxcyhDHytXDb2Rg/jHgOsqMYyaYeKywFKR8VI1M4Ao5BRitf
+XNsTijH7ZTaFdk13RZl8Mk1+RcHn9msLxLPrTtNkBEn8TW6WQWg2asEt9kCv7PB9
+Z5OegbkIydwRea+7OKAWGYzsEFLleZwUawMfkgECgcAJawiwtqv06o1H8ZteulnD
+h/pqHxRl/neF4ZZFhjMJXDUK2svCjFhlMgOu5dC2xv6FI4fLFIGxyLbpHe2r1oGP
+JOckn2mo0s/wkS5e/vW5tw7IkO50rIeDqluXvnLaNQK0vsDPDORXrR8gkEUPFTjZ
+aykDkr3LDfxKFzrpBPxqmETQ45Qc1XnxN/Y0siqrUub1J1U9EahvK3JAfgD54uOu
+/7CiLtA0lJrsL2/N3Rx3koYNBccsU15YhmosTadGYEECgcEAmsGITdUTQnZ4FOhy
+es7U5dPJyFKIgUF8j2nz6tuocZ0KWVZmAs5EXie1XZCIDMq9OPtbYEOhFqjjYJMm
+m3RkYDX23elrgXEd16d0ilj/4/HLMokrv3PjLTdGou/oAvtLrv9Y4oqIF1gJDiA7
+jg1W84AIG8zaKxLQysdL+cqVnOjnoeaHkpUNZUKyYU4lhePJ808Rw3irDb1Mj6YY
+f/ZDsCf0Tt0HcsDrpua8RfWckyJ8K1+zWlY6/tMX8LZyWioBAoHAfaYJModHIvZ1
++HCHiKLsHiVkBmKOGINbg18fgla/TYa2Ic26xOAaG897JmQb/ffTkZUjadGa0DLX
+NcFUMU9818DDX3O9xryOcGnOcZ+hQ93Z+xcbvjNfayR2/yssB5DxAMoHtAuhUacu
+H4qK9bYv153NWZ/Z/RfVD37y0KhNio/0jaCrEyge1/D8nqBSTX3uOFkp1H+WZ7ZF
+Vp7bSPY+V419Pt+waxof5ijz6ZscrvclgeJnUP2jkyul1XUEmwaA
+-----END RSA PRIVATE KEY-----
diff --git a/release/scripts/devfw.sh b/release/scripts/devfw.sh
@@ -22,8 +22,12 @@ WORKING_DIR="${STAGING}/${1}"
 # Relative paths from where it will be referenced in
 # jade/release/staging/<working dir>/<hw flavour>/<build flavour>
 DEV_KEY_DIR="../../../../scripts"
-DEV_KEY_PRIV="${DEV_KEY_DIR}/dev_fw_signing_key.pem"
-DEV_KEY_PUB="${DEV_KEY_DIR}/dev_fw_pub_key.pub"
+DEV_KEY_PRIV_A="${DEV_KEY_DIR}/dev_fw_signing_key_A.pem"
+DEV_KEY_PRIV_B="${DEV_KEY_DIR}/dev_fw_signing_key_B.pem"
+DEV_KEY_PRIV_C="${DEV_KEY_DIR}/dev_fw_signing_key_C.pem"
+DEV_KEY_PUB_A="${DEV_KEY_DIR}/dev_fw_pub_key_A.pub"
+DEV_KEY_PUB_B="${DEV_KEY_DIR}/dev_fw_pub_key_B.pub"
+DEV_KEY_PUB_C="${DEV_KEY_DIR}/dev_fw_pub_key_C.pub"
 FWPREP="../../../../../tools/fwprep.py"
 
 pushd "${WORKING_DIR}"
@@ -33,8 +37,18 @@ do
   for dir in ${BUILDDIRS}
   do
     pushd "${dir}"
-    espsecure.py sign_data --keyfile "${DEV_KEY_PRIV}" --version 2 --output "${SIGNED_BINARY}" "${UNSIGNED_BINARY}"
-    espsecure.py verify_signature --version 2 --keyfile "${DEV_KEY_PUB}" "${SIGNED_BINARY}"
+
+    # Sign the binary
+    espsecure.py sign_data --keyfile "${DEV_KEY_PRIV_A}" --version 2 --output "${SIGNED_BINARY}" "${UNSIGNED_BINARY}"
+
+    if [ "${devdir}" == "jade2.0dev" ]
+    then
+        # Append a second signature and verify
+        espsecure.py sign_data --keyfile "${DEV_KEY_PRIV_B}" --version 2 --append_signatures "${SIGNED_BINARY}"
+        espsecure.py verify_signature --version 2 --keyfile "${DEV_KEY_PUB_B}" "${SIGNED_BINARY}"
+    fi
+
+    espsecure.py verify_signature --version 2 --keyfile "${DEV_KEY_PUB_A}" "${SIGNED_BINARY}"
     "${FWPREP}" "${SIGNED_BINARY}" ..
     popd
   done