ubuntu-phone team mailing list archive

Skipping GPG verification in recovery

 

Hello,

during bringup and development it is helpful to skip image signature
verification and not worry about setting up GPG keychains. A common way to
do it is to just add a return 0 to the verify_signature() function in the
local copy of system-image-upgrader.

What do you think of this patch to allow this to be toggled by developers
without having to change the script itself?

I am writing here and not just sending the change to gerrit as there may be
people not subscribed to gerrit who may want to share their opinion and
experiences.

This should have no effect on OTA upgrades from Ubuntu itself, as /etc/ is
not writable from there so it cannot be set either accidentally or
intentionally by users.

diff --git bootable/recovery/Android.mk bootable/recovery/Android.mk
index 6c0090f..fa5605b 100644
--- bootable/recovery/Android.mk
+++ bootable/recovery/Android.mk
@@ -113,6 +113,10 @@ $(RECOVERY_SYMLINKS): $(LOCAL_INSTALLED_MODULE)
  @mkdir -p $(dir $@)
  @rm -rf $@
  $(hide) ln -sf $(RECOVERY_BINARY) $@
+ifeq ($(TARGET_RECOVERY_SKIP_GPG_VERIFICATION), true)
+ @touch $(TARGET_RECOVERY_ROOT_OUT)/etc/system-image/skip-gpg-verification
+endif
+

 ALL_DEFAULT_INSTALLED_MODULES += $(RECOVERY_SYMLINKS)

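Review bot: the `ifeq ($(TARGET_RECOVERY_SKIP_GPG_VERIFICATION), true)` block added to the `$(RECOVERY_SYMLINKS)` recipe is not tied to the build variant, so a BoardConfig.mk that carries the flag would also disable signature checking in recovery images built for release. Suggest nesting it in a check that TARGET_BUILD_VARIANT is not `user`, or failing the build in that case. Two smaller points on the same lines: the `touch` assumes `$(TARGET_RECOVERY_ROOT_OUT)/etc/system-image/` already exists, so a `mkdir -p` of that directory first would be safer, and nothing removes the marker when the flag is later turned off, so an incremental build can keep shipping a stale skip-gpg-verification file.
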
diff --git bootable/recovery/system-image-upgrader
bootable/recovery/system-image-upgrader
index be02fb3..f473a36
--- bootable/recovery/system-image-upgrader
+++ bootable/recovery/system-image-upgrader
@@ -14,6 +14,11 @@ echo "Starting image upgrader: $(date)"

 # Functions
 verify_signature() {
+    if [ -e /etc/system-image/skip-gpg-verification ];then
+         return 0
+    fi
     # $1 => validation keyring name
     # $2 => path to validate

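Review bot: the early `return 0` at the top of verify_signature() bypasses the check silently, so the upgrader log gives no sign that an image was applied without verification. Suggest echoing a clearly worded warning before returning, naming /etc/system-image/skip-gpg-verification as the reason, and testing with `-f` rather than `-e` so only a regular file counts as the marker. Style: `];then` needs a space before `then`, and the `return 0` line is indented one column further than the rest of the block.
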
The state could be toggled at build time by having this line in
BoardConfig.mk

TARGET_RECOVERY_SKIP_GPG_VERIFICATION := true

or per-deployment by adb shell
touch /etc/system-image/skip-gpg-verification and running
system-image-upgrader when doing an update from recovery using
ubuntu-device-flash or a custom script.

thanks
Jani
