paycheck: move default pubkey handling inside the library

This is a more sensible choice given that the pubkey ships within the
library directory and hence should not be specified explicitly by an
outside entity (like paycheck). From a practical standpoint, it makes
this useful feature available to clients that use the library directly.

BUG=chromium:241283
TEST=Unit + integration tests

Change-Id: I059302326af1e0e394829466ee97ad2f60de4986
Reviewed-on: https://gerrit.chromium.org/gerrit/56335
Tested-by: Gilad Arnold <garnold@chromium.org>
Reviewed-by: Don Garrett <dgarrett@chromium.org>
Commit-Queue: Gilad Arnold <garnold@chromium.org>
diff --git a/scripts/paycheck.py b/scripts/paycheck.py
index 9852ded..80a5853 100755
--- a/scripts/paycheck.py
+++ b/scripts/paycheck.py
@@ -52,9 +52,6 @@
               'Update Engine. Use --check to verify a payload prior to '
               'applying it.'))
 
-  default_key = os.path.join(lib_dir,
-                             'update_payload/update-payload-key.pub.pem')
-
   check_opts = optparse.OptionGroup(parser, 'Checking payload integrity')
   check_opts.add_option('-c', '--check', action='store_true', default=False,
                         help=('force payload integrity check (e.g. before '
@@ -76,7 +73,7 @@
                         help=('comma-separated list of tests to disable; '
                               'available values: ' +
                               ', '.join(update_payload.CHECKS_TO_DISABLE)))
-  check_opts.add_option('-k', '--key', metavar='FILE', default=default_key,
+  check_opts.add_option('-k', '--key', metavar='FILE',
                         help=('Override standard key used for signature '
                               'validation'))
   check_opts.add_option('-m', '--meta-sig', metavar='FILE',
@@ -129,8 +126,7 @@
   # There are several options that imply --check.
   opts.check = (opts.check or opts.report or opts.assert_type or
                 opts.block_size or opts.allow_unhashed or
-                opts.disabled_tests or opts.meta_sig or
-                opts.key != default_key or
+                opts.disabled_tests or opts.meta_sig or opts.key or
                 opts.root_part_size != _DEFAULT_ROOTFS_PART_SIZE or
                 opts.kern_part_size != _DEFAULT_KERNEL_PART_SIZE)
 
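Review bot: The `opts.key` truthiness test on the added line treats an explicitly supplied empty value (`--key ''`) the same as no option at all, whereas the removed `opts.key != default_key` comparison counted it as an override that implies --check. Since `--key` now defaults to None, writing `opts.disabled_tests or opts.meta_sig or opts.key is not None or` keeps that distinction. A malformed override would then be handed to the library and rejected there, rather than presumably falling back to the bundled key unnoticed. How the library treats an empty key is not visible in this diff, so that part needs confirming.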
@@ -156,9 +152,8 @@
     parser.error('unexpected number of arguments')
 
   # By default, look for a metadata-signature file with a name based on the name
-  # of the payload we are checking. We only do it when check is triggered and a
-  # public key provided, so as not to force a metadata signature to fail.
-  if opts.check and opts.key and not opts.meta_sig:
+  # of the payload we are checking. We only do it if check was triggered.
+  if opts.check and not opts.meta_sig:
     default_meta_sig = args[0] + '.metadata-signature'
     if os.path.isfile(default_meta_sig):
       opts.meta_sig = default_meta_sig
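Review bot: With the `opts.key` guard dropped from `if opts.check and not opts.meta_sig:`, a `.metadata-signature` file next to the payload is now picked up on every check run. The verification only means something if the library really resolves its bundled key when `opts.key` is None, and the shortened comment no longer records that dependency. I would extend it to `# of the payload we are checking. We only do it if check was triggered; the library supplies its bundled public key when --key is not given.` It would also help to report which file was auto-selected, since the user never named it on the command line. The enclosing function starts and continues outside this hunk.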