From 1f819ebb4019f754cbb1729a5ddcba06bb816279 Mon Sep 17 00:00:00 2001 From: Al Bailey Date: Tue, 5 Apr 2022 18:59:29 +0000 Subject: [PATCH] Debian: Fix dev certificate handling for patching On Debian running python3, patch dev signature verification fails because the expected string becomes malformed using the 'update' method. This fixes the issue, by not calling 'update' and instead directly passing the signature string to the constructor. Test-Plan: Verify on Debian that a sample designer patch can be imported (when the dev certificate is installed). Verify that altering the DEV_CERT_CONTENTS causes the dev certificate to be rejected and the patch to not import. Co-Authored-By: Jessica Castelino Story: 2009969 Task: 44950 Signed-off-by: Al Bailey Change-Id: I9c2d2ce3cbcf75f41d7886057959e2dbebcff084
---
 sw-patch/cgcs-patch/cgcs_patch/patch_verify.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sw-patch/cgcs-patch/cgcs_patch/patch_verify.py b/sw-patch/cgcs-patch/cgcs_patch/patch_verify.py
index a89fda47..69fcd1d8 100644
--- a/sw-patch/cgcs-patch/cgcs_patch/patch_verify.py
+++ b/sw-patch/cgcs-patch/cgcs_patch/patch_verify.py
@@ -22,6 +22,7 @@ from cgcs_patch.certificates import formal_certificate
 default_blocksize = 1 * 1024 * 1024
 dev_certificate_marker = '/etc/pki/wrs/dev_certificate_enable.bin'
+DEV_CERT_CONTENTS = b'Titanium patching'
 LOG = logging.getLogger('main_logger')
 cert_type_dev_str = 'dev'
@@ -114,8 +115,7 @@ def get_public_certificates():
 if os.path.exists(dev_certificate_marker):
 with open(dev_certificate_marker, 'rb') as infile:
 signature = infile.read()
- data_hash = SHA256.new()
- data_hash.update(b'Titanium patching')
+ data_hash = SHA256.new(DEV_CERT_CONTENTS)
 if verify_hash(data_hash, signature, cert_list):
 cert_list.append(dev_certificate)
 else:
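Review bot: `DEV_CERT_CONTENTS` is added in the first hunk without a comment, and its name reads as if it held certificate contents. In get_public_certificates (second hunk) it is instead the fixed message that is hashed and checked against the signature read from `dev_certificate_marker`. Changing even one byte would invalidate every existing marker file, so a comment above the constant should say so: `# Fixed message whose signature is stored in dev_certificate_marker; must stay byte-identical to what was signed.`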
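Review bot: The diffstat shows only patch_verify.py changing, so this patch adds no automated test for the two Test-Plan checks (valid marker accepted, altered DEV_CERT_CONTENTS rejected). The rewritten line `data_hash = SHA256.new(DEV_CERT_CONTENTS)` in the second hunk decides whether the dev certificate is trusted, so both outcomes deserve a test. If SHA256 here is PyCryptodome's, passing data to `new()` is documented as equivalent to a later `update()`, so a unit test recording what actually differed on Debian would show the fix addresses the real cause. A second test could feed get_public_certificates a marker with a corrupted signature and assert that `dev_certificate` is not appended to `cert_list`. The function's body starts and ends outside the hunk, so how the `else:` branch reports the rejection is not visible here.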