Debian: Fix dev certificate handling for patching

On Debian running python3, patch dev signature verification fails because the expected string becomes malformed using the 'update' method. This fixes the issue, by not calling 'update' and instead directly passing the signature string to the constructor. Test-Plan: Verify on Debian that a sample designer patch can be imported (when the dev certificate is installed). Verify that altering the DEV_CERT_CONTENTS causes the dev certificate to be rejected and the patch to not import. Co-Authored-By: Jessica Castelino <jessica.castelino@windriver.com> Story: 2009969 Task: 44950 Signed-off-by: Al Bailey <al.bailey@windriver.com> Change-Id: I9c2d2ce3cbcf75f41d7886057959e2dbebcff084
2022-04-05 18:59:29 +00:00 · 2022-04-05 18:59:29 +00:00 · 1f819ebb40
commit 1f819ebb40
parent 99ff47153d
1 changed files with 2 additions and 2 deletions
--- a/sw-patch/cgcs-patch/cgcs_patch/patch_verify.py
+++ b/sw-patch/cgcs-patch/cgcs_patch/patch_verify.py
@ -22,6 +22,7 @@ from cgcs_patch.certificates import formal_certificate
 default_blocksize = 1 * 1024 * 1024

 dev_certificate_marker = '/etc/pki/wrs/dev_certificate_enable.bin'
+DEV_CERT_CONTENTS = b'Titanium patching'
 LOG = logging.getLogger('main_logger')

 cert_type_dev_str = 'dev'
@ -114,8 +115,7 @@ def get_public_certificates():
    if os.path.exists(dev_certificate_marker):
        with open(dev_certificate_marker, 'rb') as infile:
            signature = infile.read()
-        data_hash = SHA256.new()
-        data_hash.update(b'Titanium patching')
+        data_hash = SHA256.new(DEV_CERT_CONTENTS)
        if verify_hash(data_hash, signature, cert_list):
            cert_list.append(dev_certificate)
        else: