Add python automatic signing if keys present

esp8266 · earlephilhower · Dec 3, 2018 · Oct 6, 2018 · Oct 6, 2018 · Oct 6, 2018
commit b9344f6f00bdf8a3de06e90601c96d2c166760c3
diff --git a/platform.txt b/platform.txt
@@ -10,6 +10,7 @@ version=2.5.0-dev
 
 runtime.tools.xtensa-lx106-elf-gcc.path={runtime.platform.path}/tools/xtensa-lx106-elf
 runtime.tools.esptool.path={runtime.platform.path}/tools/esptool
+runtime.tools.signing={runtime.platform.path}/tools/signing.py
 
 compiler.warning_flags=-w
 compiler.warning_flags.none=-w
@@ -74,6 +75,8 @@ compiler.elf2hex.extra_flags=
 ## needs bash, git, and echo
 recipe.hooks.core.prebuild.1.pattern=bash -c "mkdir -p {build.path}/core && echo \#define ARDUINO_ESP8266_GIT_VER 0x`git --git-dir {runtime.platform.path}/.git rev-parse --short=8 HEAD 2>/dev/null || echo ffffffff` >{build.path}/core/core_version.h"
 recipe.hooks.core.prebuild.2.pattern=bash -c "mkdir -p {build.path}/core && echo \#define ARDUINO_ESP8266_GIT_DESC `cd "{runtime.platform.path}"; git describe --tags 2>/dev/null || echo unix-{version}` >>{build.path}/core/core_version.h"
+recipe.hooks.core.prebuild.2.pattern="{runtime.tools.signing}" --mode header --publickey "{build.source.path}/public.key" --out "{build.path}/core/Updater_Signing.h"
+
 ## windows-compatible version without git
 recipe.hooks.core.prebuild.1.pattern.windows=cmd.exe /c mkdir {build.path}\core & (echo #define ARDUINO_ESP8266_GIT_VER 0x00000000 & echo #define ARDUINO_ESP8266_GIT_DESC win-{version} ) > {build.path}\core\core_version.h
 recipe.hooks.core.prebuild.2.pattern.windows=
@@ -102,7 +105,8 @@ recipe.objcopy.eep.pattern=
 ## Create hex
 #recipe.objcopy.hex.pattern="{compiler.path}{compiler.elf2hex.cmd}" {compiler.elf2hex.flags} {compiler.elf2hex.extra_flags} "{build.path}/{build.project_name}.elf" "{build.path}/{build.project_name}.hex"
 
-recipe.objcopy.hex.pattern="{runtime.tools.esptool.path}/{compiler.esptool.cmd}" -eo "{runtime.platform.path}/bootloaders/eboot/eboot.elf" -bo "{build.path}/{build.project_name}.bin" -bm {build.flash_mode} -bf {build.flash_freq} -bz {build.flash_size} -bs .text -bp 4096 -ec -eo "{build.path}/{build.project_name}.elf" -bs .irom0.text -bs .text -bs .data -bs .rodata -bc -ec
+recipe.objcopy.hex.1.pattern="{runtime.tools.esptool.path}/{compiler.esptool.cmd}" -eo "{runtime.platform.path}/bootloaders/eboot/eboot.elf" -bo "{build.path}/{build.project_name}.bin" -bm {build.flash_mode} -bf {build.flash_freq} -bz {build.flash_size} -bs .text -bp 4096 -ec -eo "{build.path}/{build.project_name}.elf" -bs .irom0.text -bs .text -bs .data -bs .rodata -bc -ec
+recipe.objcopy.hex.2.pattern="{runtime.tools.signing}" --mode sign --privatekey "{build.source.path}/private.key" --bin "{build.path}/{build.project_name}.bin" --out "{build.path}/{build.project_name}.bin.signed"
 
 ## Save hex
 recipe.output.tmp_file={build.project_name}.bin

diff --git a/tools/signing.py b/tools/signing.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+import sys
+import argparse
+import subprocess
+import hashlib
+
+def parse_args():
+    parser = argparse.ArgumentParser(description='Binary signing tool')
+    parser.add_argument('-m', '--mode', help='Mode (header, sign)')
+    parser.add_argument('-b', '--bin', help='Unsigned binary')
+    parser.add_argument('-o', '--out', help='Output file');
+    parser.add_argument('-p', '--publickey', help='Public key file');
+    parser.add_argument('-s', '--privatekey', help='Private(secret) key file');
+    return parser.parse_args()
+
+
+def main():
+    args = parse_args()
+    if args.mode == "header":
+        val = ""
+        try:
+            with open(args.publickey, "rb") as f:
+                pub = f.read()
+                val += "#include <pgmspace.h>\n"
+                val += "#define ARDUINO_SIGNING 1\n"
+                val += "static const char signing_pubkey[] PROGMEM = {\n"
+                for i in pub:
+                    val += "0x%02x, \n" % ord(i)
+                val = val[:-3]
+                val +="\n};\n"
+                print "Enabling binary signing\n"
+        except:
+            print "Not enabling binary signing\n"
+            val += "#define ARDUINO_SIGNING 0\n"
+        with open(args.out, "w") as f:
+            f.write(val)
+        return 0
+    elif args.mode == "sign":
+        val = ""
+        try:
+            with open(args.bin, "rb") as b:
+                bin = b.read()
+                sha256 = hashlib.sha256(bin)
+                print "Binary SHA256 = " + sha256.hexdigest()
+                signcmd = [ 'openssl', 'rsautl', '-sign', '-inkey', args.privatekey ]
+                proc = subprocess.Popen(signcmd, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE)
+                signout = proc.communicate(input=sha256.digest())[0]
+                with open(args.out, "wb") as out:
+                    out.write(bin)
+                    out.write(signout)
+                    out.write(b'\x00\x01\x00\x00')
+                    print "Signed binary: " + args.out
+        except:
+            print "Not signing the generated binary\n"
+        return 0
+    else:
+        print "ERROR: Mode not specified as header or sign\n"
+
+if __name__ == '__main__':
+    sys.exit(main())
+