Merge pull request #819 from sbellem/fix-swap-signing-semver

Fix swap image signing with --git-describe

Author: bunnie

tools/src/bin/xous-app-uf2.rs

@@ -64,6 +64,13 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
                 .required(false)
                 .help("Explicit git commit hash for swap nonce (e.g., '0d934e1...'). If not specified, uses git rev-parse HEAD."),
         )
+        .arg(
+            Arg::with_name("git-describe")
+                .long("git-describe")
+                .takes_value(true)
+                .required(false)
+                .help("Explicit git describe version for swap signing (e.g., 'v0.10.0-19-g0d934e1'). If not specified, uses git describe."),
+        )
         .get_matches();
 
     let mut process_names = ProcessNames::new();
@@ -125,14 +132,24 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
     let private_key = pem::parse(DEV_KEY_PEM)?;
 
     let git_rev = matches.value_of("git-rev");
+    let semver: Option<[u8; 16]> = if let Some(git_describe_str) = matches.value_of("git-describe") {
+        Some(
+            git_describe_str
+                .parse::<SemVer>()
+                .expect("git-describe format incorrect")
+                .into(),
+        )
+    } else {
+        None
+    };
 
     if matches.is_present("swap") {
         let mut swap_buffer = SwapWriter::new();
         args.write(&mut swap_buffer)?;
 
         // Create the swap target image and encrypt swap_buffer to it
         let mut swap = Cursor::new(Vec::new());
-        swap_buffer.encrypt_to(&mut swap, &private_key, Some(anti_rollback as usize), git_rev)?;
+        swap_buffer.encrypt_to(&mut swap, &private_key, Some(anti_rollback as usize), git_rev, semver)?;
 
         // generate a uf2 file
         let swap_uf2 = "swap.uf2";

tools/src/bin/xous-create-image.rs

@@ -8,6 +8,7 @@ use std::fs::File;
 use std::io::Read;
 
 use clap::{App, Arg};
+use xous_semver::SemVer;
 use xous_tools::elf::{read_minielf, read_program};
 use xous_tools::sign_image::convert_to_uf2;
 use xous_tools::swap_writer::SwapWriter;
@@ -223,6 +224,14 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
                 .help("Explicit git commit hash for swap nonce (e.g., '0d934e1...'). If not specified, uses git rev-parse HEAD.")
                 .value_name("commit hash"),
         )
+        .arg(
+            Arg::with_name("git-describe")
+                .long("git-describe")
+                .takes_value(true)
+                .required(false)
+                .help("Explicit git describe version for swap signing (e.g., 'v0.10.0-19-g0d934e1'). If not specified, uses git describe.")
+                .value_name("version"),
+        )
         .get_matches();
 
     let mut ram_config = RamConfig {
@@ -506,6 +515,16 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
     }
 
     let git_rev = matches.value_of("git-rev");
+    let semver: Option<[u8; 16]> = if let Some(git_describe_str) = matches.value_of("git-describe") {
+        Some(
+            git_describe_str
+                .parse::<SemVer>()
+                .expect("git-describe format incorrect")
+                .into(),
+        )
+    } else {
+        None
+    };
 
     if let Some(mut sargs) = swap_args {
         let mut swap_buffer = SwapWriter::new();
@@ -519,7 +538,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
             let sf = File::create(swap_filename)
                 .unwrap_or_else(|_| panic!("Couldn't create output file {}", swap_filename));
             swap_buffer
-                .encrypt_to(sf, &swap_pkey, None, git_rev)
+                .encrypt_to(sf, &swap_pkey, None, git_rev, semver)
                 .expect("Couldn't flush swap buffer to disk");
         } // drop sf, so it closes
 

tools/src/swap_writer.rs

@@ -93,6 +93,7 @@ impl SwapWriter {
         private_key: &pem::Pem,
         anti_rollback_manual: Option<usize>,
         git_rev_override: Option<&str>,
+        semver: Option<[u8; 16]>,
     ) -> Result<usize>
     where
         T: Write + Seek,
@@ -141,7 +142,7 @@ impl SwapWriter {
             private_key,
             false,
             &None,
-            None,
+            semver,
             true,
             bao1x_api::signatures::SIGBLOCK_LEN,
             Version::Bao1xV1,

xtask/src/builder.rs

@@ -1352,6 +1352,11 @@ impl Builder {
             args.push(git_rev);
         }
 
+        if let Some(ref git_describe) = self.git_describe {
+            args.push("--git-describe");
+            args.push(git_describe);
+        }
+
         let status = Command::new(cargo()).current_dir(project_root()).args(&args).status()?;
 
         if !status.success() {