share code rather than duplicate

bradh352 · bhouse-nexthop · commit 21873075f3da · 2025-07-23T08:03:02.000-04:00
Signed-off-by: Travis Brown &lt;travisb@nexthop.ai&gt;
diff --git a/scripts/verify_image_sign_common.sh b/scripts/verify_image_sign_common.sh
@@ -15,35 +15,27 @@ verify_image_sign_common() {
         no_check_time="-noattr"
     fi
     
-    # This command verifies the signing as a complete certificate chain root of trust and requires the DB Key to
-    # be a self-signed root, but the image signed with an intermediate embedded into the certificate.
     EFI_CERTS_DIR=/tmp/efi_certs
     RESULT="CMS Verification Failure"
-    LOG=$(openssl cms -verify $no_check_time -noout -CAfile $EFI_CERTS_DIR/cert.pem -binary -in ${CMS_SIG_FILE} -content ${DATA_FILE} -inform pem 2>&1 > /dev/null )
-    VALIDATION_RES=$?
-    if [ $VALIDATION_RES -eq 0 ]; then
-        RESULT="CMS Verified OK"
-        if  [ -d "${TMP_DIR}" ]; then rm -rf ${TMP_DIR}; fi
-        echo "verification ok:$RESULT"
-        # No need to continue.
-        # Exit without error if any success signature verification.
-        return 0
-    fi
 
-    # This is a backup signature verification method which does NOT trust the certificate embedded into the pkcs7
-    # signature (via the -nointern flag) and assumes the DB key directly signed the image (via the -certfile flag).
-    # Since the DB key is trusted, it doesn't need to be a root CA so we turn off root CA verification with the
-    # -noverify flag.
-    LOG=$(openssl cms -verify $no_check_time -noout -certfile $EFI_CERTS_DIR/cert.pem -binary -nointern -noverify -in ${CMS_SIG_FILE} -content ${DATA_FILE} -inform pem 2>&1 > /dev/null )
-    VALIDATION_RES=$?
-    if [ $VALIDATION_RES -eq 0 ]; then
-        RESULT="CMS Verified OK"
-        if  [ -d "${TMP_DIR}" ]; then rm -rf ${TMP_DIR}; fi
-        echo "verification ok:$RESULT"
-        # No need to continue.
-        # Exit without error if any success signature verification.
-        return 0
-    fi
+    # Verify the signature in two ways:
+    # 1. As a complete certificate chain root of trust which requires the DB Key to be a self-signed root, but the image
+    #    signed with an intermediate embedded into the certificate.
+    # 2. Assuming the DB key directly signed the image without trusting the certificate embedded into the
+    #    pkcs7 signature (-nointern). Since the DB key is trusted, it doesn't need to be a root CA so we turn off root
+    #    CA verification with the -noverify flag.
+    for variant in "-CAfile" "-nointern -noverify -certfile"; do
+        LOG=$(openssl cms -verify $no_check_time -noout ${variant} $EFI_CERTS_DIR/cert.pem -binary -in ${CMS_SIG_FILE} -content ${DATA_FILE} -inform pem 2>&1 > /dev/null )
+        VALIDATION_RES=$?
+        if [ $VALIDATION_RES -eq 0 ]; then
+            RESULT="CMS Verified OK"
+            if  [ -d "${TMP_DIR}" ]; then rm -rf ${TMP_DIR}; fi
+            echo "verification ok:$RESULT"
+            # No need to continue.
+            # Exit without error if any success signature verification.
+            return 0
+        fi
+    done
 
     if  [ -d "${TMP_DIR}" ]; then rm -rf ${TMP_DIR}; fi
     return 1
