identifying which builds are signed
Michael Stone
michael at laptop.org
Fri Aug 1 11:55:39 EDT 2008
On Fri, Aug 01, 2008 at 12:49:31AM -0400, Mikus Grinbergs wrote:
>>> I have a general question. I'm going to be helping some Ship.2 G1G1
>>> users (without developer keys) to perform off-line-upgrades of their
>>> systems. Currently I have to "data mine" through the wiki to verify
>>> which builds are "signed" (and can be "applied" from a USB stick).
>>
>> Things in
>>
>> http://download.laptop.org/xo-1/os/official/
>> http://download.laptop.org/xo-1/os/candidate/
>>
>> can be installed on locked machines.
>>
>> When we sign candidates or make candidates official, we send
>> announcements and publish the signed build in the appropriate directory.
>
>Thank you for the information.
>
>I'm concluding from your answer that there is _no_ way to tell, by
>examining the 'binary' of the build (e.g., os___.ucb), whether that
>build is "signed" or not.

NAND-reflash-lock signatures are external to the build and are contained
in the attached fs.zip.

Boot-lock signatures on the kernel, initramfs, and firmware are
contained in 'actos.zip', 'actrd.zip', 'runos.zip', and 'runrd.zip', on
the installed filesystem.

SPI-reflash-lock signatures are contained in the 'bootfw.zip'.

olpc-update is presently only runnable on machines which have already
passed the boot-lock; therefore its operation does not require any
additional signatures.

Michael