#! /bin/bash

# The modules_sign target checks for corresponding .o files for every .ko that
# is signed. This doesn't work for package builds which re-use the same build
# directory for every flavour, and the .config may change between flavours.
# So instead of using this script to just sign lib/modules/$KernelVer/extra,
# sign all .ko in the buildroot.

# This essentially duplicates the 'modules_sign' Kbuild target and runs the
# same commands for those modules.

MODSECKEY="$1"
MODPUBKEY="$2"
KERNELSRCDIR="$4"

MOD_DIR="$3"
SCRIPTS_SIGN_BIN="scripts/sign-file"

if [ -z "${MODSECKEY}" ] || [ -z "${MODPUBKEY}" ] || [ -z "${MOD_DIR}" ] ; then
    echo "brp-kmodsign: missing parameters"
    exit 1
fi
if [ -z "${KERNELSRCDIR}" ] ; then
    KERNELSRCDIR="."
fi
if [ ! -x "${KERNELSRCDIR}/${SCRIPTS_SIGN_BIN}" ] ; then
    echo "brp-kmodsign: ${KERNELSRCDIR}/${SCRIPTS_SIGN_BIN} not found or not executable"
    exit 1
fi

MODULES=$(find "${MOD_DIR}" -name "*.ko")

for MOD in ${MODULES}
do
    "${KERNELSRCDIR}/${SCRIPTS_SIGN_BIN}" sha256 "${MODSECKEY}" "${MODPUBKEY}" "${MOD}"
    rm -f "${MOD}".{sig,dig}
done

RANDOMMOD=$(find "${MOD_DIR}" -type f -name "*.ko" | sort -R | head -n 1)
if [ "~Module signature appended~" != "$(tail -c 28 ${RANDOMMOD})" ] ; then
    echo "brp-kmodsign: modules are unsigned!"
    exit 1
fi

exit 0