From 702ed27285f3f1d4529fbe7fe5f0a2caa81359db Mon Sep 17 00:00:00 2001
From: Alex Klyubin
Date: Wed, 17 Feb 2016 13:13:07 -0800
Subject: [PATCH] Switch from SHA-1 to SHA-256 for new signing key certs.
This is to move OTA update package verification logic for new Android devices from SHA-1 to SHA-256. Prior to this change the script which generates new signing keys used SHA-1 in certificates. This change switches the script from SHA-1 to SHA-256. The reason is that OTA updates are accepted only if they are signed using the same digest algorithm as in the certificate.
Bug: 25643280
Bug: 20580998
Change-Id: I9babe85946a43697aeb4309837504aea25e26763
---
 tools/make_key | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/make_key b/tools/make_key
index 6d1ed4717..a6cf49c0d 100755
--- a/tools/make_key
+++ b/tools/make_key
@@ -51,7 +51,7 @@ read -p "Enter password for '$1' (blank for none; password will be visible): " \
 if [ "${3}" = "rsa" -o "$#" -eq 2 ]; then
 ( openssl genrsa -f4 2048 | tee ${one} > ${two} ) &
- hash="-sha1"
+ hash="-sha256"
 elif [ "${3}" = "ec" ]; then
 ( openssl ecparam -name prime256v1 -genkey -noout | tee ${one} > ${two} ) &
 hash="-sha256"
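Review bot: The new `hash="-sha256"` line in the rsa branch has no comment recording why the digest matters, although the commit message says OTA packages are accepted only when signed with the same digest as the certificate. That constraint is easy to lose once it lives only in the commit log, so I would add above the assignment `# Cert digest; OTA packages must be signed with the same digest to be accepted.` As a style point, the rsa and ec branches now assign the same value, so `hash="-sha256"` could be set once before the `if`. The if/elif chain continues outside this hunk, so first confirm that no other branch needs a different digest.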