tools: use combine_sign to compute signatures, binctl just for adding to binary

Makefile

@@ -150,13 +150,12 @@ gdb_firmware: $(FIRMWARE_BUILD_DIR)/firmware.elf ## start remote gdb session to
 
 ## misc commands:
 
-vendorheader: ## construct default vendor header
+vendorheader: ## construct and sign the default vendor header
 	./tools/build_vendorheader e28a8970753332bd72fef413e6b0b2ef1b4aadda7aa2c141f233712a6876b351:d4eec1869fb1b8a4e817516ad5a931557cb56805c3eb16e8f3a803d647df7869:772c8a442b7db06e166cfbc1ccbcbcde6f3eba76a4e98ef3ffc519502237d6ef 2 0.0 10 DEVELOPMENT assets/vendor_devel.toif embed/firmware/vendorheader.bin
-	./tools/binctl embed/firmware/vendorheader.bin -s 1:2 4444444444444444444444444444444444444444444444444444444444444444:4545454545454545454545454545454545454545454545454545454545454545
+	./tools/binctl embed/firmware/vendorheader.bin -s 1:2 `./tools/combine_sign vendorheader embed/firmware/vendorheader.bin 4444444444444444444444444444444444444444444444444444444444444444 4545454545454545454545454545454545454545454545454545454545454545`
 
 vendorheader_sl: ## construct SatoshiLabs vendor header
 	./tools/build_vendorheader 47fbdc84d8abef44fe6abde8f87b6ead821b7082ec63b9f7cc33dc53bf6c708d:03fdd9a9c3911652d5effca4540d96ed92d85850a47d256ab0a2d728c0d1a298:2218c25f8ba70c82eba8ed6a321df209c0a7643d014f33bf9317846f62923830 2 0.0 80 SatoshiLabs assets/vendor_satoshilabs.toif embed/firmware/vendorheader_sl.bin
-	./tools/binctl embed/firmware/vendorheader_sl.bin -s 1:2 trezor:trezor
 
 binctl: ## print info about binary files
 	./tools/binctl $(BOOTLOADER_BUILD_DIR)/bootloader.bin

SConscript.bootloader

@@ -146,7 +146,9 @@ env.Replace(
     ASPPFLAGS='$CFLAGS $CCFLAGS', )
 
 env.Replace(
-    BINCTL='tools/binctl', )
+    BINCTL='tools/binctl',
+    COMBINE_SIGN='tools/combine_sign',
+)
 
 #
 # Program objects
@@ -170,5 +172,5 @@ program_bin = env.Command(
     source=program_elf,
     action=[
         '$OBJCOPY -O binary -j .header -j .flash -j .data $SOURCE $TARGET',
-        '$BINCTL $TARGET -s 1:2 4141414141414141414141414141414141414141414141414141414141414141:4242424242424242424242424242424242424242424242424242424242424242',
+        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN bootloader $TARGET 4141414141414141414141414141414141414141414141414141414141414141 4242424242424242424242424242424242424242424242424242424242424242`',
     ], )

SConscript.firmware

@@ -353,7 +353,9 @@ env.Replace(
     MAKEVERSIONHDR='$PYTHON vendor/micropython/py/makeversionhdr.py',
     MPY_TOOL='$PYTHON vendor/micropython/tools/mpy-tool.py',
     MPY_CROSS='vendor/micropython/mpy-cross/mpy-cross',
-    BINCTL='tools/binctl', )
+    BINCTL='tools/binctl',
+    COMBINE_SIGN='tools/combine_sign',
+)
 
 #
 # Micropython version
@@ -428,5 +430,5 @@ program_bin = env.Command(
     source=program_elf,
     action=[
         '$OBJCOPY -O binary -j .header -j .flash -j .data $SOURCE $TARGET',
-        '$BINCTL $TARGET -s 1:2 4747474747474747474747474747474747474747474747474747474747474747:4848484848484848484848484848484848484848484848484848484848484848',
+        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
     ], )

tools/combine_sign

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+TOOLDIR=$(dirname $0)
+
+TYPE=$1
+FILE=$2
+shift
+shift
+SECKEYS=$*
+
+COMMITS=""
+
+for seckey in $SECKEYS; do
+    commit=$( $TOOLDIR/keyctl commit $TYPE $FILE $seckey )
+    COMMITS="$COMMITS $commit"
+done
+
+global_commit=$( $TOOLDIR/keyctl global_commit $COMMITS )
+
+SIGS=""
+
+for seckey in $SECKEYS; do
+    sig=$( $TOOLDIR/keyctl sign $TYPE $FILE $global_commit $seckey )
+    SIGS="$SIGS $sig"
+done
+
+$TOOLDIR/keyctl global_sign $FILE $global_commit $SIGS