Attention is currently required from: Matt DeVillier, Paul Menzel, Leah Rowe. Arthur Heymans has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/51168 )

Change subject: util/chromeos: Verify sha1sums of downloaded recovery images ......................................................................

Patch Set 2:

(1 comment)

File util/chromeos/crosfirmware.sh:

https://review.coreboot.org/c/coreboot/+/51168/comment/63f6a9ba_dbc62bb4 PS1, Line 51: sha1_list="$(grep sha1 ${_cfgfile} | sed 's/sha1=//g')"

Because the way the inventory is structured, there's no way to reliably do that. So I currently make an assumption that google always has the correct sha1sum defined for each image.

With that assumption in mind, the logic works just fine.

The structure of the inventory seem such that it can be done in a very reliable way. E.g. the sha1= entry is always 2 lines above the file= entry.

A checksum for a file makes sense, a checksum list of which one has to match the file partially defeats the purpose of doing it.