Loading tools/releasetools/sign_target_files_apks.py +45 −2 Original line number Original line Diff line number Diff line Loading @@ -65,6 +65,9 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files removed. Changes are processed in the order they appear. removed. Changes are processed in the order they appear. Default value is "-test-keys,-dev-keys,+release-keys". Default value is "-test-keys,-dev-keys,+release-keys". --replace_verity_keyid <path_to_X509_PEM_cert_file> Replace the veritykeyid in BOOT/cmdline of input_target_file_zip with keyid of the cert pointed by <path_to_X509_PEM_cert_file> """ """ import sys import sys Loading Loading @@ -94,6 +97,7 @@ OPTIONS.key_map = {} OPTIONS.replace_ota_keys = False OPTIONS.replace_ota_keys = False OPTIONS.replace_verity_public_key = False OPTIONS.replace_verity_public_key = False OPTIONS.replace_verity_private_key = False OPTIONS.replace_verity_private_key = False OPTIONS.replace_verity_keyid = False OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys") OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys") def GetApkCerts(tf_zip): def GetApkCerts(tf_zip): Loading Loading 
@@ -211,7 +215,15 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, new_data = ReplaceVerityPublicKey(output_tf_zip, info.filename, new_data = ReplaceVerityPublicKey(output_tf_zip, info.filename, OPTIONS.replace_verity_public_key[1]) OPTIONS.replace_verity_public_key[1]) write_to_temp(info.filename, info.external_attr, new_data) write_to_temp(info.filename, info.external_attr, new_data) elif (info.filename == "BOOT/cmdline" and OPTIONS.replace_verity_keyid): new_cmdline = ReplaceVerityKeyId(input_tf_zip, output_tf_zip, OPTIONS.replace_verity_keyid[1]) # Writing the new cmdline to tmpdir is redundant as the bootimage # gets build in the add_image_to_target_files and rebuild_recovery # is not exercised while building the boot image for the A/B # path write_to_temp(info.filename, info.external_attr, new_cmdline) # Sign APKs. # Sign APKs. if info.filename.endswith(".apk"): if info.filename.endswith(".apk"): name = os.path.basename(info.filename) name = os.path.basename(info.filename) Loading Loading @@ -269,6 +281,10 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, "BOOT/verity_key")): "BOOT/verity_key")): pass pass elif (info.filename == "BOOT/cmdline" and OPTIONS.replace_verity_keyid): pass # Copy BOOT/, RECOVERY/, META/, ROOT/ to rebuild recovery patch. This case # Copy BOOT/, RECOVERY/, META/, ROOT/ to rebuild recovery patch. This case # must come AFTER other matching rules. # must come AFTER other matching rules. elif (info.filename.startswith("BOOT/") or elif (info.filename.startswith("BOOT/") or Loading Loading 
@@ -492,6 +508,30 @@ def ReplaceVerityPrivateKey(targetfile_input_zip, targetfile_output_zip, common.ZipWriteStr(targetfile_output_zip, "META/misc_info.txt", new_misc_info) common.ZipWriteStr(targetfile_output_zip, "META/misc_info.txt", new_misc_info) misc_info["verity_key"] = key_path misc_info["verity_key"] = key_path def ReplaceVerityKeyId(targetfile_input_zip, targetfile_output_zip, keypath): in_cmdline = targetfile_input_zip.read("BOOT/cmdline") # copy in_cmdline to output_zip if veritykeyid is not present in in_cmdline if "veritykeyid" not in in_cmdline: common.ZipWriteStr(targetfile_output_zip, "BOOT/cmdline", in_cmdline) return in_cmdline out_cmdline = [] for param in in_cmdline.split(): if "veritykeyid" in param: # extract keyid using openssl command p = common.Run(["openssl", "x509", "-in", keypath, "-text"], stdout=subprocess.PIPE) keyid, stderr = p.communicate() keyid = re.search(r'keyid:([0-9a-fA-F:]*)', keyid).group(1).replace(':', '').lower() print "Replacing verity keyid with %s error=%s" % (keyid, stderr) out_cmdline.append("veritykeyid=id:%s" % (keyid,)) else: out_cmdline.append(param) out_cmdline = ' '.join(out_cmdline) out_cmdline = out_cmdline.strip() print "out_cmdline %s" % (out_cmdline) common.ZipWriteStr(targetfile_output_zip, "BOOT/cmdline", out_cmdline) return out_cmdline def BuildKeyMap(misc_info, key_mapping_options): def BuildKeyMap(misc_info, key_mapping_options): for s, d in key_mapping_options: for s, d in key_mapping_options: if s is None: # -d option if s is None: # -d option Loading Loading 
@@ -589,6 +629,8 @@ def main(argv): OPTIONS.replace_verity_public_key = (True, a) OPTIONS.replace_verity_public_key = (True, a) elif o == "--replace_verity_private_key": elif o == "--replace_verity_private_key": OPTIONS.replace_verity_private_key = (True, a) OPTIONS.replace_verity_private_key = (True, a) elif o == "--replace_verity_keyid": OPTIONS.replace_verity_keyid = (True, a) else: else: return False return False return True return True Loading @@ -601,7 +643,8 @@ def main(argv): "replace_ota_keys", "replace_ota_keys", "tag_changes=", "tag_changes=", "replace_verity_public_key=", "replace_verity_public_key=", "replace_verity_private_key="], "replace_verity_private_key=", "replace_verity_keyid="], extra_option_handler=option_handler) extra_option_handler=option_handler) if len(args) != 2: if len(args) != 2: Loading Loading
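Review bot: In ReplaceVerityKeyId the result of `re.search(r'keyid:([0-9a-fA-F:]*)', keyid)` is used without a check, so a certificate whose `openssl x509 -text` output has no `keyid:` line raises AttributeError, and because the group uses `*` an empty match would write `veritykeyid=id:` with no id into BOOT/cmdline. The openssl exit status is never checked, and only stdout is piped, so the `stderr` printed in the log line is always None. For a signing tool this should fail closed: pipe stderr, check `p.returncode`, require a non-empty match and raise an error naming the cert path otherwise, as sketched below. It is also worth confirming which extension the `keyid:` line comes from: in the openssl text output I am familiar with it belongs to the Authority Key Identifier, which identifies the certificate's own key only when the cert is self-signed.

```python
      # extract keyid using openssl command
      p = common.Run(["openssl", "x509", "-in", keypath, "-text"],
                     stdout=subprocess.PIPE, stderr=subprocess.PIPE)
      cert_text, stderr = p.communicate()
      if p.returncode != 0:
        raise common.ExternalError(
            "openssl x509 failed for %s: %s" % (keypath, stderr))
      m = re.search(r'keyid:([0-9a-fA-F:]+)', cert_text)
      if m is None:
        raise common.ExternalError("no keyid found in %s" % (keypath,))
      keyid = m.group(1).replace(':', '').lower()
      # … unchanged: log line and out_cmdline.append("veritykeyid=id:%s" ...) …
```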
tools/releasetools/sign_target_files_apks.py +45 −2 Original line number Original line Diff line number Diff line Loading @@ -65,6 +65,9 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files removed. Changes are processed in the order they appear. removed. Changes are processed in the order they appear. Default value is "-test-keys,-dev-keys,+release-keys". Default value is "-test-keys,-dev-keys,+release-keys". --replace_verity_keyid <path_to_X509_PEM_cert_file> Replace the veritykeyid in BOOT/cmdline of input_target_file_zip with keyid of the cert pointed by <path_to_X509_PEM_cert_file> """ """ import sys import sys Loading Loading @@ -94,6 +97,7 @@ OPTIONS.key_map = {} OPTIONS.replace_ota_keys = False OPTIONS.replace_ota_keys = False OPTIONS.replace_verity_public_key = False OPTIONS.replace_verity_public_key = False OPTIONS.replace_verity_private_key = False OPTIONS.replace_verity_private_key = False OPTIONS.replace_verity_keyid = False OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys") OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys") def GetApkCerts(tf_zip): def GetApkCerts(tf_zip): Loading Loading 
@@ -211,7 +215,15 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, new_data = ReplaceVerityPublicKey(output_tf_zip, info.filename, new_data = ReplaceVerityPublicKey(output_tf_zip, info.filename, OPTIONS.replace_verity_public_key[1]) OPTIONS.replace_verity_public_key[1]) write_to_temp(info.filename, info.external_attr, new_data) write_to_temp(info.filename, info.external_attr, new_data) elif (info.filename == "BOOT/cmdline" and OPTIONS.replace_verity_keyid): new_cmdline = ReplaceVerityKeyId(input_tf_zip, output_tf_zip, OPTIONS.replace_verity_keyid[1]) # Writing the new cmdline to tmpdir is redundant as the bootimage # gets build in the add_image_to_target_files and rebuild_recovery # is not exercised while building the boot image for the A/B # path write_to_temp(info.filename, info.external_attr, new_cmdline) # Sign APKs. # Sign APKs. if info.filename.endswith(".apk"): if info.filename.endswith(".apk"): name = os.path.basename(info.filename) name = os.path.basename(info.filename) Loading Loading @@ -269,6 +281,10 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, "BOOT/verity_key")): "BOOT/verity_key")): pass pass elif (info.filename == "BOOT/cmdline" and OPTIONS.replace_verity_keyid): pass # Copy BOOT/, RECOVERY/, META/, ROOT/ to rebuild recovery patch. This case # Copy BOOT/, RECOVERY/, META/, ROOT/ to rebuild recovery patch. This case # must come AFTER other matching rules. # must come AFTER other matching rules. elif (info.filename.startswith("BOOT/") or elif (info.filename.startswith("BOOT/") or Loading Loading 
@@ -492,6 +508,30 @@ def ReplaceVerityPrivateKey(targetfile_input_zip, targetfile_output_zip, common.ZipWriteStr(targetfile_output_zip, "META/misc_info.txt", new_misc_info) common.ZipWriteStr(targetfile_output_zip, "META/misc_info.txt", new_misc_info) misc_info["verity_key"] = key_path misc_info["verity_key"] = key_path def ReplaceVerityKeyId(targetfile_input_zip, targetfile_output_zip, keypath): in_cmdline = targetfile_input_zip.read("BOOT/cmdline") # copy in_cmdline to output_zip if veritykeyid is not present in in_cmdline if "veritykeyid" not in in_cmdline: common.ZipWriteStr(targetfile_output_zip, "BOOT/cmdline", in_cmdline) return in_cmdline out_cmdline = [] for param in in_cmdline.split(): if "veritykeyid" in param: # extract keyid using openssl command p = common.Run(["openssl", "x509", "-in", keypath, "-text"], stdout=subprocess.PIPE) keyid, stderr = p.communicate() keyid = re.search(r'keyid:([0-9a-fA-F:]*)', keyid).group(1).replace(':', '').lower() print "Replacing verity keyid with %s error=%s" % (keyid, stderr) out_cmdline.append("veritykeyid=id:%s" % (keyid,)) else: out_cmdline.append(param) out_cmdline = ' '.join(out_cmdline) out_cmdline = out_cmdline.strip() print "out_cmdline %s" % (out_cmdline) common.ZipWriteStr(targetfile_output_zip, "BOOT/cmdline", out_cmdline) return out_cmdline def BuildKeyMap(misc_info, key_mapping_options): def BuildKeyMap(misc_info, key_mapping_options): for s, d in key_mapping_options: for s, d in key_mapping_options: if s is None: # -d option if s is None: # -d option Loading Loading 
@@ -589,6 +629,8 @@ def main(argv): OPTIONS.replace_verity_public_key = (True, a) OPTIONS.replace_verity_public_key = (True, a) elif o == "--replace_verity_private_key": elif o == "--replace_verity_private_key": OPTIONS.replace_verity_private_key = (True, a) OPTIONS.replace_verity_private_key = (True, a) elif o == "--replace_verity_keyid": OPTIONS.replace_verity_keyid = (True, a) else: else: return False return False return True return True Loading @@ -601,7 +643,8 @@ def main(argv): "replace_ota_keys", "replace_ota_keys", "tag_changes=", "tag_changes=", "replace_verity_public_key=", "replace_verity_public_key=", "replace_verity_private_key="], "replace_verity_private_key=", "replace_verity_keyid="], extra_option_handler=option_handler) extra_option_handler=option_handler) if len(args) != 2: if len(args) != 2: Loading