Loading tools/releasetools/sign_target_files_apks.py +112 −11 Original line number Diff line number Diff line Loading @@ -78,6 +78,16 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files --replace_verity_keyid <path_to_X509_PEM_cert_file> Replace the veritykeyid in BOOT/cmdline of input_target_file_zip with keyid of the cert pointed by <path_to_X509_PEM_cert_file>. --avb_{boot,system,vendor,dtbo,vbmeta}_algorithm <algorithm> --avb_{boot,system,vendor,dtbo,vbmeta}_key <key> Use the specified algorithm (e.g. SHA256_RSA4096) and the key to AVB-sign the specified image. Otherwise it uses the existing values in info dict. --avb_{boot,system,vendor,dtbo,vbmeta}_extra_args <args> Specify any additional args that are needed to AVB-sign the image (e.g. "--signing_helper /path/to/helper"). The args will be appended to the existing ones in info dict. """ import sys Loading Loading @@ -109,6 +119,9 @@ OPTIONS.replace_verity_public_key = False OPTIONS.replace_verity_private_key = False OPTIONS.replace_verity_keyid = False OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys") OPTIONS.avb_keys = {} OPTIONS.avb_algorithms = {} OPTIONS.avb_extra_args = {} def GetApkCerts(tf_zip): certmap = common.ReadApkCerts(tf_zip) Loading Loading @@ -291,6 +304,9 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, ReplaceVerityKeyId(input_tf_zip, output_tf_zip, OPTIONS.replace_verity_keyid[1]) # Replace the AVB signing keys, if any. ReplaceAvbSigningKeys(misc_info) # Write back misc_info with the latest values. ReplaceMiscInfoTxt(input_tf_zip, output_tf_zip, misc_info) Loading Loading 
@@ -522,6 +538,41 @@ def ReplaceMiscInfoTxt(input_zip, output_zip, misc_info): common.ZipWriteStr(output_zip, "META/misc_info.txt", '\n'.join(items)) def ReplaceAvbSigningKeys(misc_info): """Replaces the AVB signing keys.""" AVB_FOOTER_ARGS_BY_PARTITION = { 'boot' : 'avb_boot_add_hash_footer_args', 'dtbo' : 'avb_dtbo_add_hash_footer_args', 'system' : 'avb_system_add_hashtree_footer_args', 'vendor' : 'avb_vendor_add_hashtree_footer_args', 'vbmeta' : 'avb_vbmeta_args', } def ReplaceAvbPartitionSigningKey(partition): key = OPTIONS.avb_keys.get(partition) if not key: return algorithm = OPTIONS.avb_algorithms.get(partition) assert algorithm, 'Missing AVB signing algorithm for %s' % (partition,) print 'Replacing AVB signing key for %s with "%s" (%s)' % ( partition, key, algorithm) misc_info['avb_' + partition + '_algorithm'] = algorithm misc_info['avb_' + partition + '_key_path'] = key extra_args = OPTIONS.avb_extra_args.get(partition) if extra_args: print 'Setting extra AVB signing args for %s to "%s"' % ( partition, extra_args) args_key = AVB_FOOTER_ARGS_BY_PARTITION[partition] misc_info[args_key] = (misc_info.get(args_key, '') + ' ' + extra_args) for partition in AVB_FOOTER_ARGS_BY_PARTITION: ReplaceAvbPartitionSigningKey(partition) def BuildKeyMap(misc_info, key_mapping_options): for s, d in key_mapping_options: if s is None: # -d option Loading Loading 
@@ -619,20 +670,68 @@ def main(argv): OPTIONS.replace_verity_private_key = (True, a) elif o == "--replace_verity_keyid": OPTIONS.replace_verity_keyid = (True, a) elif o == "--avb_vbmeta_key": OPTIONS.avb_keys['vbmeta'] = a elif o == "--avb_vbmeta_algorithm": OPTIONS.avb_algorithms['vbmeta'] = a elif o == "--avb_vbmeta_extra_args": OPTIONS.avb_extra_args['vbmeta'] = a elif o == "--avb_boot_key": OPTIONS.avb_keys['boot'] = a elif o == "--avb_boot_algorithm": OPTIONS.avb_algorithms['boot'] = a elif o == "--avb_boot_extra_args": OPTIONS.avb_extra_args['boot'] = a elif o == "--avb_dtbo_key": OPTIONS.avb_keys['dtbo'] = a elif o == "--avb_dtbo_algorithm": OPTIONS.avb_algorithms['dtbo'] = a elif o == "--avb_dtbo_extra_args": OPTIONS.avb_extra_args['dtbo'] = a elif o == "--avb_system_key": OPTIONS.avb_keys['system'] = a elif o == "--avb_system_algorithm": OPTIONS.avb_algorithms['system'] = a elif o == "--avb_system_extra_args": OPTIONS.avb_extra_args['system'] = a elif o == "--avb_vendor_key": OPTIONS.avb_keys['vendor'] = a elif o == "--avb_vendor_algorithm": OPTIONS.avb_algorithms['vendor'] = a elif o == "--avb_vendor_extra_args": OPTIONS.avb_extra_args['vendor'] = a else: return False return True args = common.ParseOptions(argv, __doc__, args = common.ParseOptions( argv, __doc__, extra_opts="e:d:k:ot:", extra_long_opts=["extra_apks=", extra_long_opts=[ "extra_apks=", "default_key_mappings=", "key_mapping=", "replace_ota_keys", "tag_changes=", "replace_verity_public_key=", "replace_verity_private_key=", "replace_verity_keyid="], "replace_verity_keyid=", "avb_vbmeta_algorithm=", "avb_vbmeta_key=", "avb_vbmeta_extra_args=", "avb_boot_algorithm=", "avb_boot_key=", "avb_boot_extra_args=", "avb_dtbo_algorithm=", "avb_dtbo_key=", "avb_dtbo_extra_args=", "avb_system_algorithm=", "avb_system_key=", "avb_system_extra_args=", "avb_vendor_algorithm=", "avb_vendor_key=", "avb_vendor_extra_args=", ], extra_option_handler=option_handler) if len(args) != 2: Loading Loading 
@@ -683,3 +782,5 @@ if __name__ == '__main__': print " ERROR: %s" % (e,) print sys.exit(1) finally: common.Cleanup() Loading
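Review bot: In `ReplaceAvbPartitionSigningKey` (the `@@ -522` hunk, where the whole helper is visible), the early `if not key: return` discards `--avb_<partition>_algorithm` and `--avb_<partition>_extra_args` without any message when the matching `--avb_<partition>_key` is absent, so the image keeps whatever key is already recorded in misc_info while the operator may believe it was re-signed. That also disagrees with the usage text added at `@@ -78`, which describes the extra args as appended to the existing ones and does not say a key is required. The missing-algorithm case is guarded only by `assert`, which is stripped under `python -O`, after which `None` would be written to `avb_<partition>_algorithm`. I would fail loudly in both cases, as sketched below; `common.ExternalError` is assumed to be the type the `__main__` handler prints, since its `except` clause lies outside the hunk. Separately, the fifteen `elif` branches in `option_handler` could be folded into a single match on `--avb_<partition>_<field>`.

```python
  def ReplaceAvbPartitionSigningKey(partition):
    key = OPTIONS.avb_keys.get(partition)
    algorithm = OPTIONS.avb_algorithms.get(partition)
    extra_args = OPTIONS.avb_extra_args.get(partition)

    if not key:
      # Do not drop signing options silently: without a replacement key the
      # image keeps the key already recorded in misc_info.
      if algorithm or extra_args:
        raise common.ExternalError(
            'AVB options given for %s without --avb_%s_key' % (
                partition, partition))
      return

    # A real check rather than assert, so it survives python -O.
    if not algorithm:
      raise common.ExternalError(
          'Missing AVB signing algorithm for %s' % (partition,))

    # ... unchanged: progress print, misc_info algorithm/key_path updates,
    # extra_args append ...
```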
tools/releasetools/sign_target_files_apks.py +112 −11 Original line number Diff line number Diff line Loading @@ -78,6 +78,16 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files --replace_verity_keyid <path_to_X509_PEM_cert_file> Replace the veritykeyid in BOOT/cmdline of input_target_file_zip with keyid of the cert pointed by <path_to_X509_PEM_cert_file>. --avb_{boot,system,vendor,dtbo,vbmeta}_algorithm <algorithm> --avb_{boot,system,vendor,dtbo,vbmeta}_key <key> Use the specified algorithm (e.g. SHA256_RSA4096) and the key to AVB-sign the specified image. Otherwise it uses the existing values in info dict. --avb_{boot,system,vendor,dtbo,vbmeta}_extra_args <args> Specify any additional args that are needed to AVB-sign the image (e.g. "--signing_helper /path/to/helper"). The args will be appended to the existing ones in info dict. """ import sys Loading Loading @@ -109,6 +119,9 @@ OPTIONS.replace_verity_public_key = False OPTIONS.replace_verity_private_key = False OPTIONS.replace_verity_keyid = False OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys") OPTIONS.avb_keys = {} OPTIONS.avb_algorithms = {} OPTIONS.avb_extra_args = {} def GetApkCerts(tf_zip): certmap = common.ReadApkCerts(tf_zip) Loading Loading @@ -291,6 +304,9 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, ReplaceVerityKeyId(input_tf_zip, output_tf_zip, OPTIONS.replace_verity_keyid[1]) # Replace the AVB signing keys, if any. ReplaceAvbSigningKeys(misc_info) # Write back misc_info with the latest values. ReplaceMiscInfoTxt(input_tf_zip, output_tf_zip, misc_info) Loading Loading 
@@ -522,6 +538,41 @@ def ReplaceMiscInfoTxt(input_zip, output_zip, misc_info): common.ZipWriteStr(output_zip, "META/misc_info.txt", '\n'.join(items)) def ReplaceAvbSigningKeys(misc_info): """Replaces the AVB signing keys.""" AVB_FOOTER_ARGS_BY_PARTITION = { 'boot' : 'avb_boot_add_hash_footer_args', 'dtbo' : 'avb_dtbo_add_hash_footer_args', 'system' : 'avb_system_add_hashtree_footer_args', 'vendor' : 'avb_vendor_add_hashtree_footer_args', 'vbmeta' : 'avb_vbmeta_args', } def ReplaceAvbPartitionSigningKey(partition): key = OPTIONS.avb_keys.get(partition) if not key: return algorithm = OPTIONS.avb_algorithms.get(partition) assert algorithm, 'Missing AVB signing algorithm for %s' % (partition,) print 'Replacing AVB signing key for %s with "%s" (%s)' % ( partition, key, algorithm) misc_info['avb_' + partition + '_algorithm'] = algorithm misc_info['avb_' + partition + '_key_path'] = key extra_args = OPTIONS.avb_extra_args.get(partition) if extra_args: print 'Setting extra AVB signing args for %s to "%s"' % ( partition, extra_args) args_key = AVB_FOOTER_ARGS_BY_PARTITION[partition] misc_info[args_key] = (misc_info.get(args_key, '') + ' ' + extra_args) for partition in AVB_FOOTER_ARGS_BY_PARTITION: ReplaceAvbPartitionSigningKey(partition) def BuildKeyMap(misc_info, key_mapping_options): for s, d in key_mapping_options: if s is None: # -d option Loading Loading 
@@ -619,20 +670,68 @@ def main(argv): OPTIONS.replace_verity_private_key = (True, a) elif o == "--replace_verity_keyid": OPTIONS.replace_verity_keyid = (True, a) elif o == "--avb_vbmeta_key": OPTIONS.avb_keys['vbmeta'] = a elif o == "--avb_vbmeta_algorithm": OPTIONS.avb_algorithms['vbmeta'] = a elif o == "--avb_vbmeta_extra_args": OPTIONS.avb_extra_args['vbmeta'] = a elif o == "--avb_boot_key": OPTIONS.avb_keys['boot'] = a elif o == "--avb_boot_algorithm": OPTIONS.avb_algorithms['boot'] = a elif o == "--avb_boot_extra_args": OPTIONS.avb_extra_args['boot'] = a elif o == "--avb_dtbo_key": OPTIONS.avb_keys['dtbo'] = a elif o == "--avb_dtbo_algorithm": OPTIONS.avb_algorithms['dtbo'] = a elif o == "--avb_dtbo_extra_args": OPTIONS.avb_extra_args['dtbo'] = a elif o == "--avb_system_key": OPTIONS.avb_keys['system'] = a elif o == "--avb_system_algorithm": OPTIONS.avb_algorithms['system'] = a elif o == "--avb_system_extra_args": OPTIONS.avb_extra_args['system'] = a elif o == "--avb_vendor_key": OPTIONS.avb_keys['vendor'] = a elif o == "--avb_vendor_algorithm": OPTIONS.avb_algorithms['vendor'] = a elif o == "--avb_vendor_extra_args": OPTIONS.avb_extra_args['vendor'] = a else: return False return True args = common.ParseOptions(argv, __doc__, args = common.ParseOptions( argv, __doc__, extra_opts="e:d:k:ot:", extra_long_opts=["extra_apks=", extra_long_opts=[ "extra_apks=", "default_key_mappings=", "key_mapping=", "replace_ota_keys", "tag_changes=", "replace_verity_public_key=", "replace_verity_private_key=", "replace_verity_keyid="], "replace_verity_keyid=", "avb_vbmeta_algorithm=", "avb_vbmeta_key=", "avb_vbmeta_extra_args=", "avb_boot_algorithm=", "avb_boot_key=", "avb_boot_extra_args=", "avb_dtbo_algorithm=", "avb_dtbo_key=", "avb_dtbo_extra_args=", "avb_system_algorithm=", "avb_system_key=", "avb_system_extra_args=", "avb_vendor_algorithm=", "avb_vendor_key=", "avb_vendor_extra_args=", ], extra_option_handler=option_handler) if len(args) != 2: Loading Loading 
@@ -683,3 +782,5 @@ if __name__ == '__main__': print " ERROR: %s" % (e,) print sys.exit(1) finally: common.Cleanup()