Loading core/Makefile +7 −9 Original line number Diff line number Diff line Loading @@ -1638,15 +1638,13 @@ OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem # Generate a file containing the keys that will be read by the # recovery binary. RECOVERY_INSTALL_OTA_KEYS := \ $(call intermediates-dir-for,PACKAGING,ota_keys)/keys DUMPKEY_JAR := $(HOST_OUT_JAVA_LIBRARIES)/dumpkey.jar $(call intermediates-dir-for,PACKAGING,ota_keys)/otacerts.zip $(RECOVERY_INSTALL_OTA_KEYS): PRIVATE_OTA_PUBLIC_KEYS := $(OTA_PUBLIC_KEYS) $(RECOVERY_INSTALL_OTA_KEYS): extra_keys := $(patsubst %,%.x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS)) $(RECOVERY_INSTALL_OTA_KEYS): $(OTA_PUBLIC_KEYS) $(DUMPKEY_JAR) $(extra_keys) @echo "DumpPublicKey: $@ <= $(PRIVATE_OTA_PUBLIC_KEYS) $(extra_keys)" @rm -rf $@ @mkdir -p $(dir $@) $(JAVA) -jar $(DUMPKEY_JAR) $(PRIVATE_OTA_PUBLIC_KEYS) $(extra_keys) > $@ $(RECOVERY_INSTALL_OTA_KEYS): $(SOONG_ZIP) $(OTA_PUBLIC_KEYS) $(extra_keys) $(hide) rm -f $@ $(hide) mkdir -p $(dir $@) $(hide) $(SOONG_ZIP) -o $@ $(foreach key_file, $(PRIVATE_OTA_PUBLIC_KEYS) $(extra_keys), -C $(dir $(key_file)) -f $(key_file)) RECOVERYIMAGE_ID_FILE := $(PRODUCT_OUT)/recovery.id Loading Loading @@ -1677,7 +1675,8 @@ define build-recoveryimage-target cp -f $(item) $(TARGET_RECOVERY_ROOT_OUT)/system/etc/recovery.fstab) $(if $(strip $(recovery_wipe)), \ $(hide) cp -f $(recovery_wipe) $(TARGET_RECOVERY_ROOT_OUT)/system/etc/recovery.wipe) $(hide) cp $(RECOVERY_INSTALL_OTA_KEYS) $(TARGET_RECOVERY_ROOT_OUT)/res/keys $(hide) mkdir -p $(TARGET_RECOVERY_ROOT_OUT)/system/etc/security $(hide) cp $(RECOVERY_INSTALL_OTA_KEYS) $(TARGET_RECOVERY_ROOT_OUT)/system/etc/security/otacerts.zip $(hide) ln -sf prop.default $(TARGET_RECOVERY_ROOT_OUT)/default.prop $(BOARD_RECOVERY_IMAGE_PREPARE) $(hide) $(MKBOOTFS) -d $(TARGET_OUT) $(TARGET_RECOVERY_ROOT_OUT) | $(MINIGZIP) > $(recovery_ramdisk) Loading Loading 
@@ -3094,7 +3093,6 @@ OTATOOLS := $(HOST_OUT_EXECUTABLES)/minigzip \ $(HOST_OUT_EXECUTABLES)/zipalign \ $(HOST_OUT_EXECUTABLES)/bsdiff \ $(HOST_OUT_EXECUTABLES)/imgdiff \ $(HOST_OUT_JAVA_LIBRARIES)/dumpkey.jar \ $(HOST_OUT_JAVA_LIBRARIES)/signapk.jar \ $(HOST_OUT_JAVA_LIBRARIES)/BootSignature.jar \ $(HOST_OUT_JAVA_LIBRARIES)/VeritySigner.jar \ Loading tools/releasetools/sign_target_files_apks.py +31 −31 Original line number Diff line number Diff line Loading @@ -369,13 +369,13 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, "SYSTEM/bin/install-recovery.sh"): OPTIONS.rebuild_recovery = True # Don't copy OTA keys if we're replacing them. # Don't copy OTA certs if we're replacing them. elif ( OPTIONS.replace_ota_keys and filename in ( "BOOT/RAMDISK/res/keys", "BOOT/RAMDISK/system/etc/security/otacerts.zip", "BOOT/RAMDISK/system/etc/update_engine/update-payload-key.pub.pem", "RECOVERY/RAMDISK/res/keys", "RECOVERY/RAMDISK/system/etc/security/otacerts.zip", "SYSTEM/etc/security/otacerts.zip", "SYSTEM/etc/update_engine/update-payload-key.pub.pem")): pass Loading Loading @@ -548,6 +548,27 @@ def RewriteProps(data): return "\n".join(output) + "\n" def WriteOtacerts(output_zip, filename, keys): """Constructs a zipfile from given keys; and writes it to output_zip. Args: output_zip: The output target_files zip. filename: The archive name in the output zip. keys: A list of public keys to use during OTA package verification. """ try: from StringIO import StringIO except ImportError: from io import StringIO temp_file = StringIO() certs_zip = zipfile.ZipFile(temp_file, "w") for k in keys: common.ZipWrite(certs_zip, k) common.ZipClose(certs_zip) common.ZipWriteStr(output_zip, filename, temp_file.getvalue()) def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info): try: keylist = input_tf_zip.read("META/otakeys.txt").split() Loading Loading 
@@ -585,39 +606,20 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info): print("META/otakeys.txt has no keys; using %s for OTA package" " verification." % (mapped_keys[0],)) # recovery uses a version of the key that has been slightly # predigested (by DumpPublicKey.java) and put in res/keys. # recovery now uses the same x509.pem version of the keys. # extra_recovery_keys are used only in recovery. cmd = ([OPTIONS.java_path] + OPTIONS.java_args + ["-jar", os.path.join(OPTIONS.search_path, "framework", "dumpkey.jar")] + mapped_keys + extra_recovery_keys) p = common.Run(cmd, stdout=subprocess.PIPE) new_recovery_keys, _ = p.communicate() if p.returncode != 0: raise common.ExternalError("failed to run dumpkeys") if misc_info.get("recovery_as_boot") == "true": recovery_keys_location = "BOOT/RAMDISK/res/keys" recovery_keys_location = "BOOT/RAMDISK/system/etc/security/otacerts.zip" else: recovery_keys_location = "RECOVERY/RAMDISK/res/keys" common.ZipWriteStr(output_tf_zip, recovery_keys_location, new_recovery_keys) recovery_keys_location = "RECOVERY/RAMDISK/system/etc/security/otacerts.zip" WriteOtacerts(output_tf_zip, recovery_keys_location, mapped_keys + extra_recovery_keys) # SystemUpdateActivity uses the x509.pem version of the keys, but # put into a zipfile system/etc/security/otacerts.zip. # We DO NOT include the extra_recovery_keys (if any) here. try: from StringIO import StringIO except ImportError: from io import StringIO temp_file = StringIO() certs_zip = zipfile.ZipFile(temp_file, "w") for k in mapped_keys: common.ZipWrite(certs_zip, k) common.ZipClose(certs_zip) common.ZipWriteStr(output_tf_zip, "SYSTEM/etc/security/otacerts.zip", temp_file.getvalue()) WriteOtacerts(output_tf_zip, "SYSTEM/etc/security/otacerts.zip", mapped_keys) # For A/B devices, update the payload verification key. if misc_info.get("ab_update") == "true": Loading 
@@ -638,8 +640,6 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info): "BOOT/RAMDISK/system/etc/update_engine/update-payload-key.pub.pem", pubkey) return new_recovery_keys def ReplaceVerityPublicKey(output_zip, filename, key_path): """Replaces the verity public key at the given path in the given zip. Loading Loading
core/Makefile +7 −9 Original line number Diff line number Diff line Loading @@ -1638,15 +1638,13 @@ OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem # Generate a file containing the keys that will be read by the # recovery binary. RECOVERY_INSTALL_OTA_KEYS := \ $(call intermediates-dir-for,PACKAGING,ota_keys)/keys DUMPKEY_JAR := $(HOST_OUT_JAVA_LIBRARIES)/dumpkey.jar $(call intermediates-dir-for,PACKAGING,ota_keys)/otacerts.zip $(RECOVERY_INSTALL_OTA_KEYS): PRIVATE_OTA_PUBLIC_KEYS := $(OTA_PUBLIC_KEYS) $(RECOVERY_INSTALL_OTA_KEYS): extra_keys := $(patsubst %,%.x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS)) $(RECOVERY_INSTALL_OTA_KEYS): $(OTA_PUBLIC_KEYS) $(DUMPKEY_JAR) $(extra_keys) @echo "DumpPublicKey: $@ <= $(PRIVATE_OTA_PUBLIC_KEYS) $(extra_keys)" @rm -rf $@ @mkdir -p $(dir $@) $(JAVA) -jar $(DUMPKEY_JAR) $(PRIVATE_OTA_PUBLIC_KEYS) $(extra_keys) > $@ $(RECOVERY_INSTALL_OTA_KEYS): $(SOONG_ZIP) $(OTA_PUBLIC_KEYS) $(extra_keys) $(hide) rm -f $@ $(hide) mkdir -p $(dir $@) $(hide) $(SOONG_ZIP) -o $@ $(foreach key_file, $(PRIVATE_OTA_PUBLIC_KEYS) $(extra_keys), -C $(dir $(key_file)) -f $(key_file)) RECOVERYIMAGE_ID_FILE := $(PRODUCT_OUT)/recovery.id Loading Loading @@ -1677,7 +1675,8 @@ define build-recoveryimage-target cp -f $(item) $(TARGET_RECOVERY_ROOT_OUT)/system/etc/recovery.fstab) $(if $(strip $(recovery_wipe)), \ $(hide) cp -f $(recovery_wipe) $(TARGET_RECOVERY_ROOT_OUT)/system/etc/recovery.wipe) $(hide) cp $(RECOVERY_INSTALL_OTA_KEYS) $(TARGET_RECOVERY_ROOT_OUT)/res/keys $(hide) mkdir -p $(TARGET_RECOVERY_ROOT_OUT)/system/etc/security $(hide) cp $(RECOVERY_INSTALL_OTA_KEYS) $(TARGET_RECOVERY_ROOT_OUT)/system/etc/security/otacerts.zip $(hide) ln -sf prop.default $(TARGET_RECOVERY_ROOT_OUT)/default.prop $(BOARD_RECOVERY_IMAGE_PREPARE) $(hide) $(MKBOOTFS) -d $(TARGET_OUT) $(TARGET_RECOVERY_ROOT_OUT) | $(MINIGZIP) > $(recovery_ramdisk) Loading Loading 
@@ -3094,7 +3093,6 @@ OTATOOLS := $(HOST_OUT_EXECUTABLES)/minigzip \ $(HOST_OUT_EXECUTABLES)/zipalign \ $(HOST_OUT_EXECUTABLES)/bsdiff \ $(HOST_OUT_EXECUTABLES)/imgdiff \ $(HOST_OUT_JAVA_LIBRARIES)/dumpkey.jar \ $(HOST_OUT_JAVA_LIBRARIES)/signapk.jar \ $(HOST_OUT_JAVA_LIBRARIES)/BootSignature.jar \ $(HOST_OUT_JAVA_LIBRARIES)/VeritySigner.jar \ Loading
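Review bot: In the new `$(SOONG_ZIP)` recipe each certificate is added with `-C $(dir $(key_file)) -f $(key_file)`, so it is stored in otacerts.zip under its basename only. Two key files that sit in different directories but share a file name (for example two entries of `PRODUCT_EXTRA_RECOVERY_KEYS`) would collide, and depending on how soong_zip treats duplicate entries the build either fails or recovery ends up without one of its trust anchors. I would state the assumption above the rule, e.g. `# Certs are stored by basename; all OTA key files must have unique file names.` Separately, `$(extra_keys)` in the prerequisite list is expanded outside the target-specific scope where it is assigned, so unless a global `extra_keys` is defined outside this hunk, a changed extra recovery cert does not cause the zip to be rebuilt. Writing `$(patsubst %,%.x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))` directly in the prerequisites would close that.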
tools/releasetools/sign_target_files_apks.py +31 −31 Original line number Diff line number Diff line Loading @@ -369,13 +369,13 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, "SYSTEM/bin/install-recovery.sh"): OPTIONS.rebuild_recovery = True # Don't copy OTA keys if we're replacing them. # Don't copy OTA certs if we're replacing them. elif ( OPTIONS.replace_ota_keys and filename in ( "BOOT/RAMDISK/res/keys", "BOOT/RAMDISK/system/etc/security/otacerts.zip", "BOOT/RAMDISK/system/etc/update_engine/update-payload-key.pub.pem", "RECOVERY/RAMDISK/res/keys", "RECOVERY/RAMDISK/system/etc/security/otacerts.zip", "SYSTEM/etc/security/otacerts.zip", "SYSTEM/etc/update_engine/update-payload-key.pub.pem")): pass Loading Loading @@ -548,6 +548,27 @@ def RewriteProps(data): return "\n".join(output) + "\n" def WriteOtacerts(output_zip, filename, keys): """Constructs a zipfile from given keys; and writes it to output_zip. Args: output_zip: The output target_files zip. filename: The archive name in the output zip. keys: A list of public keys to use during OTA package verification. """ try: from StringIO import StringIO except ImportError: from io import StringIO temp_file = StringIO() certs_zip = zipfile.ZipFile(temp_file, "w") for k in keys: common.ZipWrite(certs_zip, k) common.ZipClose(certs_zip) common.ZipWriteStr(output_zip, filename, temp_file.getvalue()) def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info): try: keylist = input_tf_zip.read("META/otakeys.txt").split() Loading Loading 
@@ -585,39 +606,20 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info): print("META/otakeys.txt has no keys; using %s for OTA package" " verification." % (mapped_keys[0],)) # recovery uses a version of the key that has been slightly # predigested (by DumpPublicKey.java) and put in res/keys. # recovery now uses the same x509.pem version of the keys. # extra_recovery_keys are used only in recovery. cmd = ([OPTIONS.java_path] + OPTIONS.java_args + ["-jar", os.path.join(OPTIONS.search_path, "framework", "dumpkey.jar")] + mapped_keys + extra_recovery_keys) p = common.Run(cmd, stdout=subprocess.PIPE) new_recovery_keys, _ = p.communicate() if p.returncode != 0: raise common.ExternalError("failed to run dumpkeys") if misc_info.get("recovery_as_boot") == "true": recovery_keys_location = "BOOT/RAMDISK/res/keys" recovery_keys_location = "BOOT/RAMDISK/system/etc/security/otacerts.zip" else: recovery_keys_location = "RECOVERY/RAMDISK/res/keys" common.ZipWriteStr(output_tf_zip, recovery_keys_location, new_recovery_keys) recovery_keys_location = "RECOVERY/RAMDISK/system/etc/security/otacerts.zip" WriteOtacerts(output_tf_zip, recovery_keys_location, mapped_keys + extra_recovery_keys) # SystemUpdateActivity uses the x509.pem version of the keys, but # put into a zipfile system/etc/security/otacerts.zip. # We DO NOT include the extra_recovery_keys (if any) here. try: from StringIO import StringIO except ImportError: from io import StringIO temp_file = StringIO() certs_zip = zipfile.ZipFile(temp_file, "w") for k in mapped_keys: common.ZipWrite(certs_zip, k) common.ZipClose(certs_zip) common.ZipWriteStr(output_tf_zip, "SYSTEM/etc/security/otacerts.zip", temp_file.getvalue()) WriteOtacerts(output_tf_zip, "SYSTEM/etc/security/otacerts.zip", mapped_keys) # For A/B devices, update the payload verification key. if misc_info.get("ab_update") == "true": Loading 
@@ -638,8 +640,6 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info): "BOOT/RAMDISK/system/etc/update_engine/update-payload-key.pub.pem", pubkey) return new_recovery_keys def ReplaceVerityPublicKey(output_zip, filename, key_path): """Replaces the verity public key at the given path in the given zip. Loading
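Review bot: Dropping `"BOOT/RAMDISK/res/keys"` and `"RECOVERY/RAMDISK/res/keys"` from the skip tuple in ProcessTargetFiles means that a target_files zip built before this change would have its old `res/keys` copied unchanged into the signed output when `replace_ota_keys` is set, so the keys the build was made with stay in the re-signed recovery ramdisk. If this script can be run against older inputs, keep the two legacy paths in the tuple next to the new `otacerts.zip` entries so they are dropped rather than passed through. ProcessTargetFiles continues outside the hunk, so I cannot see whether another branch already handles them. In the new WriteOtacerts, `zipfile.ZipFile` writes bytes, so the `io.StringIO` fallback cannot work on Python 3; `from io import BytesIO` and `temp_file = BytesIO()` behave the same on both interpreters. ReplaceOtaKeys also no longer returns `new_recovery_keys`, so any caller outside this view that uses the return value should be checked.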