
Commit 2df23d7f authored by Tianjie Xu's avatar Tianjie Xu

Stop creating update_engine_payload_key

Now the update_engine is able to read public keys from otacerts directly.
So the update_engine_payload_key is no longer needed.

Also remove the key replace in sign_target_files_apks.py. So we should
not use the new script to sign the old target files.

Bug: 116660991
Test: build the system image, unit tests pass
Change-Id: I9dae1f8b397f2b5efafed66a8faac1cb9087c741
parent 3654beb8
+0 −27
@@ -80,30 +80,3 @@ $(LOCAL_BUILT_MODULE): \
	    $(extra_recovery_keys)
	$(SOONG_ZIP) -o $@ -j \
	    $(foreach key_file, $(PRIVATE_CERT) $(PRIVATE_EXTRA_RECOVERY_KEYS), -f $(key_file))


#######################################
# update_engine_payload_key, used by update_engine. We use the same key as otacerts but in RSA
# public key format.
include $(CLEAR_VARS)

LOCAL_MODULE := update_engine_payload_key
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_STEM := update-payload-key.pub.pem
LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/update_engine
include $(BUILD_SYSTEM)/base_rules.mk
$(LOCAL_BUILT_MODULE): $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
	openssl x509 -pubkey -noout -in $< > $@


#######################################
# update_engine_payload_key for recovery image, used by update_engine.
include $(CLEAR_VARS)

LOCAL_MODULE := update_engine_payload_key.recovery
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_STEM := update-payload-key.pub.pem
LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)/system/etc/update_engine
include $(BUILD_SYSTEM)/base_rules.mk
$(LOCAL_BUILT_MODULE): $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
	openssl x509 -pubkey -noout -in $< > $@
+2 −21
@@ -557,14 +557,13 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
      OPTIONS.rebuild_recovery = True

    # Don't copy OTA certs if we're replacing them.
    # Replacement of update-payload-key.pub.pem was removed in b/116660991.
    elif (
        OPTIONS.replace_ota_keys and
        filename in (
            "BOOT/RAMDISK/system/etc/security/otacerts.zip",
            "BOOT/RAMDISK/system/etc/update_engine/update-payload-key.pub.pem",
            "RECOVERY/RAMDISK/system/etc/security/otacerts.zip",
            "SYSTEM/etc/security/otacerts.zip",
            "SYSTEM/etc/update_engine/update-payload-key.pub.pem")):
            "SYSTEM/etc/security/otacerts.zip")):
      pass

    # Skip META/misc_info.txt since we will write back the new values later.
@@ -832,24 +831,6 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
  # We DO NOT include the extra_recovery_keys (if any) here.
  WriteOtacerts(output_tf_zip, "SYSTEM/etc/security/otacerts.zip", mapped_keys)

  # For A/B devices, update the payload verification key.
  if misc_info.get("ab_update") == "true":
    # Unlike otacerts.zip that may contain multiple keys, we can only specify
    # ONE payload verification key.
    if len(mapped_keys) > 1:
      print("\n  WARNING: Found more than one OTA keys; Using the first one"
            " as payload verification key.\n\n")

    print("Using %s for payload verification." % (mapped_keys[0],))
    pubkey = common.ExtractPublicKey(mapped_keys[0])
    common.ZipWriteStr(
        output_tf_zip,
        "SYSTEM/etc/update_engine/update-payload-key.pub.pem",
        pubkey)
    common.ZipWriteStr(
        output_tf_zip,
        "BOOT/RAMDISK/system/etc/update_engine/update-payload-key.pub.pem",
        pubkey)


def ReplaceVerityPublicKey(output_zip, filename, key_path):
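Review bot: With the two `update-payload-key.pub.pem` paths dropped from the skip tuple in ProcessTargetFiles and the rewrite deleted from ReplaceOtaKeys, an older target-files package that still carries those entries is no longer handled when `OPTIONS.replace_ota_keys` is set. Presumably the entries then reach a later branch and are copied unchanged (that branch is outside the hunk), which would leave the build-time key in a release-signed image whose update_engine still reads that file. The commit message warns against signing old target files with the new script, but nothing in the script enforces it; a branch that fails on those two paths would turn a silent key mismatch into a signing error. ProcessTargetFiles starts and ends outside the hunk.

```python
    # … unchanged: the elif that skips the otacerts.zip entries …

    # Target files built before b/116660991 still ship the payload key.
    # Refuse them rather than carry the build-time key into the signed output.
    elif (
        OPTIONS.replace_ota_keys and
        filename in (
            "BOOT/RAMDISK/system/etc/update_engine/update-payload-key.pub.pem",
            "SYSTEM/etc/update_engine/update-payload-key.pub.pem")):
      raise common.ExternalError(
          "%s is present: these target files predate b/116660991 and must "
          "be signed with the matching older script" % (filename,))
```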