Commit 36981b54 authored by Bowgo Tsai

Fix the signing error in gsi_arm64 builds

After adding 'PREBUILT_IMAGES/pvmfw.img' into gsi_arm64,
the signing process fails:

common.ExternalError: Failed to run command
  '['avbtool', 'extract_public_key', '--key', 'PRESIGNED',
    '--output', '/tmp/avb-8z8y8_xn.avbpubkey']' (exit code 1):
  ~/codebase/android15-tests-dev/otatools/bin/avbtool:
    Error getting public key: b'Could not open file or uri for loading
    private key of public key from PRESIGNED: No such file or directory\n'

This is because apex files are pre-signed in gsi_arm64
and the script currently tries to extract the public key from the
non-existent 'PRESIGNED' file.

Fix this by obtaining the public key from 'apex_pubkey' of
'SYSTEM/apex/com.android.virt.apex'.

See https://source.android.com/docs/core/ota/apex#apex-format
for details.

Bug: 384813199
Test: m sign_target_files_apks
Test: sign_target_files_apks --allow_gsi_debug_sepolicy \
        --extra_apex_payload_key com.android.virt.apex= \
        -e com.android.virt.apex= \
        gsi_arm64-target_files-${build_id}.zip signed.zip
Test: `zipinfo signed.zip | grep pvmfw`, checks pvmfw.img is included.
Change-Id: I551e14fa6a0c63e3cef334b953f670cf9c465e10
parent 0ec57640
+21 −10
@@ -862,21 +862,32 @@ def ProcessTargetFiles(input_tf_zip: zipfile.ZipFile, output_tf_zip: zipfile.Zip

    # Updates pvmfw embedded public key with the virt APEX payload key.
    elif filename == "PREBUILT_IMAGES/pvmfw.img":
      # Find the name of the virt APEX in the target files.
      # Find the path of the virt APEX in the target files.
      namelist = input_tf_zip.namelist()
      apex_gen = (GetApexFilename(f) for f in namelist if IsApexFile(f))
      virt_apex_re = re.compile("^com\.([^\.]+\.)?android\.virt\.apex$")
      virt_apex = next((a for a in apex_gen if virt_apex_re.match(a)), None)
      if not virt_apex:
      apex_gen = (f for f in namelist if IsApexFile(f))
      virt_apex_re = re.compile("^.*com\.([^\.]+\.)?android\.virt\.apex$")
      virt_apex_path = next(
        (a for a in apex_gen if virt_apex_re.match(a)), None)
      if not virt_apex_path:
        print("Removing %s from ramdisk: virt APEX not found" % filename)
      else:
        print("Replacing %s embedded key with %s key" % (filename, virt_apex))
        print("Replacing %s embedded key with %s key" % (filename,
                                                         virt_apex_path))
        # Get the current and new embedded keys.
        virt_apex = GetApexFilename(virt_apex_path)
        payload_key, container_key, sign_tool = apex_keys[virt_apex]

        # b/384813199: handles the pre-signed com.android.virt.apex in GSI.
        if payload_key == 'PRESIGNED':
          with input_tf_zip.open(virt_apex_path) as apex_fp:
            with zipfile.ZipFile(apex_fp) as apex_zip:
              new_pubkey = apex_zip.read('apex_pubkey')
        else:
          new_pubkey_path = common.ExtractAvbPublicKey(
              misc_info['avb_avbtool'], payload_key)
          with open(new_pubkey_path, 'rb') as f:
            new_pubkey = f.read()

        pubkey_info = copy.copy(
            input_tf_zip.getinfo("PREBUILT_IMAGES/pvmfw_embedded.avbpubkey"))
        old_pubkey = input_tf_zip.read(pubkey_info.filename)
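Review bot: In the `payload_key == 'PRESIGNED'` branch, the bytes from `apex_zip.read('apex_pubkey')` become the new pvmfw embedded key with no handling for a missing entry and no check that they are the key the APEX payload is actually signed with. If the container has no `apex_pubkey` entry, `ZipFile.read` raises a bare `KeyError`; catch it and raise `common.ExternalError` naming `virt_apex_path`, so the failure is as readable as the one this change fixes. Since this value ends up as the key pvmfw trusts, consider also verifying it against the key in the payload image before embedding it, or document why the container copy is authoritative for pre-signed APEXes. Separately, the widened pattern `"^.*com\.([^\.]+\.)?android\.virt\.apex$"` now accepts any path whose basename merely ends in `com.android.virt.apex` (a prefix such as `xcom.android.virt.apex` matches), and `next(...)` takes the first hit. Anchor the match at a path separator, or keep matching on `GetApexFilename(f)` while carrying the full path along, and make the pattern a raw string so `\.` is not an invalid string escape.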