Loading tools/releasetools/common.py +0 −1 Original line number Diff line number Diff line Loading @@ -97,7 +97,6 @@ class Options(object): self.stash_threshold = 0.8 self.logfile = None self.host_tools = {} self.sepolicy_name = 'sepolicy.apex' OPTIONS = Options() Loading tools/releasetools/sign_apex.py +1 −2 Original line number Diff line number Diff line Loading @@ -61,7 +61,6 @@ import apex_utils import common logger = logging.getLogger(__name__) OPTIONS = common.OPTIONS def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree, Loading @@ -82,7 +81,7 @@ def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree, apk_keys=apk_keys, signing_args=signing_args, sign_tool=sign_tool, is_sepolicy=apex_file.endswith(OPTIONS.sepolicy_name), is_sepolicy=apex_file.endswith("sepolicy.apex"), sepolicy_key=sepolicy_key, sepolicy_cert=sepolicy_cert, fsverity_tool=fsverity_tool) Loading tools/releasetools/sign_target_files_apks.py +10 −80 Original line number Diff line number Diff line Loading @@ -137,15 +137,6 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files --android_jar_path <path> Path to the android.jar to repack the apex file. --sepolicy_key <key> Optional flag that specifies the sepolicy signing key, defaults to payload_key for the sepolicy.apex. --sepolicy_cert <cert> Optional flag that specifies the sepolicy signing cert. --fsverity_tool <path> Optional flag that specifies the path to fsverity tool to sign SEPolicy, defaults to fsverity. --allow_gsi_debug_sepolicy Allow the existence of the file 'userdebug_plat_sepolicy.cil' under (/system/system_ext|/system_ext)/etc/selinux. Loading Loading @@ -205,9 +196,6 @@ OPTIONS.gki_signing_extra_args = None OPTIONS.android_jar_path = None OPTIONS.vendor_partitions = set() OPTIONS.vendor_otatools = None OPTIONS.sepolicy_key = None OPTIONS.sepolicy_cert = None OPTIONS.fsverity_tool = None OPTIONS.allow_gsi_debug_sepolicy = False Loading Loading @@ -247,8 +235,6 @@ ALLOWED_VENDOR_PARTITIONS = set(["vendor", "odm"]) def IsApexFile(filename): return filename.endswith(".apex") or filename.endswith(".capex") def IsSepolicyApex(filename): return filename.endswith(OPTIONS.sepolicy_name) def GetApexFilename(filename): name = os.path.basename(filename) Loading @@ -271,24 +257,6 @@ def GetApkCerts(certmap): return certmap def GetSepolicyKeys(keys_info): """Gets SEPolicy signing keys applying overrides from command line options. Args: keys_info: A dict that maps from the SEPolicy APEX filename to a tuple of (sepolicy_key, sepolicy_cert, fsverity_tool). Returns: A dict that contains the updated APEX key mapping, which should be used for the current signing. """ for name in keys_info: (sepolicy_key, sepolicy_cert, fsverity_tool) = keys_info[name] sepolicy_key = OPTIONS.sepolicy_key if OPTIONS.sepolicy_key else sepolicy_key sepolicy_cert = OPTIONS.sepolicy_cert if OPTIONS.sepolicy_cert else sepolicy_cert fsverity_tool = OPTIONS.fsverity_tool if OPTIONS.fsverity_tool else fsverity_tool keys_info[name] = (sepolicy_key, sepolicy_cert, fsverity_tool) return keys_info def GetApexKeys(keys_info, key_map): """Gets APEX payload and container signing keys by applying the mapping rules. Loading Loading @@ -551,7 +519,7 @@ def IsBuildPropFile(filename): def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, apk_keys, apex_keys, key_passwords, platform_api_level, codename_to_api_level_map, compressed_extension, sepolicy_keys): compressed_extension): # maxsize measures the maximum filename length, including the ones to be # skipped. try: Loading Loading @@ -619,17 +587,6 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, print(" : %-*s payload (%s)" % ( maxsize, name, payload_key)) sepolicy_key = None sepolicy_cert = None fsverity_tool = None if IsSepolicyApex(name): (sepolicy_key, sepolicy_cert, fsverity_tool) = sepolicy_keys[name] print(" : %-*s sepolicy key (%s)" % ( maxsize, name, sepolicy_key)) print(" : %-*s sepolicy cert (%s)" % ( maxsize, name, sepolicy_cert)) signed_apex = apex_utils.SignApex( misc_info['avb_avbtool'], data, Loading @@ -640,11 +597,7 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, codename_to_api_level_map, no_hashtree=None, # Let apex_util determine if hash tree is needed signing_args=OPTIONS.avb_extra_args.get('apex'), sign_tool=sign_tool, is_sepolicy=IsSepolicyApex(name), sepolicy_key=sepolicy_key, sepolicy_cert=sepolicy_cert, fsverity_tool=fsverity_tool) sign_tool=sign_tool) common.ZipWrite(output_tf_zip, signed_apex, filename) else: Loading Loading @@ -1254,24 +1207,20 @@ def GetCodenameToApiLevelMap(input_tf_zip): def ReadApexKeysInfo(tf_zip): """Parses the APEX keys info from a given target-files zip. Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns two dicts, the first one contains the mapping from APEX names (e.g. com.android.tzdata) to a tuple of (payload_key, container_key, sign_tool). The second one maps the sepolicy APEX name to a tuple containing (sepolicy_key, sepolicy_cert, fsverity_tool). Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns a dict that contains the mapping from APEX names (e.g. com.android.tzdata) to a tuple of (payload_key, container_key, sign_tool). Args: tf_zip: The input target_files ZipFile (already open). Returns: name : (payload_key, container_key, sign_tool) (payload_key, container_key, sign_tool): - payload_key contains the path to the payload signing key - container_key contains the path to the container signing key - sign_tool is an apex-specific signing tool for its payload contents name : (sepolicy_key, sepolicy_cert, fsverity_tool) """ keys = {} sepolicy_keys = {} for line in tf_zip.read('META/apexkeys.txt').decode().split('\n'): line = line.strip() if not line: Loading @@ -1282,9 +1231,6 @@ def ReadApexKeysInfo(tf_zip): r'private_key="(?P<PAYLOAD_PRIVATE_KEY>.*)"\s+' r'container_certificate="(?P<CONTAINER_CERT>.*)"\s+' r'container_private_key="(?P<CONTAINER_PRIVATE_KEY>.*?)"' r'(\s+sepolicy_key="(?P<SEPOLICY_KEY>.*?)")?' r'(\s+sepolicy_certificate="(?P<SEPOLICY_CERT>.*?)")?' r'(\s+fsverity_tool="(?P<FSVERITY_TOOL>.*?)")?' r'(\s+partition="(?P<PARTITION>.*?)")?' r'(\s+sign_tool="(?P<SIGN_TOOL>.*?)")?$', line) Loading Loading @@ -1313,18 +1259,12 @@ def ReadApexKeysInfo(tf_zip): container_private_key, OPTIONS.private_key_suffix): container_key = container_cert[:-len(OPTIONS.public_key_suffix)] else: raise ValueError("Failed to parse container keys: \n{} **** {}".format(container_cert, container_private_key)) raise ValueError("Failed to parse container keys: \n{}".format(line)) sign_tool = matches.group("SIGN_TOOL") keys[name] = (payload_private_key, container_key, sign_tool) if IsSepolicyApex(name): sepolicy_key = matches.group('SEPOLICY_KEY') sepolicy_cert = matches.group('SEPOLICY_CERT') fsverity_tool = matches.group('FSVERITY_TOOL') sepolicy_keys[name] = (sepolicy_key, sepolicy_cert, fsverity_tool) return keys, sepolicy_keys return keys def BuildVendorPartitions(output_zip_path): Loading Loading @@ -1541,12 +1481,6 @@ def main(argv): OPTIONS.vendor_otatools = a elif o == "--vendor_partitions": OPTIONS.vendor_partitions = set(a.split(",")) elif o == '--sepolicy_key': OPTIONS.sepolicy_key = a elif o == '--sepolicy_cert': OPTIONS.sepolicy_cert = a elif o == '--fsverity_tool': OPTIONS.fsverity_tool = a elif o == "--allow_gsi_debug_sepolicy": OPTIONS.allow_gsi_debug_sepolicy = True else: Loading Loading @@ -1601,9 +1535,6 @@ def main(argv): "gki_signing_extra_args=", "vendor_partitions=", "vendor_otatools=", "sepolicy_key=", "sepolicy_cert=", "fsverity_tool=", "allow_gsi_debug_sepolicy", ], extra_option_handler=option_handler) Loading @@ -1626,9 +1557,8 @@ def main(argv): apk_keys_info, compressed_extension = common.ReadApkCerts(input_zip) apk_keys = GetApkCerts(apk_keys_info) apex_keys_info, sepolicy_keys_info = ReadApexKeysInfo(input_zip) apex_keys_info = ReadApexKeysInfo(input_zip) apex_keys = GetApexKeys(apex_keys_info, apk_keys) sepolicy_keys = GetSepolicyKeys(sepolicy_keys_info) # TODO(xunchang) check for the apks inside the apex files, and abort early if # the keys are not available. Loading @@ -1646,7 +1576,7 @@ def main(argv): ProcessTargetFiles(input_zip, output_zip, misc_info, apk_keys, apex_keys, key_passwords, platform_api_level, codename_to_api_level_map, compressed_extension, sepolicy_keys) compressed_extension) common.ZipClose(input_zip) common.ZipClose(output_zip) Loading tools/releasetools/test_sign_target_files_apks.py +5 −75 Original line number Diff line number Diff line Loading @@ -476,7 +476,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te target_files_zip.writestr('META/apexkeys.txt', self.APEX_KEYS_TXT) with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) keys_info = ReadApexKeysInfo(target_files_zip) self.assertEqual({ 'apex.apexd_test.apex': ( Loading @@ -486,7 +486,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) self.assertEqual({}, sepolicy_keys_info) def test_ReadApexKeysInfo_mismatchingContainerKeys(self): # Mismatching payload public / private keys. Loading Loading @@ -516,7 +515,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te target_files_zip.writestr('META/apexkeys.txt', apex_keys) with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) keys_info = ReadApexKeysInfo(target_files_zip) self.assertEqual({ 'apex.apexd_test.apex': ( Loading @@ -526,7 +525,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) self.assertEqual({}, sepolicy_keys_info) def test_ReadApexKeysInfo_missingPayloadPublicKey(self): # Invalid lines will be skipped. Loading @@ -540,7 +538,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te target_files_zip.writestr('META/apexkeys.txt', apex_keys) with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) keys_info = ReadApexKeysInfo(target_files_zip) self.assertEqual({ 'apex.apexd_test.apex': ( Loading @@ -550,7 +548,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) self.assertEqual({}, sepolicy_keys_info) def test_ReadApexKeysInfo_presignedKeys(self): apex_keys = self.APEX_KEYS_TXT + ( Loading @@ -564,7 +561,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te target_files_zip.writestr('META/apexkeys.txt', apex_keys) with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) keys_info = ReadApexKeysInfo(target_files_zip) self.assertEqual({ 'apex.apexd_test.apex': ( Loading @@ -574,7 +571,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) self.assertEqual({}, sepolicy_keys_info) def test_ReadApexKeysInfo_presignedKeys(self): apex_keys = self.APEX_KEYS_TXT + ( Loading @@ -588,7 +584,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te target_files_zip.writestr('META/apexkeys.txt', apex_keys) with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) keys_info = ReadApexKeysInfo(target_files_zip) self.assertEqual({ 'apex.apexd_test.apex': ( Loading @@ -598,72 +594,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) self.assertEqual({}, sepolicy_keys_info) def test_ReadApexKeysInfo_withSepolicyKeys(self): apex_keys = self.APEX_KEYS_TXT + ( 'name="sepolicy.apex" ' 'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" ' 'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" ' 'container_certificate="build/make/target/product/security/testkey.x509.pem" ' 'container_private_key="build/make/target/product/security/testkey.pk8" ' 'sepolicy_key="build/make/target/product/security/testkey.key" ' 'sepolicy_certificate="build/make/target/product/security/testkey.x509.pem" ' 'fsverity_tool="fsverity"') target_files = common.MakeTempFile(suffix='.zip') with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip: target_files_zip.writestr('META/apexkeys.txt', apex_keys) with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) self.assertEqual({ 'apex.apexd_test.apex': ( 'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem', 'build/make/target/product/security/testkey', None), 'apex.apexd_test_different_app.apex': ( 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), 'sepolicy.apex': ( 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) self.assertEqual({'sepolicy.apex': ( 'build/make/target/product/security/testkey.key', 'build/make/target/product/security/testkey.x509.pem', 'fsverity'), }, sepolicy_keys_info) def test_ReadApexKeysInfo_withSepolicyApex(self): apex_keys = self.APEX_KEYS_TXT + ( 'name="sepolicy.apex" ' 'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" ' 'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" ' 'container_certificate="build/make/target/product/security/testkey.x509.pem" ' 'container_private_key="build/make/target/product/security/testkey.pk8" ') target_files = common.MakeTempFile(suffix='.zip') with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip: target_files_zip.writestr('META/apexkeys.txt', apex_keys) with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) self.assertEqual({ 'apex.apexd_test.apex': ( 'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem', 'build/make/target/product/security/testkey', None), 'apex.apexd_test_different_app.apex': ( 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), 'sepolicy.apex': ( 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) self.assertEqual({'sepolicy.apex': ( None, None, None), }, sepolicy_keys_info) def test_ReplaceGkiSigningKey(self): common.OPTIONS.gki_signing_key = 'release_gki_key' Loading Loading
tools/releasetools/common.py +0 −1 Original line number Diff line number Diff line Loading @@ -97,7 +97,6 @@ class Options(object): self.stash_threshold = 0.8 self.logfile = None self.host_tools = {} self.sepolicy_name = 'sepolicy.apex' OPTIONS = Options() Loading
tools/releasetools/sign_apex.py +1 −2 Original line number Diff line number Diff line Loading @@ -61,7 +61,6 @@ import apex_utils import common logger = logging.getLogger(__name__) OPTIONS = common.OPTIONS def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree, Loading @@ -82,7 +81,7 @@ def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree, apk_keys=apk_keys, signing_args=signing_args, sign_tool=sign_tool, is_sepolicy=apex_file.endswith(OPTIONS.sepolicy_name), is_sepolicy=apex_file.endswith("sepolicy.apex"), sepolicy_key=sepolicy_key, sepolicy_cert=sepolicy_cert, fsverity_tool=fsverity_tool) Loading
tools/releasetools/sign_target_files_apks.py +10 −80 Original line number Diff line number Diff line Loading @@ -137,15 +137,6 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files --android_jar_path <path> Path to the android.jar to repack the apex file. --sepolicy_key <key> Optional flag that specifies the sepolicy signing key, defaults to payload_key for the sepolicy.apex. --sepolicy_cert <cert> Optional flag that specifies the sepolicy signing cert. --fsverity_tool <path> Optional flag that specifies the path to fsverity tool to sign SEPolicy, defaults to fsverity. --allow_gsi_debug_sepolicy Allow the existence of the file 'userdebug_plat_sepolicy.cil' under (/system/system_ext|/system_ext)/etc/selinux. Loading Loading @@ -205,9 +196,6 @@ OPTIONS.gki_signing_extra_args = None OPTIONS.android_jar_path = None OPTIONS.vendor_partitions = set() OPTIONS.vendor_otatools = None OPTIONS.sepolicy_key = None OPTIONS.sepolicy_cert = None OPTIONS.fsverity_tool = None OPTIONS.allow_gsi_debug_sepolicy = False Loading Loading @@ -247,8 +235,6 @@ ALLOWED_VENDOR_PARTITIONS = set(["vendor", "odm"]) def IsApexFile(filename): return filename.endswith(".apex") or filename.endswith(".capex") def IsSepolicyApex(filename): return filename.endswith(OPTIONS.sepolicy_name) def GetApexFilename(filename): name = os.path.basename(filename) Loading @@ -271,24 +257,6 @@ def GetApkCerts(certmap): return certmap def GetSepolicyKeys(keys_info): """Gets SEPolicy signing keys applying overrides from command line options. Args: keys_info: A dict that maps from the SEPolicy APEX filename to a tuple of (sepolicy_key, sepolicy_cert, fsverity_tool). Returns: A dict that contains the updated APEX key mapping, which should be used for the current signing. """ for name in keys_info: (sepolicy_key, sepolicy_cert, fsverity_tool) = keys_info[name] sepolicy_key = OPTIONS.sepolicy_key if OPTIONS.sepolicy_key else sepolicy_key sepolicy_cert = OPTIONS.sepolicy_cert if OPTIONS.sepolicy_cert else sepolicy_cert fsverity_tool = OPTIONS.fsverity_tool if OPTIONS.fsverity_tool else fsverity_tool keys_info[name] = (sepolicy_key, sepolicy_cert, fsverity_tool) return keys_info def GetApexKeys(keys_info, key_map): """Gets APEX payload and container signing keys by applying the mapping rules. Loading Loading @@ -551,7 +519,7 @@ def IsBuildPropFile(filename): def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, apk_keys, apex_keys, key_passwords, platform_api_level, codename_to_api_level_map, compressed_extension, sepolicy_keys): compressed_extension): # maxsize measures the maximum filename length, including the ones to be # skipped. try: Loading Loading @@ -619,17 +587,6 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, print(" : %-*s payload (%s)" % ( maxsize, name, payload_key)) sepolicy_key = None sepolicy_cert = None fsverity_tool = None if IsSepolicyApex(name): (sepolicy_key, sepolicy_cert, fsverity_tool) = sepolicy_keys[name] print(" : %-*s sepolicy key (%s)" % ( maxsize, name, sepolicy_key)) print(" : %-*s sepolicy cert (%s)" % ( maxsize, name, sepolicy_cert)) signed_apex = apex_utils.SignApex( misc_info['avb_avbtool'], data, Loading @@ -640,11 +597,7 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, codename_to_api_level_map, no_hashtree=None, # Let apex_util determine if hash tree is needed signing_args=OPTIONS.avb_extra_args.get('apex'), sign_tool=sign_tool, is_sepolicy=IsSepolicyApex(name), sepolicy_key=sepolicy_key, sepolicy_cert=sepolicy_cert, fsverity_tool=fsverity_tool) sign_tool=sign_tool) common.ZipWrite(output_tf_zip, signed_apex, filename) else: Loading Loading @@ -1254,24 +1207,20 @@ def GetCodenameToApiLevelMap(input_tf_zip): def ReadApexKeysInfo(tf_zip): """Parses the APEX keys info from a given target-files zip. Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns two dicts, the first one contains the mapping from APEX names (e.g. com.android.tzdata) to a tuple of (payload_key, container_key, sign_tool). The second one maps the sepolicy APEX name to a tuple containing (sepolicy_key, sepolicy_cert, fsverity_tool). Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns a dict that contains the mapping from APEX names (e.g. com.android.tzdata) to a tuple of (payload_key, container_key, sign_tool). Args: tf_zip: The input target_files ZipFile (already open). Returns: name : (payload_key, container_key, sign_tool) (payload_key, container_key, sign_tool): - payload_key contains the path to the payload signing key - container_key contains the path to the container signing key - sign_tool is an apex-specific signing tool for its payload contents name : (sepolicy_key, sepolicy_cert, fsverity_tool) """ keys = {} sepolicy_keys = {} for line in tf_zip.read('META/apexkeys.txt').decode().split('\n'): line = line.strip() if not line: Loading @@ -1282,9 +1231,6 @@ def ReadApexKeysInfo(tf_zip): r'private_key="(?P<PAYLOAD_PRIVATE_KEY>.*)"\s+' r'container_certificate="(?P<CONTAINER_CERT>.*)"\s+' r'container_private_key="(?P<CONTAINER_PRIVATE_KEY>.*?)"' r'(\s+sepolicy_key="(?P<SEPOLICY_KEY>.*?)")?' r'(\s+sepolicy_certificate="(?P<SEPOLICY_CERT>.*?)")?' r'(\s+fsverity_tool="(?P<FSVERITY_TOOL>.*?)")?' r'(\s+partition="(?P<PARTITION>.*?)")?' r'(\s+sign_tool="(?P<SIGN_TOOL>.*?)")?$', line) Loading Loading @@ -1313,18 +1259,12 @@ def ReadApexKeysInfo(tf_zip): container_private_key, OPTIONS.private_key_suffix): container_key = container_cert[:-len(OPTIONS.public_key_suffix)] else: raise ValueError("Failed to parse container keys: \n{} **** {}".format(container_cert, container_private_key)) raise ValueError("Failed to parse container keys: \n{}".format(line)) sign_tool = matches.group("SIGN_TOOL") keys[name] = (payload_private_key, container_key, sign_tool) if IsSepolicyApex(name): sepolicy_key = matches.group('SEPOLICY_KEY') sepolicy_cert = matches.group('SEPOLICY_CERT') fsverity_tool = matches.group('FSVERITY_TOOL') sepolicy_keys[name] = (sepolicy_key, sepolicy_cert, fsverity_tool) return keys, sepolicy_keys return keys def BuildVendorPartitions(output_zip_path): Loading Loading @@ -1541,12 +1481,6 @@ def main(argv): OPTIONS.vendor_otatools = a elif o == "--vendor_partitions": OPTIONS.vendor_partitions = set(a.split(",")) elif o == '--sepolicy_key': OPTIONS.sepolicy_key = a elif o == '--sepolicy_cert': OPTIONS.sepolicy_cert = a elif o == '--fsverity_tool': OPTIONS.fsverity_tool = a elif o == "--allow_gsi_debug_sepolicy": OPTIONS.allow_gsi_debug_sepolicy = True else: Loading Loading @@ -1601,9 +1535,6 @@ def main(argv): "gki_signing_extra_args=", "vendor_partitions=", "vendor_otatools=", "sepolicy_key=", "sepolicy_cert=", "fsverity_tool=", "allow_gsi_debug_sepolicy", ], extra_option_handler=option_handler) Loading @@ -1626,9 +1557,8 @@ def main(argv): apk_keys_info, compressed_extension = common.ReadApkCerts(input_zip) apk_keys = GetApkCerts(apk_keys_info) apex_keys_info, sepolicy_keys_info = ReadApexKeysInfo(input_zip) apex_keys_info = ReadApexKeysInfo(input_zip) apex_keys = GetApexKeys(apex_keys_info, apk_keys) sepolicy_keys = GetSepolicyKeys(sepolicy_keys_info) # TODO(xunchang) check for the apks inside the apex files, and abort early if # the keys are not available. Loading @@ -1646,7 +1576,7 @@ def main(argv): ProcessTargetFiles(input_zip, output_zip, misc_info, apk_keys, apex_keys, key_passwords, platform_api_level, codename_to_api_level_map, compressed_extension, sepolicy_keys) compressed_extension) common.ZipClose(input_zip) common.ZipClose(output_zip) Loading
tools/releasetools/test_sign_target_files_apks.py +5 −75 Original line number Diff line number Diff line Loading @@ -476,7 +476,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te target_files_zip.writestr('META/apexkeys.txt', self.APEX_KEYS_TXT) with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) keys_info = ReadApexKeysInfo(target_files_zip) self.assertEqual({ 'apex.apexd_test.apex': ( Loading @@ -486,7 +486,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) self.assertEqual({}, sepolicy_keys_info) def test_ReadApexKeysInfo_mismatchingContainerKeys(self): # Mismatching payload public / private keys. Loading Loading @@ -516,7 +515,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te target_files_zip.writestr('META/apexkeys.txt', apex_keys) with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) keys_info = ReadApexKeysInfo(target_files_zip) self.assertEqual({ 'apex.apexd_test.apex': ( Loading @@ -526,7 +525,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) self.assertEqual({}, sepolicy_keys_info) def test_ReadApexKeysInfo_missingPayloadPublicKey(self): # Invalid lines will be skipped. Loading @@ -540,7 +538,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te target_files_zip.writestr('META/apexkeys.txt', apex_keys) with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) keys_info = ReadApexKeysInfo(target_files_zip) self.assertEqual({ 'apex.apexd_test.apex': ( Loading @@ -550,7 +548,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) self.assertEqual({}, sepolicy_keys_info) def test_ReadApexKeysInfo_presignedKeys(self): apex_keys = self.APEX_KEYS_TXT + ( Loading @@ -564,7 +561,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te target_files_zip.writestr('META/apexkeys.txt', apex_keys) with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) keys_info = ReadApexKeysInfo(target_files_zip) self.assertEqual({ 'apex.apexd_test.apex': ( Loading @@ -574,7 +571,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) self.assertEqual({}, sepolicy_keys_info) def test_ReadApexKeysInfo_presignedKeys(self): apex_keys = self.APEX_KEYS_TXT + ( Loading @@ -588,7 +584,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te target_files_zip.writestr('META/apexkeys.txt', apex_keys) with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) keys_info = ReadApexKeysInfo(target_files_zip) self.assertEqual({ 'apex.apexd_test.apex': ( Loading @@ -598,72 +594,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) self.assertEqual({}, sepolicy_keys_info) def test_ReadApexKeysInfo_withSepolicyKeys(self): apex_keys = self.APEX_KEYS_TXT + ( 'name="sepolicy.apex" ' 'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" ' 'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" ' 'container_certificate="build/make/target/product/security/testkey.x509.pem" ' 'container_private_key="build/make/target/product/security/testkey.pk8" ' 'sepolicy_key="build/make/target/product/security/testkey.key" ' 'sepolicy_certificate="build/make/target/product/security/testkey.x509.pem" ' 'fsverity_tool="fsverity"') target_files = common.MakeTempFile(suffix='.zip') with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip: target_files_zip.writestr('META/apexkeys.txt', apex_keys) with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) self.assertEqual({ 'apex.apexd_test.apex': ( 'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem', 'build/make/target/product/security/testkey', None), 'apex.apexd_test_different_app.apex': ( 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), 'sepolicy.apex': ( 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) self.assertEqual({'sepolicy.apex': ( 'build/make/target/product/security/testkey.key', 'build/make/target/product/security/testkey.x509.pem', 'fsverity'), }, sepolicy_keys_info) def test_ReadApexKeysInfo_withSepolicyApex(self): apex_keys = self.APEX_KEYS_TXT + ( 'name="sepolicy.apex" ' 'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" ' 'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" ' 'container_certificate="build/make/target/product/security/testkey.x509.pem" ' 'container_private_key="build/make/target/product/security/testkey.pk8" ') target_files = common.MakeTempFile(suffix='.zip') with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip: target_files_zip.writestr('META/apexkeys.txt', apex_keys) with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) self.assertEqual({ 'apex.apexd_test.apex': ( 'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem', 'build/make/target/product/security/testkey', None), 'apex.apexd_test_different_app.apex': ( 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), 'sepolicy.apex': ( 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) self.assertEqual({'sepolicy.apex': ( None, None, None), }, sepolicy_keys_info) def test_ReplaceGkiSigningKey(self): common.OPTIONS.gki_signing_key = 'release_gki_key' Loading
