Loading tools/releasetools/Android.bp +0 −3 Original line number Diff line number Diff line Loading @@ -168,7 +168,6 @@ python_defaults { "apexd_host", "brillo_update_payload", "checkvintf", "generate_gki_certificate", "lz4", "toybox", "unpack_bootimg", Loading Loading @@ -245,7 +244,6 @@ python_library_host { "boot_signer", "brotli", "bsdiff", "generate_gki_certificate", "imgdiff", "lz4", "mkbootfs", Loading Loading @@ -310,7 +308,6 @@ python_defaults { "brotli", "bsdiff", "deapexer", "generate_gki_certificate", "imgdiff", "lz4", "mkbootfs", Loading tools/releasetools/common.py +0 −67 Original line number Diff line number Diff line Loading @@ -1565,50 +1565,6 @@ def GetAvbChainedPartitionArg(partition, info_dict, key=None): pubkey_path=pubkey_path) def _HasGkiCertificationArgs(): return ("gki_signing_key_path" in OPTIONS.info_dict and "gki_signing_algorithm" in OPTIONS.info_dict) def _GenerateGkiCertificate(image, image_name): key_path = OPTIONS.info_dict.get("gki_signing_key_path") algorithm = OPTIONS.info_dict.get("gki_signing_algorithm") key_path = ResolveAVBSigningPathArgs(key_path) # Checks key_path exists, before processing --gki_signing_* args. if not os.path.exists(key_path): raise ExternalError( 'gki_signing_key_path: "{}" not found'.format(key_path)) output_certificate = tempfile.NamedTemporaryFile() cmd = [ "generate_gki_certificate", "--name", image_name, "--algorithm", algorithm, "--key", key_path, "--output", output_certificate.name, image, ] signature_args = OPTIONS.info_dict.get("gki_signing_signature_args", "") signature_args = signature_args.strip() if signature_args: cmd.extend(["--additional_avb_args", signature_args]) args = OPTIONS.info_dict.get("avb_boot_add_hash_footer_args", "") args = args.strip() if args: cmd.extend(["--additional_avb_args", args]) RunAndCheckOutput(cmd) output_certificate.seek(os.SEEK_SET, 0) data = output_certificate.read() output_certificate.close() return data def BuildVBMeta(image_path, partitions, name, needed_partitions, resolve_rollback_index_location_conflict=False): """Creates a VBMeta image. Loading Loading @@ -1831,29 +1787,6 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, RunAndCheckOutput(cmd) if _HasGkiCertificationArgs(): if not os.path.exists(img.name): raise ValueError("Cannot find GKI boot.img") if kernel_path is None or not os.path.exists(kernel_path): raise ValueError("Cannot find GKI kernel.img") # Certify GKI images. boot_signature_bytes = b'' boot_signature_bytes += _GenerateGkiCertificate(img.name, "boot") boot_signature_bytes += _GenerateGkiCertificate( kernel_path, "generic_kernel") BOOT_SIGNATURE_SIZE = 16 * 1024 if len(boot_signature_bytes) > BOOT_SIGNATURE_SIZE: raise ValueError( f"GKI boot_signature size must be <= {BOOT_SIGNATURE_SIZE}") boot_signature_bytes += ( b'\0' * (BOOT_SIGNATURE_SIZE - len(boot_signature_bytes))) assert len(boot_signature_bytes) == BOOT_SIGNATURE_SIZE with open(img.name, 'ab') as f: f.write(boot_signature_bytes) # Sign the image if vboot is non-empty. if info_dict.get("vboot"): path = "/" + partition_name Loading tools/releasetools/sign_target_files_apks.py +4 −41 Original line number Diff line number Diff line Loading @@ -124,14 +124,8 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files --gki_signing_algorithm <algorithm> --gki_signing_key <key> Use the specified algorithm (e.g. SHA256_RSA4096) and the key to generate 'boot signature' in a v4 boot.img. Otherwise it uses the existing values in info dict. --gki_signing_extra_args <args> Specify any additional args that are needed to generate 'boot signature' (e.g. --prop foo:bar). The args will be appended to the existing ones in info dict. DEPRECATED Does nothing. --android_jar_path <path> Path to the android.jar to repack the apex file. Loading Loading @@ -221,9 +215,6 @@ OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys") OPTIONS.avb_keys = {} OPTIONS.avb_algorithms = {} OPTIONS.avb_extra_args = {} OPTIONS.gki_signing_key = None OPTIONS.gki_signing_algorithm = None OPTIONS.gki_signing_extra_args = None OPTIONS.android_jar_path = None OPTIONS.vendor_partitions = set() OPTIONS.vendor_otatools = None Loading Loading @@ -595,7 +586,7 @@ def ProcessTargetFiles(input_tf_zip: zipfile.ZipFile, output_tf_zip, misc_info, [len(os.path.basename(i.filename)) for i in input_tf_zip.infolist() if GetApkFileInfo(i.filename, compressed_extension, [])[0]]) except ValueError: # Sets this to zero for targets without APK files, e.g., gki_arm64. # Sets this to zero for targets without APK files. maxsize = 0 for info in input_tf_zip.infolist(): Loading Loading @@ -818,9 +809,6 @@ def ProcessTargetFiles(input_tf_zip: zipfile.ZipFile, output_tf_zip, misc_info, if misc_info.get('avb_enable') == 'true': RewriteAvbProps(misc_info) # Replace the GKI signing key for boot.img, if any. ReplaceGkiSigningKey(misc_info) # Write back misc_info with the latest values. ReplaceMiscInfoTxt(input_tf_zip, output_tf_zip, misc_info) Loading Loading @@ -1102,27 +1090,6 @@ def RewriteAvbProps(misc_info): misc_info[args_key] = result def ReplaceGkiSigningKey(misc_info): """Replaces the GKI signing key.""" key = OPTIONS.gki_signing_key if not key: return algorithm = OPTIONS.gki_signing_algorithm if not algorithm: raise ValueError("Missing --gki_signing_algorithm") print('Replacing GKI signing key with "%s" (%s)' % (key, algorithm)) misc_info["gki_signing_algorithm"] = algorithm misc_info["gki_signing_key_path"] = key extra_args = OPTIONS.gki_signing_extra_args if extra_args: print('Setting GKI signing args: "%s"' % (extra_args)) misc_info["gki_signing_signature_args"] = extra_args def BuildKeyMap(misc_info, key_mapping_options): for s, d in key_mapping_options: if s is None: # -d option Loading Loading @@ -1477,12 +1444,6 @@ def main(argv): # 'oem=--signing_helper_with_files=/tmp/avbsigner.sh'. partition, extra_args = a.split("=", 1) OPTIONS.avb_extra_args[partition] = extra_args elif o == "--gki_signing_key": OPTIONS.gki_signing_key = a elif o == "--gki_signing_algorithm": OPTIONS.gki_signing_algorithm = a elif o == "--gki_signing_extra_args": OPTIONS.gki_signing_extra_args = a elif o == "--vendor_otatools": OPTIONS.vendor_otatools = a elif o == "--vendor_partitions": Loading @@ -1493,6 +1454,8 @@ def main(argv): OPTIONS.override_apk_keys = a elif o == "--override_apex_keys": OPTIONS.override_apex_keys = a elif o in ("--gki_signing_key", "--gki_signing_algorithm", "--gki_signing_extra_args"): print(f"{o} is deprecated and does nothing") else: return False return True Loading tools/releasetools/test_common.py +0 −34 Original line number Diff line number Diff line Loading @@ -1605,40 +1605,6 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase): self.assertEqual(3, chained_partition_args.rollback_index_location) self.assertTrue(os.path.exists(chained_partition_args.pubkey_path)) def test_GenerateGkiCertificate_KeyPathNotFound(self): pubkey = os.path.join(self.testdata_dir, 'no_testkey_gki.pem') self.assertFalse(os.path.exists(pubkey)) common.OPTIONS.info_dict = { 'gki_signing_key_path': pubkey, 'gki_signing_algorithm': 'SHA256_RSA4096', 'gki_signing_signature_args': '--prop foo:bar', } common.OPTIONS.search_path = None test_file = tempfile.NamedTemporaryFile() self.assertRaises(common.ExternalError, common._GenerateGkiCertificate, test_file.name, 'generic_kernel') def test_GenerateGkiCertificate_SearchKeyPathNotFound(self): pubkey = 'no_testkey_gki.pem' self.assertFalse(os.path.exists(pubkey)) # Tests it should raise ExternalError if no key found under # OPTIONS.search_path. search_path_dir = common.MakeTempDir() search_pubkey = os.path.join(search_path_dir, pubkey) self.assertFalse(os.path.exists(search_pubkey)) common.OPTIONS.search_path = search_path_dir common.OPTIONS.info_dict = { 'gki_signing_key_path': pubkey, 'gki_signing_algorithm': 'SHA256_RSA4096', 'gki_signing_signature_args': '--prop foo:bar', } test_file = tempfile.NamedTemporaryFile() self.assertRaises(common.ExternalError, common._GenerateGkiCertificate, test_file.name, 'generic_kernel') class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase): """Checks the format of install-recovery.sh. Loading tools/releasetools/test_sign_target_files_apks.py +1 −51 Original line number Diff line number Diff line Loading @@ -23,8 +23,7 @@ import common import test_utils from sign_target_files_apks import ( CheckApkAndApexKeysAvailable, EditTags, GetApkFileInfo, ReadApexKeysInfo, ReplaceCerts, ReplaceGkiSigningKey, RewriteAvbProps, RewriteProps, WriteOtacerts) ReplaceCerts, RewriteAvbProps, RewriteProps, WriteOtacerts) class SignTargetFilesApksTest(test_utils.ReleaseToolsTestCase): Loading Loading @@ -536,52 +535,3 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) def test_ReplaceGkiSigningKey(self): common.OPTIONS.gki_signing_key = 'release_gki_key' common.OPTIONS.gki_signing_algorithm = 'release_gki_algorithm' common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args' misc_info = { 'gki_signing_key_path': 'default_gki_key', 'gki_signing_algorithm': 'default_gki_algorithm', 'gki_signing_signature_args': 'default_gki_signature_args', } expected_dict = { 'gki_signing_key_path': 'release_gki_key', 'gki_signing_algorithm': 'release_gki_algorithm', 'gki_signing_signature_args': 'release_gki_signature_extra_args', } ReplaceGkiSigningKey(misc_info) self.assertDictEqual(expected_dict, misc_info) def test_ReplaceGkiSigningKey_MissingSigningAlgorithm(self): common.OPTIONS.gki_signing_key = 'release_gki_key' common.OPTIONS.gki_signing_algorithm = None common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args' misc_info = { 'gki_signing_key_path': 'default_gki_key', 'gki_signing_algorithm': 'default_gki_algorithm', 'gki_signing_signature_args': 'default_gki_signature_args', } self.assertRaises(ValueError, ReplaceGkiSigningKey, misc_info) def test_ReplaceGkiSigningKey_MissingSigningKeyNop(self): common.OPTIONS.gki_signing_key = None common.OPTIONS.gki_signing_algorithm = 'release_gki_algorithm' common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args' # No change to misc_info if common.OPTIONS.gki_signing_key is missing. misc_info = { 'gki_signing_key_path': 'default_gki_key', 'gki_signing_algorithm': 'default_gki_algorithm', 'gki_signing_signature_args': 'default_gki_signature_args', } expected_dict = { 'gki_signing_key_path': 'default_gki_key', 'gki_signing_algorithm': 'default_gki_algorithm', 'gki_signing_signature_args': 'default_gki_signature_args', } ReplaceGkiSigningKey(misc_info) self.assertDictEqual(expected_dict, misc_info) Loading
tools/releasetools/Android.bp +0 −3 Original line number Diff line number Diff line Loading @@ -168,7 +168,6 @@ python_defaults { "apexd_host", "brillo_update_payload", "checkvintf", "generate_gki_certificate", "lz4", "toybox", "unpack_bootimg", Loading Loading @@ -245,7 +244,6 @@ python_library_host { "boot_signer", "brotli", "bsdiff", "generate_gki_certificate", "imgdiff", "lz4", "mkbootfs", Loading Loading @@ -310,7 +308,6 @@ python_defaults { "brotli", "bsdiff", "deapexer", "generate_gki_certificate", "imgdiff", "lz4", "mkbootfs", Loading
tools/releasetools/common.py +0 −67 Original line number Diff line number Diff line Loading @@ -1565,50 +1565,6 @@ def GetAvbChainedPartitionArg(partition, info_dict, key=None): pubkey_path=pubkey_path) def _HasGkiCertificationArgs(): return ("gki_signing_key_path" in OPTIONS.info_dict and "gki_signing_algorithm" in OPTIONS.info_dict) def _GenerateGkiCertificate(image, image_name): key_path = OPTIONS.info_dict.get("gki_signing_key_path") algorithm = OPTIONS.info_dict.get("gki_signing_algorithm") key_path = ResolveAVBSigningPathArgs(key_path) # Checks key_path exists, before processing --gki_signing_* args. if not os.path.exists(key_path): raise ExternalError( 'gki_signing_key_path: "{}" not found'.format(key_path)) output_certificate = tempfile.NamedTemporaryFile() cmd = [ "generate_gki_certificate", "--name", image_name, "--algorithm", algorithm, "--key", key_path, "--output", output_certificate.name, image, ] signature_args = OPTIONS.info_dict.get("gki_signing_signature_args", "") signature_args = signature_args.strip() if signature_args: cmd.extend(["--additional_avb_args", signature_args]) args = OPTIONS.info_dict.get("avb_boot_add_hash_footer_args", "") args = args.strip() if args: cmd.extend(["--additional_avb_args", args]) RunAndCheckOutput(cmd) output_certificate.seek(os.SEEK_SET, 0) data = output_certificate.read() output_certificate.close() return data def BuildVBMeta(image_path, partitions, name, needed_partitions, resolve_rollback_index_location_conflict=False): """Creates a VBMeta image. Loading Loading @@ -1831,29 +1787,6 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, RunAndCheckOutput(cmd) if _HasGkiCertificationArgs(): if not os.path.exists(img.name): raise ValueError("Cannot find GKI boot.img") if kernel_path is None or not os.path.exists(kernel_path): raise ValueError("Cannot find GKI kernel.img") # Certify GKI images. boot_signature_bytes = b'' boot_signature_bytes += _GenerateGkiCertificate(img.name, "boot") boot_signature_bytes += _GenerateGkiCertificate( kernel_path, "generic_kernel") BOOT_SIGNATURE_SIZE = 16 * 1024 if len(boot_signature_bytes) > BOOT_SIGNATURE_SIZE: raise ValueError( f"GKI boot_signature size must be <= {BOOT_SIGNATURE_SIZE}") boot_signature_bytes += ( b'\0' * (BOOT_SIGNATURE_SIZE - len(boot_signature_bytes))) assert len(boot_signature_bytes) == BOOT_SIGNATURE_SIZE with open(img.name, 'ab') as f: f.write(boot_signature_bytes) # Sign the image if vboot is non-empty. if info_dict.get("vboot"): path = "/" + partition_name Loading
tools/releasetools/sign_target_files_apks.py +4 −41 Original line number Diff line number Diff line Loading @@ -124,14 +124,8 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files --gki_signing_algorithm <algorithm> --gki_signing_key <key> Use the specified algorithm (e.g. SHA256_RSA4096) and the key to generate 'boot signature' in a v4 boot.img. Otherwise it uses the existing values in info dict. --gki_signing_extra_args <args> Specify any additional args that are needed to generate 'boot signature' (e.g. --prop foo:bar). The args will be appended to the existing ones in info dict. DEPRECATED Does nothing. --android_jar_path <path> Path to the android.jar to repack the apex file. Loading Loading @@ -221,9 +215,6 @@ OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys") OPTIONS.avb_keys = {} OPTIONS.avb_algorithms = {} OPTIONS.avb_extra_args = {} OPTIONS.gki_signing_key = None OPTIONS.gki_signing_algorithm = None OPTIONS.gki_signing_extra_args = None OPTIONS.android_jar_path = None OPTIONS.vendor_partitions = set() OPTIONS.vendor_otatools = None Loading Loading @@ -595,7 +586,7 @@ def ProcessTargetFiles(input_tf_zip: zipfile.ZipFile, output_tf_zip, misc_info, [len(os.path.basename(i.filename)) for i in input_tf_zip.infolist() if GetApkFileInfo(i.filename, compressed_extension, [])[0]]) except ValueError: # Sets this to zero for targets without APK files, e.g., gki_arm64. # Sets this to zero for targets without APK files. maxsize = 0 for info in input_tf_zip.infolist(): Loading Loading @@ -818,9 +809,6 @@ def ProcessTargetFiles(input_tf_zip: zipfile.ZipFile, output_tf_zip, misc_info, if misc_info.get('avb_enable') == 'true': RewriteAvbProps(misc_info) # Replace the GKI signing key for boot.img, if any. ReplaceGkiSigningKey(misc_info) # Write back misc_info with the latest values. ReplaceMiscInfoTxt(input_tf_zip, output_tf_zip, misc_info) Loading Loading @@ -1102,27 +1090,6 @@ def RewriteAvbProps(misc_info): misc_info[args_key] = result def ReplaceGkiSigningKey(misc_info): """Replaces the GKI signing key.""" key = OPTIONS.gki_signing_key if not key: return algorithm = OPTIONS.gki_signing_algorithm if not algorithm: raise ValueError("Missing --gki_signing_algorithm") print('Replacing GKI signing key with "%s" (%s)' % (key, algorithm)) misc_info["gki_signing_algorithm"] = algorithm misc_info["gki_signing_key_path"] = key extra_args = OPTIONS.gki_signing_extra_args if extra_args: print('Setting GKI signing args: "%s"' % (extra_args)) misc_info["gki_signing_signature_args"] = extra_args def BuildKeyMap(misc_info, key_mapping_options): for s, d in key_mapping_options: if s is None: # -d option Loading Loading @@ -1477,12 +1444,6 @@ def main(argv): # 'oem=--signing_helper_with_files=/tmp/avbsigner.sh'. partition, extra_args = a.split("=", 1) OPTIONS.avb_extra_args[partition] = extra_args elif o == "--gki_signing_key": OPTIONS.gki_signing_key = a elif o == "--gki_signing_algorithm": OPTIONS.gki_signing_algorithm = a elif o == "--gki_signing_extra_args": OPTIONS.gki_signing_extra_args = a elif o == "--vendor_otatools": OPTIONS.vendor_otatools = a elif o == "--vendor_partitions": Loading @@ -1493,6 +1454,8 @@ def main(argv): OPTIONS.override_apk_keys = a elif o == "--override_apex_keys": OPTIONS.override_apex_keys = a elif o in ("--gki_signing_key", "--gki_signing_algorithm", "--gki_signing_extra_args"): print(f"{o} is deprecated and does nothing") else: return False return True Loading
tools/releasetools/test_common.py +0 −34 Original line number Diff line number Diff line Loading @@ -1605,40 +1605,6 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase): self.assertEqual(3, chained_partition_args.rollback_index_location) self.assertTrue(os.path.exists(chained_partition_args.pubkey_path)) def test_GenerateGkiCertificate_KeyPathNotFound(self): pubkey = os.path.join(self.testdata_dir, 'no_testkey_gki.pem') self.assertFalse(os.path.exists(pubkey)) common.OPTIONS.info_dict = { 'gki_signing_key_path': pubkey, 'gki_signing_algorithm': 'SHA256_RSA4096', 'gki_signing_signature_args': '--prop foo:bar', } common.OPTIONS.search_path = None test_file = tempfile.NamedTemporaryFile() self.assertRaises(common.ExternalError, common._GenerateGkiCertificate, test_file.name, 'generic_kernel') def test_GenerateGkiCertificate_SearchKeyPathNotFound(self): pubkey = 'no_testkey_gki.pem' self.assertFalse(os.path.exists(pubkey)) # Tests it should raise ExternalError if no key found under # OPTIONS.search_path. search_path_dir = common.MakeTempDir() search_pubkey = os.path.join(search_path_dir, pubkey) self.assertFalse(os.path.exists(search_pubkey)) common.OPTIONS.search_path = search_path_dir common.OPTIONS.info_dict = { 'gki_signing_key_path': pubkey, 'gki_signing_algorithm': 'SHA256_RSA4096', 'gki_signing_signature_args': '--prop foo:bar', } test_file = tempfile.NamedTemporaryFile() self.assertRaises(common.ExternalError, common._GenerateGkiCertificate, test_file.name, 'generic_kernel') class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase): """Checks the format of install-recovery.sh. Loading
tools/releasetools/test_sign_target_files_apks.py +1 −51 Original line number Diff line number Diff line Loading @@ -23,8 +23,7 @@ import common import test_utils from sign_target_files_apks import ( CheckApkAndApexKeysAvailable, EditTags, GetApkFileInfo, ReadApexKeysInfo, ReplaceCerts, ReplaceGkiSigningKey, RewriteAvbProps, RewriteProps, WriteOtacerts) ReplaceCerts, RewriteAvbProps, RewriteProps, WriteOtacerts) class SignTargetFilesApksTest(test_utils.ReleaseToolsTestCase): Loading Loading @@ -536,52 +535,3 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) def test_ReplaceGkiSigningKey(self): common.OPTIONS.gki_signing_key = 'release_gki_key' common.OPTIONS.gki_signing_algorithm = 'release_gki_algorithm' common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args' misc_info = { 'gki_signing_key_path': 'default_gki_key', 'gki_signing_algorithm': 'default_gki_algorithm', 'gki_signing_signature_args': 'default_gki_signature_args', } expected_dict = { 'gki_signing_key_path': 'release_gki_key', 'gki_signing_algorithm': 'release_gki_algorithm', 'gki_signing_signature_args': 'release_gki_signature_extra_args', } ReplaceGkiSigningKey(misc_info) self.assertDictEqual(expected_dict, misc_info) def test_ReplaceGkiSigningKey_MissingSigningAlgorithm(self): common.OPTIONS.gki_signing_key = 'release_gki_key' common.OPTIONS.gki_signing_algorithm = None common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args' misc_info = { 'gki_signing_key_path': 'default_gki_key', 'gki_signing_algorithm': 'default_gki_algorithm', 'gki_signing_signature_args': 'default_gki_signature_args', } self.assertRaises(ValueError, ReplaceGkiSigningKey, misc_info) def test_ReplaceGkiSigningKey_MissingSigningKeyNop(self): common.OPTIONS.gki_signing_key = None common.OPTIONS.gki_signing_algorithm = 'release_gki_algorithm' common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args' # No change to misc_info if common.OPTIONS.gki_signing_key is missing. misc_info = { 'gki_signing_key_path': 'default_gki_key', 'gki_signing_algorithm': 'default_gki_algorithm', 'gki_signing_signature_args': 'default_gki_signature_args', } expected_dict = { 'gki_signing_key_path': 'default_gki_key', 'gki_signing_algorithm': 'default_gki_algorithm', 'gki_signing_signature_args': 'default_gki_signature_args', } ReplaceGkiSigningKey(misc_info) self.assertDictEqual(expected_dict, misc_info)
