Loading tools/releasetools/sign_target_files_apks.py +25 −2 Original line number Diff line number Diff line Loading @@ -91,6 +91,14 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files Replace the veritykeyid in BOOT/cmdline of input_target_file_zip with keyid of the cert pointed by <path_to_X509_PEM_cert_file>. --remove_avb_public_keys <key1>,<key2>,... Remove AVB public keys from the first-stage ramdisk. The key file to remove is located at either of the following dirs: - BOOT/RAMDISK/avb/ or - BOOT/RAMDISK/first_stage_ramdisk/avb/ The second dir will be used for lookup if BOARD_USES_RECOVERY_AS_BOOT is set to true. --avb_{boot,system,system_other,vendor,dtbo,vbmeta,vbmeta_system, vbmeta_vendor}_algorithm <algorithm> --avb_{boot,system,system_other,vendor,dtbo,vbmeta,vbmeta_system, Loading Loading @@ -150,6 +158,7 @@ OPTIONS.replace_ota_keys = False OPTIONS.replace_verity_public_key = False OPTIONS.replace_verity_private_key = False OPTIONS.replace_verity_keyid = False OPTIONS.remove_avb_public_keys = None OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys") OPTIONS.avb_keys = {} OPTIONS.avb_algorithms = {} Loading Loading @@ -585,6 +594,18 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, filename in ("BOOT/RAMDISK/verity_key", "ROOT/verity_key")): pass elif (OPTIONS.remove_avb_public_keys and (filename.startswith("BOOT/RAMDISK/avb/") or filename.startswith("BOOT/RAMDISK/first_stage_ramdisk/avb/"))): matched_removal = False for key_to_remove in OPTIONS.remove_avb_public_keys: if filename.endswith(key_to_remove): matched_removal = True print("Removing AVB public key from ramdisk: %s" % filename) break if not matched_removal: # Copy it verbatim if we don't want to remove it. common.ZipWriteStr(output_tf_zip, out_info, data) # Skip verity keyid (for system_root_image use) if we will replace it. elif OPTIONS.replace_verity_keyid and filename == "BOOT/cmdline": Loading @@ -610,8 +631,7 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, # Should NOT sign boot-debug.img. elif filename in ( "BOOT/RAMDISK/force_debuggable", "RECOVERY/RAMDISK/force_debuggable" "RECOVERY/RAMDISK/first_stage_ramdisk/force_debuggable"): "BOOT/RAMDISK/first_stage_ramdisk/force_debuggable"): raise common.ExternalError("debuggable boot.img cannot be signed") # A non-APK file; copy it verbatim. Loading Loading @@ -1135,6 +1155,8 @@ def main(argv): OPTIONS.replace_verity_private_key = (True, a) elif o == "--replace_verity_keyid": OPTIONS.replace_verity_keyid = (True, a) elif o == "--remove_avb_public_keys": OPTIONS.remove_avb_public_keys = a.split(",") elif o == "--avb_vbmeta_key": OPTIONS.avb_keys['vbmeta'] = a elif o == "--avb_vbmeta_algorithm": Loading Loading @@ -1203,6 +1225,7 @@ def main(argv): "replace_verity_public_key=", "replace_verity_private_key=", "replace_verity_keyid=", "remove_avb_public_keys=", "avb_apex_extra_args=", "avb_vbmeta_algorithm=", "avb_vbmeta_key=", Loading Loading
tools/releasetools/sign_target_files_apks.py +25 −2 Original line number Diff line number Diff line Loading @@ -91,6 +91,14 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files Replace the veritykeyid in BOOT/cmdline of input_target_file_zip with keyid of the cert pointed by <path_to_X509_PEM_cert_file>. --remove_avb_public_keys <key1>,<key2>,... Remove AVB public keys from the first-stage ramdisk. The key file to remove is located at either of the following dirs: - BOOT/RAMDISK/avb/ or - BOOT/RAMDISK/first_stage_ramdisk/avb/ The second dir will be used for lookup if BOARD_USES_RECOVERY_AS_BOOT is set to true. --avb_{boot,system,system_other,vendor,dtbo,vbmeta,vbmeta_system, vbmeta_vendor}_algorithm <algorithm> --avb_{boot,system,system_other,vendor,dtbo,vbmeta,vbmeta_system, Loading Loading @@ -150,6 +158,7 @@ OPTIONS.replace_ota_keys = False OPTIONS.replace_verity_public_key = False OPTIONS.replace_verity_private_key = False OPTIONS.replace_verity_keyid = False OPTIONS.remove_avb_public_keys = None OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys") OPTIONS.avb_keys = {} OPTIONS.avb_algorithms = {} Loading Loading @@ -585,6 +594,18 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, filename in ("BOOT/RAMDISK/verity_key", "ROOT/verity_key")): pass elif (OPTIONS.remove_avb_public_keys and (filename.startswith("BOOT/RAMDISK/avb/") or filename.startswith("BOOT/RAMDISK/first_stage_ramdisk/avb/"))): matched_removal = False for key_to_remove in OPTIONS.remove_avb_public_keys: if filename.endswith(key_to_remove): matched_removal = True print("Removing AVB public key from ramdisk: %s" % filename) break if not matched_removal: # Copy it verbatim if we don't want to remove it. common.ZipWriteStr(output_tf_zip, out_info, data) # Skip verity keyid (for system_root_image use) if we will replace it. elif OPTIONS.replace_verity_keyid and filename == "BOOT/cmdline": Loading @@ -610,8 +631,7 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, # Should NOT sign boot-debug.img. elif filename in ( "BOOT/RAMDISK/force_debuggable", "RECOVERY/RAMDISK/force_debuggable" "RECOVERY/RAMDISK/first_stage_ramdisk/force_debuggable"): "BOOT/RAMDISK/first_stage_ramdisk/force_debuggable"): raise common.ExternalError("debuggable boot.img cannot be signed") # A non-APK file; copy it verbatim. Loading Loading @@ -1135,6 +1155,8 @@ def main(argv): OPTIONS.replace_verity_private_key = (True, a) elif o == "--replace_verity_keyid": OPTIONS.replace_verity_keyid = (True, a) elif o == "--remove_avb_public_keys": OPTIONS.remove_avb_public_keys = a.split(",") elif o == "--avb_vbmeta_key": OPTIONS.avb_keys['vbmeta'] = a elif o == "--avb_vbmeta_algorithm": Loading Loading @@ -1203,6 +1225,7 @@ def main(argv): "replace_verity_public_key=", "replace_verity_private_key=", "replace_verity_keyid=", "remove_avb_public_keys=", "avb_apex_extra_args=", "avb_vbmeta_algorithm=", "avb_vbmeta_key=", Loading
