Merge changes from topic "sign_apex-sign_tool" am: f531336c am: 01bb4347

class ApexApkSigner(object):

  """Class to sign the apk files in a apex payload image and repack the apex"""

  """Class to sign the apk files and other files in an apex payload image and repack the apex"""

  def __init__(self, apex_path, key_passwords, codename_to_api_level_map):

  def __init__(self, apex_path, key_passwords, codename_to_api_level_map, avbtool=None, sign_tool=None):

    self.apex_path = apex_path

    if not key_passwords:

      self.key_passwords = dict()

    self.codename_to_api_level_map = codename_to_api_level_map

    self.debugfs_path = os.path.join(

        OPTIONS.search_path, "bin", "debugfs_static")

    self.avbtool = avbtool if avbtool else "avbtool"

    self.sign_tool = sign_tool

  def ProcessApexFile(self, apk_keys, payload_key, signing_args=None):

    """Scans and signs the apk files and repack the apex

    """Scans and signs the payload files and repack the apex

    Args:

      apk_keys: A dict that holds the signing keys for apk files.

    apk_entries = [name for name in entries_names if name.endswith('.apk')]

    # No need to sign and repack, return the original apex path.

    if not apk_entries:

    if not apk_entries and self.sign_tool is None:

      logger.info('No apk file to sign in %s', self.apex_path)

      return self.apex_path

        logger.warning('Apk path does not contain the intended directory name:'

                       ' %s', entry)

    payload_dir, has_signed_apk = self.ExtractApexPayloadAndSignApks(

        apk_entries, apk_keys)

    if not has_signed_apk:

      logger.info('No apk file has been signed in %s', self.apex_path)

    payload_dir, has_signed_content = self.ExtractApexPayloadAndSignContents(

        apk_entries, apk_keys, payload_key)

    if not has_signed_content:

      logger.info('No contents has been signed in %s', self.apex_path)

      return self.apex_path

    return self.RepackApexPayload(payload_dir, payload_key, signing_args)

  def ExtractApexPayloadAndSignApks(self, apk_entries, apk_keys):

  def ExtractApexPayloadAndSignContents(self, apk_entries, apk_keys, payload_key):

    """Extracts the payload image and signs the containing apk files."""

    if not os.path.exists(self.debugfs_path):

      raise ApexSigningError(

                   self.debugfs_path, 'extract', self.apex_path, payload_dir]

    common.RunAndCheckOutput(extract_cmd)

    has_signed_apk = False

    has_signed_content = False

    for entry in apk_entries:

      apk_path = os.path.join(payload_dir, entry)

      assert os.path.exists(self.apex_path)

      common.SignFile(

          unsigned_apk, apk_path, key_name, self.key_passwords.get(key_name),

          codename_to_api_level_map=self.codename_to_api_level_map)

      has_signed_apk = True

    return payload_dir, has_signed_apk

      has_signed_content = True

    if self.sign_tool:

      cmd = [self.sign_tool, '--avbtool', self.avbtool, payload_key, payload_dir]

      common.RunAndCheckOutput(cmd)

      has_signed_content = True

    return payload_dir, has_signed_content

  def RepackApexPayload(self, payload_dir, payload_key, signing_args=None):

    """Rebuilds the apex file with the updated payload directory."""

def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,

                         container_pw, apk_keys, codename_to_api_level_map,

                         no_hashtree, signing_args=None):

                         no_hashtree, signing_args=None, sign_tool=None):

  """Signs the current uncompressed APEX with the given payload/container keys.

  Args:

    codename_to_api_level_map: A dict that maps from codename to API level.

    no_hashtree: Don't include hashtree in the signed APEX.

    signing_args: Additional args to be passed to the payload signer.

    sign_tool: A tool to sign the contents of the APEX.

  Returns:

    The path to the signed APEX file.

  """

  # 1. Extract the apex payload image and sign the containing apk files. Repack

  # 1. Extract the apex payload image and sign the files (e.g. APKs). Repack

  # the apex file after signing.

  apk_signer = ApexApkSigner(apex_file, container_pw,

                             codename_to_api_level_map)

                             codename_to_api_level_map,

                             avbtool, sign_tool)

  apex_file = apk_signer.ProcessApexFile(apk_keys, payload_key, signing_args)

  # 2a. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given

def SignCompressedApex(avbtool, apex_file, payload_key, container_key,

                       container_pw, apk_keys, codename_to_api_level_map,

                       no_hashtree, signing_args=None):

                       no_hashtree, signing_args=None, sign_tool=None):

  """Signs the current compressed APEX with the given payload/container keys.

  Args:

      apk_keys,

      codename_to_api_level_map,

      no_hashtree,

      signing_args)

      signing_args,

      sign_tool)

  # 3. Compress signed original apex.

  compressed_apex_file = common.MakeTempFile(prefix='apex-container-',

def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,

             apk_keys, codename_to_api_level_map,

             no_hashtree, signing_args=None):

             no_hashtree, signing_args=None, sign_tool=None):

  """Signs the current APEX with the given payload/container keys.

  Args:

          codename_to_api_level_map=codename_to_api_level_map,

          no_hashtree=no_hashtree,

          apk_keys=apk_keys,

          signing_args=signing_args)

          signing_args=signing_args,

          sign_tool=sign_tool)

    elif apex_type == 'COMPRESSED':

      return SignCompressedApex(

          avbtool,

          codename_to_api_level_map=codename_to_api_level_map,

          no_hashtree=no_hashtree,

          apk_keys=apk_keys,

          signing_args=signing_args)

          signing_args=signing_args,

          sign_tool=sign_tool)

    else:

      # TODO(b/172912232): support signing compressed apex

      raise ApexInfoError('Unsupported apex type {}'.format(apex_type))

  --codename_to_api_level_map Q:29,R:30,...

      A Mapping of codename to api level.  This is useful to provide sdk targeting

      information to APK Signer.

  --sign_tool <sign_tool>

      Optional flag that specifies a custom signing tool for the contents of the apex.

"""

import logging

def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,

                 apk_keys=None, signing_args=None, codename_to_api_level_map=None):

                 apk_keys=None, signing_args=None, codename_to_api_level_map=None, sign_tool=None):

  """Signs the given apex file."""

  with open(apex_file, 'rb') as input_fp:

    apex_data = input_fp.read()

      codename_to_api_level_map=codename_to_api_level_map,

      no_hashtree=no_hashtree,

      apk_keys=apk_keys,

      signing_args=signing_args)

      signing_args=signing_args,

      sign_tool=sign_tool)

def main(argv):

        if 'extra_apks' not in options:

          options['extra_apks'] = {}

        options['extra_apks'].update({n: key})

    elif o == '--sign_tool':

      options['sign_tool'] = a

    else:

      return False

    return True

          'payload_extra_args=',

          'payload_key=',

          'extra_apks=',

          'sign_tool=',

      ],

      extra_option_handler=option_handler)

      apk_keys=options.get('extra_apks', {}),

      signing_args=options.get('payload_extra_args'),

      codename_to_api_level_map=options.get(

          'codename_to_api_level_map', {}))

          'codename_to_api_level_map', {}),

      sign_tool=options['sign_tool'])

  shutil.copyfile(signed_apex, args[1])

  logger.info("done.")

    self.payload_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key')

    signer.ProcessApexFile(apk_keys, self.payload_key)

  @test_utils.SkipIfExternalToolsUnavailable()

  def test_ApexApkSigner_invokesCustomSignTool(self):

    apex_path = common.MakeTempFile(suffix='.apex')

    shutil.copy(self.apex_with_apk, apex_path)

    apk_keys = {'wifi-service-resources.apk': os.path.join(

        self.testdata_dir, 'testkey')}

    self.payload_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key')

    # pass `false` as a sign_tool to see the invocation error

    with self.assertRaises(common.ExternalError) as cm:

        signer = apex_utils.ApexApkSigner(apex_path, None, None, sign_tool='false')

        signer.ProcessApexFile(apk_keys, self.payload_key)

    the_exception = cm.exception

    self.assertIn('Failed to run command \'[\'false\'', the_exception.message)