
Commit 9e9ccd17 authored by Jackeagle's avatar Jackeagle

build: Add secure password handling for signing keys

- Use ANDROID_PW_FILE environment variable (AOSP standard approach)
- Password file created in /dev/shm (RAM-only, never touches disk)
- Format: 'keypath [[[ password ]]]' for each .pk8 and .pem key
- Securely shred password file after signing completes
- Disable bash tracing (set +x) to prevent password exposure in logs
- Restrict password-protected signing to official/community releases only
- Falls back to regular signing for test/dev builds
parent 6eb4f34c
+48 −2
@@ -424,8 +424,54 @@ if [ -n "${BRANCH_NAME}" ] && [ -n "${DEVICE}" ]; then

      if [ "$(find $OUT/obj/PACKAGING/target_files_intermediates/ -name *-target_files*.zip -print -quit)" ]; then
        if [ "$SIGN_BUILDS" = true ]; then
          # Disable tracing to prevent password exposure in logs
          { set +x; } 2>/dev/null

          # Only use password-protected keys for official and community builds
          if [ -n "$SIGNING_KEYS_PASSWORD" ] && [[ "$RELEASE_TYPE" == "official" || "$RELEASE_TYPE" == "community" ]]; then
            echo ">> [$(date)] Setting up password file for signing keys..."
            
            # Create ANDROID_PW_FILE in RAM-backed tmpfs (never touches disk)
            # Format: keypath [[[ password ]]]
            ANDROID_PW_FILE="/dev/shm/android_pw_$$"
            
            # Generate password entries for all keys
            for keyfile in "$default_key_dir"/*.pk8; do
              if [ -f "$keyfile" ]; then
                keybase="${keyfile%.pk8}"
                echo "${keybase} [[[ ${SIGNING_KEYS_PASSWORD} ]]]" >> "$ANDROID_PW_FILE"
              fi
            done
            
            # Also add entries for APEX keys (.pem files)
            for pemfile in "$default_key_dir"/*.pem; do
              if [ -f "$pemfile" ] && [[ "$pemfile" != *.x509.pem ]]; then
                keybase="${pemfile%.pem}"
                echo "${keybase} [[[ ${SIGNING_KEYS_PASSWORD} ]]]" >> "$ANDROID_PW_FILE"
              fi
            done
            
            chmod 600 "$ANDROID_PW_FILE"
            export ANDROID_PW_FILE
            
            echo ">> [$(date)] Signing with password-protected keys..."
            sign_target_files_apks "${SIGN_TARGETS[@]}" \
              $OUT/obj/PACKAGING/target_files_intermediates/*-target_files*.zip "$OUT/$TARGET_FILES"
            sign_result=$?
            
            # Securely remove password file
            echo ">> [$(date)] Cleaning up password file..."
            shred -u "$ANDROID_PW_FILE" 2>/dev/null || rm -f "$ANDROID_PW_FILE"
            unset ANDROID_PW_FILE
            
            if [ $sign_result -ne 0 ]; then
              echo ">> [$(date)] Signing failed!"
              exit 1
            fi
          else
            sign_target_files_apks "${SIGN_TARGETS[@]}" \
              $OUT/obj/PACKAGING/target_files_intermediates/*-target_files*.zip "$OUT/$TARGET_FILES"
          fi
        else
          mv $OUT/obj/PACKAGING/target_files_intermediates/*-target_files*.zip "$OUT/$TARGET_FILES"
        fi
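Review bot: The password file is readable by other local users while it is being written, and its path is predictable: the first `echo ... >> "$ANDROID_PW_FILE"` creates `/dev/shm/android_pw_$$` under the script's umask, `chmod 600` only runs after every password line is in place, and `>>` will append to (or follow a symlink at) a name that already exists. Creating the file up front with `ANDROID_PW_FILE="$(mktemp /dev/shm/android_pw.XXXXXX)" || exit 1` yields a fresh 0600 file and makes the later chmod redundant. Cleanup also runs only on the straight-line path after `sign_target_files_apks` returns, so an interrupt or an early exit (for example under `set -e`, which is not visible here) leaves the file behind; a `trap 'rm -f -- "$ANDROID_PW_FILE"' EXIT` set right after creation would cover that, provided the script has no other EXIT trap. Separately, the entry format is worth confirming against the releasetools password-file parser, which as far as I recall expects `[[[ password ]]] keyname` rather than `keyname [[[ password ]]]`. The enclosing `if` blocks open above the hunk and are not closed within it.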