authorTianjie Xu2018-10-19 16:34:15 -0500
committerTianjie Xu2018-10-22 16:47:15 -0500
commitffbe6b97856968503c59515700884c6d60128717 (patch)
tree6ded58b000cb08fda962b90e80bfc19e27e86d79 /tools/releasetools/sign_target_files_apks.py
parent0f693d3f25cf9323a9cf8ceb238d5a3c2e663f23 (diff)
Install the ota keys under recovery as a zipfile
Recovery can now parse the pem encoded x509 keys from a zipfile. So instead of dumping the keys into a text file with some intermediate format, we can simply create a zipfile with the keys. Bug: 116655889 Test: make bootimage and check the generated zipfile, run sign_target_files_apks Change-Id: Ib76feecfb26d6be713a07644e80ec96133759004
Diffstat (limited to 'tools/releasetools/sign_target_files_apks.py')
-rwxr-xr-xtools/releasetools/sign_target_files_apks.py62
1 files changed, 31 insertions, 31 deletions
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index d35e9e8b3..de3ead61c 100755
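--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -369,13 +369,13 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
  "SYSTEM/bin/install-recovery.sh"):
  OPTIONS.rebuild_recovery = True
 
- # Don't copy OTA keys if we're replacing them.
+ # Don't copy OTA certs if we're replacing them.
  elif (
  OPTIONS.replace_ota_keys and
  filename in (
- "BOOT/RAMDISK/res/keys",
+ "BOOT/RAMDISK/system/etc/security/otacerts.zip",
  "BOOT/RAMDISK/system/etc/update_engine/update-payload-key.pub.pem",
- "RECOVERY/RAMDISK/res/keys",
+ "RECOVERY/RAMDISK/system/etc/security/otacerts.zip",
  "SYSTEM/etc/security/otacerts.zip",
  "SYSTEM/etc/update_engine/update-payload-key.pub.pem")):
  pass
@@ -548,6 +548,27 @@ def RewriteProps(data):
  return "\n".join(output) + "\n"
 
 
+def WriteOtacerts(output_zip, filename, keys):
+ """Constructs a zipfile from given keys; and writes it to output_zip.
+
+ Args:
+ output_zip: The output target_files zip.
+ filename: The archive name in the output zip.
+ keys: A list of public keys to use during OTA package verification.
+ """
+
+ try:
+ from StringIO import StringIO
+ except ImportError:
+ from io import StringIO
+ temp_file = StringIO()
+ certs_zip = zipfile.ZipFile(temp_file, "w")
+ for k in keys:
+ common.ZipWrite(certs_zip, k)
+ common.ZipClose(certs_zip)
+ common.ZipWriteStr(output_zip, filename, temp_file.getvalue())
+
+
 def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
  try:
  keylist = input_tf_zip.read("META/otakeys.txt").split()
@@ -585,39 +606,20 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
  print("META/otakeys.txt has no keys; using %s for OTA package"
  " verification." % (mapped_keys[0],))
 
- # recovery uses a version of the key that has been slightly
- # predigested (by DumpPublicKey.java) and put in res/keys.
+ # recovery now uses the same x509.pem version of the keys.
  # extra_recovery_keys are used only in recovery.
- cmd = ([OPTIONS.java_path] + OPTIONS.java_args +
- ["-jar",
- os.path.join(OPTIONS.search_path, "framework", "dumpkey.jar")] +
- mapped_keys + extra_recovery_keys)
- p = common.Run(cmd, stdout=subprocess.PIPE)
- new_recovery_keys, _ = p.communicate()
- if p.returncode != 0:
- raise common.ExternalError("failed to run dumpkeys")
-
  if misc_info.get("recovery_as_boot") == "true":
- recovery_keys_location = "BOOT/RAMDISK/res/keys"
+ recovery_keys_location = "BOOT/RAMDISK/system/etc/security/otacerts.zip"
  else:
- recovery_keys_location = "RECOVERY/RAMDISK/res/keys"
- common.ZipWriteStr(output_tf_zip, recovery_keys_location, new_recovery_keys)
+ recovery_keys_location = "RECOVERY/RAMDISK/system/etc/security/otacerts.zip"
+
+ WriteOtacerts(output_tf_zip, recovery_keys_location,
+ mapped_keys + extra_recovery_keys)
 
  # SystemUpdateActivity uses the x509.pem version of the keys, but
  # put into a zipfile system/etc/security/otacerts.zip.
  # We DO NOT include the extra_recovery_keys (if any) here.
-
- try:
- from StringIO import StringIO
- except ImportError:
- from io import StringIO
- temp_file = StringIO()
- certs_zip = zipfile.ZipFile(temp_file, "w")
- for k in mapped_keys:
- common.ZipWrite(certs_zip, k)
- common.ZipClose(certs_zip)
- common.ZipWriteStr(output_tf_zip, "SYSTEM/etc/security/otacerts.zip",
- temp_file.getvalue())
+ WriteOtacerts(output_tf_zip, "SYSTEM/etc/security/otacerts.zip", mapped_keys)
 
  # For A/B devices, update the payload verification key.
  if misc_info.get("ab_update") == "true":
@@ -638,8 +640,6 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
  "BOOT/RAMDISK/system/etc/update_engine/update-payload-key.pub.pem",
  pubkey)
 
- return new_recovery_keys
-
 
 def ReplaceVerityPublicKey(output_zip, filename, key_path):
  """Replaces the verity public key at the given path in the given zip.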
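Review bot: The skip tuple in ProcessTargetFiles (first hunk; the function body extends beyond it) no longer lists `"BOOT/RAMDISK/res/keys",` and `"RECOVERY/RAMDISK/res/keys",`, so a target-files input that still carries the legacy key file would be copied into the signed output with its original, possibly test, OTA keys, and ReplaceOtaKeys no longer overwrites that path. Whether any supported input still ships `res/keys` is not visible here, but keeping both legacy names in the tuple next to the new `otacerts.zip` paths would close that gap during the transition. Separately, WriteOtacerts hands a `StringIO` to `zipfile.ZipFile`; on Python 3 the `from io import StringIO` fallback yields a text buffer that rejects the bytes zipfile writes, so `io.BytesIO` would be the portable choice there. ReplaceOtaKeys also stops returning `new_recovery_keys`, so any caller outside these hunks that consumed the return value needs checking.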