author | Tianjie Xu | 2018-10-19 16:34:15 -0500 |
---|---|---|
committer | Tianjie Xu | 2018-10-22 16:47:15 -0500 |
commit | ffbe6b97856968503c59515700884c6d60128717 (patch) | |
tree | 6ded58b000cb08fda962b90e80bfc19e27e86d79 /tools/releasetools/sign_target_files_apks.py | |
parent | 0f693d3f25cf9323a9cf8ceb238d5a3c2e663f23 (diff) | |
Install the ota keys under recovery as a zipfile
Recovery can now parse the pem encoded x509 keys from a zipfile. So
instead of dumping the keys into a text file with some intermediate format,
we can simply create a zipfile with the keys.
Bug: 116655889
Test: make bootimage and check the generated zipfile, run sign_target_files_apks
Change-Id: Ib76feecfb26d6be713a07644e80ec96133759004
Diffstat (limited to 'tools/releasetools/sign_target_files_apks.py')
-rwxr-xr-x | tools/releasetools/sign_target_files_apks.py | 62 |
1 files changed, 31 insertions, 31 deletions
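--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -369,13 +369,13 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
 "SYSTEM/bin/install-recovery.sh"):
 OPTIONS.rebuild_recovery = True
 
-# Don't copy OTA keys if we're replacing them.
+# Don't copy OTA certs if we're replacing them.
 elif (
 OPTIONS.replace_ota_keys and
 filename in (
-"BOOT/RAMDISK/res/keys",
+"BOOT/RAMDISK/system/etc/security/otacerts.zip",
 "BOOT/RAMDISK/system/etc/update_engine/update-payload-key.pub.pem",
-"RECOVERY/RAMDISK/res/keys",
+"RECOVERY/RAMDISK/system/etc/security/otacerts.zip",
 "SYSTEM/etc/security/otacerts.zip",
 "SYSTEM/etc/update_engine/update-payload-key.pub.pem")):
 pass
@@ -548,6 +548,27 @@ def RewriteProps(data):
 return "\n".join(output) + "\n"
 
 
+def WriteOtacerts(output_zip, filename, keys):
+"""Constructs a zipfile from given keys; and writes it to output_zip.
+
+Args:
+output_zip: The output target_files zip.
+filename: The archive name in the output zip.
+keys: A list of public keys to use during OTA package verification.
+"""
+
+try:
+from StringIO import StringIO
+except ImportError:
+from io import StringIO
+temp_file = StringIO()
+certs_zip = zipfile.ZipFile(temp_file, "w")
+for k in keys:
+common.ZipWrite(certs_zip, k)
+common.ZipClose(certs_zip)
+common.ZipWriteStr(output_zip, filename, temp_file.getvalue())
+
+
 def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
 try:
 keylist = input_tf_zip.read("META/otakeys.txt").split()
@@ -585,39 +606,20 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
 print("META/otakeys.txt has no keys; using %s for OTA package"
 " verification." % (mapped_keys[0],))
 
-# recovery uses a version of the key that has been slightly
-# predigested (by DumpPublicKey.java) and put in res/keys.
+# recovery now uses the same x509.pem version of the keys.
 # extra_recovery_keys are used only in recovery.
-cmd = ([OPTIONS.java_path] + OPTIONS.java_args +
-["-jar",
-os.path.join(OPTIONS.search_path, "framework", "dumpkey.jar")] +
-mapped_keys + extra_recovery_keys)
-p = common.Run(cmd, stdout=subprocess.PIPE)
-new_recovery_keys, _ = p.communicate()
-if p.returncode != 0:
-raise common.ExternalError("failed to run dumpkeys")
-
 if misc_info.get("recovery_as_boot") == "true":
-recovery_keys_location = "BOOT/RAMDISK/res/keys"
+recovery_keys_location = "BOOT/RAMDISK/system/etc/security/otacerts.zip"
 else:
-recovery_keys_location = "RECOVERY/RAMDISK/res/keys"
-common.ZipWriteStr(output_tf_zip, recovery_keys_location, new_recovery_keys)
+recovery_keys_location = "RECOVERY/RAMDISK/system/etc/security/otacerts.zip"
+
+WriteOtacerts(output_tf_zip, recovery_keys_location,
+mapped_keys + extra_recovery_keys)
 
 # SystemUpdateActivity uses the x509.pem version of the keys, but
 # put into a zipfile system/etc/security/otacerts.zip.
 # We DO NOT include the extra_recovery_keys (if any) here.
-
-try:
-from StringIO import StringIO
-except ImportError:
-from io import StringIO
-temp_file = StringIO()
-certs_zip = zipfile.ZipFile(temp_file, "w")
-for k in mapped_keys:
-common.ZipWrite(certs_zip, k)
-common.ZipClose(certs_zip)
-common.ZipWriteStr(output_tf_zip, "SYSTEM/etc/security/otacerts.zip",
-temp_file.getvalue())
+WriteOtacerts(output_tf_zip, "SYSTEM/etc/security/otacerts.zip", mapped_keys)
 
 # For A/B devices, update the payload verification key.
 if misc_info.get("ab_update") == "true":
@@ -638,8 +640,6 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
 "BOOT/RAMDISK/system/etc/update_engine/update-payload-key.pub.pem",
 pubkey)
 
-return new_recovery_keys
-
 
 def ReplaceVerityPublicKey(output_zip, filename, key_path):
 """Replaces the verity public key at the given path in the given zip.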
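Review bot: In the first hunk the two `res/keys` entries are replaced in the skip tuple rather than kept next to the new `otacerts.zip` paths, so a target_files input from an older build that still carries `BOOT/RAMDISK/res/keys` or `RECOVERY/RAMDISK/res/keys` no longer matches this branch and is presumably copied into the signed output with its original keys (the copy branch lies outside the hunk, so this needs confirming). If such inputs can reach this tool, keeping `"BOOT/RAMDISK/res/keys",` and `"RECOVERY/RAMDISK/res/keys",` in the tuple would ensure a stale key file is never carried into a re-signed image. Separately, `WriteOtacerts` buffers the zip in `StringIO`, and the `io.StringIO` fallback cannot accept the bytes that `zipfile` writes on Python 3, so the `except ImportError` path should import `io.BytesIO` instead. ProcessTargetFiles and ReplaceOtaKeys both extend beyond the visible hunks.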