2019-03-15 23:13:01 +01:00
|
|
|
#!/usr/bin/env python
|
|
|
|
#
|
|
|
|
# Copyright (C) 2019 The Android Open Source Project
|
|
|
|
#
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
# you may not use this file except in compliance with the License.
|
|
|
|
# You may obtain a copy of the License at
|
|
|
|
#
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
#
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
# See the License for the specific language governing permissions and
|
|
|
|
# limitations under the License.
|
|
|
|
|
|
|
|
import logging
|
|
|
|
import os.path
|
|
|
|
import re
|
|
|
|
import shlex
|
2020-01-23 19:47:54 +01:00
|
|
|
import shutil
|
2019-05-10 01:54:15 +02:00
|
|
|
import zipfile
|
2019-03-15 23:13:01 +01:00
|
|
|
|
2021-01-06 14:33:25 +01:00
|
|
|
import apex_manifest
|
2019-03-15 23:13:01 +01:00
|
|
|
import common
|
2021-01-06 14:33:25 +01:00
|
|
|
from common import UnzipTemp, RunAndCheckOutput, MakeTempFile, OPTIONS
|
|
|
|
|
|
|
|
import ota_metadata_pb2
|
|
|
|
|
2019-03-15 23:13:01 +01:00
|
|
|
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
2019-05-10 01:54:15 +02:00
|
|
|
OPTIONS = common.OPTIONS
|
|
|
|
|
2020-03-24 02:14:09 +01:00
|
|
|
APEX_PAYLOAD_IMAGE = 'apex_payload.img'
|
|
|
|
|
2021-01-20 02:32:28 +01:00
|
|
|
APEX_PUBKEY = 'apex_pubkey'
|
|
|
|
|
2019-03-15 23:13:01 +01:00
|
|
|
|
|
|
|
class ApexInfoError(Exception):
|
|
|
|
"""An Exception raised during Apex Information command."""
|
|
|
|
|
|
|
|
def __init__(self, message):
|
|
|
|
Exception.__init__(self, message)
|
|
|
|
|
|
|
|
|
|
|
|
class ApexSigningError(Exception):
|
|
|
|
"""An Exception raised during Apex Payload signing."""
|
|
|
|
|
|
|
|
def __init__(self, message):
|
|
|
|
Exception.__init__(self, message)
|
|
|
|
|
|
|
|
|
2020-01-23 19:47:54 +01:00
|
|
|
class ApexApkSigner(object):
|
2021-10-26 20:53:21 +02:00
|
|
|
"""Class to sign the apk files and other files in an apex payload image and repack the apex"""
|
2020-01-23 19:47:54 +01:00
|
|
|
|
2022-04-13 18:23:45 +02:00
|
|
|
def __init__(self, apex_path, key_passwords, codename_to_api_level_map, avbtool=None, sign_tool=None):
|
2020-01-23 19:47:54 +01:00
|
|
|
self.apex_path = apex_path
|
2020-10-05 16:04:59 +02:00
|
|
|
if not key_passwords:
|
|
|
|
self.key_passwords = dict()
|
|
|
|
else:
|
|
|
|
self.key_passwords = key_passwords
|
2020-01-23 19:47:54 +01:00
|
|
|
self.codename_to_api_level_map = codename_to_api_level_map
|
2020-08-21 20:13:13 +02:00
|
|
|
self.debugfs_path = os.path.join(
|
|
|
|
OPTIONS.search_path, "bin", "debugfs_static")
|
2021-10-26 20:53:21 +02:00
|
|
|
self.avbtool = avbtool if avbtool else "avbtool"
|
|
|
|
self.sign_tool = sign_tool
|
2020-01-23 19:47:54 +01:00
|
|
|
|
2022-06-16 18:44:27 +02:00
|
|
|
def ProcessApexFile(self, apk_keys, payload_key, signing_args=None, is_sepolicy=False):
|
2021-10-26 20:53:21 +02:00
|
|
|
"""Scans and signs the payload files and repack the apex
|
2020-01-23 19:47:54 +01:00
|
|
|
|
|
|
|
Args:
|
|
|
|
apk_keys: A dict that holds the signing keys for apk files.
|
|
|
|
|
|
|
|
Returns:
|
|
|
|
The repacked apex file containing the signed apk files.
|
|
|
|
"""
|
2020-08-21 20:13:13 +02:00
|
|
|
if not os.path.exists(self.debugfs_path):
|
2020-08-19 20:54:42 +02:00
|
|
|
raise ApexSigningError(
|
|
|
|
"Couldn't find location of debugfs_static: " +
|
2021-01-06 14:33:25 +01:00
|
|
|
"Path {} does not exist. ".format(self.debugfs_path) +
|
2020-08-19 20:54:42 +02:00
|
|
|
"Make sure bin/debugfs_static can be found in -p <path>")
|
|
|
|
list_cmd = ['deapexer', '--debugfs_path',
|
2020-08-21 20:13:13 +02:00
|
|
|
self.debugfs_path, 'list', self.apex_path]
|
2020-01-23 19:47:54 +01:00
|
|
|
entries_names = common.RunAndCheckOutput(list_cmd).split()
|
|
|
|
apk_entries = [name for name in entries_names if name.endswith('.apk')]
|
2022-06-16 18:44:27 +02:00
|
|
|
sepolicy_entries = []
|
|
|
|
if is_sepolicy:
|
|
|
|
sepolicy_entries = [name for name in entries_names if
|
|
|
|
name.startswith('./etc/SEPolicy') and name.endswith('.zip')]
|
2020-01-23 19:47:54 +01:00
|
|
|
|
|
|
|
# No need to sign and repack, return the original apex path.
|
2022-06-16 18:44:27 +02:00
|
|
|
if not apk_entries and not sepolicy_entries and self.sign_tool is None:
|
2022-04-13 18:23:45 +02:00
|
|
|
logger.info('No apk file to sign in %s', self.apex_path)
|
2020-01-23 19:47:54 +01:00
|
|
|
return self.apex_path
|
|
|
|
|
|
|
|
for entry in apk_entries:
|
|
|
|
apk_name = os.path.basename(entry)
|
|
|
|
if apk_name not in apk_keys:
|
|
|
|
raise ApexSigningError('Failed to find signing keys for apk file {} in'
|
|
|
|
' apex {}. Use "-e <apkname>=" to specify a key'
|
|
|
|
.format(entry, self.apex_path))
|
|
|
|
if not any(dirname in entry for dirname in ['app/', 'priv-app/',
|
|
|
|
'overlay/']):
|
|
|
|
logger.warning('Apk path does not contain the intended directory name:'
|
|
|
|
' %s', entry)
|
|
|
|
|
2022-04-13 18:23:45 +02:00
|
|
|
payload_dir, has_signed_content = self.ExtractApexPayloadAndSignContents(
|
2022-06-16 18:44:27 +02:00
|
|
|
apk_entries, sepolicy_entries, apk_keys, payload_key, signing_args)
|
2021-10-26 20:53:21 +02:00
|
|
|
if not has_signed_content:
|
2022-06-16 18:44:27 +02:00
|
|
|
logger.info('No contents have been signed in %s', self.apex_path)
|
2020-01-23 19:47:54 +01:00
|
|
|
return self.apex_path
|
|
|
|
|
2020-03-26 04:50:23 +01:00
|
|
|
return self.RepackApexPayload(payload_dir, payload_key, signing_args)
|
2020-01-23 19:47:54 +01:00
|
|
|
|
2022-06-16 18:44:27 +02:00
|
|
|
def ExtractApexPayloadAndSignContents(self, apk_entries, sepolicy_entries, apk_keys, payload_key, signing_args):
|
2020-01-23 19:47:54 +01:00
|
|
|
"""Extracts the payload image and signs the containing apk files."""
|
2020-08-21 20:13:13 +02:00
|
|
|
if not os.path.exists(self.debugfs_path):
|
|
|
|
raise ApexSigningError(
|
|
|
|
"Couldn't find location of debugfs_static: " +
|
2021-01-06 14:33:25 +01:00
|
|
|
"Path {} does not exist. ".format(self.debugfs_path) +
|
2020-08-21 20:13:13 +02:00
|
|
|
"Make sure bin/debugfs_static can be found in -p <path>")
|
2020-01-23 19:47:54 +01:00
|
|
|
payload_dir = common.MakeTempDir()
|
2020-08-21 20:13:13 +02:00
|
|
|
extract_cmd = ['deapexer', '--debugfs_path',
|
|
|
|
self.debugfs_path, 'extract', self.apex_path, payload_dir]
|
2020-01-23 19:47:54 +01:00
|
|
|
common.RunAndCheckOutput(extract_cmd)
|
2022-06-16 18:44:27 +02:00
|
|
|
assert os.path.exists(self.apex_path)
|
2020-01-23 19:47:54 +01:00
|
|
|
|
2021-10-26 20:53:21 +02:00
|
|
|
has_signed_content = False
|
2020-01-23 19:47:54 +01:00
|
|
|
for entry in apk_entries:
|
|
|
|
apk_path = os.path.join(payload_dir, entry)
|
|
|
|
|
|
|
|
key_name = apk_keys.get(os.path.basename(entry))
|
|
|
|
if key_name in common.SPECIAL_CERT_STRINGS:
|
|
|
|
logger.info('Not signing: %s due to special cert string', apk_path)
|
|
|
|
continue
|
|
|
|
|
|
|
|
logger.info('Signing apk file %s in apex %s', apk_path, self.apex_path)
|
|
|
|
# Rename the unsigned apk and overwrite the original apk path with the
|
|
|
|
# signed apk file.
|
|
|
|
unsigned_apk = common.MakeTempFile()
|
|
|
|
os.rename(apk_path, unsigned_apk)
|
2021-01-06 14:33:25 +01:00
|
|
|
common.SignFile(
|
|
|
|
unsigned_apk, apk_path, key_name, self.key_passwords.get(key_name),
|
|
|
|
codename_to_api_level_map=self.codename_to_api_level_map)
|
2021-10-26 20:53:21 +02:00
|
|
|
has_signed_content = True
|
|
|
|
|
2022-06-16 18:44:27 +02:00
|
|
|
for entry in sepolicy_entries:
|
|
|
|
sepolicy_path = os.path.join(payload_dir, entry)
|
|
|
|
|
|
|
|
if not 'etc' in entry:
|
|
|
|
logger.warning('Sepolicy path does not contain the intended directory name etc:'
|
|
|
|
' %s', entry)
|
|
|
|
|
|
|
|
key_name = apk_keys.get(os.path.basename(entry))
|
|
|
|
if key_name is None:
|
|
|
|
logger.warning('Failed to find signing keys for {} in'
|
|
|
|
' apex {}, payload key will be used instead.'
|
|
|
|
' Use "-e <name>=" to specify a key'
|
|
|
|
.format(entry, self.apex_path))
|
|
|
|
key_name = payload_key
|
|
|
|
|
|
|
|
if key_name in common.SPECIAL_CERT_STRINGS:
|
|
|
|
logger.info('Not signing: %s due to special cert string', sepolicy_path)
|
|
|
|
continue
|
|
|
|
|
|
|
|
if OPTIONS.sign_sepolicy_path is not None:
|
|
|
|
sig_path = os.path.join(payload_dir, sepolicy_path + '.sig')
|
|
|
|
fsv_sig_path = os.path.join(payload_dir, sepolicy_path + '.fsv_sig')
|
|
|
|
old_sig = common.MakeTempFile()
|
|
|
|
old_fsv_sig = common.MakeTempFile()
|
|
|
|
os.rename(sig_path, old_sig)
|
|
|
|
os.rename(fsv_sig_path, old_fsv_sig)
|
|
|
|
|
|
|
|
logger.info('Signing sepolicy file %s in apex %s', sepolicy_path, self.apex_path)
|
|
|
|
if common.SignSePolicy(sepolicy_path, key_name, self.key_passwords.get(key_name)):
|
|
|
|
has_signed_content = True
|
|
|
|
|
2021-10-26 20:53:21 +02:00
|
|
|
if self.sign_tool:
|
2021-10-26 20:58:09 +02:00
|
|
|
logger.info('Signing payload contents in apex %s with %s', self.apex_path, self.sign_tool)
|
2022-02-07 07:56:53 +01:00
|
|
|
# Pass avbtool to the custom signing tool
|
|
|
|
cmd = [self.sign_tool, '--avbtool', self.avbtool]
|
|
|
|
# Pass signing_args verbatim which will be forwarded to avbtool (e.g. --signing_helper=...)
|
|
|
|
if signing_args:
|
|
|
|
cmd.extend(['--signing_args', '"{}"'.format(signing_args)])
|
|
|
|
cmd.extend([payload_key, payload_dir])
|
2021-10-26 20:53:21 +02:00
|
|
|
common.RunAndCheckOutput(cmd)
|
|
|
|
has_signed_content = True
|
|
|
|
|
|
|
|
return payload_dir, has_signed_content
|
2020-01-23 19:47:54 +01:00
|
|
|
|
2020-03-26 04:50:23 +01:00
|
|
|
def RepackApexPayload(self, payload_dir, payload_key, signing_args=None):
|
2020-01-23 19:47:54 +01:00
|
|
|
"""Rebuilds the apex file with the updated payload directory."""
|
|
|
|
apex_dir = common.MakeTempDir()
|
|
|
|
# Extract the apex file and reuse its meta files as repack parameters.
|
|
|
|
common.UnzipToDir(self.apex_path, apex_dir)
|
|
|
|
arguments_dict = {
|
|
|
|
'manifest': os.path.join(apex_dir, 'apex_manifest.pb'),
|
|
|
|
'build_info': os.path.join(apex_dir, 'apex_build_info.pb'),
|
|
|
|
'key': payload_key,
|
|
|
|
}
|
|
|
|
for filename in arguments_dict.values():
|
|
|
|
assert os.path.exists(filename), 'file {} not found'.format(filename)
|
|
|
|
|
|
|
|
# The repack process will add back these files later in the payload image.
|
|
|
|
for name in ['apex_manifest.pb', 'apex_manifest.json', 'lost+found']:
|
|
|
|
path = os.path.join(payload_dir, name)
|
|
|
|
if os.path.isfile(path):
|
|
|
|
os.remove(path)
|
|
|
|
elif os.path.isdir(path):
|
2022-02-26 03:34:06 +01:00
|
|
|
shutil.rmtree(path, ignore_errors=True)
|
2020-01-23 19:47:54 +01:00
|
|
|
|
2020-03-24 02:14:09 +01:00
|
|
|
# TODO(xunchang) the signing process can be improved by using
|
|
|
|
# '--unsigned_payload_only'. But we need to parse the vbmeta earlier for
|
|
|
|
# the signing arguments, e.g. algorithm, salt, etc.
|
|
|
|
payload_img = os.path.join(apex_dir, APEX_PAYLOAD_IMAGE)
|
|
|
|
generate_image_cmd = ['apexer', '--force', '--payload_only',
|
|
|
|
'--do_not_check_keyname', '--apexer_tool_path',
|
|
|
|
os.getenv('PATH')]
|
2020-01-23 19:47:54 +01:00
|
|
|
for key, val in arguments_dict.items():
|
2020-03-24 02:14:09 +01:00
|
|
|
generate_image_cmd.extend(['--' + key, val])
|
2020-03-26 04:50:23 +01:00
|
|
|
|
|
|
|
# Add quote to the signing_args as we will pass
|
|
|
|
# --signing_args "--signing_helper_with_files=%path" to apexer
|
|
|
|
if signing_args:
|
2020-08-19 20:54:42 +02:00
|
|
|
generate_image_cmd.extend(
|
|
|
|
['--signing_args', '"{}"'.format(signing_args)])
|
2020-03-26 04:50:23 +01:00
|
|
|
|
2020-01-29 20:37:43 +01:00
|
|
|
# optional arguments for apex repacking
|
2020-01-23 19:47:54 +01:00
|
|
|
manifest_json = os.path.join(apex_dir, 'apex_manifest.json')
|
|
|
|
if os.path.exists(manifest_json):
|
2020-03-24 02:14:09 +01:00
|
|
|
generate_image_cmd.extend(['--manifest_json', manifest_json])
|
|
|
|
generate_image_cmd.extend([payload_dir, payload_img])
|
2020-01-31 02:12:05 +01:00
|
|
|
if OPTIONS.verbose:
|
2020-03-24 02:14:09 +01:00
|
|
|
generate_image_cmd.append('-v')
|
|
|
|
common.RunAndCheckOutput(generate_image_cmd)
|
2020-01-23 19:47:54 +01:00
|
|
|
|
2020-03-24 02:14:09 +01:00
|
|
|
# Add the payload image back to the apex file.
|
|
|
|
common.ZipDelete(self.apex_path, APEX_PAYLOAD_IMAGE)
|
2020-09-22 22:15:57 +02:00
|
|
|
with zipfile.ZipFile(self.apex_path, 'a', allowZip64=True) as output_apex:
|
2020-03-24 02:14:09 +01:00
|
|
|
common.ZipWrite(output_apex, payload_img, APEX_PAYLOAD_IMAGE,
|
|
|
|
compress_type=zipfile.ZIP_STORED)
|
|
|
|
return self.apex_path
|
2020-01-23 19:47:54 +01:00
|
|
|
|
|
|
|
|
2019-06-26 20:58:22 +02:00
|
|
|
def SignApexPayload(avbtool, payload_file, payload_key_path, payload_key_name,
|
2020-05-19 16:18:03 +02:00
|
|
|
algorithm, salt, hash_algorithm, no_hashtree, signing_args=None):
|
2019-03-15 23:13:01 +01:00
|
|
|
"""Signs a given payload_file with the payload key."""
|
|
|
|
# Add the new footer. Old footer, if any, will be replaced by avbtool.
|
2019-06-26 20:58:22 +02:00
|
|
|
cmd = [avbtool, 'add_hashtree_footer',
|
2019-03-15 23:13:01 +01:00
|
|
|
'--do_not_generate_fec',
|
|
|
|
'--algorithm', algorithm,
|
|
|
|
'--key', payload_key_path,
|
|
|
|
'--prop', 'apex.key:{}'.format(payload_key_name),
|
|
|
|
'--image', payload_file,
|
2020-05-19 16:18:03 +02:00
|
|
|
'--salt', salt,
|
|
|
|
'--hash_algorithm', hash_algorithm]
|
2019-09-19 16:55:02 +02:00
|
|
|
if no_hashtree:
|
|
|
|
cmd.append('--no_hashtree')
|
2019-03-15 23:13:01 +01:00
|
|
|
if signing_args:
|
|
|
|
cmd.extend(shlex.split(signing_args))
|
|
|
|
|
|
|
|
try:
|
|
|
|
common.RunAndCheckOutput(cmd)
|
|
|
|
except common.ExternalError as e:
|
2019-06-20 02:03:37 +02:00
|
|
|
raise ApexSigningError(
|
2019-03-15 23:13:01 +01:00
|
|
|
'Failed to sign APEX payload {} with {}:\n{}'.format(
|
2019-06-20 02:03:37 +02:00
|
|
|
payload_file, payload_key_path, e))
|
2019-03-15 23:13:01 +01:00
|
|
|
|
|
|
|
# Verify the signed payload image with specified public key.
|
|
|
|
logger.info('Verifying %s', payload_file)
|
2019-09-19 16:55:02 +02:00
|
|
|
VerifyApexPayload(avbtool, payload_file, payload_key_path, no_hashtree)
|
2019-03-15 23:13:01 +01:00
|
|
|
|
|
|
|
|
2019-09-19 16:55:02 +02:00
|
|
|
def VerifyApexPayload(avbtool, payload_file, payload_key, no_hashtree=False):
|
2019-03-15 23:13:01 +01:00
|
|
|
"""Verifies the APEX payload signature with the given key."""
|
2019-06-26 20:58:22 +02:00
|
|
|
cmd = [avbtool, 'verify_image', '--image', payload_file,
|
2019-03-15 23:13:01 +01:00
|
|
|
'--key', payload_key]
|
2019-09-19 16:55:02 +02:00
|
|
|
if no_hashtree:
|
|
|
|
cmd.append('--accept_zeroed_hashtree')
|
2019-03-15 23:13:01 +01:00
|
|
|
try:
|
|
|
|
common.RunAndCheckOutput(cmd)
|
|
|
|
except common.ExternalError as e:
|
2019-06-20 02:03:37 +02:00
|
|
|
raise ApexSigningError(
|
2019-03-15 23:13:01 +01:00
|
|
|
'Failed to validate payload signing for {} with {}:\n{}'.format(
|
2019-06-20 02:03:37 +02:00
|
|
|
payload_file, payload_key, e))
|
2019-03-15 23:13:01 +01:00
|
|
|
|
|
|
|
|
2019-06-26 20:58:22 +02:00
|
|
|
def ParseApexPayloadInfo(avbtool, payload_path):
|
2019-03-15 23:13:01 +01:00
|
|
|
"""Parses the APEX payload info.
|
|
|
|
|
|
|
|
Args:
|
2019-06-26 20:58:22 +02:00
|
|
|
avbtool: The AVB tool to use.
|
2019-03-15 23:13:01 +01:00
|
|
|
payload_path: The path to the payload image.
|
|
|
|
|
|
|
|
Raises:
|
|
|
|
ApexInfoError on parsing errors.
|
|
|
|
|
|
|
|
Returns:
|
|
|
|
A dict that contains payload property-value pairs. The dict should at least
|
2019-09-19 16:55:02 +02:00
|
|
|
contain Algorithm, Salt, Tree Size and apex.key.
|
2019-03-15 23:13:01 +01:00
|
|
|
"""
|
|
|
|
if not os.path.exists(payload_path):
|
|
|
|
raise ApexInfoError('Failed to find image: {}'.format(payload_path))
|
|
|
|
|
2019-06-26 20:58:22 +02:00
|
|
|
cmd = [avbtool, 'info_image', '--image', payload_path]
|
2019-03-15 23:13:01 +01:00
|
|
|
try:
|
|
|
|
output = common.RunAndCheckOutput(cmd)
|
|
|
|
except common.ExternalError as e:
|
2019-06-20 02:03:37 +02:00
|
|
|
raise ApexInfoError(
|
2019-03-15 23:13:01 +01:00
|
|
|
'Failed to get APEX payload info for {}:\n{}'.format(
|
2019-06-20 02:03:37 +02:00
|
|
|
payload_path, e))
|
2019-03-15 23:13:01 +01:00
|
|
|
|
2020-05-19 16:18:03 +02:00
|
|
|
# Extract the Algorithm / Hash Algorithm / Salt / Prop info / Tree size from
|
|
|
|
# payload (i.e. an image signed with avbtool). For example,
|
2019-03-15 23:13:01 +01:00
|
|
|
# Algorithm: SHA256_RSA4096
|
|
|
|
PAYLOAD_INFO_PATTERN = (
|
2020-05-19 16:18:03 +02:00
|
|
|
r'^\s*(?P<key>Algorithm|Hash Algorithm|Salt|Prop|Tree Size)\:\s*(?P<value>.*?)$')
|
2019-03-15 23:13:01 +01:00
|
|
|
payload_info_matcher = re.compile(PAYLOAD_INFO_PATTERN)
|
|
|
|
|
|
|
|
payload_info = {}
|
|
|
|
for line in output.split('\n'):
|
|
|
|
line_info = payload_info_matcher.match(line)
|
|
|
|
if not line_info:
|
|
|
|
continue
|
|
|
|
|
|
|
|
key, value = line_info.group('key'), line_info.group('value')
|
|
|
|
|
|
|
|
if key == 'Prop':
|
|
|
|
# Further extract the property key-value pair, from a 'Prop:' line. For
|
|
|
|
# example,
|
|
|
|
# Prop: apex.key -> 'com.android.runtime'
|
|
|
|
# Note that avbtool writes single or double quotes around values.
|
|
|
|
PROPERTY_DESCRIPTOR_PATTERN = r'^\s*(?P<key>.*?)\s->\s*(?P<value>.*?)$'
|
|
|
|
|
|
|
|
prop_matcher = re.compile(PROPERTY_DESCRIPTOR_PATTERN)
|
|
|
|
prop = prop_matcher.match(value)
|
|
|
|
if not prop:
|
|
|
|
raise ApexInfoError(
|
|
|
|
'Failed to parse prop string {}'.format(value))
|
|
|
|
|
|
|
|
prop_key, prop_value = prop.group('key'), prop.group('value')
|
|
|
|
if prop_key == 'apex.key':
|
|
|
|
# avbtool dumps the prop value with repr(), which contains single /
|
|
|
|
# double quotes that we don't want.
|
|
|
|
payload_info[prop_key] = prop_value.strip('\"\'')
|
|
|
|
|
|
|
|
else:
|
|
|
|
payload_info[key] = value
|
|
|
|
|
2020-07-28 15:31:06 +02:00
|
|
|
# Validation check.
|
2020-05-19 16:18:03 +02:00
|
|
|
for key in ('Algorithm', 'Salt', 'apex.key', 'Hash Algorithm'):
|
2019-03-15 23:13:01 +01:00
|
|
|
if key not in payload_info:
|
|
|
|
raise ApexInfoError(
|
|
|
|
'Failed to find {} prop in {}'.format(key, payload_path))
|
|
|
|
|
|
|
|
return payload_info
|
2019-05-10 01:54:15 +02:00
|
|
|
|
|
|
|
|
2021-01-20 02:32:28 +01:00
|
|
|
def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
|
2021-01-12 01:03:02 +01:00
|
|
|
container_pw, apk_keys, codename_to_api_level_map,
|
2022-06-16 18:44:27 +02:00
|
|
|
no_hashtree, signing_args=None, sign_tool=None,
|
|
|
|
is_sepolicy=False):
|
2021-01-12 01:03:02 +01:00
|
|
|
"""Signs the current uncompressed APEX with the given payload/container keys.
|
2019-05-10 01:54:15 +02:00
|
|
|
|
|
|
|
Args:
|
2021-01-20 02:32:28 +01:00
|
|
|
apex_file: Uncompressed APEX file.
|
2019-05-10 01:54:15 +02:00
|
|
|
payload_key: The path to payload signing key (w/ extension).
|
|
|
|
container_key: The path to container signing key (w/o extension).
|
|
|
|
container_pw: The matching password of the container_key, or None.
|
2020-01-23 19:47:54 +01:00
|
|
|
apk_keys: A dict that holds the signing keys for apk files.
|
2019-05-10 01:54:15 +02:00
|
|
|
codename_to_api_level_map: A dict that maps from codename to API level.
|
2019-09-19 16:55:02 +02:00
|
|
|
no_hashtree: Don't include hashtree in the signed APEX.
|
2019-05-10 01:54:15 +02:00
|
|
|
signing_args: Additional args to be passed to the payload signer.
|
2021-10-26 20:53:21 +02:00
|
|
|
sign_tool: A tool to sign the contents of the APEX.
|
2022-06-16 18:44:27 +02:00
|
|
|
is_sepolicy: Indicates if the apex is a sepolicy.apex
|
2019-05-10 01:54:15 +02:00
|
|
|
|
|
|
|
Returns:
|
|
|
|
The path to the signed APEX file.
|
|
|
|
"""
|
2021-10-26 20:53:21 +02:00
|
|
|
# 1. Extract the apex payload image and sign the files (e.g. APKs). Repack
|
2020-01-23 19:47:54 +01:00
|
|
|
# the apex file after signing.
|
|
|
|
apk_signer = ApexApkSigner(apex_file, container_pw,
|
2021-10-26 20:53:21 +02:00
|
|
|
codename_to_api_level_map,
|
2022-04-13 18:23:45 +02:00
|
|
|
avbtool, sign_tool)
|
2022-06-16 18:44:27 +02:00
|
|
|
apex_file = apk_signer.ProcessApexFile(
|
|
|
|
apk_keys, payload_key, signing_args, is_sepolicy)
|
2020-01-23 19:47:54 +01:00
|
|
|
|
|
|
|
# 2a. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given
|
2019-05-10 01:54:15 +02:00
|
|
|
# payload_key.
|
|
|
|
payload_dir = common.MakeTempDir(prefix='apex-payload-')
|
|
|
|
with zipfile.ZipFile(apex_file) as apex_fd:
|
|
|
|
payload_file = apex_fd.extract(APEX_PAYLOAD_IMAGE, payload_dir)
|
2019-08-25 21:01:44 +02:00
|
|
|
zip_items = apex_fd.namelist()
|
2019-05-10 01:54:15 +02:00
|
|
|
|
2019-06-26 20:58:22 +02:00
|
|
|
payload_info = ParseApexPayloadInfo(avbtool, payload_file)
|
2021-08-03 01:58:14 +02:00
|
|
|
if no_hashtree is None:
|
|
|
|
no_hashtree = payload_info.get("Tree Size", 0) == 0
|
2019-05-10 01:54:15 +02:00
|
|
|
SignApexPayload(
|
2019-06-26 20:58:22 +02:00
|
|
|
avbtool,
|
2019-05-10 01:54:15 +02:00
|
|
|
payload_file,
|
|
|
|
payload_key,
|
|
|
|
payload_info['apex.key'],
|
|
|
|
payload_info['Algorithm'],
|
|
|
|
payload_info['Salt'],
|
2020-05-19 16:18:03 +02:00
|
|
|
payload_info['Hash Algorithm'],
|
2019-09-19 16:55:02 +02:00
|
|
|
no_hashtree,
|
2019-05-10 01:54:15 +02:00
|
|
|
signing_args)
|
|
|
|
|
2020-01-23 19:47:54 +01:00
|
|
|
# 2b. Update the embedded payload public key.
|
2020-03-24 02:14:09 +01:00
|
|
|
payload_public_key = common.ExtractAvbPublicKey(avbtool, payload_key)
|
2019-05-10 01:54:15 +02:00
|
|
|
common.ZipDelete(apex_file, APEX_PAYLOAD_IMAGE)
|
2019-08-25 21:01:44 +02:00
|
|
|
if APEX_PUBKEY in zip_items:
|
|
|
|
common.ZipDelete(apex_file, APEX_PUBKEY)
|
2020-09-22 22:15:57 +02:00
|
|
|
apex_zip = zipfile.ZipFile(apex_file, 'a', allowZip64=True)
|
2019-05-10 01:54:15 +02:00
|
|
|
common.ZipWrite(apex_zip, payload_file, arcname=APEX_PAYLOAD_IMAGE)
|
|
|
|
common.ZipWrite(apex_zip, payload_public_key, arcname=APEX_PUBKEY)
|
2022-10-26 21:49:03 +02:00
|
|
|
apex_zip.close()
|
2019-05-10 01:54:15 +02:00
|
|
|
|
2021-07-22 11:21:25 +02:00
|
|
|
# 3. Sign the APEX container with container_key.
|
2019-05-10 01:54:15 +02:00
|
|
|
signed_apex = common.MakeTempFile(prefix='apex-container-', suffix='.apex')
|
|
|
|
|
|
|
|
# Specify the 4K alignment when calling SignApk.
|
|
|
|
extra_signapk_args = OPTIONS.extra_signapk_args[:]
|
2021-07-12 06:23:52 +02:00
|
|
|
extra_signapk_args.extend(['-a', '4096', '--align-file-size'])
|
2019-05-10 01:54:15 +02:00
|
|
|
|
2021-01-12 00:50:31 +01:00
|
|
|
password = container_pw.get(container_key) if container_pw else None
|
2019-05-10 01:54:15 +02:00
|
|
|
common.SignFile(
|
2021-07-22 11:21:25 +02:00
|
|
|
apex_file,
|
2019-05-10 01:54:15 +02:00
|
|
|
signed_apex,
|
|
|
|
container_key,
|
2021-01-12 00:50:31 +01:00
|
|
|
password,
|
2019-05-10 01:54:15 +02:00
|
|
|
codename_to_api_level_map=codename_to_api_level_map,
|
|
|
|
extra_signapk_args=extra_signapk_args)
|
|
|
|
|
|
|
|
return signed_apex
|
2021-01-12 01:03:02 +01:00
|
|
|
|
|
|
|
|
2021-01-20 02:32:28 +01:00
|
|
|
def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
|
2021-08-03 01:58:14 +02:00
|
|
|
container_pw, apk_keys, codename_to_api_level_map,
|
2022-06-16 18:44:27 +02:00
|
|
|
no_hashtree, signing_args=None, sign_tool=None,
|
|
|
|
is_sepolicy=False):
|
2021-01-20 02:32:28 +01:00
|
|
|
"""Signs the current compressed APEX with the given payload/container keys.
|
|
|
|
|
|
|
|
Args:
|
|
|
|
apex_file: Raw uncompressed APEX data.
|
|
|
|
payload_key: The path to payload signing key (w/ extension).
|
|
|
|
container_key: The path to container signing key (w/o extension).
|
|
|
|
container_pw: The matching password of the container_key, or None.
|
|
|
|
apk_keys: A dict that holds the signing keys for apk files.
|
|
|
|
codename_to_api_level_map: A dict that maps from codename to API level.
|
|
|
|
no_hashtree: Don't include hashtree in the signed APEX.
|
|
|
|
signing_args: Additional args to be passed to the payload signer.
|
2022-06-16 18:44:27 +02:00
|
|
|
is_sepolicy: Indicates if the apex is a sepolicy.apex
|
2021-01-20 02:32:28 +01:00
|
|
|
|
|
|
|
Returns:
|
|
|
|
The path to the signed APEX file.
|
|
|
|
"""
|
|
|
|
debugfs_path = os.path.join(OPTIONS.search_path, 'bin', 'debugfs_static')
|
|
|
|
|
|
|
|
# 1. Decompress original_apex inside compressed apex.
|
|
|
|
original_apex_file = common.MakeTempFile(prefix='original-apex-',
|
|
|
|
suffix='.apex')
|
|
|
|
# Decompression target path should not exist
|
|
|
|
os.remove(original_apex_file)
|
|
|
|
common.RunAndCheckOutput(['deapexer', '--debugfs_path', debugfs_path,
|
|
|
|
'decompress', '--input', apex_file,
|
|
|
|
'--output', original_apex_file])
|
|
|
|
|
|
|
|
# 2. Sign original_apex
|
|
|
|
signed_original_apex_file = SignUncompressedApex(
|
|
|
|
avbtool,
|
|
|
|
original_apex_file,
|
|
|
|
payload_key,
|
|
|
|
container_key,
|
|
|
|
container_pw,
|
|
|
|
apk_keys,
|
|
|
|
codename_to_api_level_map,
|
|
|
|
no_hashtree,
|
2021-10-26 20:53:21 +02:00
|
|
|
signing_args,
|
2022-06-16 18:44:27 +02:00
|
|
|
sign_tool,
|
|
|
|
is_sepolicy)
|
2021-01-20 02:32:28 +01:00
|
|
|
|
|
|
|
# 3. Compress signed original apex.
|
|
|
|
compressed_apex_file = common.MakeTempFile(prefix='apex-container-',
|
|
|
|
suffix='.capex')
|
|
|
|
common.RunAndCheckOutput(['apex_compression_tool',
|
|
|
|
'compress',
|
|
|
|
'--apex_compression_tool_path', os.getenv('PATH'),
|
|
|
|
'--input', signed_original_apex_file,
|
|
|
|
'--output', compressed_apex_file])
|
|
|
|
|
2021-07-22 11:21:25 +02:00
|
|
|
# 4. Sign the APEX container with container_key.
|
2021-01-20 02:32:28 +01:00
|
|
|
signed_apex = common.MakeTempFile(prefix='apex-container-', suffix='.capex')
|
|
|
|
|
|
|
|
password = container_pw.get(container_key) if container_pw else None
|
|
|
|
common.SignFile(
|
2021-07-22 11:21:25 +02:00
|
|
|
compressed_apex_file,
|
2021-01-20 02:32:28 +01:00
|
|
|
signed_apex,
|
|
|
|
container_key,
|
|
|
|
password,
|
|
|
|
codename_to_api_level_map=codename_to_api_level_map,
|
2021-07-22 11:21:25 +02:00
|
|
|
extra_signapk_args=OPTIONS.extra_signapk_args)
|
2021-01-20 02:32:28 +01:00
|
|
|
|
|
|
|
return signed_apex
|
|
|
|
|
|
|
|
|
2021-01-12 01:03:02 +01:00
|
|
|
def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
|
2022-06-16 18:44:27 +02:00
|
|
|
apk_keys, codename_to_api_level_map, no_hashtree,
|
|
|
|
signing_args=None, sign_tool=None, is_sepolicy=False):
|
2021-01-12 01:03:02 +01:00
|
|
|
"""Signs the current APEX with the given payload/container keys.
|
|
|
|
|
|
|
|
Args:
|
|
|
|
apex_file: Path to apex file path.
|
|
|
|
payload_key: The path to payload signing key (w/ extension).
|
|
|
|
container_key: The path to container signing key (w/o extension).
|
|
|
|
container_pw: The matching password of the container_key, or None.
|
|
|
|
apk_keys: A dict that holds the signing keys for apk files.
|
|
|
|
codename_to_api_level_map: A dict that maps from codename to API level.
|
|
|
|
no_hashtree: Don't include hashtree in the signed APEX.
|
|
|
|
signing_args: Additional args to be passed to the payload signer.
|
2022-06-16 18:44:27 +02:00
|
|
|
is_sepolicy: Indicates if the apex is a sepolicy.apex
|
2021-01-12 01:03:02 +01:00
|
|
|
|
|
|
|
Returns:
|
|
|
|
The path to the signed APEX file.
|
|
|
|
"""
|
|
|
|
apex_file = common.MakeTempFile(prefix='apex-container-', suffix='.apex')
|
|
|
|
with open(apex_file, 'wb') as output_fp:
|
|
|
|
output_fp.write(apex_data)
|
|
|
|
|
2021-01-20 02:32:28 +01:00
|
|
|
debugfs_path = os.path.join(OPTIONS.search_path, 'bin', 'debugfs_static')
|
2021-01-12 01:03:02 +01:00
|
|
|
cmd = ['deapexer', '--debugfs_path', debugfs_path,
|
|
|
|
'info', '--print-type', apex_file]
|
|
|
|
|
|
|
|
try:
|
|
|
|
apex_type = common.RunAndCheckOutput(cmd).strip()
|
|
|
|
if apex_type == 'UNCOMPRESSED':
|
|
|
|
return SignUncompressedApex(
|
|
|
|
avbtool,
|
2021-01-20 02:32:28 +01:00
|
|
|
apex_file,
|
|
|
|
payload_key=payload_key,
|
|
|
|
container_key=container_key,
|
2022-09-15 00:02:46 +02:00
|
|
|
container_pw=container_pw,
|
2021-01-20 02:32:28 +01:00
|
|
|
codename_to_api_level_map=codename_to_api_level_map,
|
|
|
|
no_hashtree=no_hashtree,
|
|
|
|
apk_keys=apk_keys,
|
2021-10-26 20:53:21 +02:00
|
|
|
signing_args=signing_args,
|
2022-06-16 18:44:27 +02:00
|
|
|
sign_tool=sign_tool,
|
|
|
|
is_sepolicy=is_sepolicy)
|
2021-01-20 02:32:28 +01:00
|
|
|
elif apex_type == 'COMPRESSED':
|
|
|
|
return SignCompressedApex(
|
|
|
|
avbtool,
|
|
|
|
apex_file,
|
2021-01-12 01:03:02 +01:00
|
|
|
payload_key=payload_key,
|
|
|
|
container_key=container_key,
|
2022-09-15 00:02:46 +02:00
|
|
|
container_pw=container_pw,
|
2021-01-12 01:03:02 +01:00
|
|
|
codename_to_api_level_map=codename_to_api_level_map,
|
|
|
|
no_hashtree=no_hashtree,
|
|
|
|
apk_keys=apk_keys,
|
2021-10-26 20:53:21 +02:00
|
|
|
signing_args=signing_args,
|
2022-06-16 18:44:27 +02:00
|
|
|
sign_tool=sign_tool,
|
|
|
|
is_sepolicy=is_sepolicy)
|
2021-01-12 01:03:02 +01:00
|
|
|
else:
|
|
|
|
# TODO(b/172912232): support signing compressed apex
|
|
|
|
raise ApexInfoError('Unsupported apex type {}'.format(apex_type))
|
|
|
|
|
|
|
|
except common.ExternalError as e:
|
|
|
|
raise ApexInfoError(
|
2021-01-06 14:33:25 +01:00
|
|
|
'Failed to get type for {}:\n{}'.format(apex_file, e))
|
|
|
|
|
2021-08-03 01:58:14 +02:00
|
|
|
|
2021-04-16 01:39:22 +02:00
|
|
|
def GetApexInfoFromTargetFiles(input_file, partition, compressed_only=True):
|
2021-01-06 14:33:25 +01:00
|
|
|
"""
|
|
|
|
Get information about system APEX stored in the input_file zip
|
|
|
|
|
|
|
|
Args:
|
|
|
|
input_file: The filename of the target build target-files zip or directory.
|
|
|
|
|
|
|
|
Return:
|
|
|
|
A list of ota_metadata_pb2.ApexInfo() populated using the APEX stored in
|
|
|
|
/system partition of the input_file
|
|
|
|
"""
|
|
|
|
|
|
|
|
# Extract the apex files so that we can run checks on them
|
|
|
|
if not isinstance(input_file, str):
|
|
|
|
raise RuntimeError("must pass filepath to target-files zip or directory")
|
|
|
|
|
2021-04-16 01:39:22 +02:00
|
|
|
apex_subdir = os.path.join(partition.upper(), 'apex')
|
2021-01-06 14:33:25 +01:00
|
|
|
if os.path.isdir(input_file):
|
|
|
|
tmp_dir = input_file
|
|
|
|
else:
|
2021-04-16 01:39:22 +02:00
|
|
|
tmp_dir = UnzipTemp(input_file, [os.path.join(apex_subdir, '*')])
|
|
|
|
target_dir = os.path.join(tmp_dir, apex_subdir)
|
2021-01-06 14:33:25 +01:00
|
|
|
|
2021-02-17 22:22:21 +01:00
|
|
|
# Partial target-files packages for vendor-only builds may not contain
|
|
|
|
# a system apex directory.
|
|
|
|
if not os.path.exists(target_dir):
|
2021-04-16 01:39:22 +02:00
|
|
|
logger.info('No APEX directory at path: %s', target_dir)
|
2021-02-17 22:22:21 +01:00
|
|
|
return []
|
|
|
|
|
2021-01-06 14:33:25 +01:00
|
|
|
apex_infos = []
|
2021-01-27 20:17:14 +01:00
|
|
|
|
|
|
|
debugfs_path = "debugfs"
|
|
|
|
if OPTIONS.search_path:
|
|
|
|
debugfs_path = os.path.join(OPTIONS.search_path, "bin", "debugfs_static")
|
|
|
|
deapexer = 'deapexer'
|
|
|
|
if OPTIONS.search_path:
|
2021-01-29 20:38:24 +01:00
|
|
|
deapexer_path = os.path.join(OPTIONS.search_path, "bin", "deapexer")
|
2021-01-27 20:17:14 +01:00
|
|
|
if os.path.isfile(deapexer_path):
|
|
|
|
deapexer = deapexer_path
|
2021-01-06 14:33:25 +01:00
|
|
|
for apex_filename in os.listdir(target_dir):
|
|
|
|
apex_filepath = os.path.join(target_dir, apex_filename)
|
|
|
|
if not os.path.isfile(apex_filepath) or \
|
2021-08-03 01:58:14 +02:00
|
|
|
not zipfile.is_zipfile(apex_filepath):
|
2021-01-06 14:33:25 +01:00
|
|
|
logger.info("Skipping %s because it's not a zipfile", apex_filepath)
|
|
|
|
continue
|
|
|
|
apex_info = ota_metadata_pb2.ApexInfo()
|
|
|
|
# Open the apex file to retrieve information
|
|
|
|
manifest = apex_manifest.fromApex(apex_filepath)
|
|
|
|
apex_info.package_name = manifest.name
|
|
|
|
apex_info.version = manifest.version
|
|
|
|
# Check if the file is compressed or not
|
|
|
|
apex_type = RunAndCheckOutput([
|
|
|
|
deapexer, "--debugfs_path", debugfs_path,
|
|
|
|
'info', '--print-type', apex_filepath]).rstrip()
|
|
|
|
if apex_type == 'COMPRESSED':
|
|
|
|
apex_info.is_compressed = True
|
|
|
|
elif apex_type == 'UNCOMPRESSED':
|
|
|
|
apex_info.is_compressed = False
|
|
|
|
else:
|
|
|
|
raise RuntimeError('Not an APEX file: ' + apex_type)
|
|
|
|
|
|
|
|
# Decompress compressed APEX to determine its size
|
|
|
|
if apex_info.is_compressed:
|
|
|
|
decompressed_file_path = MakeTempFile(prefix="decompressed-",
|
|
|
|
suffix=".apex")
|
|
|
|
# Decompression target path should not exist
|
|
|
|
os.remove(decompressed_file_path)
|
|
|
|
RunAndCheckOutput([deapexer, 'decompress', '--input', apex_filepath,
|
|
|
|
'--output', decompressed_file_path])
|
|
|
|
apex_info.decompressed_size = os.path.getsize(decompressed_file_path)
|
|
|
|
|
2021-04-16 01:39:22 +02:00
|
|
|
if not compressed_only or apex_info.is_compressed:
|
2021-01-27 20:17:14 +01:00
|
|
|
apex_infos.append(apex_info)
|
2021-01-06 14:33:25 +01:00
|
|
|
|
|
|
|
return apex_infos
|