tequilaOS/platform_build
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Add support for signing a compressed apex"

Browse source
This commit is contained in:
Nikita Ioffe 2021-01-27 19:45:33 +00:00 committed by Gerrit Code Review
commit 8e0c592f89
3 changed files with 106 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
core/Makefile
View file

@ -4130,6 +4130,7 @@ INTERNAL_OTATOOLS_MODULES := \
# Additional tools to unpack and repack the apex file. # Additional tools to unpack and repack the apex file.
INTERNAL_OTATOOLS_MODULES += \ INTERNAL_OTATOOLS_MODULES += \
apexer \ apexer \
apex_compression_tool \
deapexer \ deapexer \
debugfs_static \ debugfs_static \
merge_zips \ merge_zips \

101
tools/releasetools/apex_utils.py
View file

@ -34,6 +34,8 @@ OPTIONS = common.OPTIONS
APEX_PAYLOAD_IMAGE = 'apex_payload.img' APEX_PAYLOAD_IMAGE = 'apex_payload.img'
APEX_PUBKEY = 'apex_pubkey'
class ApexInfoError(Exception): class ApexInfoError(Exception):
"""An Exception raised during Apex Information command.""" """An Exception raised during Apex Information command."""
@ -306,13 +308,13 @@ def ParseApexPayloadInfo(avbtool, payload_path):
return payload_info return payload_info
def SignUncompressedApex(avbtool, apex_data, payload_key, container_key, def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
container_pw, apk_keys, codename_to_api_level_map, container_pw, apk_keys, codename_to_api_level_map,
no_hashtree, signing_args=None): no_hashtree, signing_args=None):
"""Signs the current uncompressed APEX with the given payload/container keys. """Signs the current uncompressed APEX with the given payload/container keys.
Args: Args:
apex_data: Raw uncompressed APEX data. apex_file: Uncompressed APEX file.
payload_key: The path to payload signing key (w/ extension). payload_key: The path to payload signing key (w/ extension).
container_key: The path to container signing key (w/o extension). container_key: The path to container signing key (w/o extension).
container_pw: The matching password of the container_key, or None. container_pw: The matching password of the container_key, or None.
@ -324,12 +326,6 @@ def SignUncompressedApex(avbtool, apex_data, payload_key, container_key,
Returns: Returns:
The path to the signed APEX file. The path to the signed APEX file.
""" """
apex_file = common.MakeTempFile(prefix='apex-', suffix='.apex')
with open(apex_file, 'wb') as apex_fp:
apex_fp.write(apex_data)
APEX_PUBKEY = 'apex_pubkey'
# 1. Extract the apex payload image and sign the containing apk files. Repack # 1. Extract the apex payload image and sign the containing apk files. Repack
# the apex file after signing. # the apex file after signing.
apk_signer = ApexApkSigner(apex_file, container_pw, apk_signer = ApexApkSigner(apex_file, container_pw,
@ -388,6 +384,80 @@ def SignUncompressedApex(avbtool, apex_data, payload_key, container_key,
return signed_apex return signed_apex
def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
container_pw, apk_keys, codename_to_api_level_map,
no_hashtree, signing_args=None):
"""Signs the current compressed APEX with the given payload/container keys.
Args:
apex_file: Raw uncompressed APEX data.
payload_key: The path to payload signing key (w/ extension).
container_key: The path to container signing key (w/o extension).
container_pw: The matching password of the container_key, or None.
apk_keys: A dict that holds the signing keys for apk files.
codename_to_api_level_map: A dict that maps from codename to API level.
no_hashtree: Don't include hashtree in the signed APEX.
signing_args: Additional args to be passed to the payload signer.
Returns:
The path to the signed APEX file.
"""
debugfs_path = os.path.join(OPTIONS.search_path, 'bin', 'debugfs_static')
# 1. Decompress original_apex inside compressed apex.
original_apex_file = common.MakeTempFile(prefix='original-apex-',
suffix='.apex')
# Decompression target path should not exist
os.remove(original_apex_file)
common.RunAndCheckOutput(['deapexer', '--debugfs_path', debugfs_path,
'decompress', '--input', apex_file,
'--output', original_apex_file])
# 2. Sign original_apex
signed_original_apex_file = SignUncompressedApex(
avbtool,
original_apex_file,
payload_key,
container_key,
container_pw,
apk_keys,
codename_to_api_level_map,
no_hashtree,
signing_args)
# 3. Compress signed original apex.
compressed_apex_file = common.MakeTempFile(prefix='apex-container-',
suffix='.capex')
common.RunAndCheckOutput(['apex_compression_tool',
'compress',
'--apex_compression_tool_path', os.getenv('PATH'),
'--input', signed_original_apex_file,
'--output', compressed_apex_file])
# 4. Align apex
aligned_apex = common.MakeTempFile(prefix='apex-container-', suffix='.capex')
common.RunAndCheckOutput(['zipalign', '-f', '4096', compressed_apex_file,
aligned_apex])
# 5. Sign the APEX container with container_key.
signed_apex = common.MakeTempFile(prefix='apex-container-', suffix='.capex')
# Specify the 4K alignment when calling SignApk.
extra_signapk_args = OPTIONS.extra_signapk_args[:]
extra_signapk_args.extend(['-a', '4096'])
password = container_pw.get(container_key) if container_pw else None
common.SignFile(
aligned_apex,
signed_apex,
container_key,
password,
codename_to_api_level_map=codename_to_api_level_map,
extra_signapk_args=extra_signapk_args)
return signed_apex
def SignApex(avbtool, apex_data, payload_key, container_key, container_pw, def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
apk_keys, codename_to_api_level_map, apk_keys, codename_to_api_level_map,
no_hashtree, signing_args=None): no_hashtree, signing_args=None):
@ -410,7 +480,7 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
with open(apex_file, 'wb') as output_fp: with open(apex_file, 'wb') as output_fp:
output_fp.write(apex_data) output_fp.write(apex_data)
debugfs_path = os.path.join(OPTIONS.search_path, "bin", "debugfs_static") debugfs_path = os.path.join(OPTIONS.search_path, 'bin', 'debugfs_static')
cmd = ['deapexer', '--debugfs_path', debugfs_path, cmd = ['deapexer', '--debugfs_path', debugfs_path,
'info', '--print-type', apex_file] 'info', '--print-type', apex_file]
@ -419,7 +489,18 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
if apex_type == 'UNCOMPRESSED': if apex_type == 'UNCOMPRESSED':
return SignUncompressedApex( return SignUncompressedApex(
avbtool, avbtool,
apex_data, apex_file,
payload_key=payload_key,
container_key=container_key,
container_pw=None,
codename_to_api_level_map=codename_to_api_level_map,
no_hashtree=no_hashtree,
apk_keys=apk_keys,
signing_args=signing_args)
elif apex_type == 'COMPRESSED':
return SignCompressedApex(
avbtool,
apex_file,
payload_key=payload_key, payload_key=payload_key,
container_key=container_key, container_key=container_key,
container_pw=None, container_pw=None,

14
tools/releasetools/test_sign_apex.py
View file

@ -57,3 +57,17 @@ class SignApexTest(test_utils.ReleaseToolsTestCase):
False, False,
apk_keys) apk_keys)
self.assertTrue(os.path.exists(signed_test_apex)) self.assertTrue(os.path.exists(signed_test_apex))
@test_utils.SkipIfExternalToolsUnavailable()
def test_SignCompressedApexFile(self):
apex = os.path.join(test_utils.get_current_dir(), 'com.android.apex.compressed.v1.capex')
payload_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key')
container_key = os.path.join(self.testdata_dir, 'testkey')
signed_apex = sign_apex.SignApexFile(
'avbtool',
apex,
payload_key,
container_key,
False,
codename_to_api_level_map={'S': 31})
self.assertTrue(os.path.exists(signed_apex))