From c6ebe9fcd7ca0c991f5ae0e711a251959d0d41f4 Mon Sep 17 00:00:00 2001
From: Alex Deymo
Date: Wed, 3 Aug 2016 20:52:54 -0700
Subject: [PATCH 1/2] Install the update-payload-key in the recovery image as well.

The update-payload-key is required to verify the contents of the OTA in recovery while sideloading an update.
Bug: 27178350
TEST=`make` builds a boot.img with the payload key in recovery.
Change-Id: I04616979023b84aa4a1feb6916db2b2725b25c54
---
 core/Makefile | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/core/Makefile b/core/Makefile
index a071302e1f..d6dae0ab8d 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -767,6 +767,10 @@ $(TARGET_OUT_ETC)/update_engine/update-payload-key.pub.pem: $(addsuffix .x509.pe
 $(hide) rm -f $@
 $(hide) mkdir -p $(dir $@)
 $(hide) openssl x509 -pubkey -noout -in $< > $@
+
+ALL_DEFAULT_INSTALLED_MODULES += $(TARGET_RECOVERY_ROOT_OUT)/etc/update_engine/update-payload-key.pub.pem
+$(TARGET_RECOVERY_ROOT_OUT)/etc/update_engine/update-payload-key.pub.pem: $(TARGET_OUT_ETC)/update_engine/update-payload-key.pub.pem
+ $(hide) cp -f $< $@
 endif
 endif
From b3e8ce6d1d936cddb6eb4a5052de8ed7ba85d68e Mon Sep 17 00:00:00 2001
From: Alex Deymo
Date: Thu, 4 Aug 2016 16:06:12 -0700
Subject: [PATCH 2/2] Replace OTA sideload verification key when signing A/B devices.

The update-payload-key is used by update_engine_sideload from recovery to verify an update payload.
Bug: 27178350
Change-Id: I7a0a307ae565e5e9cbf2c9b58fbcc055e87771ce
---
 tools/releasetools/sign_target_files_apks.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index b11225c180..3ab4a2c1d7 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
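Review bot: The added rule for `$(TARGET_RECOVERY_ROOT_OUT)/etc/update_engine/update-payload-key.pub.pem` in core/Makefile runs `cp -f $< $@` without first creating the target directory, while the rule directly above it runs `mkdir -p $(dir $@)` before writing its output. Unless another rule has already created that directory in the recovery root, the copy fails on a clean tree; adding `$(hide) mkdir -p $(dir $@)` ahead of the `cp` makes the rule self-contained. The file copied here is the key that recovery trusts when sideloading, and it is extracted from a certificate named on a prerequisite line that is cut off in the hunk header, so a comment such as `# Build-time key only; replaced at release signing.` would record that dependency. The enclosing conditionals (the two `endif` lines) open outside the hunk.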
@@ -255,6 +255,7 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
 elif (OPTIONS.replace_ota_keys and
 info.filename in (
 "BOOT/RAMDISK/res/keys",
+ "BOOT/RAMDISK/etc/update_engine/update-payload-key.pub.pem",
 "RECOVERY/RAMDISK/res/keys",
 "SYSTEM/etc/security/otacerts.zip",
 "SYSTEM/etc/update_engine/update-payload-key.pub.pem")):
@@ -510,6 +511,10 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
 output_tf_zip,
 "SYSTEM/etc/update_engine/update-payload-key.pub.pem",
 pubkey)
+ common.ZipWriteStr(
+ output_tf_zip,
+ "BOOT/RAMDISK/etc/update_engine/update-payload-key.pub.pem",
+ pubkey)
 return new_recovery_keys
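Review bot: The skip list in ProcessTargetFiles gains only the `BOOT/RAMDISK/...` copy of the payload key, and the second hunk (ReplaceOtaKeys) likewise writes only that path, while the first patch installs the key under `$(TARGET_RECOVERY_ROOT_OUT)`. If any target packages that directory as `RECOVERY/RAMDISK/` in its target-files (not visible here), the entry `RECOVERY/RAMDISK/etc/update_engine/update-payload-key.pub.pem` would not match this branch, and the signed build would presumably keep the build-time key as its sideload trust anchor. Either handle that path alongside `RECOVERY/RAMDISK/res/keys`, or, if it is the invariant, state it in a comment above the new line such as `# A/B recovery lives in the boot ramdisk; there is no RECOVERY/ copy of this key.` The `elif` chain starts and ends outside the hunk.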
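Review bot: The path literal `"BOOT/RAMDISK/etc/update_engine/update-payload-key.pub.pem"` added to this `common.ZipWriteStr` call in ReplaceOtaKeys has to stay identical to the one added to the skip list in ProcessTargetFiles (first hunk); if the two drift, the output zip either drops the key or carries two entries of the same name (assuming unlisted entries are copied through). Defining the SYSTEM and BOOT paths once at module level and using those names in both places would remove that risk. A one-line comment above the call, for example `# update_engine_sideload in recovery verifies payloads against this copy.`, would also explain why the same `pubkey` is written twice. How `pubkey` is derived, and which condition guards these writes, lies outside the hunk.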