Add flags to override all apex/apk keys

Currently, if we want to override all apex/apk key, we must specify all apk/apex names exhaustively. This causes CLI arguments to be very long and sometimes exceeds OS's limit. Test: run signing test locally on build 8862875 on git_master Bug: 239991438 Change-Id: Idbd3b7eef9b2a27236f4ca7a27449fcdf0d2dd3f
2022-08-01 15:58:51 -07:00 · 2022-08-01 15:58:51 -07:00 · e50bb51fa9
commit e50bb51fa9
parent 1fabb2a942
1 changed files with 27 additions and 0 deletions
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@ -141,6 +141,12 @@ Usage:  sign_target_files_apks [flags] input_target_files output_target_files
      Allow the existence of the file 'userdebug_plat_sepolicy.cil' under
      (/system/system_ext|/system_ext)/etc/selinux.
      If not set, error out when the file exists.
+
+  --override_apk_keys <path>
+      Replace all APK keys with this private key
+
+  --override_apex_keys <path>
+      Replace all APEX keys with this private key
 """

 from __future__ import print_function
@ -197,6 +203,8 @@ OPTIONS.android_jar_path = None
 OPTIONS.vendor_partitions = set()
 OPTIONS.vendor_otatools = None
 OPTIONS.allow_gsi_debug_sepolicy = False
+OPTIONS.override_apk_keys = None
+OPTIONS.override_apex_keys = None


 AVB_FOOTER_ARGS_BY_PARTITION = {
@ -245,6 +253,10 @@ def GetApexFilename(filename):


 def GetApkCerts(certmap):
+  if OPTIONS.override_apk_keys is not None:
+    for apk in certmap.keys():
+      certmap[apk] = OPTIONS.override_apk_keys
+
  # apply the key remapping to the contents of the file
  for apk, cert in certmap.items():
    certmap[apk] = OPTIONS.key_map.get(cert, cert)
@ -275,6 +287,15 @@ def GetApexKeys(keys_info, key_map):
  Raises:
    AssertionError: On invalid container / payload key overrides.
  """
+  if OPTIONS.override_apex_keys is not None:
+    for apex in keys_info.keys():
+      keys_info[apex] = (OPTIONS.override_apex_keys, keys_info[apex][1], keys_info[apex][2])
+
+  if OPTIONS.override_apk_keys is not None:
+    key = key_map.get(OPTIONS.override_apk_keys, OPTIONS.override_apk_keys)
+    for apex in keys_info.keys():
+      keys_info[apex] = (keys_info[apex][0], key, keys_info[apex][2])
+
  # Apply all the --extra_apex_payload_key options to override the payload
  # signing keys in the given keys_info.
  for apex, key in OPTIONS.extra_apex_payload_keys.items():
@ -1485,6 +1506,10 @@ def main(argv):
      OPTIONS.vendor_partitions = set(a.split(","))
    elif o == "--allow_gsi_debug_sepolicy":
      OPTIONS.allow_gsi_debug_sepolicy = True
+    elif o == "--override_apk_keys":
+      OPTIONS.override_apk_keys = a
+    elif o == "--override_apex_keys":
+      OPTIONS.override_apex_keys = a
    else:
      return False
    return True
@ -1538,6 +1563,8 @@ def main(argv):
          "vendor_partitions=",
          "vendor_otatools=",
          "allow_gsi_debug_sepolicy",
+          "override_apk_keys=",
+          "override_apex_keys=",
      ],
      extra_option_handler=option_handler)