Commit graph

10 commits

Author SHA1 Message Date
Tao Bao
6d9e3da5f9 releasetools: Remove the sanity check on APEX payload key names.
Unlike container keys/certs, we'll always carry full names for APEX
payload signing keys.

Test: Run sign_target_files_apks.py on a target_files.zip with
      mismatching payload signing keys (e.g. shim apexes).
Test: `python -m unittest test_sign_target_files_apks`
Change-Id: Ifa329478f43b4f5ae665821564dbc14af7841330
2019-03-26 13:05:46 -07:00
Tao Bao
e134399cab releasetools: Allow skipping PRESIGNED APEXes.
This CL adds support that allows treating an APEX as pre-signed. We can
skip signing an APEX with `-e <apex-name>=` and
`--extra_apex_payload_key <apex-name>=`. Note that the payload_key and
container_key must be in consistent state - either they're both
PRESIGNED or none of them is. CheckApkAndApexKeysAvailable() has been
updated to perform the sanity check.

Bug: 123716522
Test: Run sign_target_files_apks.py with the above flags.
Test: python -m unittest test_sign_target_files_apks
Change-Id: Id1e2f3f2facd4a97a385983cc9b78c028f7e7e73
2019-03-19 12:25:02 -07:00
Tao Bao
aa7e993a22 releasetools: Support signing APEXes.
Bug: 123716522
Test: Run sign_target_files_apks.py to sign a target_files with APEXes.
Test: Run check_target_files_signatures.py on signed artifact.
Test: python -m unittest test_sign_target_files_apks
Change-Id: I3fa13e3d9461cf5e0838e0572d436e218164fe41
2019-03-15 22:15:51 -07:00
Tao Bao
65b94e92be releasetools: Add a common base class for unittests.
All the releasetools unittests extend the common base class of
test_utils.ReleaseToolsTestCase. Define tearDown() in the base class to
do the clean-up works.

Test: `pylint --rcfile=pylintrc test_*.py`
Test: `python -m unittest discover .`
Change-Id: I51775d964ef032dcdf3bb89c55e1a31371cde708
2018-10-11 23:01:09 -07:00
Tao Bao
93c2a01268 releasetools: Skip signing APKs with given prefixes.
We may pack prebuilts that end with ".apk" into target_files zip, via
PRODUCT_COPY_FILES. META/apkcerts.txt won't contain the cert info for
such files, and we want to keep them as is while signing, despite of the
".apk" extension.

This CL adds "--skip_apks_with_path_prefix" option to
sign_target_files_apks.py. APKs with matching prefixes will be copied
verbatim into the signed images. The prefix should match the entry names
in the target_files (e.g. "SYSTEM_OTHER/preloads/"). The option may be
repeated to specify multiple prefixes.

Note that although we may skip signing an APK file with "-e ApkName=".
This would skip *all* the APK files with the matching basename.
"--skip_apks_with_path_prefix" allows matching the exact prefix.

For example:
$ ./build/make/tools/releasetools/sign_target_files_apks.py     \
    --skip_apks_with_path_prefix SYSTEM_OTHER/preloads/         \
    --skip_apks_with_path_prefix PRODUCT/prebuilts/PrebuiltApp1 \
    --skip_apks_with_path_prefix VENDOR/app/PrebuiltApp2.apk    \
    target_files.zip                                            \
    signed-target_files.zip

Bug: 110201128
Test: Run the command above and check the logs.
Test: `python -m unittest test_sign_target_files_apks`
Change-Id: I7bd80b360917cef137cf1e7e8cfa796968831f47
2018-06-20 13:49:57 -07:00
Tao Bao
11f955c506 releasetools: Factor out the check for (compressed) APK file.
Test: Run sign_target_files.py to sign a target_files.zip.
Test: `python -m unittest test_sign_target_files_apks`
Change-Id: Ie795d1bce7bae6af427832283e3d10bfecad80c5
2018-06-19 14:50:23 -07:00
Tao Bao
66472637ad releasetools: Check for duplicate entries in ReplaceCerts().
testdata/{media,platform}.x509.pem files are copied from
build/target/product/security/.

Fixes: 69479366
Test: python -m unittest test_sign_target_files_apks
Change-Id: I8ba42b6f5b5432ee4b8786b241daff11db792c14
2018-02-20 10:22:30 -08:00
Tao Bao
de1d479ace releasetools: Clean up test_sign_target_files_apks.py.
Since we have been carrying test certificates in testdata/ for other
tests, do the same for test_sign_target_files_apks.py. Copy
verity.x509.pem from build/target/product/security/ to testdata/ for
that purpose.

Also capture the stderr output in ReplaceVerityKeyId().

Test: python -m unittest test_sign_target_files_apks
Change-Id: Ie11e042086952e8a4a5a63950cb0b16cc436b7e6
2018-02-20 10:12:15 -08:00
Tao Bao
e838d1446c releasetools: Clean up ReplaceVerityKeyId and add tests.
Test: python -m unittest test_sign_target_files_apks
Test: Run sign_target_files_apks.py on marlin target_files.zip.
Change-Id: Ic3c3f4f14c73f8f8e48a8341e024e0861e665989
2018-01-02 12:29:31 -08:00
Tao Bao
a7054eede1 releasetools: Fix the tag replacement for ro.build.vendor.fingerprint.
For devices using derived fingerprint (i.e. /system/build.prop doesn't
contain ro.build.fingerprint, but has ro.build.thumbprint instead), the
current code (in android.os.Build) doesn't have a matching logic to do
the same for ro.vendor.build.fingerprint. This means we will see
ro.build.thumbprint in /system/build.prop, while there's no matching
ro.vendor.build.thumbprint in /vendor/build.prop.

From signing script point of view, it should just apply the tag
replacement (e.g. test-keys -> release-keys) for whatever it sees when
signing a target_files.zip.

This CL also adds unit tests for EditTags() and RewriteProps().

Fixes: 27950003
Test: Use 'sign_target_files_apks.py' to sign a target that uses derived
      fingerprint and vendor partition. Check VENDOR/build.prop.
Test: python -m unittest test_sign_target_files_apks
Change-Id: I09019da970840cd82f54b68a32b4e94984bc1d8d
2017-12-08 15:19:47 -08:00