Commit graph

17 commits

Author SHA1 Message Date
Tianjie
a9a50cf6e3 Use apksigner in check_target_files_signatures
Some apk files, e.g. Chrome.apk has switched to use v2+ scheme.
And the apk file no longer has a META-INF/CERT.RSA. So, the
signature parsing script should use apksigner to dump the cert
info.

Leave the parsing of META-INF/CERT.RSA as a fallback, as some apks
fail the `apksigner verify`. The script also switches to store the
digest of the cert instead of the raw bytes.

Bug: 157735036
Test: run check_target_files_signatures on aosp|signed target-files

Change-Id: I910cd1aa91d1e446bef7097871af4171c285685d
2020-07-14 17:23:07 -07:00
changho.shin
0f12536e6b Switch to aapt2 for getting minSdkVersion
aapt does not support parsing some referencing attributes.
Switch to latest tool, aapt2, which works better.

Test: aapt2 dump badging test.apk and returned 0.
Test: Run check_target_files_signatures.py with a target_files.zip.
Test: Run sign_target_files_apks.py with a target_files.zip.
Change-Id: Ib3a4740506f29ebab6930767f2aa8a0b5c4ba053
2019-07-19 20:26:42 +00:00
Tao Bao
a67e12d66f releasetools: Clean up check_target_files_signatures.py.
And make it Python 3 compatibile.

Bug: 131631303
Test: python check_target_files_signatures.py target-files.zip
Test: python3 check_target_files_signatures.py target-files.zip
Change-Id: I38e868c3124387f5543ad68c92c75917e40b7d8f
2019-06-27 10:24:10 -07:00
Tao Bao
359862db12 Revert^2 "releasetools: check_target_files_signatures.py checks APEXes."
This reverts commit 5516d37f41.

The previous issue in unzipping non-matching files has been addressed
with commit a49054ca2f2959f50f3188914ec0faebc90ebcbe. This CL rolls
forward to allow dumping container certifcates for APEXes.

Bug: 128848294
Test: Run check_target_files_signatures.py on target_files.zips w/ and
      w/o APEX files.
Change-Id: I662aab3d96fc40ac8e5e206e32b73ac763220b70
2019-03-20 12:40:34 -07:00
Tao Bao
5516d37f41 Revert "releasetools: check_target_files_signatures.py checks APEXes."
This reverts commit d8469727bc. The script
is broken on target_files.zip that don't contain any APEX.

Bug: 128848294
Test: Run check_target_files_signatures.py on target_files.zip w/o APEX.
2019-03-19 09:30:08 -07:00
Tao Bao
d8469727bc releasetools: check_target_files_signatures.py checks APEXes.
Only the container certs will be checked and reported. For the payload
within an APEX, we can't easily extract the cert info.

It needs to go along a longer path, if ever needed, by:
 - extracting public keys from all the available certs;
 - using each of them to verify against an APEX payload to find a match
   (`avbtool verify_image --image payload --key public_key`).

Bug: 123716522
Test: Run check_target_files_signatures.py on target_files with APEXes.
Change-Id: I2ef318e05433d2d65ab84e2dff9e01fb6ee3373d
2019-03-15 20:56:13 -07:00
Tao Bao
badceb2d60 releasetools: Initalize logger when signing.
Other modules have switched to logging module. sign_target_files_apks.py
needs to init the logger to get the logs.

Test: Run `sign_target_files_apks.py -v`. Check outputs.
Test: Run `check_target_files_signatures.py -v`.
Change-Id: Ic68c019f6fb14840561885f1194ad6efdfdb7d82
2019-03-15 09:53:00 -07:00
Tao Bao
767543a659 releasetools: Call Cleanup() in check_target_files_signatures.py.
Also minor cleanups to make it pylint clean.

Test: Run check_target_files_signatures.py with a target-files.zip.
Test: pylint --rcfile=pylintrc check_target_files_signatures.py
Change-Id: Ife3b54c7805c2f2562e87e91ab4b4de355782012
2018-03-01 10:12:39 -08:00
Tao Bao
dba59eeabd releasetools: Don't return ZipFile from common.UnzipTemp().
In addition to the unzipping work, common.UnzipTemp() kindly bundles an
open ZipFile object as part of the return value. It doesn't look very
helpful to the callers though. It also looks less obvious that the
caller needs to properly close the handle (missing the close here is
benign though). This CL just removes the ZipFile object out of the
return value, and leaves the work to callers.

Test: `m dist` on both of A/B and non-A/B target.
Test: python -m unittest test_add_img_to_target_files
Test: python -m unittest test_common
Test: python -m unittest test_ota_from_target_files
Test: Check the callers to common.UnzipTemp() in code search.
Change-Id: Id47da3fd42a0e76d6ae8851f05780db319ee48cf
2018-03-01 10:03:31 -08:00
Tao Bao
d32e78fd3c releasetools: Add a note for the ZipInfo._decodeExtra() workaround.
Test: N/A
Change-Id: I9e84fc27230182f17c2fda0df57a2c149281dcda
2018-01-17 10:10:00 -08:00
Narayan Kamath
a07bf049b9 releasetools: Add support for compressed APKs.
Compressed APKs can be identified by a "compressed=<ext>" entry in
the apkcerts.txt file. When we encounter such an entry, we need to
decompress the file to a temporary location before we process its
certs. When we're signing, we should also recompress the package
after it's signed.

Bug: 64531948
Test: ./build/tools/releasetools/check_target_files_signatures.py
Test: ./build/tools/releasetools/sign_target_files_apks.py
Test: compared signed output before / after this change, verify that
      it's bitwise identical when no compressed APKs are present.

Change-Id: Id32e52f9c11023955330c113117daaf6b73bd8c2
2017-08-21 13:21:20 +01:00
Tao Bao
6b0b2f9db0 Revert "Revert "releasetools: Use pattern filter when unzipping.""
This reverts commit a7316ce094.

This CL differs from the original CL by not unzipping RADIO/*. This is
because: a) AOSP targets don't have RADIO/ entries in the TF.zip; b)
we're not using the unzipped RADIO files (but reading them from the zip
files directly) - checked all the device-specific releasetools for
angler, bullhead, ryu, shamu, volantis, fugu, marlin and sailfish.

Test: `m dist` with AOSP targets (tested fugu and bullhead).
Change-Id: I4d0c67214ddd6202fc27c71bb79f52b5f4d40c64
2017-03-05 13:11:42 -08:00
Tao Bao
a7316ce094 Revert "releasetools: Use pattern filter when unzipping."
This reverts commit aa3a04f19d.

Reason for revert: Some AOSP targets don't include RADIO/ in the TF.zip. We may possibly skip unzipping RADIO/, or by always creating a dummy RADIO folder in TF.zip. Revert this CL for now.

Change-Id: I8e90d322706a4fe82129bdfab5ffa1eab989c648
2017-03-05 17:43:33 +00:00
Tao Bao
aa3a04f19d releasetools: Use pattern filter when unzipping.
When building BBOTAs, it only needs *some* unzipped entries in the given
target_files zip(s). In particular, it needs 'IMAGES/*', 'META/*',
'RADIO/*'. (It also reads 'SYSTEM/build.prop' and 'OTA/bin/updater', but
directly from the zip file.)

This CL specifies the entries to unzip. It saves the I/O cost, as well as
the temporary storage.

Test: ota_from_target_files.py gives the same package w/ and w/o the CL.
Test: check_target_files_signatures.py still works.
Change-Id: I728428aa0e138879e49f9efbdb46a85892fc7038
2017-03-03 16:38:17 -08:00
Tao Bao
6a54299fbd Handle multiple APKs from the same package in check_target_files_signatures.py.
We were using the package name as the key to index APKs. APKs from the
same package got messed up and gave wrong signature summary. Switch to
using the package filename as the key, which is identical in a given build.

Also fix the trailing space when printing the signature summary.

Bug: 30418268
Test: Run with a target_files.zip that has multiple APKs from the same package.

Change-Id: I6317e8c05e987c5690915e05c294153d10e2f0ab
2016-07-27 19:52:28 -07:00
Tao Bao
726b7f338f Fix the broken signing script
check_target_files_signatures.py was accidentally broken due to the
renaming of a variable in last commit. It escaped the checking from
pylint because it was a keyword ('all').

Bug: 21611858
Change-Id: I58c983e59c4a3e0018481d3c9ba328ed76f5c08a
2015-06-03 17:36:12 -07:00
Dan Albert
8b72aefb5a Make releasetools pylint clean.
This caught a few bugs/syntax errors (a few character classes were not
escaped properly in regex patterns, some indentation was illegal,
etc).

Change-Id: I50637607524e68c4fb9cad7167f58a46b8d26b2c
2015-03-24 11:05:16 -07:00