Commit graph

18 commits

Author SHA1 Message Date
Thiébaud Weksteen
62865caf1b Revert "Add sign_sepolicy_path for a binary to sign sepolicy.apex."
This reverts commit e0a977affd.

Test: atest --host releasetools_test
Bug: 297794885
Change-Id: I951277e4aa3ae1f90474a1f7a036fc8693453c53
2023-10-18 11:41:25 +11:00
Kelvin Zhang
137807d69d Support container password for apex signing
Some partners need the ability to sign apexes with passwords enabled.

Test: th
Bug: 206007131
Change-Id: I6abb0775031a4c6bf8aaae679f5c7ad8f4cffe46
2022-09-30 09:19:57 -07:00
Melisa Carranza Zuniga
e0a977affd Add sign_sepolicy_path for a binary to sign sepolicy.apex.
Bug: b/217570541
Test: sign_apex --container_key=testdata/testkey
--payload_key=testdata/testkey_RSA4096.key
--codename_to_api_level_map=S:31,T:32,UpsideDownCake:33
-e SEPolicy-33.zip=testdata/testkey com.android.sepolicy.apex
signed_sepolicy.apex

Change-Id: Ifdd1c6e7db07cbc4674450ab0e2226494c98605a
2022-06-27 11:03:26 +02:00
Melisa Carranza Zúñiga
8e3198ace3 Revert "Merge "Adding flags and logic to sign updateable SEPolicy in APEX" am: 77c1dfa6d9 am: 5a0d81a0be am: 54e08307dc"
Test: mma and run sign_apex

This reverts commit 8fe9e3a2c7.

Reason for revert: Updateable SEPolicy is punted.

Change-Id: I28ae2afbb1083e215f4e0a27a9164133cd73dd76
Merged-In: I28ae2afbb1083e215f4e0a27a9164133cd73dd76
2022-06-01 12:01:03 +02:00
Melisa Carranza Zúñiga
da308bf773 Revert "Merge "Adding sepolicy sign params to sign_target_files_apks." am: fb042449e0 am: bd8c313275 am: a2db49becd"
Test: sign_target_files_apks target_files.zip target_out.zip

This reverts commit 6e6c22c70e.

Reason for revert: Updateable SEPolicy is punted.

Change-Id: I99524d13811028a4036aa85c74cf10974fe08165
Merged-In: I99524d13811028a4036aa85c74cf10974fe08165
2022-05-31 09:55:22 +00:00
Melisa Carranza Zuniga
e6d4fb5ae6 Adding sepolicy sign params to sign_target_files_apks.
Bug: b/217570541
Test: sign_target_files_apks --sepolicy_key=build/make/tools/releasetools/testdata/testkey_RSA4096.key
--sepolicy_cert=build/make/tools/releasetools/testdata/testkey.x509.pem target_files.zip target_out.zip
Change-Id: I4ae9f2a3297d10de68c6444dea1cd9996ad9dd11

Change-Id: I4a1ac7009ae0d6bb53c74bd34f8c74f12ea0a3b8
2022-03-21 22:56:33 +00:00
Treehugger Robot
14ec6f4157 Merge "Remove catch + sys.exit idiom" 2022-02-25 00:35:45 +00:00
Melisa Carranza Zuniga
46930d7a85 Adding flags and logic to sign updateable SEPolicy in APEX
Verify with command:
sign_apex --container_key=testdata/testkey
--payload_key=testdata/testkey_RSA4096.key
--sepolicy_key=testdata/testkey_RSA4096.key
--sepolicy_cert=testdata/testkey.x509.pem
$OUT/system/apex/com.android.sepolicy.apex
$OUT/test/sepolicy.apex

Test: mma and run sign_apex
Change-Id: I8cc5bbc09058b57e463b1d40d4953d62e0438389
2022-02-19 00:01:09 +01:00
Kelvin Zhang
07c71ac1b9 Remove catch + sys.exit idiom
This is bad, python already prints exceptino message and exit with
non-zero code when an exception is raised, no need to catch the
exception just to print it. In addition, printing an exception does not
print stacktrace, so catch + sys.exit provide less information than
python's default behavior.

Test: th
Change-Id: If6cf2e34d4ebc9f7d172063b4396bf4377dad447
2022-02-17 21:46:21 -08:00
Baligh Uddin
06cc018629 --sign_tool is an optional flag applicable to virtApex.
For not virtApex, this results in a KeyError.
line 151, in <module>\n', '  File
"/usr/local/google/home/baligh/clients/goog/master/out/host/linux-x86/bin/sign_apex/sign_apex.py",
line 144, in main\n', "KeyError: 'sign_tool'\n"]

BUG: 193504286
Test: TH
Change-Id: Id982e5c57086ada78168163d2293813df121847d
2021-12-24 06:17:47 +00:00
Jooyung Han
0f5a41da56 sign_apex --sign_tool
A new argument is a custom signing tool for APEX contents. When
specified, apex_util invokes the tool with payload's key and payload
directory.

For now, the Virt APEX has its own custom signing tool (sign_virt_apex)
to re-sign filesystem images in it.

Bug: 193504286
Test: atest releasetools_test
Test: m sign_apex sign_virt_apex
Test: sign_apex --sign_tool sign_virt_apex --payload_key ..
  --container_key .. resigned.apex
      adb install resigned.apex
      reboot & vm run-app
Change-Id: Ic4d369c2ba42a8295044a0a75e054dc8def93208
2021-10-27 16:56:22 +09:00
Baligh Uddin
d9fcafd612 Allow passing in codename_to_api_level_map to sign_apex.
BUG: 154517483
Change-Id: I93a90ae066b0e9eeb1b2ff26d9cb9b07a11fe68c
Merged-In: I93a90ae066b0e9eeb1b2ff26d9cb9b07a11fe68c
2020-05-01 13:56:04 +00:00
Tianjie Xu
88a759d651 Resign apks contained in apex
Some apex payload images contain apk files. And these apks need to be
signed during the signing processed when sign_target_files_apks is
called. To support the signing, we can extract the payload and repack
the apex file with the (de)apexer tool. Add the signing support in the
apex_util.

Bug: 146508800
Test: unit tests pass, run sign_apex, sign_target_files_apks
Change-Id: If6d58975248709a144b07dbabf47c27916e5695e
2020-01-27 19:48:39 +00:00
Baligh Uddin
ac936fd573 Fix syntax error for SignApexFile
BUG: 145662097
TEST: Local smoke test which invokes sign_apex for local apex files.
2019-12-04 08:30:32 -08:00
Tao Bao
448004af9d Don't generate hashtree when signing bundled APEXes.
Bug: 139957269
Test: Sign a target_files.zip. Extract a re-signed APEX and check the
      hashtree size (being zero).
Test: Use sign_apex to sign an APEX file. Check the hashtree size (not
      being zero).
Test: python -m unittest test_apex_utils
Test: python -m unittest test_sign_apex
Change-Id: I927b7681d66920d7732b700ec3a8f7a65b4cb351
2019-09-19 14:41:34 -07:00
Tao Bao
1ac886e181 releasetools: Prefer the avbtool specified in target_files.
This allows a consistent logic in using the avbtool which could be
board-specific.

Test: `atest releasetools_test`
Test: Run sign_target_files_apks.py on a target_files.zip.
Change-Id: I8cd93b8e71146985734f85c31f4662f5e2e9534c
2019-06-26 17:18:48 -07:00
Tao Bao
c9c1b864ba releasetools: Add sanity test for sign_apex.
This ensures a matching interface between sign_apex and apex_utils.

The test apex `testdata/foo.apex` is generated by running
`system/apex/apexer/runtests.sh`.

Test: python -m unittest test_sign_apex
Test: atest releasetools_test
Change-Id: I7c14b1df2a3038ad206aa3e5aac084c47baaa00b
2019-06-26 17:17:09 -07:00
Tao Bao
e7354ba447 Add sign_apex.py that signs a given APEX file.
This CL moves SignApex() from sign_target_files_apks into apex_utils,
and adds sign_apex that allows signing a standalone APEX file directly.

Test: Run the following command and check the output file.
$ build/make/tools/releasetools/sign_apex.py \
     -v \
     --container_key \
         build/make/target/product/security/testkey.x509.pem \
     --payload_key external/avb/test/data/testkey_rsa4096.pem \
     --payload_extra_args \
         "--signing_helper_with_files ./signing-helper.sh" \
     foo.apex \
     signed-foo.apex
Test: Run sign_target_files_apks.py on crosshatch target_files.zip.
Change-Id: I4b2422fd5cb1c60a3aa94511475e2a0e5b1666ca
2019-05-13 12:41:26 -07:00