93c2a01268
We may pack prebuilts that end with ".apk" into target_files zip, via PRODUCT_COPY_FILES. META/apkcerts.txt won't contain the cert info for such files, and we want to keep them as is while signing, despite of the ".apk" extension. This CL adds "--skip_apks_with_path_prefix" option to sign_target_files_apks.py. APKs with matching prefixes will be copied verbatim into the signed images. The prefix should match the entry names in the target_files (e.g. "SYSTEM_OTHER/preloads/"). The option may be repeated to specify multiple prefixes. Note that although we may skip signing an APK file with "-e ApkName=". This would skip *all* the APK files with the matching basename. "--skip_apks_with_path_prefix" allows matching the exact prefix. For example: $ ./build/make/tools/releasetools/sign_target_files_apks.py \ --skip_apks_with_path_prefix SYSTEM_OTHER/preloads/ \ --skip_apks_with_path_prefix PRODUCT/prebuilts/PrebuiltApp1 \ --skip_apks_with_path_prefix VENDOR/app/PrebuiltApp2.apk \ target_files.zip \ signed-target_files.zip Bug: 110201128 Test: Run the command above and check the logs. Test: `python -m unittest test_sign_target_files_apks` Change-Id: I7bd80b360917cef137cf1e7e8cfa796968831f47
352 lines
13 KiB
Python
352 lines
13 KiB
Python
#
|
|
# Copyright (C) 2017 The Android Open Source Project
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
|
|
from __future__ import print_function
|
|
|
|
import base64
|
|
import os.path
|
|
import unittest
|
|
import zipfile
|
|
|
|
import common
|
|
import test_utils
|
|
from sign_target_files_apks import (
|
|
CheckAllApksSigned, EditTags, GetApkFileInfo, ReplaceCerts,
|
|
ReplaceVerityKeyId, RewriteProps)
|
|
|
|
|
|
class SignTargetFilesApksTest(unittest.TestCase):
|
|
|
|
MAC_PERMISSIONS_XML = """<?xml version="1.0" encoding="iso-8859-1"?>
|
|
<policy>
|
|
<signer signature="{}"><seinfo value="platform"/></signer>
|
|
<signer signature="{}"><seinfo value="media"/></signer>
|
|
</policy>"""
|
|
|
|
def setUp(self):
|
|
self.testdata_dir = test_utils.get_testdata_dir()
|
|
|
|
def tearDown(self):
|
|
common.Cleanup()
|
|
|
|
def test_EditTags(self):
|
|
self.assertEqual(EditTags('dev-keys'), ('release-keys'))
|
|
self.assertEqual(EditTags('test-keys'), ('release-keys'))
|
|
|
|
# Multiple tags.
|
|
self.assertEqual(EditTags('abc,dev-keys,xyz'), ('abc,release-keys,xyz'))
|
|
|
|
# Tags are sorted.
|
|
self.assertEqual(EditTags('xyz,abc,dev-keys,xyz'), ('abc,release-keys,xyz'))
|
|
|
|
def test_RewriteProps(self):
|
|
props = (
|
|
('', '\n'),
|
|
('ro.build.fingerprint=foo/bar/dev-keys',
|
|
'ro.build.fingerprint=foo/bar/release-keys\n'),
|
|
('ro.build.thumbprint=foo/bar/dev-keys',
|
|
'ro.build.thumbprint=foo/bar/release-keys\n'),
|
|
('ro.vendor.build.fingerprint=foo/bar/dev-keys',
|
|
'ro.vendor.build.fingerprint=foo/bar/release-keys\n'),
|
|
('ro.vendor.build.thumbprint=foo/bar/dev-keys',
|
|
'ro.vendor.build.thumbprint=foo/bar/release-keys\n'),
|
|
('# comment line 1', '# comment line 1\n'),
|
|
('ro.bootimage.build.fingerprint=foo/bar/dev-keys',
|
|
'ro.bootimage.build.fingerprint=foo/bar/release-keys\n'),
|
|
('ro.build.description='
|
|
'sailfish-user 8.0.0 OPR6.170623.012 4283428 dev-keys',
|
|
'ro.build.description='
|
|
'sailfish-user 8.0.0 OPR6.170623.012 4283428 release-keys\n'),
|
|
('ro.build.tags=dev-keys', 'ro.build.tags=release-keys\n'),
|
|
('# comment line 2', '# comment line 2\n'),
|
|
('ro.build.display.id=OPR6.170623.012 dev-keys',
|
|
'ro.build.display.id=OPR6.170623.012\n'),
|
|
('# comment line 3', '# comment line 3\n'),
|
|
)
|
|
|
|
# Assert the case for each individual line.
|
|
for prop, output in props:
|
|
self.assertEqual(RewriteProps(prop), output)
|
|
|
|
# Concatenate all the input lines.
|
|
self.assertEqual(RewriteProps('\n'.join([prop[0] for prop in props])),
|
|
''.join([prop[1] for prop in props]))
|
|
|
|
def test_ReplaceVerityKeyId(self):
|
|
BOOT_CMDLINE1 = (
|
|
"console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 "
|
|
"androidboot.hardware=marlin user_debug=31 ehci-hcd.park=3 "
|
|
"lpm_levels.sleep_disabled=1 cma=32M@0-0xffffffff loop.max_part=7 "
|
|
"buildvariant=userdebug "
|
|
"veritykeyid=id:7e4333f9bba00adfe0ede979e28ed1920492b40f\n")
|
|
|
|
BOOT_CMDLINE2 = (
|
|
"console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 "
|
|
"androidboot.hardware=marlin user_debug=31 ehci-hcd.park=3 "
|
|
"lpm_levels.sleep_disabled=1 cma=32M@0-0xffffffff loop.max_part=7 "
|
|
"buildvariant=userdebug "
|
|
"veritykeyid=id:d24f2590e9abab5cff5f59da4c4f0366e3f43e94\n")
|
|
|
|
input_file = common.MakeTempFile(suffix='.zip')
|
|
with zipfile.ZipFile(input_file, 'w') as input_zip:
|
|
input_zip.writestr('BOOT/cmdline', BOOT_CMDLINE1)
|
|
|
|
# Test with the first certificate.
|
|
cert_file = os.path.join(self.testdata_dir, 'verity.x509.pem')
|
|
|
|
output_file = common.MakeTempFile(suffix='.zip')
|
|
with zipfile.ZipFile(input_file, 'r') as input_zip, \
|
|
zipfile.ZipFile(output_file, 'w') as output_zip:
|
|
ReplaceVerityKeyId(input_zip, output_zip, cert_file)
|
|
|
|
with zipfile.ZipFile(output_file) as output_zip:
|
|
self.assertEqual(BOOT_CMDLINE1, output_zip.read('BOOT/cmdline'))
|
|
|
|
# Test with the second certificate.
|
|
cert_file = os.path.join(self.testdata_dir, 'testkey.x509.pem')
|
|
|
|
with zipfile.ZipFile(input_file, 'r') as input_zip, \
|
|
zipfile.ZipFile(output_file, 'w') as output_zip:
|
|
ReplaceVerityKeyId(input_zip, output_zip, cert_file)
|
|
|
|
with zipfile.ZipFile(output_file) as output_zip:
|
|
self.assertEqual(BOOT_CMDLINE2, output_zip.read('BOOT/cmdline'))
|
|
|
|
def test_ReplaceVerityKeyId_no_veritykeyid(self):
|
|
BOOT_CMDLINE = (
|
|
"console=ttyHSL0,115200,n8 androidboot.hardware=bullhead boot_cpus=0-5 "
|
|
"lpm_levels.sleep_disabled=1 msm_poweroff.download_mode=0 "
|
|
"loop.max_part=7\n")
|
|
|
|
input_file = common.MakeTempFile(suffix='.zip')
|
|
with zipfile.ZipFile(input_file, 'w') as input_zip:
|
|
input_zip.writestr('BOOT/cmdline', BOOT_CMDLINE)
|
|
|
|
output_file = common.MakeTempFile(suffix='.zip')
|
|
with zipfile.ZipFile(input_file, 'r') as input_zip, \
|
|
zipfile.ZipFile(output_file, 'w') as output_zip:
|
|
ReplaceVerityKeyId(input_zip, output_zip, None)
|
|
|
|
with zipfile.ZipFile(output_file) as output_zip:
|
|
self.assertEqual(BOOT_CMDLINE, output_zip.read('BOOT/cmdline'))
|
|
|
|
def test_ReplaceCerts(self):
|
|
cert1_path = os.path.join(self.testdata_dir, 'platform.x509.pem')
|
|
with open(cert1_path) as cert1_fp:
|
|
cert1 = cert1_fp.read()
|
|
cert2_path = os.path.join(self.testdata_dir, 'media.x509.pem')
|
|
with open(cert2_path) as cert2_fp:
|
|
cert2 = cert2_fp.read()
|
|
cert3_path = os.path.join(self.testdata_dir, 'testkey.x509.pem')
|
|
with open(cert3_path) as cert3_fp:
|
|
cert3 = cert3_fp.read()
|
|
|
|
# Replace cert1 with cert3.
|
|
input_xml = self.MAC_PERMISSIONS_XML.format(
|
|
base64.b16encode(common.ParseCertificate(cert1)).lower(),
|
|
base64.b16encode(common.ParseCertificate(cert2)).lower())
|
|
|
|
output_xml = self.MAC_PERMISSIONS_XML.format(
|
|
base64.b16encode(common.ParseCertificate(cert3)).lower(),
|
|
base64.b16encode(common.ParseCertificate(cert2)).lower())
|
|
|
|
common.OPTIONS.key_map = {
|
|
cert1_path[:-9] : cert3_path[:-9],
|
|
}
|
|
|
|
self.assertEqual(output_xml, ReplaceCerts(input_xml))
|
|
|
|
def test_ReplaceCerts_duplicateEntries(self):
|
|
cert1_path = os.path.join(self.testdata_dir, 'platform.x509.pem')
|
|
with open(cert1_path) as cert1_fp:
|
|
cert1 = cert1_fp.read()
|
|
cert2_path = os.path.join(self.testdata_dir, 'media.x509.pem')
|
|
with open(cert2_path) as cert2_fp:
|
|
cert2 = cert2_fp.read()
|
|
|
|
# Replace cert1 with cert2, which leads to duplicate entries.
|
|
input_xml = self.MAC_PERMISSIONS_XML.format(
|
|
base64.b16encode(common.ParseCertificate(cert1)).lower(),
|
|
base64.b16encode(common.ParseCertificate(cert2)).lower())
|
|
|
|
common.OPTIONS.key_map = {
|
|
cert1_path[:-9] : cert2_path[:-9],
|
|
}
|
|
self.assertRaises(AssertionError, ReplaceCerts, input_xml)
|
|
|
|
def test_ReplaceCerts_skipNonExistentCerts(self):
|
|
cert1_path = os.path.join(self.testdata_dir, 'platform.x509.pem')
|
|
with open(cert1_path) as cert1_fp:
|
|
cert1 = cert1_fp.read()
|
|
cert2_path = os.path.join(self.testdata_dir, 'media.x509.pem')
|
|
with open(cert2_path) as cert2_fp:
|
|
cert2 = cert2_fp.read()
|
|
cert3_path = os.path.join(self.testdata_dir, 'testkey.x509.pem')
|
|
with open(cert3_path) as cert3_fp:
|
|
cert3 = cert3_fp.read()
|
|
|
|
input_xml = self.MAC_PERMISSIONS_XML.format(
|
|
base64.b16encode(common.ParseCertificate(cert1)).lower(),
|
|
base64.b16encode(common.ParseCertificate(cert2)).lower())
|
|
|
|
output_xml = self.MAC_PERMISSIONS_XML.format(
|
|
base64.b16encode(common.ParseCertificate(cert3)).lower(),
|
|
base64.b16encode(common.ParseCertificate(cert2)).lower())
|
|
|
|
common.OPTIONS.key_map = {
|
|
cert1_path[:-9] : cert3_path[:-9],
|
|
'non-existent' : cert3_path[:-9],
|
|
cert2_path[:-9] : 'non-existent',
|
|
}
|
|
self.assertEqual(output_xml, ReplaceCerts(input_xml))
|
|
|
|
def test_CheckAllApksSigned(self):
|
|
input_file = common.MakeTempFile(suffix='.zip')
|
|
with zipfile.ZipFile(input_file, 'w') as input_zip:
|
|
input_zip.writestr('SYSTEM/app/App1.apk', "App1-content")
|
|
input_zip.writestr('SYSTEM/app/App2.apk.gz', "App2-content")
|
|
|
|
apk_key_map = {
|
|
'App1.apk' : 'key1',
|
|
'App2.apk' : 'key2',
|
|
'App3.apk' : 'key3',
|
|
}
|
|
with zipfile.ZipFile(input_file) as input_zip:
|
|
CheckAllApksSigned(input_zip, apk_key_map, None)
|
|
CheckAllApksSigned(input_zip, apk_key_map, '.gz')
|
|
|
|
# 'App2.apk.gz' won't be considered as an APK.
|
|
CheckAllApksSigned(input_zip, apk_key_map, None)
|
|
CheckAllApksSigned(input_zip, apk_key_map, '.xz')
|
|
|
|
del apk_key_map['App2.apk']
|
|
self.assertRaises(
|
|
AssertionError, CheckAllApksSigned, input_zip, apk_key_map, '.gz')
|
|
|
|
def test_GetApkFileInfo(self):
|
|
(is_apk, is_compressed, should_be_skipped) = GetApkFileInfo(
|
|
"PRODUCT/apps/Chats.apk", None, [])
|
|
self.assertTrue(is_apk)
|
|
self.assertFalse(is_compressed)
|
|
self.assertFalse(should_be_skipped)
|
|
|
|
(is_apk, is_compressed, should_be_skipped) = GetApkFileInfo(
|
|
"PRODUCT/apps/Chats.apk", None, [])
|
|
self.assertTrue(is_apk)
|
|
self.assertFalse(is_compressed)
|
|
self.assertFalse(should_be_skipped)
|
|
|
|
(is_apk, is_compressed, should_be_skipped) = GetApkFileInfo(
|
|
"PRODUCT/apps/Chats.dat", None, [])
|
|
self.assertFalse(is_apk)
|
|
self.assertFalse(is_compressed)
|
|
self.assertFalse(should_be_skipped)
|
|
|
|
def test_GetApkFileInfo_withCompressedApks(self):
|
|
(is_apk, is_compressed, should_be_skipped) = GetApkFileInfo(
|
|
"PRODUCT/apps/Chats.apk.gz", ".gz", [])
|
|
self.assertTrue(is_apk)
|
|
self.assertTrue(is_compressed)
|
|
self.assertFalse(should_be_skipped)
|
|
|
|
(is_apk, is_compressed, should_be_skipped) = GetApkFileInfo(
|
|
"PRODUCT/apps/Chats.apk.gz", ".xz", [])
|
|
self.assertFalse(is_apk)
|
|
self.assertFalse(is_compressed)
|
|
self.assertFalse(should_be_skipped)
|
|
|
|
self.assertRaises(
|
|
AssertionError, GetApkFileInfo, "PRODUCT/apps/Chats.apk", "", [])
|
|
|
|
self.assertRaises(
|
|
AssertionError, GetApkFileInfo, "PRODUCT/apps/Chats.apk", "apk", [])
|
|
|
|
def test_GetApkFileInfo_withSkippedPrefixes(self):
|
|
(is_apk, is_compressed, should_be_skipped) = GetApkFileInfo(
|
|
"PRODUCT/preloads/apps/Chats.apk", None, set())
|
|
self.assertTrue(is_apk)
|
|
self.assertFalse(is_compressed)
|
|
self.assertFalse(should_be_skipped)
|
|
|
|
(is_apk, is_compressed, should_be_skipped) = GetApkFileInfo(
|
|
"PRODUCT/preloads/apps/Chats.apk",
|
|
None,
|
|
set(["PRODUCT/preloads/"]))
|
|
self.assertTrue(is_apk)
|
|
self.assertFalse(is_compressed)
|
|
self.assertTrue(should_be_skipped)
|
|
|
|
(is_apk, is_compressed, should_be_skipped) = GetApkFileInfo(
|
|
"SYSTEM_OTHER/preloads/apps/Chats.apk",
|
|
None,
|
|
set(["SYSTEM/preloads/", "SYSTEM_OTHER/preloads/"]))
|
|
self.assertTrue(is_apk)
|
|
self.assertFalse(is_compressed)
|
|
self.assertTrue(should_be_skipped)
|
|
|
|
(is_apk, is_compressed, should_be_skipped) = GetApkFileInfo(
|
|
"SYSTEM_OTHER/preloads/apps/Chats.apk.gz",
|
|
".gz",
|
|
set(["PRODUCT/prebuilts/", "SYSTEM_OTHER/preloads/"]))
|
|
self.assertTrue(is_apk)
|
|
self.assertTrue(is_compressed)
|
|
self.assertTrue(should_be_skipped)
|
|
|
|
(is_apk, is_compressed, should_be_skipped) = GetApkFileInfo(
|
|
"SYSTEM_OTHER/preloads/apps/Chats.dat",
|
|
None,
|
|
set(["SYSTEM_OTHER/preloads/"]))
|
|
self.assertFalse(is_apk)
|
|
self.assertFalse(is_compressed)
|
|
self.assertFalse(should_be_skipped)
|
|
|
|
def test_GetApkFileInfo_checkSkippedPrefixesInput(self):
|
|
# set
|
|
(is_apk, is_compressed, should_be_skipped) = GetApkFileInfo(
|
|
"SYSTEM_OTHER/preloads/apps/Chats.apk",
|
|
None,
|
|
set(["SYSTEM_OTHER/preloads/"]))
|
|
self.assertTrue(is_apk)
|
|
self.assertFalse(is_compressed)
|
|
self.assertTrue(should_be_skipped)
|
|
|
|
# tuple
|
|
(is_apk, is_compressed, should_be_skipped) = GetApkFileInfo(
|
|
"SYSTEM_OTHER/preloads/apps/Chats.apk",
|
|
None,
|
|
("SYSTEM_OTHER/preloads/",))
|
|
self.assertTrue(is_apk)
|
|
self.assertFalse(is_compressed)
|
|
self.assertTrue(should_be_skipped)
|
|
|
|
# list
|
|
(is_apk, is_compressed, should_be_skipped) = GetApkFileInfo(
|
|
"SYSTEM_OTHER/preloads/apps/Chats.apk",
|
|
None,
|
|
["SYSTEM_OTHER/preloads/"])
|
|
self.assertTrue(is_apk)
|
|
self.assertFalse(is_compressed)
|
|
self.assertTrue(should_be_skipped)
|
|
|
|
# str is invalid.
|
|
self.assertRaises(
|
|
AssertionError, GetApkFileInfo, "SYSTEM_OTHER/preloads/apps/Chats.apk",
|
|
None, "SYSTEM_OTHER/preloads/")
|
|
|
|
# None is invalid.
|
|
self.assertRaises(
|
|
AssertionError, GetApkFileInfo, "SYSTEM_OTHER/preloads/apps/Chats.apk",
|
|
None, None)
|