sign_apex --sign_tool

A new argument is a custom signing tool for APEX contents. When specified, apex_util invokes the tool with payload's key and payload directory. For now, the Virt APEX has its own custom signing tool (sign_virt_apex) to re-sign filesystem images in it. Bug: 193504286 Test: atest releasetools_test Test: m sign_apex sign_virt_apex Test: sign_apex --sign_tool sign_virt_apex --payload_key .. --container_key .. resigned.apex adb install resigned.apex reboot & vm run-app Change-Id: Ic4d369c2ba42a8295044a0a75e054dc8def93208
2021-10-27 03:53:21 +09:00
parent c4b7b34b4b
commit 0f5a41da56
3 changed files with 60 additions and 23 deletions
--- a/tools/releasetools/apex_utils.py
+++ b/tools/releasetools/apex_utils.py
@@ -52,9 +52,9 @@ class ApexSigningError(Exception):


 class ApexApkSigner(object):
-  """Class to sign the apk files in a apex payload image and repack the apex"""
+  """Class to sign the apk files and other files in an apex payload image and repack the apex"""

-  def __init__(self, apex_path, key_passwords, codename_to_api_level_map):
+  def __init__(self, apex_path, key_passwords, codename_to_api_level_map, avbtool=None, sign_tool=None):
    self.apex_path = apex_path
    if not key_passwords:
      self.key_passwords = dict()
@@ -63,9 +63,11 @@ class ApexApkSigner(object):
    self.codename_to_api_level_map = codename_to_api_level_map
    self.debugfs_path = os.path.join(
        OPTIONS.search_path, "bin", "debugfs_static")
+    self.avbtool = avbtool if avbtool else "avbtool"
+    self.sign_tool = sign_tool

  def ProcessApexFile(self, apk_keys, payload_key, signing_args=None):
-    """Scans and signs the apk files and repack the apex
+    """Scans and signs the payload files and repack the apex

    Args:
      apk_keys: A dict that holds the signing keys for apk files.
@@ -84,7 +86,7 @@ class ApexApkSigner(object):
    apk_entries = [name for name in entries_names if name.endswith('.apk')]

    # No need to sign and repack, return the original apex path.
-    if not apk_entries:
+    if not apk_entries and self.sign_tool is None:
      logger.info('No apk file to sign in %s', self.apex_path)
      return self.apex_path

@@ -99,15 +101,15 @@ class ApexApkSigner(object):
        logger.warning('Apk path does not contain the intended directory name:'
                       ' %s', entry)

-    payload_dir, has_signed_apk = self.ExtractApexPayloadAndSignApks(
-        apk_entries, apk_keys)
-    if not has_signed_apk:
-      logger.info('No apk file has been signed in %s', self.apex_path)
+    payload_dir, has_signed_content = self.ExtractApexPayloadAndSignContents(
+        apk_entries, apk_keys, payload_key)
+    if not has_signed_content:
+      logger.info('No contents has been signed in %s', self.apex_path)
      return self.apex_path

    return self.RepackApexPayload(payload_dir, payload_key, signing_args)

-  def ExtractApexPayloadAndSignApks(self, apk_entries, apk_keys):
+  def ExtractApexPayloadAndSignContents(self, apk_entries, apk_keys, payload_key):
    """Extracts the payload image and signs the containing apk files."""
    if not os.path.exists(self.debugfs_path):
      raise ApexSigningError(
@@ -119,7 +121,7 @@ class ApexApkSigner(object):
                   self.debugfs_path, 'extract', self.apex_path, payload_dir]
    common.RunAndCheckOutput(extract_cmd)

-    has_signed_apk = False
+    has_signed_content = False
    for entry in apk_entries:
      apk_path = os.path.join(payload_dir, entry)
      assert os.path.exists(self.apex_path)
@@ -137,8 +139,14 @@ class ApexApkSigner(object):
      common.SignFile(
          unsigned_apk, apk_path, key_name, self.key_passwords.get(key_name),
          codename_to_api_level_map=self.codename_to_api_level_map)
-      has_signed_apk = True
-    return payload_dir, has_signed_apk
+      has_signed_content = True
+
+    if self.sign_tool:
+      cmd = [self.sign_tool, '--avbtool', self.avbtool, payload_key, payload_dir]
+      common.RunAndCheckOutput(cmd)
+      has_signed_content = True
+
+    return payload_dir, has_signed_content

  def RepackApexPayload(self, payload_dir, payload_key, signing_args=None):
    """Rebuilds the apex file with the updated payload directory."""
@@ -310,7 +318,7 @@ def ParseApexPayloadInfo(avbtool, payload_path):

 def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
                         container_pw, apk_keys, codename_to_api_level_map,
-                         no_hashtree, signing_args=None):
+                         no_hashtree, signing_args=None, sign_tool=None):
  """Signs the current uncompressed APEX with the given payload/container keys.

  Args:
@@ -322,14 +330,16 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
    codename_to_api_level_map: A dict that maps from codename to API level.
    no_hashtree: Don't include hashtree in the signed APEX.
    signing_args: Additional args to be passed to the payload signer.
+    sign_tool: A tool to sign the contents of the APEX.

  Returns:
    The path to the signed APEX file.
  """
-  # 1. Extract the apex payload image and sign the containing apk files. Repack
+  # 1. Extract the apex payload image and sign the files (e.g. APKs). Repack
  # the apex file after signing.
  apk_signer = ApexApkSigner(apex_file, container_pw,
-                             codename_to_api_level_map)
+                             codename_to_api_level_map,
+                             avbtool, sign_tool)
  apex_file = apk_signer.ProcessApexFile(apk_keys, payload_key, signing_args)

  # 2a. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given
@@ -384,7 +394,7 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,

 def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
                       container_pw, apk_keys, codename_to_api_level_map,
-                       no_hashtree, signing_args=None):
+                       no_hashtree, signing_args=None, sign_tool=None):
  """Signs the current compressed APEX with the given payload/container keys.

  Args:
@@ -421,7 +431,8 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
      apk_keys,
      codename_to_api_level_map,
      no_hashtree,
-      signing_args)
+      signing_args,
+      sign_tool)

  # 3. Compress signed original apex.
  compressed_apex_file = common.MakeTempFile(prefix='apex-container-',
@@ -449,7 +460,7 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key,

 def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
             apk_keys, codename_to_api_level_map,
-             no_hashtree, signing_args=None):
+             no_hashtree, signing_args=None, sign_tool=None):
  """Signs the current APEX with the given payload/container keys.

  Args:
@@ -485,7 +496,8 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
          codename_to_api_level_map=codename_to_api_level_map,
          no_hashtree=no_hashtree,
          apk_keys=apk_keys,
-          signing_args=signing_args)
+          signing_args=signing_args,
+          sign_tool=sign_tool)
    elif apex_type == 'COMPRESSED':
      return SignCompressedApex(
          avbtool,
@@ -496,7 +508,8 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
          codename_to_api_level_map=codename_to_api_level_map,
          no_hashtree=no_hashtree,
          apk_keys=apk_keys,
-          signing_args=signing_args)
+          signing_args=signing_args,
+          sign_tool=sign_tool)
    else:
      # TODO(b/172912232): support signing compressed apex
      raise ApexInfoError('Unsupported apex type {}'.format(apex_type))