StrixOS/build
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sign_apex --sign_tool

Browse Source 
A new argument is a custom signing tool for APEX contents. When
specified, apex_util invokes the tool with payload's key and payload
directory.

For now, the Virt APEX has its own custom signing tool (sign_virt_apex)
to re-sign filesystem images in it.

Bug: 193504286
Test: atest releasetools_test
Test: m sign_apex sign_virt_apex
Test: sign_apex --sign_tool sign_virt_apex --payload_key ..
  --container_key .. resigned.apex
      adb install resigned.apex
      reboot & vm run-app
Change-Id: Ic4d369c2ba42a8295044a0a75e054dc8def93208
This commit is contained in:
Jooyung Han
2021-10-27 03:53:21 +09:00
parent c4b7b34b4b
commit 0f5a41da56
3 changed files with 60 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
tools/releasetools/apex_utils.py
View File

@@ -52,9 +52,9 @@ class ApexSigningError(Exception):
class ApexApkSigner(object): class ApexApkSigner(object):
"""Class to sign the apk files in a apex payload image and repack the apex""" """Class to sign the apk files and other files in an apex payload image and repack the apex"""
def __init__(self, apex_path, key_passwords, codename_to_api_level_map): def __init__(self, apex_path, key_passwords, codename_to_api_level_map, avbtool=None, sign_tool=None):
self.apex_path = apex_path self.apex_path = apex_path
if not key_passwords: if not key_passwords:
self.key_passwords = dict() self.key_passwords = dict()
@@ -63,9 +63,11 @@ class ApexApkSigner(object):
self.codename_to_api_level_map = codename_to_api_level_map self.codename_to_api_level_map = codename_to_api_level_map
self.debugfs_path = os.path.join( self.debugfs_path = os.path.join(
OPTIONS.search_path, "bin", "debugfs_static") OPTIONS.search_path, "bin", "debugfs_static")
self.avbtool = avbtool if avbtool else "avbtool"
self.sign_tool = sign_tool
def ProcessApexFile(self, apk_keys, payload_key, signing_args=None): def ProcessApexFile(self, apk_keys, payload_key, signing_args=None):
"""Scans and signs the apk files and repack the apex """Scans and signs the payload files and repack the apex
Args: Args:
apk_keys: A dict that holds the signing keys for apk files. apk_keys: A dict that holds the signing keys for apk files.
@@ -84,7 +86,7 @@ class ApexApkSigner(object):
apk_entries = [name for name in entries_names if name.endswith('.apk')] apk_entries = [name for name in entries_names if name.endswith('.apk')]
# No need to sign and repack, return the original apex path. # No need to sign and repack, return the original apex path.
if not apk_entries: if not apk_entries and self.sign_tool is None:
logger.info('No apk file to sign in %s', self.apex_path) logger.info('No apk file to sign in %s', self.apex_path)
return self.apex_path return self.apex_path
@@ -99,15 +101,15 @@ class ApexApkSigner(object):
logger.warning('Apk path does not contain the intended directory name:' logger.warning('Apk path does not contain the intended directory name:'
' %s', entry) ' %s', entry)
payload_dir, has_signed_apk = self.ExtractApexPayloadAndSignApks( payload_dir, has_signed_content = self.ExtractApexPayloadAndSignContents(
apk_entries, apk_keys) apk_entries, apk_keys, payload_key)
if not has_signed_apk: if not has_signed_content:
logger.info('No apk file has been signed in %s', self.apex_path) logger.info('No contents has been signed in %s', self.apex_path)
return self.apex_path return self.apex_path
return self.RepackApexPayload(payload_dir, payload_key, signing_args) return self.RepackApexPayload(payload_dir, payload_key, signing_args)
def ExtractApexPayloadAndSignApks(self, apk_entries, apk_keys): def ExtractApexPayloadAndSignContents(self, apk_entries, apk_keys, payload_key):
"""Extracts the payload image and signs the containing apk files.""" """Extracts the payload image and signs the containing apk files."""
if not os.path.exists(self.debugfs_path): if not os.path.exists(self.debugfs_path):
raise ApexSigningError( raise ApexSigningError(
@@ -119,7 +121,7 @@ class ApexApkSigner(object):
self.debugfs_path, 'extract', self.apex_path, payload_dir] self.debugfs_path, 'extract', self.apex_path, payload_dir]
common.RunAndCheckOutput(extract_cmd) common.RunAndCheckOutput(extract_cmd)
has_signed_apk = False has_signed_content = False
for entry in apk_entries: for entry in apk_entries:
apk_path = os.path.join(payload_dir, entry) apk_path = os.path.join(payload_dir, entry)
assert os.path.exists(self.apex_path) assert os.path.exists(self.apex_path)
@@ -137,8 +139,14 @@ class ApexApkSigner(object):
common.SignFile( common.SignFile(
unsigned_apk, apk_path, key_name, self.key_passwords.get(key_name), unsigned_apk, apk_path, key_name, self.key_passwords.get(key_name),
codename_to_api_level_map=self.codename_to_api_level_map) codename_to_api_level_map=self.codename_to_api_level_map)
has_signed_apk = True has_signed_content = True
return payload_dir, has_signed_apk
if self.sign_tool:
cmd = [self.sign_tool, '--avbtool', self.avbtool, payload_key, payload_dir]
common.RunAndCheckOutput(cmd)
has_signed_content = True
return payload_dir, has_signed_content
def RepackApexPayload(self, payload_dir, payload_key, signing_args=None): def RepackApexPayload(self, payload_dir, payload_key, signing_args=None):
"""Rebuilds the apex file with the updated payload directory.""" """Rebuilds the apex file with the updated payload directory."""
@@ -310,7 +318,7 @@ def ParseApexPayloadInfo(avbtool, payload_path):
def SignUncompressedApex(avbtool, apex_file, payload_key, container_key, def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
container_pw, apk_keys, codename_to_api_level_map, container_pw, apk_keys, codename_to_api_level_map,
no_hashtree, signing_args=None): no_hashtree, signing_args=None, sign_tool=None):
"""Signs the current uncompressed APEX with the given payload/container keys. """Signs the current uncompressed APEX with the given payload/container keys.
Args: Args:
@@ -322,14 +330,16 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
codename_to_api_level_map: A dict that maps from codename to API level. codename_to_api_level_map: A dict that maps from codename to API level.
no_hashtree: Don't include hashtree in the signed APEX. no_hashtree: Don't include hashtree in the signed APEX.
signing_args: Additional args to be passed to the payload signer. signing_args: Additional args to be passed to the payload signer.
sign_tool: A tool to sign the contents of the APEX.
Returns: Returns:
The path to the signed APEX file. The path to the signed APEX file.
""" """
# 1. Extract the apex payload image and sign the containing apk files. Repack # 1. Extract the apex payload image and sign the files (e.g. APKs). Repack
# the apex file after signing. # the apex file after signing.
apk_signer = ApexApkSigner(apex_file, container_pw, apk_signer = ApexApkSigner(apex_file, container_pw,
codename_to_api_level_map) codename_to_api_level_map,
avbtool, sign_tool)
apex_file = apk_signer.ProcessApexFile(apk_keys, payload_key, signing_args) apex_file = apk_signer.ProcessApexFile(apk_keys, payload_key, signing_args)
# 2a. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given # 2a. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given
@@ -384,7 +394,7 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
def SignCompressedApex(avbtool, apex_file, payload_key, container_key, def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
container_pw, apk_keys, codename_to_api_level_map, container_pw, apk_keys, codename_to_api_level_map,
no_hashtree, signing_args=None): no_hashtree, signing_args=None, sign_tool=None):
"""Signs the current compressed APEX with the given payload/container keys. """Signs the current compressed APEX with the given payload/container keys.
Args: Args:
@@ -421,7 +431,8 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
apk_keys, apk_keys,
codename_to_api_level_map, codename_to_api_level_map,
no_hashtree, no_hashtree,
signing_args) signing_args,
sign_tool)
# 3. Compress signed original apex. # 3. Compress signed original apex.
compressed_apex_file = common.MakeTempFile(prefix='apex-container-', compressed_apex_file = common.MakeTempFile(prefix='apex-container-',
@@ -449,7 +460,7 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
def SignApex(avbtool, apex_data, payload_key, container_key, container_pw, def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
apk_keys, codename_to_api_level_map, apk_keys, codename_to_api_level_map,
no_hashtree, signing_args=None): no_hashtree, signing_args=None, sign_tool=None):
"""Signs the current APEX with the given payload/container keys. """Signs the current APEX with the given payload/container keys.
Args: Args:
@@ -485,7 +496,8 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
codename_to_api_level_map=codename_to_api_level_map, codename_to_api_level_map=codename_to_api_level_map,
no_hashtree=no_hashtree, no_hashtree=no_hashtree,
apk_keys=apk_keys, apk_keys=apk_keys,
signing_args=signing_args) signing_args=signing_args,
sign_tool=sign_tool)
elif apex_type == 'COMPRESSED': elif apex_type == 'COMPRESSED':
return SignCompressedApex( return SignCompressedApex(
avbtool, avbtool,
@@ -496,7 +508,8 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
codename_to_api_level_map=codename_to_api_level_map, codename_to_api_level_map=codename_to_api_level_map,
no_hashtree=no_hashtree, no_hashtree=no_hashtree,
apk_keys=apk_keys, apk_keys=apk_keys,
signing_args=signing_args) signing_args=signing_args,
sign_tool=sign_tool)
else: else:
# TODO(b/172912232): support signing compressed apex # TODO(b/172912232): support signing compressed apex
raise ApexInfoError('Unsupported apex type {}'.format(apex_type)) raise ApexInfoError('Unsupported apex type {}'.format(apex_type))

14
tools/releasetools/sign_apex.py
View File

@@ -39,6 +39,9 @@ Usage: sign_apex [flags] input_apex_file output_apex_file
--codename_to_api_level_map Q:29,R:30,... --codename_to_api_level_map Q:29,R:30,...
A Mapping of codename to api level. This is useful to provide sdk targeting A Mapping of codename to api level. This is useful to provide sdk targeting
information to APK Signer. information to APK Signer.
--sign_tool <sign_tool>
Optional flag that specifies a custom signing tool for the contents of the apex.
""" """
import logging import logging
@@ -52,7 +55,7 @@ logger = logging.getLogger(__name__)
def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree, def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
apk_keys=None, signing_args=None, codename_to_api_level_map=None): apk_keys=None, signing_args=None, codename_to_api_level_map=None, sign_tool=None):
"""Signs the given apex file.""" """Signs the given apex file."""
with open(apex_file, 'rb') as input_fp: with open(apex_file, 'rb') as input_fp:
apex_data = input_fp.read() apex_data = input_fp.read()
@@ -66,7 +69,8 @@ def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
codename_to_api_level_map=codename_to_api_level_map, codename_to_api_level_map=codename_to_api_level_map,
no_hashtree=no_hashtree, no_hashtree=no_hashtree,
apk_keys=apk_keys, apk_keys=apk_keys,
signing_args=signing_args) signing_args=signing_args,
sign_tool=sign_tool)
def main(argv): def main(argv):
@@ -100,6 +104,8 @@ def main(argv):
if 'extra_apks' not in options: if 'extra_apks' not in options:
options['extra_apks'] = {} options['extra_apks'] = {}
options['extra_apks'].update({n: key}) options['extra_apks'].update({n: key})
elif o == '--sign_tool':
options['sign_tool'] = a
else: else:
return False return False
return True return True
@@ -114,6 +120,7 @@ def main(argv):
'payload_extra_args=', 'payload_extra_args=',
'payload_key=', 'payload_key=',
'extra_apks=', 'extra_apks=',
'sign_tool=',
], ],
extra_option_handler=option_handler) extra_option_handler=option_handler)
@@ -133,7 +140,8 @@ def main(argv):
apk_keys=options.get('extra_apks', {}), apk_keys=options.get('extra_apks', {}),
signing_args=options.get('payload_extra_args'), signing_args=options.get('payload_extra_args'),
codename_to_api_level_map=options.get( codename_to_api_level_map=options.get(
'codename_to_api_level_map', {})) 'codename_to_api_level_map', {}),
sign_tool=options['sign_tool'])
shutil.copyfile(signed_apex, args[1]) shutil.copyfile(signed_apex, args[1])
logger.info("done.") logger.info("done.")

16
tools/releasetools/test_apex_utils.py
View File

@@ -187,3 +187,19 @@ class ApexUtilsTest(test_utils.ReleaseToolsTestCase):
self.payload_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key') self.payload_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key')
signer.ProcessApexFile(apk_keys, self.payload_key) signer.ProcessApexFile(apk_keys, self.payload_key)
@test_utils.SkipIfExternalToolsUnavailable()
def test_ApexApkSigner_invokesCustomSignTool(self):
apex_path = common.MakeTempFile(suffix='.apex')
shutil.copy(self.apex_with_apk, apex_path)
apk_keys = {'wifi-service-resources.apk': os.path.join(
self.testdata_dir, 'testkey')}
self.payload_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key')
# pass `false` as a sign_tool to see the invocation error
with self.assertRaises(common.ExternalError) as cm:
signer = apex_utils.ApexApkSigner(apex_path, None, None, sign_tool='false')
signer.ProcessApexFile(apk_keys, self.payload_key)
the_exception = cm.exception
self.assertIn('Failed to run command \'[\'false\'', the_exception.message)