From 21122f901cb67e69b72d3a0d0ae3a9d3aa401fbe Mon Sep 17 00:00:00 2001 From: Colin Cross Date: Fri, 14 Sep 2018 21:51:11 -0700 Subject: [PATCH] Use soong_zip for otatools.zip and otacerts.zip soong_zip produces more reproducible zip files that are not affected by umask values or timestamps. This partially reapplies I2eca2f7618e06c0b5893ff54c79261921fe051d6. Bug: 69500920 Test: m checkbuild Test: contents of zips is unchanged Change-Id: Idf6fbc94e257dc34af4f5b115d740b7cb9bac015 --- core/Makefile | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/core/Makefile b/core/Makefile index 5262475245..3794d2b446 100644 --- a/core/Makefile +++ b/core/Makefile @@ -685,7 +685,7 @@ $(call dist-for-goals,droidcore,$(PGO_PROFILE_MISSING)) # for future OTA packages installed by this system. Actual product # deliverables will be re-signed by hand. We expect this file to # exist with the suffixes ".x509.pem" and ".pk8". -DEFAULT_KEY_CERT_PAIR := $(DEFAULT_SYSTEM_DEV_CERTIFICATE) +DEFAULT_KEY_CERT_PAIR := $(strip $(DEFAULT_SYSTEM_DEV_CERTIFICATE)) # Rules that need to be present for the all targets, even @@ -1140,12 +1140,12 @@ $(winpthreads_notice_file): \ # This rule adds to ALL_DEFAULT_INSTALLED_MODULES, so it needs to come # before the rules that use that variable to build the image. ALL_DEFAULT_INSTALLED_MODULES += $(TARGET_OUT_ETC)/security/otacerts.zip -$(TARGET_OUT_ETC)/security/otacerts.zip: KEY_CERT_PAIR := $(DEFAULT_KEY_CERT_PAIR) -$(TARGET_OUT_ETC)/security/otacerts.zip: $(addsuffix .x509.pem,$(DEFAULT_KEY_CERT_PAIR)) | $(ZIPTIME) +$(TARGET_OUT_ETC)/security/otacerts.zip: PRIVATE_CERT := $(DEFAULT_KEY_CERT_PAIR).x509.pem +$(TARGET_OUT_ETC)/security/otacerts.zip: $(SOONG_ZIP) +$(TARGET_OUT_ETC)/security/otacerts.zip: $(DEFAULT_KEY_CERT_PAIR).x509.pem $(hide) rm -f $@ $(hide) mkdir -p $(dir $@) - $(hide) zip -qjX $@ $< - $(remove-timestamps-from-package) + $(hide) $(SOONG_ZIP) -o $@ -C $(dir $(PRIVATE_CERT)) -f $(PRIVATE_CERT) # Carry the public key for update_engine if it's a non-IoT target that # uses the AB updater. We use the same key as otacerts but in RSA public key @@ -1153,7 +1153,7 @@ $(TARGET_OUT_ETC)/security/otacerts.zip: $(addsuffix .x509.pem,$(DEFAULT_KEY_CER ifeq ($(AB_OTA_UPDATER),true) ifneq ($(PRODUCT_IOT),true) ALL_DEFAULT_INSTALLED_MODULES += $(TARGET_OUT_ETC)/update_engine/update-payload-key.pub.pem -$(TARGET_OUT_ETC)/update_engine/update-payload-key.pub.pem: $(addsuffix .x509.pem,$(DEFAULT_KEY_CERT_PAIR)) +$(TARGET_OUT_ETC)/update_engine/update-payload-key.pub.pem: $(DEFAULT_KEY_CERT_PAIR).x509.pem $(hide) rm -f $@ $(hide) mkdir -p $(dir $@) $(hide) openssl x509 -pubkey -noout -in $< > $@ @@ -3141,15 +3141,15 @@ OTATOOLS_DEPS += \ $(sort $(shell find external/vboot_reference/tests/devkeys -type f)) endif -$(BUILT_OTATOOLS_PACKAGE): $(OTATOOLS) $(OTATOOLS_DEPS) $(OTATOOLS_RELEASETOOLS) | $(ACP) +$(BUILT_OTATOOLS_PACKAGE): $(OTATOOLS) $(OTATOOLS_DEPS) $(OTATOOLS_RELEASETOOLS) $(SOONG_ZIP) @echo "Package OTA tools: $@" $(hide) rm -rf $@ $(zip_root) $(hide) mkdir -p $(dir $@) $(zip_root)/bin $(zip_root)/framework $(zip_root)/releasetools $(call copy-files-with-structure,$(OTATOOLS),$(HOST_OUT)/,$(zip_root)) - $(hide) $(ACP) -r -d -p build/make/tools/releasetools/* $(zip_root)/releasetools + $(hide) cp -r -d -p build/make/tools/releasetools/* $(zip_root)/releasetools $(hide) rm -rf $@ $(zip_root)/releasetools/*.pyc - $(hide) (cd $(zip_root) && zip -qryX $(abspath $@) *) - $(hide) echo $(OTATOOLS_DEPS) | xargs zip -qryX $(abspath $@)>/dev/null || true + $(hide) $(SOONG_ZIP) -o $@ -C $(zip_root) -D $(zip_root) \ + -C . $(addprefix -f ,$(OTATOOLS_DEPS)) .PHONY: otatools-package otatools-package: $(BUILT_OTATOOLS_PACKAGE)