StrixOS/build
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revert "Add sign_sepolicy_path for a binary to sign sepolicy.apex."

Browse Source 
This reverts commit e0a977affd.

Test: atest --host releasetools_test
Bug: 297794885
Change-Id: I951277e4aa3ae1f90474a1f7a036fc8693453c53
This commit is contained in:
Thiébaud Weksteen
2023-10-18 11:08:47 +11:00
parent e7bf32f0de
commit 62865caf1b
5 changed files with 16 additions and 117 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
tools/releasetools/apex_utils.py
View File

@@ -68,7 +68,7 @@ class ApexApkSigner(object):
self.avbtool = avbtool if avbtool else "avbtool"
self.sign_tool = sign_tool
def ProcessApexFile(self, apk_keys, payload_key, signing_args=None, is_sepolicy=False):
def ProcessApexFile(self, apk_keys, payload_key, signing_args=None):
"""Scans and signs the payload files and repack the apex
Args:
@@ -86,13 +86,9 @@ class ApexApkSigner(object):
'list', self.apex_path]
entries_names = common.RunAndCheckOutput(list_cmd).split()
apk_entries = [name for name in entries_names if name.endswith('.apk')]
sepolicy_entries = []
if is_sepolicy:
sepolicy_entries = [name for name in entries_names if
name.startswith('./etc/SEPolicy') and name.endswith('.zip')]
# No need to sign and repack, return the original apex path.
if not apk_entries and not sepolicy_entries and self.sign_tool is None:
if not apk_entries and self.sign_tool is None:
logger.info('No apk file to sign in %s', self.apex_path)
return self.apex_path
@@ -108,14 +104,14 @@ class ApexApkSigner(object):
' %s', entry)
payload_dir, has_signed_content = self.ExtractApexPayloadAndSignContents(
apk_entries, sepolicy_entries, apk_keys, payload_key, signing_args)
apk_entries, apk_keys, payload_key, signing_args)
if not has_signed_content:
logger.info('No contents have been signed in %s', self.apex_path)
logger.info('No contents has been signed in %s', self.apex_path)
return self.apex_path
return self.RepackApexPayload(payload_dir, payload_key, signing_args)
def ExtractApexPayloadAndSignContents(self, apk_entries, sepolicy_entries, apk_keys, payload_key, signing_args):
def ExtractApexPayloadAndSignContents(self, apk_entries, apk_keys, payload_key, signing_args):
"""Extracts the payload image and signs the containing apk files."""
if not os.path.exists(self.debugfs_path):
raise ApexSigningError(
@@ -133,11 +129,11 @@ class ApexApkSigner(object):
'extract',
self.apex_path, payload_dir]
common.RunAndCheckOutput(extract_cmd)
assert os.path.exists(self.apex_path)
has_signed_content = False
for entry in apk_entries:
apk_path = os.path.join(payload_dir, entry)
assert os.path.exists(self.apex_path)
key_name = apk_keys.get(os.path.basename(entry))
if key_name in common.SPECIAL_CERT_STRINGS:
@@ -154,37 +150,6 @@ class ApexApkSigner(object):
codename_to_api_level_map=self.codename_to_api_level_map)
has_signed_content = True
for entry in sepolicy_entries:
sepolicy_path = os.path.join(payload_dir, entry)
if not 'etc' in entry:
logger.warning('Sepolicy path does not contain the intended directory name etc:'
' %s', entry)
key_name = apk_keys.get(os.path.basename(entry))
if key_name is None:
logger.warning('Failed to find signing keys for {} in'
' apex {}, payload key will be used instead.'
' Use "-e <name>=" to specify a key'
.format(entry, self.apex_path))
key_name = payload_key
if key_name in common.SPECIAL_CERT_STRINGS:
logger.info('Not signing: %s due to special cert string', sepolicy_path)
continue
if OPTIONS.sign_sepolicy_path is not None:
sig_path = os.path.join(payload_dir, sepolicy_path + '.sig')
fsv_sig_path = os.path.join(payload_dir, sepolicy_path + '.fsv_sig')
old_sig = common.MakeTempFile()
old_fsv_sig = common.MakeTempFile()
os.rename(sig_path, old_sig)
os.rename(fsv_sig_path, old_fsv_sig)
logger.info('Signing sepolicy file %s in apex %s', sepolicy_path, self.apex_path)
if common.SignSePolicy(sepolicy_path, key_name, self.key_passwords.get(key_name)):
has_signed_content = True
if self.sign_tool:
logger.info('Signing payload contents in apex %s with %s', self.apex_path, self.sign_tool)
# Pass avbtool to the custom signing tool
@@ -368,8 +333,7 @@ def ParseApexPayloadInfo(avbtool, payload_path):
def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
container_pw, apk_keys, codename_to_api_level_map,
no_hashtree, signing_args=None, sign_tool=None,
is_sepolicy=False):
no_hashtree, signing_args=None, sign_tool=None):
"""Signs the current uncompressed APEX with the given payload/container keys.
Args:
@@ -382,7 +346,6 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
no_hashtree: Don't include hashtree in the signed APEX.
signing_args: Additional args to be passed to the payload signer.
sign_tool: A tool to sign the contents of the APEX.
is_sepolicy: Indicates if the apex is a sepolicy.apex
Returns:
The path to the signed APEX file.
@@ -392,8 +355,7 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
apk_signer = ApexApkSigner(apex_file, container_pw,
codename_to_api_level_map,
avbtool, sign_tool)
apex_file = apk_signer.ProcessApexFile(
apk_keys, payload_key, signing_args, is_sepolicy)
apex_file = apk_signer.ProcessApexFile(apk_keys, payload_key, signing_args)
# 2a. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given
# payload_key.
@@ -447,8 +409,7 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
container_pw, apk_keys, codename_to_api_level_map,
no_hashtree, signing_args=None, sign_tool=None,
is_sepolicy=False):
no_hashtree, signing_args=None, sign_tool=None):
"""Signs the current compressed APEX with the given payload/container keys.
Args:
@@ -460,7 +421,6 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
codename_to_api_level_map: A dict that maps from codename to API level.
no_hashtree: Don't include hashtree in the signed APEX.
signing_args: Additional args to be passed to the payload signer.
is_sepolicy: Indicates if the apex is a sepolicy.apex
Returns:
The path to the signed APEX file.
@@ -487,8 +447,7 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
codename_to_api_level_map,
no_hashtree,
signing_args,
sign_tool,
is_sepolicy)
sign_tool)
# 3. Compress signed original apex.
compressed_apex_file = common.MakeTempFile(prefix='apex-container-',
@@ -515,8 +474,8 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
apk_keys, codename_to_api_level_map, no_hashtree,
signing_args=None, sign_tool=None, is_sepolicy=False):
apk_keys, codename_to_api_level_map,
no_hashtree, signing_args=None, sign_tool=None):
"""Signs the current APEX with the given payload/container keys.
Args:
@@ -528,7 +487,6 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
codename_to_api_level_map: A dict that maps from codename to API level.
no_hashtree: Don't include hashtree in the signed APEX.
signing_args: Additional args to be passed to the payload signer.
is_sepolicy: Indicates if the apex is a sepolicy.apex
Returns:
The path to the signed APEX file.
@@ -554,8 +512,7 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
no_hashtree=no_hashtree,
apk_keys=apk_keys,
signing_args=signing_args,
sign_tool=sign_tool,
is_sepolicy=is_sepolicy)
sign_tool=sign_tool)
elif apex_type == 'COMPRESSED':
return SignCompressedApex(
avbtool,
@@ -567,8 +524,7 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
no_hashtree=no_hashtree,
apk_keys=apk_keys,
signing_args=signing_args,
sign_tool=sign_tool,
is_sepolicy=is_sepolicy)
sign_tool=sign_tool)
else:
# TODO(b/172912232): support signing compressed apex
raise ApexInfoError('Unsupported apex type {}'.format(apex_type))

42
tools/releasetools/common.py
View File

@@ -75,9 +75,7 @@ class Options(object):
if "ANDROID_HOST_OUT" in os.environ:
self.search_path = os.environ["ANDROID_HOST_OUT"]
self.signapk_shared_library_path = "lib64" # Relative to search_path
self.sign_sepolicy_path = None
self.extra_signapk_args = []
self.extra_sign_sepolicy_args = []
self.aapt2_path = "aapt2"
self.java_path = "java" # Use the one on the path by default.
self.java_args = ["-Xmx4096m"] # The default JVM args.
@@ -97,7 +95,6 @@ class Options(object):
self.cache_size = None
self.stash_threshold = 0.8
self.logfile = None
self.sepolicy_name = 'sepolicy.apex'
OPTIONS = Options()
@@ -2629,38 +2626,6 @@ def SignFile(input_name, output_name, key, password, min_api_level=None,
proc.returncode, stdoutdata))
def SignSePolicy(sepolicy, key, password):
"""Sign the sepolicy zip, producing an fsverity .fsv_sig and
an RSA .sig signature files.
"""
if OPTIONS.sign_sepolicy_path is None:
logger.info("No sign_sepolicy_path specified, %s was not signed", sepolicy)
return False
java_library_path = os.path.join(
OPTIONS.search_path, OPTIONS.signapk_shared_library_path)
cmd = ([OPTIONS.java_path] + OPTIONS.java_args +
["-Djava.library.path=" + java_library_path,
"-jar", os.path.join(OPTIONS.search_path, OPTIONS.sign_sepolicy_path)] +
OPTIONS.extra_sign_sepolicy_args)
cmd.extend([key + OPTIONS.public_key_suffix,
key + OPTIONS.private_key_suffix,
sepolicy, os.path.dirname(sepolicy)])
proc = Run(cmd, stdin=subprocess.PIPE)
if password is not None:
password += "\n"
stdoutdata, _ = proc.communicate(password)
if proc.returncode != 0:
raise ExternalError(
"Failed to run sign sepolicy: return code {}:\n{}".format(
proc.returncode, stdoutdata))
return True
def CheckSize(data, target, info_dict):
"""Checks the data string passed against the max size limit.
@@ -2836,8 +2801,7 @@ def ParseOptions(argv,
opts, args = getopt.getopt(
argv, "hvp:s:x:" + extra_opts,
["help", "verbose", "path=", "signapk_path=",
"signapk_shared_library_path=", "extra_signapk_args=",
"sign_sepolicy_path=", "extra_sign_sepolicy_args=", "aapt2_path=",
"signapk_shared_library_path=", "extra_signapk_args=", "aapt2_path=",
"java_path=", "java_args=", "android_jar_path=", "public_key_suffix=",
"private_key_suffix=", "boot_signer_path=", "boot_signer_args=",
"verity_signer_path=", "verity_signer_args=", "device_specific=",
@@ -2861,10 +2825,6 @@ def ParseOptions(argv,
OPTIONS.signapk_shared_library_path = a
elif o in ("--extra_signapk_args",):
OPTIONS.extra_signapk_args = shlex.split(a)
elif o in ("--sign_sepolicy_path",):
OPTIONS.sign_sepolicy_path = a
elif o in ("--extra_sign_sepolicy_args",):
OPTIONS.extra_sign_sepolicy_args = shlex.split(a)
elif o in ("--aapt2_path",):
OPTIONS.aapt2_path = a
elif o in ("--java_path",):

4
tools/releasetools/sign_apex.py
View File

@@ -56,7 +56,6 @@ import apex_utils
import common
logger = logging.getLogger(__name__)
OPTIONS = common.OPTIONS
def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
@@ -75,8 +74,7 @@ def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
no_hashtree=no_hashtree,
apk_keys=apk_keys,
signing_args=signing_args,
sign_tool=sign_tool,
is_sepolicy=apex_file.endswith(OPTIONS.sepolicy_name))
sign_tool=sign_tool)
def main(argv):

15
tools/releasetools/test_sign_apex.py
View File

@@ -58,21 +58,6 @@ class SignApexTest(test_utils.ReleaseToolsTestCase):
apk_keys)
self.assertTrue(os.path.exists(signed_test_apex))
@test_utils.SkipIfExternalToolsUnavailable()
def test_SignSepolicyApex(self):
test_apex = os.path.join(self.testdata_dir, 'sepolicy.apex')
payload_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key')
container_key = os.path.join(self.testdata_dir, 'testkey')
apk_keys = {'SEPolicy-33.zip': os.path.join(self.testdata_dir, 'testkey')}
signed_test_apex = sign_apex.SignApexFile(
'avbtool',
test_apex,
payload_key,
container_key,
False,
None)
self.assertTrue(os.path.exists(signed_test_apex))
@test_utils.SkipIfExternalToolsUnavailable()
def test_SignCompressedApexFile(self):
apex = os.path.join(test_utils.get_current_dir(), 'com.android.apex.compressed.v1.capex')

BIN
tools/releasetools/testdata/sepolicy.apex vendored
View File

Binary file not shown.