From 38812d684b73b4e2bbd2a4277fd9b0d8b3c7a810 Mon Sep 17 00:00:00 2001
From: Tao Bao
Date: Wed, 20 Jan 2016 20:58:20 -0800
Subject: [PATCH] Makefile: Add the payload public key into system image.

For non-Brillo devices using AB update, add the payload signing public key to the system image (system/etc/update_engine/update-payload-key.pub.pem). We first need to sign the payload with some private key, and pack it into an Android OTA package. Then the whole zip package will be signed again with the device key. This is to comply with the two existing OTA flows (Android and CrOS). We use the same device key to do the two signings, but update_engine expects the key in RSA public key format. This CL extracts the public key from x509 certificate and adds it to the system image.

Bug: 25715402
Change-Id: I6f6c1148534250ddb6d9e554175c7a35bceda99e
---
 core/Makefile | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/core/Makefile b/core/Makefile
index ee15f1261c..a18344417c 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -695,6 +695,19 @@ $(TARGET_OUT_ETC)/security/otacerts.zip: $(addsuffix .x509.pem,$(DEFAULT_KEY_CER
 $(hide) zip -qjX $@ $<
 $(remove-timestamps-from-package)
 
+# Carry the public key for update_engine if it's a non-Brillo target that
+# uses the AB updater. We use the same key as otacerts but in RSA public key
+# format.
+ifeq ($(AB_OTA_UPDATER),true)
+ifeq ($(BRILLO),)
+ALL_DEFAULT_INSTALLED_MODULES += $(TARGET_OUT_ETC)/security/update_engine/update-payload-key.pub.pem
+$(TARGET_OUT_ETC)/security/update_engine/update-payload-key.pub.pem: $(addsuffix .x509.pem,$(DEFAULT_KEY_CERT_PAIR))
+ $(hide) rm -f $@
+ $(hide) mkdir -p $(dir $@)
+ $(hide) openssl x509 -pubkey -noout -in $< > $@
+endif
+endif
+
 .PHONY: otacerts
 otacerts: $(TARGET_OUT_ETC)/security/otacerts.zip
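Review bot: The install path in the new rule, `$(TARGET_OUT_ETC)/security/update_engine/update-payload-key.pub.pem`, does not match the path in the commit description (`system/etc/update_engine/update-payload-key.pub.pem`), so one of the two is wrong. If update_engine reads the key from the described location, the image ships without a payload verification key where the verifier looks for it, and how update_engine behaves in that case is not visible in this patch. Please confirm the path against update_engine and correct whichever side is off, changing the `ALL_DEFAULT_INSTALLED_MODULES +=` line and the rule target together. Separately, `openssl x509 ... > $@` leaves an empty or partial `$@` behind when openssl fails, and a later build may treat that file as up to date unless the build sets `.DELETE_ON_ERROR`. Writing to a temporary and renaming avoids shipping a truncated key: `$(hide) openssl x509 -pubkey -noout -in $< > $@.tmp` followed by `$(hide) mv -f $@.tmp $@`.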