diff --git a/core/build_id.mk b/core/build_id.mk index a0190ceaf6..5a8223808a 100644 --- a/core/build_id.mk +++ b/core/build_id.mk @@ -18,4 +18,4 @@ # (like "CRB01"). It must be a single word, and is # capitalized by convention. -BUILD_ID=TP1A.220413.003 +BUILD_ID=TP1A.220414.001 diff --git a/tools/releasetools/apex_utils.py b/tools/releasetools/apex_utils.py index 3f13a4a5de..941edc600d 100644 --- a/tools/releasetools/apex_utils.py +++ b/tools/releasetools/apex_utils.py @@ -54,7 +54,7 @@ class ApexSigningError(Exception): class ApexApkSigner(object): """Class to sign the apk files and other files in an apex payload image and repack the apex""" - def __init__(self, apex_path, key_passwords, codename_to_api_level_map, avbtool=None, sign_tool=None, fsverity_tool=None): + def __init__(self, apex_path, key_passwords, codename_to_api_level_map, avbtool=None, sign_tool=None): self.apex_path = apex_path if not key_passwords: self.key_passwords = dict() @@ -65,9 +65,8 @@ class ApexApkSigner(object): OPTIONS.search_path, "bin", "debugfs_static") self.avbtool = avbtool if avbtool else "avbtool" self.sign_tool = sign_tool - self.fsverity_tool = fsverity_tool if fsverity_tool else "fsverity" - def ProcessApexFile(self, apk_keys, payload_key, signing_args=None, is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None): + def ProcessApexFile(self, apk_keys, payload_key, signing_args=None): """Scans and signs the payload files and repack the apex Args: @@ -85,14 +84,10 @@ class ApexApkSigner(object): self.debugfs_path, 'list', self.apex_path] entries_names = common.RunAndCheckOutput(list_cmd).split() apk_entries = [name for name in entries_names if name.endswith('.apk')] - sepolicy_entries = [] - if is_sepolicy: - sepolicy_entries = [name for name in entries_names if - name.startswith('./etc/SEPolicy') and name.endswith('.zip')] # No need to sign and repack, return the original apex path. - if not apk_entries and not sepolicy_entries and self.sign_tool is None: - logger.info('No payload (apk or zip) file to sign in %s', self.apex_path) + if not apk_entries and self.sign_tool is None: + logger.info('No apk file to sign in %s', self.apex_path) return self.apex_path for entry in apk_entries: @@ -106,16 +101,15 @@ class ApexApkSigner(object): logger.warning('Apk path does not contain the intended directory name:' ' %s', entry) - payload_dir, has_signed_content = self.ExtractApexPayloadAndSignContents(apk_entries, - apk_keys, payload_key, sepolicy_entries, sepolicy_key, sepolicy_cert, signing_args) + payload_dir, has_signed_content = self.ExtractApexPayloadAndSignContents( + apk_entries, apk_keys, payload_key, signing_args) if not has_signed_content: logger.info('No contents has been signed in %s', self.apex_path) return self.apex_path return self.RepackApexPayload(payload_dir, payload_key, signing_args) - def ExtractApexPayloadAndSignContents(self, apk_entries, apk_keys, payload_key, - sepolicy_entries, sepolicy_key, sepolicy_cert, signing_args): + def ExtractApexPayloadAndSignContents(self, apk_entries, apk_keys, payload_key, signing_args): """Extracts the payload image and signs the containing apk files.""" if not os.path.exists(self.debugfs_path): raise ApexSigningError( @@ -147,11 +141,6 @@ class ApexApkSigner(object): codename_to_api_level_map=self.codename_to_api_level_map) has_signed_content = True - for entry in sepolicy_entries: - sepolicy_key = sepolicy_key if sepolicy_key else payload_key - self.SignSePolicy(payload_dir, entry, sepolicy_key, sepolicy_cert) - has_signed_content = True - if self.sign_tool: logger.info('Signing payload contents in apex %s with %s', self.apex_path, self.sign_tool) # Pass avbtool to the custom signing tool @@ -165,36 +154,6 @@ class ApexApkSigner(object): return payload_dir, has_signed_content - def SignSePolicy(self, payload_dir, sepolicy_zip, sepolicy_key, sepolicy_cert): - sepolicy_sig = sepolicy_zip + '.sig' - sepolicy_fsv_sig = sepolicy_zip + '.fsv_sig' - - policy_zip_path = os.path.join(payload_dir, sepolicy_zip) - sig_out_path = os.path.join(payload_dir, sepolicy_sig) - sig_old = sig_out_path + '.old' - if os.path.exists(sig_out_path): - os.rename(sig_out_path, sig_old) - sign_cmd = ['openssl', 'dgst', '-sign', sepolicy_key, '-keyform', 'PEM', '-sha256', - '-out', sig_out_path, '-binary', policy_zip_path] - common.RunAndCheckOutput(sign_cmd) - if os.path.exists(sig_old): - os.remove(sig_old) - - if not sepolicy_cert: - logger.info('No cert provided for SEPolicy, skipping fsverity sign') - return - - fsv_sig_out_path = os.path.join(payload_dir, sepolicy_fsv_sig) - fsv_sig_old = fsv_sig_out_path + '.old' - if os.path.exists(fsv_sig_out_path): - os.rename(fsv_sig_out_path, fsv_sig_old) - - fsverity_cmd = [self.fsverity_tool, 'sign', policy_zip_path, fsv_sig_out_path, - '--key=' + sepolicy_key, '--cert=' + sepolicy_cert] - common.RunAndCheckOutput(fsverity_cmd) - if os.path.exists(fsv_sig_old): - os.remove(fsv_sig_old) - def RepackApexPayload(self, payload_dir, payload_key, signing_args=None): """Rebuilds the apex file with the updated payload directory.""" apex_dir = common.MakeTempDir() @@ -365,9 +324,7 @@ def ParseApexPayloadInfo(avbtool, payload_path): def SignUncompressedApex(avbtool, apex_file, payload_key, container_key, container_pw, apk_keys, codename_to_api_level_map, - no_hashtree, signing_args=None, sign_tool=None, - is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None, - fsverity_tool=None): + no_hashtree, signing_args=None, sign_tool=None): """Signs the current uncompressed APEX with the given payload/container keys. Args: @@ -380,10 +337,6 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key, no_hashtree: Don't include hashtree in the signed APEX. signing_args: Additional args to be passed to the payload signer. sign_tool: A tool to sign the contents of the APEX. - is_sepolicy: Indicates if the apex is a sepolicy.apex - sepolicy_key: Key to sign a sepolicy zip. - sepolicy_cert: Cert to sign a sepolicy zip. - fsverity_tool: fsverity path to sign sepolicy zip. Returns: The path to the signed APEX file. @@ -392,9 +345,8 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key, # the apex file after signing. apk_signer = ApexApkSigner(apex_file, container_pw, codename_to_api_level_map, - avbtool, sign_tool, fsverity_tool) - apex_file = apk_signer.ProcessApexFile( - apk_keys, payload_key, signing_args, is_sepolicy, sepolicy_key, sepolicy_cert) + avbtool, sign_tool) + apex_file = apk_signer.ProcessApexFile(apk_keys, payload_key, signing_args) # 2a. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given # payload_key. @@ -448,9 +400,7 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key, def SignCompressedApex(avbtool, apex_file, payload_key, container_key, container_pw, apk_keys, codename_to_api_level_map, - no_hashtree, signing_args=None, sign_tool=None, - is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None, - fsverity_tool=None): + no_hashtree, signing_args=None, sign_tool=None): """Signs the current compressed APEX with the given payload/container keys. Args: @@ -462,10 +412,6 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key, codename_to_api_level_map: A dict that maps from codename to API level. no_hashtree: Don't include hashtree in the signed APEX. signing_args: Additional args to be passed to the payload signer. - is_sepolicy: Indicates if the apex is a sepolicy.apex - sepolicy_key: Key to sign a sepolicy zip. - sepolicy_cert: Cert to sign a sepolicy zip. - fsverity_tool: fsverity path to sign sepolicy zip. Returns: The path to the signed APEX file. @@ -492,11 +438,7 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key, codename_to_api_level_map, no_hashtree, signing_args, - sign_tool, - is_sepolicy, - sepolicy_key, - sepolicy_cert, - fsverity_tool) + sign_tool) # 3. Compress signed original apex. compressed_apex_file = common.MakeTempFile(prefix='apex-container-', @@ -524,8 +466,7 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key, def SignApex(avbtool, apex_data, payload_key, container_key, container_pw, apk_keys, codename_to_api_level_map, - no_hashtree, signing_args=None, sign_tool=None, - is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None, fsverity_tool=None): + no_hashtree, signing_args=None, sign_tool=None): """Signs the current APEX with the given payload/container keys. Args: @@ -537,9 +478,6 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw, codename_to_api_level_map: A dict that maps from codename to API level. no_hashtree: Don't include hashtree in the signed APEX. signing_args: Additional args to be passed to the payload signer. - sepolicy_key: Key to sign a sepolicy zip. - sepolicy_cert: Cert to sign a sepolicy zip. - fsverity_tool: fsverity path to sign sepolicy zip. Returns: The path to the signed APEX file. @@ -565,11 +503,7 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw, no_hashtree=no_hashtree, apk_keys=apk_keys, signing_args=signing_args, - sign_tool=sign_tool, - is_sepolicy=is_sepolicy, - sepolicy_key=sepolicy_key, - sepolicy_cert=sepolicy_cert, - fsverity_tool=fsverity_tool) + sign_tool=sign_tool) elif apex_type == 'COMPRESSED': return SignCompressedApex( avbtool, @@ -581,11 +515,7 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw, no_hashtree=no_hashtree, apk_keys=apk_keys, signing_args=signing_args, - sign_tool=sign_tool, - is_sepolicy=is_sepolicy, - sepolicy_key=sepolicy_key, - sepolicy_cert=sepolicy_cert, - fsverity_tool=fsverity_tool) + sign_tool=sign_tool) else: # TODO(b/172912232): support signing compressed apex raise ApexInfoError('Unsupported apex type {}'.format(apex_type)) diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py index bd3af680e9..c2c6df1a9a 100644 --- a/tools/releasetools/common.py +++ b/tools/releasetools/common.py @@ -97,7 +97,6 @@ class Options(object): self.stash_threshold = 0.8 self.logfile = None self.host_tools = {} - self.sepolicy_name = 'sepolicy.apex' OPTIONS = Options() diff --git a/tools/releasetools/sign_apex.py b/tools/releasetools/sign_apex.py index a68f1eca4a..692646705e 100755 --- a/tools/releasetools/sign_apex.py +++ b/tools/releasetools/sign_apex.py @@ -42,15 +42,6 @@ Usage: sign_apex [flags] input_apex_file output_apex_file --sign_tool Optional flag that specifies a custom signing tool for the contents of the apex. - - --sepolicy_key - Optional flag that specifies the sepolicy signing key, defaults to payload_key. - - --sepolicy_cert - Optional flag that specifies the sepolicy signing cert. - - --fsverity_tool - Optional flag that specifies the path to fsverity tool to sign SEPolicy, defaults to fsverity. """ import logging @@ -61,12 +52,10 @@ import apex_utils import common logger = logging.getLogger(__name__) -OPTIONS = common.OPTIONS def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree, - apk_keys=None, signing_args=None, codename_to_api_level_map=None, sign_tool=None, - sepolicy_key=None, sepolicy_cert=None, fsverity_tool=None): + apk_keys=None, signing_args=None, codename_to_api_level_map=None, sign_tool=None): """Signs the given apex file.""" with open(apex_file, 'rb') as input_fp: apex_data = input_fp.read() @@ -81,11 +70,7 @@ def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree, no_hashtree=no_hashtree, apk_keys=apk_keys, signing_args=signing_args, - sign_tool=sign_tool, - is_sepolicy=apex_file.endswith(OPTIONS.sepolicy_name), - sepolicy_key=sepolicy_key, - sepolicy_cert=sepolicy_cert, - fsverity_tool=fsverity_tool) + sign_tool=sign_tool) def main(argv): @@ -121,12 +106,6 @@ def main(argv): options['extra_apks'].update({n: key}) elif o == '--sign_tool': options['sign_tool'] = a - elif o == '--sepolicy_key': - options['sepolicy_key'] = a - elif o == '--sepolicy_cert': - options['sepolicy_cert'] = a - elif o == '--fsverity_tool': - options['fsverity_tool'] = a else: return False return True @@ -142,9 +121,6 @@ def main(argv): 'payload_key=', 'extra_apks=', 'sign_tool=', - 'sepolicy_key=', - 'sepolicy_cert=', - 'fsverity_tool=' ], extra_option_handler=option_handler) @@ -165,10 +141,7 @@ def main(argv): signing_args=options.get('payload_extra_args'), codename_to_api_level_map=options.get( 'codename_to_api_level_map', {}), - sign_tool=options.get('sign_tool', None), - sepolicy_key=options.get('sepolicy_key', None), - sepolicy_cert=options.get('sepolicy_cert', None), - fsverity_tool=options.get('fsverity_tool', None)) + sign_tool=options.get('sign_tool', None)) shutil.copyfile(signed_apex, args[1]) logger.info("done.") diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py index 5f46ae06c9..fc6afb1c56 100755 --- a/tools/releasetools/sign_target_files_apks.py +++ b/tools/releasetools/sign_target_files_apks.py @@ -137,15 +137,6 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files --android_jar_path Path to the android.jar to repack the apex file. - --sepolicy_key - Optional flag that specifies the sepolicy signing key, defaults to payload_key for the sepolicy.apex. - - --sepolicy_cert - Optional flag that specifies the sepolicy signing cert. - - --fsverity_tool - Optional flag that specifies the path to fsverity tool to sign SEPolicy, defaults to fsverity. - --allow_gsi_debug_sepolicy Allow the existence of the file 'userdebug_plat_sepolicy.cil' under (/system/system_ext|/system_ext)/etc/selinux. @@ -205,9 +196,6 @@ OPTIONS.gki_signing_extra_args = None OPTIONS.android_jar_path = None OPTIONS.vendor_partitions = set() OPTIONS.vendor_otatools = None -OPTIONS.sepolicy_key = None -OPTIONS.sepolicy_cert = None -OPTIONS.fsverity_tool = None OPTIONS.allow_gsi_debug_sepolicy = False @@ -246,8 +234,6 @@ ALLOWED_VENDOR_PARTITIONS = set(["vendor", "odm"]) def IsApexFile(filename): return filename.endswith(".apex") or filename.endswith(".capex") -def IsSepolicyApex(filename): - return filename.endswith(OPTIONS.sepolicy_name) def GetApexFilename(filename): name = os.path.basename(filename) @@ -270,24 +256,6 @@ def GetApkCerts(certmap): return certmap -def GetSepolicyKeys(keys_info): - """Gets SEPolicy signing keys applying overrides from command line options. - - Args: - keys_info: A dict that maps from the SEPolicy APEX filename to a tuple of - (sepolicy_key, sepolicy_cert, fsverity_tool). - - Returns: - A dict that contains the updated APEX key mapping, which should be used for - the current signing. - """ - for name in keys_info: - (sepolicy_key, sepolicy_cert, fsverity_tool) = keys_info[name] - sepolicy_key = OPTIONS.sepolicy_key if OPTIONS.sepolicy_key else sepolicy_key - sepolicy_cert = OPTIONS.sepolicy_cert if OPTIONS.sepolicy_cert else sepolicy_cert - fsverity_tool = OPTIONS.fsverity_tool if OPTIONS.fsverity_tool else fsverity_tool - keys_info[name] = (sepolicy_key, sepolicy_cert, fsverity_tool) - return keys_info def GetApexKeys(keys_info, key_map): """Gets APEX payload and container signing keys by applying the mapping rules. @@ -550,7 +518,7 @@ def IsBuildPropFile(filename): def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, apk_keys, apex_keys, key_passwords, platform_api_level, codename_to_api_level_map, - compressed_extension, sepolicy_keys): + compressed_extension): # maxsize measures the maximum filename length, including the ones to be # skipped. try: @@ -618,17 +586,6 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, print(" : %-*s payload (%s)" % ( maxsize, name, payload_key)) - sepolicy_key = None - sepolicy_cert = None - fsverity_tool = None - - if IsSepolicyApex(name): - (sepolicy_key, sepolicy_cert, fsverity_tool) = sepolicy_keys[name] - print(" : %-*s sepolicy key (%s)" % ( - maxsize, name, sepolicy_key)) - print(" : %-*s sepolicy cert (%s)" % ( - maxsize, name, sepolicy_cert)) - signed_apex = apex_utils.SignApex( misc_info['avb_avbtool'], data, @@ -639,11 +596,7 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, codename_to_api_level_map, no_hashtree=None, # Let apex_util determine if hash tree is needed signing_args=OPTIONS.avb_extra_args.get('apex'), - sign_tool=sign_tool, - is_sepolicy=IsSepolicyApex(name), - sepolicy_key=sepolicy_key, - sepolicy_cert=sepolicy_cert, - fsverity_tool=fsverity_tool) + sign_tool=sign_tool) common.ZipWrite(output_tf_zip, signed_apex, filename) else: @@ -1253,24 +1206,20 @@ def GetCodenameToApiLevelMap(input_tf_zip): def ReadApexKeysInfo(tf_zip): """Parses the APEX keys info from a given target-files zip. - Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns - two dicts, the first one contains the mapping from APEX names - (e.g. com.android.tzdata) to a tuple of (payload_key, container_key, - sign_tool). The second one maps the sepolicy APEX name to a tuple containing - (sepolicy_key, sepolicy_cert, fsverity_tool). + Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns a + dict that contains the mapping from APEX names (e.g. com.android.tzdata) to a + tuple of (payload_key, container_key, sign_tool). Args: tf_zip: The input target_files ZipFile (already open). Returns: - name : (payload_key, container_key, sign_tool) + (payload_key, container_key, sign_tool): - payload_key contains the path to the payload signing key - container_key contains the path to the container signing key - sign_tool is an apex-specific signing tool for its payload contents - name : (sepolicy_key, sepolicy_cert, fsverity_tool) """ keys = {} - sepolicy_keys = {} for line in tf_zip.read('META/apexkeys.txt').decode().split('\n'): line = line.strip() if not line: @@ -1281,9 +1230,6 @@ def ReadApexKeysInfo(tf_zip): r'private_key="(?P.*)"\s+' r'container_certificate="(?P.*)"\s+' r'container_private_key="(?P.*?)"' - r'(\s+sepolicy_key="(?P.*?)")?' - r'(\s+sepolicy_certificate="(?P.*?)")?' - r'(\s+fsverity_tool="(?P.*?)")?' r'(\s+partition="(?P.*?)")?' r'(\s+sign_tool="(?P.*?)")?$', line) @@ -1312,18 +1258,12 @@ def ReadApexKeysInfo(tf_zip): container_private_key, OPTIONS.private_key_suffix): container_key = container_cert[:-len(OPTIONS.public_key_suffix)] else: - raise ValueError("Failed to parse container keys: \n{} **** {}".format(container_cert, container_private_key)) + raise ValueError("Failed to parse container keys: \n{}".format(line)) sign_tool = matches.group("SIGN_TOOL") keys[name] = (payload_private_key, container_key, sign_tool) - if IsSepolicyApex(name): - sepolicy_key = matches.group('SEPOLICY_KEY') - sepolicy_cert = matches.group('SEPOLICY_CERT') - fsverity_tool = matches.group('FSVERITY_TOOL') - sepolicy_keys[name] = (sepolicy_key, sepolicy_cert, fsverity_tool) - - return keys, sepolicy_keys + return keys def BuildVendorPartitions(output_zip_path): @@ -1541,12 +1481,6 @@ def main(argv): OPTIONS.vendor_otatools = a elif o == "--vendor_partitions": OPTIONS.vendor_partitions = set(a.split(",")) - elif o == '--sepolicy_key': - OPTIONS.sepolicy_key = a - elif o == '--sepolicy_cert': - OPTIONS.sepolicy_cert = a - elif o == '--fsverity_tool': - OPTIONS.fsverity_tool = a elif o == "--allow_gsi_debug_sepolicy": OPTIONS.allow_gsi_debug_sepolicy = True else: @@ -1604,9 +1538,6 @@ def main(argv): "gki_signing_extra_args=", "vendor_partitions=", "vendor_otatools=", - "sepolicy_key=", - "sepolicy_cert=", - "fsverity_tool=", "allow_gsi_debug_sepolicy", ], extra_option_handler=option_handler) @@ -1629,9 +1560,8 @@ def main(argv): apk_keys_info, compressed_extension = common.ReadApkCerts(input_zip) apk_keys = GetApkCerts(apk_keys_info) - apex_keys_info, sepolicy_keys_info = ReadApexKeysInfo(input_zip) + apex_keys_info = ReadApexKeysInfo(input_zip) apex_keys = GetApexKeys(apex_keys_info, apk_keys) - sepolicy_keys = GetSepolicyKeys(sepolicy_keys_info) # TODO(xunchang) check for the apks inside the apex files, and abort early if # the keys are not available. @@ -1649,7 +1579,7 @@ def main(argv): ProcessTargetFiles(input_zip, output_zip, misc_info, apk_keys, apex_keys, key_passwords, platform_api_level, codename_to_api_level_map, - compressed_extension, sepolicy_keys) + compressed_extension) common.ZipClose(input_zip) common.ZipClose(output_zip) diff --git a/tools/releasetools/test_sign_apex.py b/tools/releasetools/test_sign_apex.py index c344e22058..8470f202c5 100644 --- a/tools/releasetools/test_sign_apex.py +++ b/tools/releasetools/test_sign_apex.py @@ -71,21 +71,3 @@ class SignApexTest(test_utils.ReleaseToolsTestCase): False, codename_to_api_level_map={'S': 31, 'Tiramisu' : 32}) self.assertTrue(os.path.exists(signed_apex)) - - @test_utils.SkipIfExternalToolsUnavailable() - def test_SignApexWithSepolicy(self): - test_apex = os.path.join(self.testdata_dir, 'sepolicy.apex') - payload_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key') - container_key = os.path.join(self.testdata_dir, 'testkey') - sepolicy_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key') - sepolicy_cert = os.path.join(self.testdata_dir, 'testkey.x509.pem') - signed_test_apex = sign_apex.SignApexFile( - 'avbtool', - test_apex, - payload_key, - container_key, - False, - None, - sepolicy_key=sepolicy_key, - sepolicy_cert=sepolicy_cert) - self.assertTrue(os.path.exists(signed_test_apex)) diff --git a/tools/releasetools/test_sign_target_files_apks.py b/tools/releasetools/test_sign_target_files_apks.py index 144a3cd460..0f13add290 100644 --- a/tools/releasetools/test_sign_target_files_apks.py +++ b/tools/releasetools/test_sign_target_files_apks.py @@ -476,7 +476,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te target_files_zip.writestr('META/apexkeys.txt', self.APEX_KEYS_TXT) with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: - keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) + keys_info = ReadApexKeysInfo(target_files_zip) self.assertEqual({ 'apex.apexd_test.apex': ( @@ -486,7 +486,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) - self.assertEqual({}, sepolicy_keys_info) def test_ReadApexKeysInfo_mismatchingContainerKeys(self): # Mismatching payload public / private keys. @@ -516,7 +515,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te target_files_zip.writestr('META/apexkeys.txt', apex_keys) with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: - keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) + keys_info = ReadApexKeysInfo(target_files_zip) self.assertEqual({ 'apex.apexd_test.apex': ( @@ -526,7 +525,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) - self.assertEqual({}, sepolicy_keys_info) def test_ReadApexKeysInfo_missingPayloadPublicKey(self): # Invalid lines will be skipped. @@ -540,7 +538,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te target_files_zip.writestr('META/apexkeys.txt', apex_keys) with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: - keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) + keys_info = ReadApexKeysInfo(target_files_zip) self.assertEqual({ 'apex.apexd_test.apex': ( @@ -550,7 +548,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) - self.assertEqual({}, sepolicy_keys_info) def test_ReadApexKeysInfo_presignedKeys(self): apex_keys = self.APEX_KEYS_TXT + ( @@ -564,7 +561,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te target_files_zip.writestr('META/apexkeys.txt', apex_keys) with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: - keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) + keys_info = ReadApexKeysInfo(target_files_zip) self.assertEqual({ 'apex.apexd_test.apex': ( @@ -574,7 +571,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) - self.assertEqual({}, sepolicy_keys_info) def test_ReadApexKeysInfo_presignedKeys(self): apex_keys = self.APEX_KEYS_TXT + ( @@ -588,7 +584,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te target_files_zip.writestr('META/apexkeys.txt', apex_keys) with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: - keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) + keys_info = ReadApexKeysInfo(target_files_zip) self.assertEqual({ 'apex.apexd_test.apex': ( @@ -598,72 +594,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) - self.assertEqual({}, sepolicy_keys_info) - - def test_ReadApexKeysInfo_withSepolicyKeys(self): - apex_keys = self.APEX_KEYS_TXT + ( - 'name="sepolicy.apex" ' - 'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" ' - 'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" ' - 'container_certificate="build/make/target/product/security/testkey.x509.pem" ' - 'container_private_key="build/make/target/product/security/testkey.pk8" ' - 'sepolicy_key="build/make/target/product/security/testkey.key" ' - 'sepolicy_certificate="build/make/target/product/security/testkey.x509.pem" ' - 'fsverity_tool="fsverity"') - target_files = common.MakeTempFile(suffix='.zip') - with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip: - target_files_zip.writestr('META/apexkeys.txt', apex_keys) - - with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: - keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) - - self.assertEqual({ - 'apex.apexd_test.apex': ( - 'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem', - 'build/make/target/product/security/testkey', None), - 'apex.apexd_test_different_app.apex': ( - 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', - 'build/make/target/product/security/testkey', None), - 'sepolicy.apex': ( - 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', - 'build/make/target/product/security/testkey', None), - }, keys_info) - self.assertEqual({'sepolicy.apex': ( - 'build/make/target/product/security/testkey.key', - 'build/make/target/product/security/testkey.x509.pem', - 'fsverity'), - }, sepolicy_keys_info) - - def test_ReadApexKeysInfo_withSepolicyApex(self): - apex_keys = self.APEX_KEYS_TXT + ( - 'name="sepolicy.apex" ' - 'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" ' - 'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" ' - 'container_certificate="build/make/target/product/security/testkey.x509.pem" ' - 'container_private_key="build/make/target/product/security/testkey.pk8" ') - target_files = common.MakeTempFile(suffix='.zip') - with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip: - target_files_zip.writestr('META/apexkeys.txt', apex_keys) - - with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip: - keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip) - - self.assertEqual({ - 'apex.apexd_test.apex': ( - 'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem', - 'build/make/target/product/security/testkey', None), - 'apex.apexd_test_different_app.apex': ( - 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', - 'build/make/target/product/security/testkey', None), - 'sepolicy.apex': ( - 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', - 'build/make/target/product/security/testkey', None), - }, keys_info) - self.assertEqual({'sepolicy.apex': ( - None, - None, - None), - }, sepolicy_keys_info) def test_ReplaceGkiSigningKey(self): common.OPTIONS.gki_signing_key = 'release_gki_key' diff --git a/tools/releasetools/testdata/sepolicy.apex b/tools/releasetools/testdata/sepolicy.apex deleted file mode 100644 index f7d267d08d..0000000000 Binary files a/tools/releasetools/testdata/sepolicy.apex and /dev/null differ