Make change and version bump to TP1A.220414.001

Change-Id: Ic70c07d041acc1b13f08f61aa1c99b0b1ca06f54
2022-04-14 01:00:34 +00:00
parent 0d76292be2 0c2f8a586d
commit b7c996ccce
8 changed files with 34 additions and 290 deletions
--- a/core/build_id.mk
+++ b/core/build_id.mk
@@ -18,4 +18,4 @@
 # (like "CRB01").  It must be a single word, and is
 # capitalized by convention.
-BUILD_ID=TP1A.220413.003
+BUILD_ID=TP1A.220414.001
--- a/tools/releasetools/apex_utils.py
+++ b/tools/releasetools/apex_utils.py
@@ -54,7 +54,7 @@ class ApexSigningError(Exception):
 class ApexApkSigner(object):
  """Class to sign the apk files and other files in an apex payload image and repack the apex"""
-  def __init__(self, apex_path, key_passwords, codename_to_api_level_map, avbtool=None, sign_tool=None, fsverity_tool=None):
+  def __init__(self, apex_path, key_passwords, codename_to_api_level_map, avbtool=None, sign_tool=None):
    self.apex_path = apex_path
    if not key_passwords:
      self.key_passwords = dict()
@@ -65,9 +65,8 @@ class ApexApkSigner(object):
        OPTIONS.search_path, "bin", "debugfs_static")
    self.avbtool = avbtool if avbtool else "avbtool"
    self.sign_tool = sign_tool
    self.fsverity_tool = fsverity_tool if fsverity_tool else "fsverity"
-  def ProcessApexFile(self, apk_keys, payload_key, signing_args=None, is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None):
+  def ProcessApexFile(self, apk_keys, payload_key, signing_args=None):
    """Scans and signs the payload files and repack the apex
    Args:
@@ -85,14 +84,10 @@ class ApexApkSigner(object):
                self.debugfs_path, 'list', self.apex_path]
    entries_names = common.RunAndCheckOutput(list_cmd).split()
    apk_entries = [name for name in entries_names if name.endswith('.apk')]
    sepolicy_entries = []
    if is_sepolicy:
      sepolicy_entries = [name for name in entries_names if
          name.startswith('./etc/SEPolicy') and name.endswith('.zip')]
    # No need to sign and repack, return the original apex path.
-    if not apk_entries and not sepolicy_entries and self.sign_tool is None:
+    if not apk_entries and self.sign_tool is None:
-      logger.info('No payload (apk or zip) file to sign in %s', self.apex_path)
+      logger.info('No apk file to sign in %s', self.apex_path)
      return self.apex_path
    for entry in apk_entries:
@@ -106,16 +101,15 @@ class ApexApkSigner(object):
        logger.warning('Apk path does not contain the intended directory name:'
                       ' %s', entry)
-    payload_dir, has_signed_content = self.ExtractApexPayloadAndSignContents(apk_entries,
+    payload_dir, has_signed_content = self.ExtractApexPayloadAndSignContents(
-        apk_keys, payload_key, sepolicy_entries, sepolicy_key, sepolicy_cert, signing_args)
+        apk_entries, apk_keys, payload_key, signing_args)
    if not has_signed_content:
      logger.info('No contents has been signed in %s', self.apex_path)
      return self.apex_path
    return self.RepackApexPayload(payload_dir, payload_key, signing_args)
-  def ExtractApexPayloadAndSignContents(self, apk_entries, apk_keys, payload_key,
+  def ExtractApexPayloadAndSignContents(self, apk_entries, apk_keys, payload_key, signing_args):
  sepolicy_entries, sepolicy_key, sepolicy_cert, signing_args):
    """Extracts the payload image and signs the containing apk files."""
    if not os.path.exists(self.debugfs_path):
      raise ApexSigningError(
@@ -147,11 +141,6 @@ class ApexApkSigner(object):
          codename_to_api_level_map=self.codename_to_api_level_map)
      has_signed_content = True
    for entry in sepolicy_entries:
      sepolicy_key = sepolicy_key if sepolicy_key else payload_key
      self.SignSePolicy(payload_dir, entry, sepolicy_key, sepolicy_cert)
      has_signed_content = True
    if self.sign_tool:
      logger.info('Signing payload contents in apex %s with %s', self.apex_path, self.sign_tool)
      # Pass avbtool to the custom signing tool
@@ -165,36 +154,6 @@ class ApexApkSigner(object):
    return payload_dir, has_signed_content
  def SignSePolicy(self, payload_dir, sepolicy_zip, sepolicy_key, sepolicy_cert):
    sepolicy_sig = sepolicy_zip + '.sig'
    sepolicy_fsv_sig = sepolicy_zip + '.fsv_sig'
    policy_zip_path = os.path.join(payload_dir, sepolicy_zip)
    sig_out_path = os.path.join(payload_dir, sepolicy_sig)
    sig_old = sig_out_path + '.old'
    if os.path.exists(sig_out_path):
      os.rename(sig_out_path, sig_old)
    sign_cmd = ['openssl', 'dgst', '-sign', sepolicy_key, '-keyform', 'PEM', '-sha256',
        '-out', sig_out_path, '-binary', policy_zip_path]
    common.RunAndCheckOutput(sign_cmd)
    if os.path.exists(sig_old):
      os.remove(sig_old)
    if not sepolicy_cert:
      logger.info('No cert provided for SEPolicy, skipping fsverity sign')
      return
    fsv_sig_out_path = os.path.join(payload_dir, sepolicy_fsv_sig)
    fsv_sig_old = fsv_sig_out_path + '.old'
    if os.path.exists(fsv_sig_out_path):
      os.rename(fsv_sig_out_path, fsv_sig_old)
    fsverity_cmd = [self.fsverity_tool, 'sign', policy_zip_path, fsv_sig_out_path,
        '--key=' + sepolicy_key, '--cert=' + sepolicy_cert]
    common.RunAndCheckOutput(fsverity_cmd)
    if os.path.exists(fsv_sig_old):
      os.remove(fsv_sig_old)
  def RepackApexPayload(self, payload_dir, payload_key, signing_args=None):
    """Rebuilds the apex file with the updated payload directory."""
    apex_dir = common.MakeTempDir()
@@ -365,9 +324,7 @@ def ParseApexPayloadInfo(avbtool, payload_path):
 def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
                         container_pw, apk_keys, codename_to_api_level_map,
-                         no_hashtree, signing_args=None, sign_tool=None,
+                         no_hashtree, signing_args=None, sign_tool=None):
                         is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None,
                         fsverity_tool=None):
  """Signs the current uncompressed APEX with the given payload/container keys.
  Args:
@@ -380,10 +337,6 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
    no_hashtree: Don't include hashtree in the signed APEX.
    signing_args: Additional args to be passed to the payload signer.
    sign_tool: A tool to sign the contents of the APEX.
    is_sepolicy: Indicates if the apex is a sepolicy.apex
    sepolicy_key: Key to sign a sepolicy zip.
    sepolicy_cert: Cert to sign a sepolicy zip.
    fsverity_tool: fsverity path to sign sepolicy zip.
  Returns:
    The path to the signed APEX file.
@@ -392,9 +345,8 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
  # the apex file after signing.
  apk_signer = ApexApkSigner(apex_file, container_pw,
                             codename_to_api_level_map,
-                             avbtool, sign_tool, fsverity_tool)
+                             avbtool, sign_tool)
-  apex_file = apk_signer.ProcessApexFile(
+  apex_file = apk_signer.ProcessApexFile(apk_keys, payload_key, signing_args)
      apk_keys, payload_key, signing_args, is_sepolicy, sepolicy_key, sepolicy_cert)
  # 2a. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given
  # payload_key.
@@ -448,9 +400,7 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
 def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
                       container_pw, apk_keys, codename_to_api_level_map,
-                       no_hashtree, signing_args=None, sign_tool=None,
+                       no_hashtree, signing_args=None, sign_tool=None):
                       is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None,
                       fsverity_tool=None):
  """Signs the current compressed APEX with the given payload/container keys.
  Args:
@@ -462,10 +412,6 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
    codename_to_api_level_map: A dict that maps from codename to API level.
    no_hashtree: Don't include hashtree in the signed APEX.
    signing_args: Additional args to be passed to the payload signer.
    is_sepolicy: Indicates if the apex is a sepolicy.apex
    sepolicy_key: Key to sign a sepolicy zip.
    sepolicy_cert: Cert to sign a sepolicy zip.
    fsverity_tool: fsverity path to sign sepolicy zip.
  Returns:
    The path to the signed APEX file.
@@ -492,11 +438,7 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
      codename_to_api_level_map,
      no_hashtree,
      signing_args,
-      sign_tool,
+      sign_tool)
      is_sepolicy,
      sepolicy_key,
      sepolicy_cert,
      fsverity_tool)
  # 3. Compress signed original apex.
  compressed_apex_file = common.MakeTempFile(prefix='apex-container-',
@@ -524,8 +466,7 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
 def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
             apk_keys, codename_to_api_level_map,
-             no_hashtree, signing_args=None, sign_tool=None,
+             no_hashtree, signing_args=None, sign_tool=None):
             is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None, fsverity_tool=None):
  """Signs the current APEX with the given payload/container keys.
  Args:
@@ -537,9 +478,6 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
    codename_to_api_level_map: A dict that maps from codename to API level.
    no_hashtree: Don't include hashtree in the signed APEX.
    signing_args: Additional args to be passed to the payload signer.
    sepolicy_key: Key to sign a sepolicy zip.
    sepolicy_cert: Cert to sign a sepolicy zip.
    fsverity_tool: fsverity path to sign sepolicy zip.
  Returns:
    The path to the signed APEX file.
@@ -565,11 +503,7 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
          no_hashtree=no_hashtree,
          apk_keys=apk_keys,
          signing_args=signing_args,
-          sign_tool=sign_tool,
+          sign_tool=sign_tool)
          is_sepolicy=is_sepolicy,
          sepolicy_key=sepolicy_key,
          sepolicy_cert=sepolicy_cert,
          fsverity_tool=fsverity_tool)
    elif apex_type == 'COMPRESSED':
      return SignCompressedApex(
          avbtool,
@@ -581,11 +515,7 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
          no_hashtree=no_hashtree,
          apk_keys=apk_keys,
          signing_args=signing_args,
-          sign_tool=sign_tool,
+          sign_tool=sign_tool)
          is_sepolicy=is_sepolicy,
          sepolicy_key=sepolicy_key,
          sepolicy_cert=sepolicy_cert,
          fsverity_tool=fsverity_tool)
    else:
      # TODO(b/172912232): support signing compressed apex
      raise ApexInfoError('Unsupported apex type {}'.format(apex_type))
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -97,7 +97,6 @@ class Options(object):
    self.stash_threshold = 0.8
    self.logfile = None
    self.host_tools = {}
    self.sepolicy_name = 'sepolicy.apex'
 OPTIONS = Options()
--- a/tools/releasetools/sign_apex.py
+++ b/tools/releasetools/sign_apex.py
@@ -42,15 +42,6 @@ Usage:  sign_apex [flags] input_apex_file output_apex_file
  --sign_tool <sign_tool>
      Optional flag that specifies a custom signing tool for the contents of the apex.
  --sepolicy_key <key>
      Optional flag that specifies the sepolicy signing key, defaults to payload_key.
  --sepolicy_cert <cert>
      Optional flag that specifies the sepolicy signing cert.
  --fsverity_tool <path>
      Optional flag that specifies the path to fsverity tool to sign SEPolicy, defaults to fsverity.
 """
 import logging
@@ -61,12 +52,10 @@ import apex_utils
 import common
 logger = logging.getLogger(__name__)
 OPTIONS = common.OPTIONS
 def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
-                 apk_keys=None, signing_args=None, codename_to_api_level_map=None, sign_tool=None,
+                 apk_keys=None, signing_args=None, codename_to_api_level_map=None, sign_tool=None):
                 sepolicy_key=None, sepolicy_cert=None, fsverity_tool=None):
  """Signs the given apex file."""
  with open(apex_file, 'rb') as input_fp:
    apex_data = input_fp.read()
@@ -81,11 +70,7 @@ def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
      no_hashtree=no_hashtree,
      apk_keys=apk_keys,
      signing_args=signing_args,
-      sign_tool=sign_tool,
+      sign_tool=sign_tool)
      is_sepolicy=apex_file.endswith(OPTIONS.sepolicy_name),
      sepolicy_key=sepolicy_key,
      sepolicy_cert=sepolicy_cert,
      fsverity_tool=fsverity_tool)
 def main(argv):
@@ -121,12 +106,6 @@ def main(argv):
        options['extra_apks'].update({n: key})
    elif o == '--sign_tool':
      options['sign_tool'] = a
    elif o == '--sepolicy_key':
      options['sepolicy_key'] = a
    elif o == '--sepolicy_cert':
      options['sepolicy_cert'] = a
    elif o == '--fsverity_tool':
      options['fsverity_tool'] = a
    else:
      return False
    return True
@@ -142,9 +121,6 @@ def main(argv):
          'payload_key=',
          'extra_apks=',
          'sign_tool=',
          'sepolicy_key=',
          'sepolicy_cert=',
          'fsverity_tool='
      ],
      extra_option_handler=option_handler)
@@ -165,10 +141,7 @@ def main(argv):
      signing_args=options.get('payload_extra_args'),
      codename_to_api_level_map=options.get(
          'codename_to_api_level_map', {}),
-      sign_tool=options.get('sign_tool', None),
+      sign_tool=options.get('sign_tool', None))
      sepolicy_key=options.get('sepolicy_key', None),
      sepolicy_cert=options.get('sepolicy_cert', None),
      fsverity_tool=options.get('fsverity_tool', None))
  shutil.copyfile(signed_apex, args[1])
  logger.info("done.")
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -137,15 +137,6 @@ Usage:  sign_target_files_apks [flags] input_target_files output_target_files
  --android_jar_path <path>
      Path to the android.jar to repack the apex file.
  --sepolicy_key <key>
      Optional flag that specifies the sepolicy signing key, defaults to payload_key for the sepolicy.apex.
  --sepolicy_cert <cert>
      Optional flag that specifies the sepolicy signing cert.
  --fsverity_tool <path>
      Optional flag that specifies the path to fsverity tool to sign SEPolicy, defaults to fsverity.
  --allow_gsi_debug_sepolicy
      Allow the existence of the file 'userdebug_plat_sepolicy.cil' under
      (/system/system_ext|/system_ext)/etc/selinux.
@@ -205,9 +196,6 @@ OPTIONS.gki_signing_extra_args = None
 OPTIONS.android_jar_path = None
 OPTIONS.vendor_partitions = set()
 OPTIONS.vendor_otatools = None
 OPTIONS.sepolicy_key = None
 OPTIONS.sepolicy_cert = None
 OPTIONS.fsverity_tool = None
 OPTIONS.allow_gsi_debug_sepolicy = False
@@ -246,8 +234,6 @@ ALLOWED_VENDOR_PARTITIONS = set(["vendor", "odm"])
 def IsApexFile(filename):
  return filename.endswith(".apex") or filename.endswith(".capex")
 def IsSepolicyApex(filename):
  return filename.endswith(OPTIONS.sepolicy_name)
 def GetApexFilename(filename):
  name = os.path.basename(filename)
@@ -270,24 +256,6 @@ def GetApkCerts(certmap):
  return certmap
 def GetSepolicyKeys(keys_info):
  """Gets SEPolicy signing keys applying overrides from command line options.
  Args:
    keys_info: A dict that maps from the SEPolicy APEX filename to a tuple of
    (sepolicy_key, sepolicy_cert, fsverity_tool).
  Returns:
    A dict that contains the updated APEX key mapping, which should be used for
    the current signing.
  """
  for name in keys_info:
      (sepolicy_key, sepolicy_cert, fsverity_tool) = keys_info[name]
      sepolicy_key = OPTIONS.sepolicy_key if OPTIONS.sepolicy_key else sepolicy_key
      sepolicy_cert = OPTIONS.sepolicy_cert if OPTIONS.sepolicy_cert else sepolicy_cert
      fsverity_tool = OPTIONS.fsverity_tool if OPTIONS.fsverity_tool else fsverity_tool
      keys_info[name] = (sepolicy_key, sepolicy_cert, fsverity_tool)
  return keys_info
 def GetApexKeys(keys_info, key_map):
  """Gets APEX payload and container signing keys by applying the mapping rules.
@@ -550,7 +518,7 @@ def IsBuildPropFile(filename):
 def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
                       apk_keys, apex_keys, key_passwords,
                       platform_api_level, codename_to_api_level_map,
-                       compressed_extension, sepolicy_keys):
+                       compressed_extension):
  # maxsize measures the maximum filename length, including the ones to be
  # skipped.
  try:
@@ -618,17 +586,6 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
        print("           : %-*s payload   (%s)" % (
            maxsize, name, payload_key))
        sepolicy_key = None
        sepolicy_cert = None
        fsverity_tool = None
        if IsSepolicyApex(name):
          (sepolicy_key, sepolicy_cert, fsverity_tool) = sepolicy_keys[name]
          print("           : %-*s sepolicy key   (%s)" % (
            maxsize, name, sepolicy_key))
          print("           : %-*s sepolicy cert  (%s)" % (
            maxsize, name, sepolicy_cert))
        signed_apex = apex_utils.SignApex(
            misc_info['avb_avbtool'],
            data,
@@ -639,11 +596,7 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
            codename_to_api_level_map,
            no_hashtree=None,  # Let apex_util determine if hash tree is needed
            signing_args=OPTIONS.avb_extra_args.get('apex'),
-            sign_tool=sign_tool,
+            sign_tool=sign_tool)
            is_sepolicy=IsSepolicyApex(name),
            sepolicy_key=sepolicy_key,
            sepolicy_cert=sepolicy_cert,
            fsverity_tool=fsverity_tool)
        common.ZipWrite(output_tf_zip, signed_apex, filename)
      else:
@@ -1253,24 +1206,20 @@ def GetCodenameToApiLevelMap(input_tf_zip):
 def ReadApexKeysInfo(tf_zip):
  """Parses the APEX keys info from a given target-files zip.
-  Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns
+  Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns a
-  two dicts, the first one contains the mapping from APEX names
+  dict that contains the mapping from APEX names (e.g. com.android.tzdata) to a
-  (e.g. com.android.tzdata) to a tuple of (payload_key, container_key,
+  tuple of (payload_key, container_key, sign_tool).
  sign_tool). The second one maps the sepolicy APEX name to a tuple containing
  (sepolicy_key, sepolicy_cert, fsverity_tool).
  Args:
    tf_zip: The input target_files ZipFile (already open).
  Returns:
-    name : (payload_key, container_key, sign_tool)
+    (payload_key, container_key, sign_tool):
      - payload_key contains the path to the payload signing key
      - container_key contains the path to the container signing key
      - sign_tool is an apex-specific signing tool for its payload contents
    name : (sepolicy_key, sepolicy_cert, fsverity_tool)
  """
  keys = {}
  sepolicy_keys = {}
  for line in tf_zip.read('META/apexkeys.txt').decode().split('\n'):
    line = line.strip()
    if not line:
@@ -1281,9 +1230,6 @@ def ReadApexKeysInfo(tf_zip):
        r'private_key="(?P<PAYLOAD_PRIVATE_KEY>.*)"\s+'
        r'container_certificate="(?P<CONTAINER_CERT>.*)"\s+'
        r'container_private_key="(?P<CONTAINER_PRIVATE_KEY>.*?)"'
        r'(\s+sepolicy_key="(?P<SEPOLICY_KEY>.*?)")?'
        r'(\s+sepolicy_certificate="(?P<SEPOLICY_CERT>.*?)")?'
        r'(\s+fsverity_tool="(?P<FSVERITY_TOOL>.*?)")?'
        r'(\s+partition="(?P<PARTITION>.*?)")?'
        r'(\s+sign_tool="(?P<SIGN_TOOL>.*?)")?$',
        line)
@@ -1312,18 +1258,12 @@ def ReadApexKeysInfo(tf_zip):
            container_private_key, OPTIONS.private_key_suffix):
      container_key = container_cert[:-len(OPTIONS.public_key_suffix)]
    else:
-      raise ValueError("Failed to parse container keys: \n{} **** {}".format(container_cert, container_private_key))
+      raise ValueError("Failed to parse container keys: \n{}".format(line))
    sign_tool = matches.group("SIGN_TOOL")
    keys[name] = (payload_private_key, container_key, sign_tool)
-    if IsSepolicyApex(name):
+  return keys
      sepolicy_key = matches.group('SEPOLICY_KEY')
      sepolicy_cert = matches.group('SEPOLICY_CERT')
      fsverity_tool = matches.group('FSVERITY_TOOL')
      sepolicy_keys[name] = (sepolicy_key, sepolicy_cert, fsverity_tool)
  return keys, sepolicy_keys
 def BuildVendorPartitions(output_zip_path):
@@ -1541,12 +1481,6 @@ def main(argv):
      OPTIONS.vendor_otatools = a
    elif o == "--vendor_partitions":
      OPTIONS.vendor_partitions = set(a.split(","))
    elif o == '--sepolicy_key':
      OPTIONS.sepolicy_key = a
    elif o == '--sepolicy_cert':
      OPTIONS.sepolicy_cert = a
    elif o == '--fsverity_tool':
      OPTIONS.fsverity_tool = a
    elif o == "--allow_gsi_debug_sepolicy":
      OPTIONS.allow_gsi_debug_sepolicy = True
    else:
@@ -1604,9 +1538,6 @@ def main(argv):
          "gki_signing_extra_args=",
          "vendor_partitions=",
          "vendor_otatools=",
          "sepolicy_key=",
          "sepolicy_cert=",
          "fsverity_tool=",
          "allow_gsi_debug_sepolicy",
      ],
      extra_option_handler=option_handler)
@@ -1629,9 +1560,8 @@ def main(argv):
  apk_keys_info, compressed_extension = common.ReadApkCerts(input_zip)
  apk_keys = GetApkCerts(apk_keys_info)
-  apex_keys_info, sepolicy_keys_info = ReadApexKeysInfo(input_zip)
+  apex_keys_info = ReadApexKeysInfo(input_zip)
  apex_keys = GetApexKeys(apex_keys_info, apk_keys)
  sepolicy_keys = GetSepolicyKeys(sepolicy_keys_info)
  # TODO(xunchang) check for the apks inside the apex files, and abort early if
  # the keys are not available.
@@ -1649,7 +1579,7 @@ def main(argv):
  ProcessTargetFiles(input_zip, output_zip, misc_info,
                     apk_keys, apex_keys, key_passwords,
                     platform_api_level, codename_to_api_level_map,
-                     compressed_extension, sepolicy_keys)
+                     compressed_extension)
  common.ZipClose(input_zip)
  common.ZipClose(output_zip)
--- a/tools/releasetools/test_sign_apex.py
+++ b/tools/releasetools/test_sign_apex.py
@@ -71,21 +71,3 @@ class SignApexTest(test_utils.ReleaseToolsTestCase):
        False,
        codename_to_api_level_map={'S': 31, 'Tiramisu' : 32})
    self.assertTrue(os.path.exists(signed_apex))
  @test_utils.SkipIfExternalToolsUnavailable()
  def test_SignApexWithSepolicy(self):
    test_apex = os.path.join(self.testdata_dir, 'sepolicy.apex')
    payload_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key')
    container_key = os.path.join(self.testdata_dir, 'testkey')
    sepolicy_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key')
    sepolicy_cert = os.path.join(self.testdata_dir, 'testkey.x509.pem')
    signed_test_apex = sign_apex.SignApexFile(
        'avbtool',
        test_apex,
        payload_key,
        container_key,
        False,
        None,
        sepolicy_key=sepolicy_key,
        sepolicy_cert=sepolicy_cert)
    self.assertTrue(os.path.exists(signed_test_apex))
--- a/tools/releasetools/test_sign_target_files_apks.py
+++ b/tools/releasetools/test_sign_target_files_apks.py
@@ -476,7 +476,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
      target_files_zip.writestr('META/apexkeys.txt', self.APEX_KEYS_TXT)
    with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
-      keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
+      keys_info = ReadApexKeysInfo(target_files_zip)
    self.assertEqual({
        'apex.apexd_test.apex': (
@@ -486,7 +486,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
            'build/make/target/product/security/testkey', None),
        }, keys_info)
    self.assertEqual({}, sepolicy_keys_info)
  def test_ReadApexKeysInfo_mismatchingContainerKeys(self):
    # Mismatching payload public / private keys.
@@ -516,7 +515,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
      target_files_zip.writestr('META/apexkeys.txt', apex_keys)
    with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
-      keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
+      keys_info = ReadApexKeysInfo(target_files_zip)
    self.assertEqual({
        'apex.apexd_test.apex': (
@@ -526,7 +525,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
            'build/make/target/product/security/testkey', None),
        }, keys_info)
    self.assertEqual({}, sepolicy_keys_info)
  def test_ReadApexKeysInfo_missingPayloadPublicKey(self):
    # Invalid lines will be skipped.
@@ -540,7 +538,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
      target_files_zip.writestr('META/apexkeys.txt', apex_keys)
    with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
-      keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
+      keys_info = ReadApexKeysInfo(target_files_zip)
    self.assertEqual({
        'apex.apexd_test.apex': (
@@ -550,7 +548,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
            'build/make/target/product/security/testkey', None),
        }, keys_info)
    self.assertEqual({}, sepolicy_keys_info)
  def test_ReadApexKeysInfo_presignedKeys(self):
    apex_keys = self.APEX_KEYS_TXT + (
@@ -564,7 +561,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
      target_files_zip.writestr('META/apexkeys.txt', apex_keys)
    with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
-      keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
+      keys_info = ReadApexKeysInfo(target_files_zip)
    self.assertEqual({
        'apex.apexd_test.apex': (
@@ -574,7 +571,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
            'build/make/target/product/security/testkey', None),
        }, keys_info)
    self.assertEqual({}, sepolicy_keys_info)
  def test_ReadApexKeysInfo_presignedKeys(self):
    apex_keys = self.APEX_KEYS_TXT + (
@@ -588,7 +584,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
      target_files_zip.writestr('META/apexkeys.txt', apex_keys)
    with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
-      keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
+      keys_info = ReadApexKeysInfo(target_files_zip)
    self.assertEqual({
        'apex.apexd_test.apex': (
@@ -598,72 +594,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
            'build/make/target/product/security/testkey', None),
        }, keys_info)
    self.assertEqual({}, sepolicy_keys_info)
  def test_ReadApexKeysInfo_withSepolicyKeys(self):
    apex_keys = self.APEX_KEYS_TXT + (
        'name="sepolicy.apex" '
        'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" '
        'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" '
        'container_certificate="build/make/target/product/security/testkey.x509.pem" '
        'container_private_key="build/make/target/product/security/testkey.pk8" '
        'sepolicy_key="build/make/target/product/security/testkey.key" '
        'sepolicy_certificate="build/make/target/product/security/testkey.x509.pem" '
        'fsverity_tool="fsverity"')
    target_files = common.MakeTempFile(suffix='.zip')
    with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip:
      target_files_zip.writestr('META/apexkeys.txt', apex_keys)
    with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
      keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
    self.assertEqual({
        'apex.apexd_test.apex': (
            'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem',
            'build/make/target/product/security/testkey', None),
        'apex.apexd_test_different_app.apex': (
            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
            'build/make/target/product/security/testkey', None),
        'sepolicy.apex': (
            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
            'build/make/target/product/security/testkey', None),
        }, keys_info)
    self.assertEqual({'sepolicy.apex': (
            'build/make/target/product/security/testkey.key',
            'build/make/target/product/security/testkey.x509.pem',
            'fsverity'),
        }, sepolicy_keys_info)
  def test_ReadApexKeysInfo_withSepolicyApex(self):
    apex_keys = self.APEX_KEYS_TXT + (
        'name="sepolicy.apex" '
        'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" '
        'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" '
        'container_certificate="build/make/target/product/security/testkey.x509.pem" '
        'container_private_key="build/make/target/product/security/testkey.pk8" ')
    target_files = common.MakeTempFile(suffix='.zip')
    with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip:
      target_files_zip.writestr('META/apexkeys.txt', apex_keys)
    with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
      keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
    self.assertEqual({
        'apex.apexd_test.apex': (
            'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem',
            'build/make/target/product/security/testkey', None),
        'apex.apexd_test_different_app.apex': (
            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
            'build/make/target/product/security/testkey', None),
        'sepolicy.apex': (
            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
            'build/make/target/product/security/testkey', None),
        }, keys_info)
    self.assertEqual({'sepolicy.apex': (
            None,
            None,
            None),
        }, sepolicy_keys_info)
  def test_ReplaceGkiSigningKey(self):
    common.OPTIONS.gki_signing_key = 'release_gki_key'
--- a/tools/releasetools/testdata/sepolicy.apex
+++ b/tools/releasetools/testdata/sepolicy.apex