Make change and version bump to TP1A.220414.001

Change-Id: Ic70c07d041acc1b13f08f61aa1c99b0b1ca06f54
Android Build Coastguard Worker
2022-04-14 01:00:34 +00:00
8 changed files with 34 additions and 290 deletions


@@ -18,4 +18,4 @@
# (like "CRB01"). It must be a single word, and is
# capitalized by convention.
BUILD_ID=TP1A.220413.003
BUILD_ID=TP1A.220414.001


@@ -54,7 +54,7 @@ class ApexSigningError(Exception):
class ApexApkSigner(object):
"""Class to sign the apk files and other files in an apex payload image and repack the apex"""
def __init__(self, apex_path, key_passwords, codename_to_api_level_map, avbtool=None, sign_tool=None, fsverity_tool=None):
def __init__(self, apex_path, key_passwords, codename_to_api_level_map, avbtool=None, sign_tool=None):
self.apex_path = apex_path
if not key_passwords:
self.key_passwords = dict()
@@ -65,9 +65,8 @@ class ApexApkSigner(object):
OPTIONS.search_path, "bin", "debugfs_static")
self.avbtool = avbtool if avbtool else "avbtool"
self.sign_tool = sign_tool
self.fsverity_tool = fsverity_tool if fsverity_tool else "fsverity"
def ProcessApexFile(self, apk_keys, payload_key, signing_args=None, is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None):
def ProcessApexFile(self, apk_keys, payload_key, signing_args=None):
"""Scans and signs the payload files and repack the apex
Args:
@@ -85,14 +84,10 @@ class ApexApkSigner(object):
self.debugfs_path, 'list', self.apex_path]
entries_names = common.RunAndCheckOutput(list_cmd).split()
apk_entries = [name for name in entries_names if name.endswith('.apk')]
sepolicy_entries = []
if is_sepolicy:
sepolicy_entries = [name for name in entries_names if
name.startswith('./etc/SEPolicy') and name.endswith('.zip')]
# No need to sign and repack, return the original apex path.
if not apk_entries and not sepolicy_entries and self.sign_tool is None:
logger.info('No payload (apk or zip) file to sign in %s', self.apex_path)
if not apk_entries and self.sign_tool is None:
logger.info('No apk file to sign in %s', self.apex_path)
return self.apex_path
for entry in apk_entries:
@@ -106,16 +101,15 @@ class ApexApkSigner(object):
logger.warning('Apk path does not contain the intended directory name:'
' %s', entry)
payload_dir, has_signed_content = self.ExtractApexPayloadAndSignContents(apk_entries,
apk_keys, payload_key, sepolicy_entries, sepolicy_key, sepolicy_cert, signing_args)
payload_dir, has_signed_content = self.ExtractApexPayloadAndSignContents(
apk_entries, apk_keys, payload_key, signing_args)
if not has_signed_content:
logger.info('No contents has been signed in %s', self.apex_path)
return self.apex_path
return self.RepackApexPayload(payload_dir, payload_key, signing_args)
def ExtractApexPayloadAndSignContents(self, apk_entries, apk_keys, payload_key,
sepolicy_entries, sepolicy_key, sepolicy_cert, signing_args):
def ExtractApexPayloadAndSignContents(self, apk_entries, apk_keys, payload_key, signing_args):
"""Extracts the payload image and signs the containing apk files."""
if not os.path.exists(self.debugfs_path):
raise ApexSigningError(
@@ -147,11 +141,6 @@ class ApexApkSigner(object):
codename_to_api_level_map=self.codename_to_api_level_map)
has_signed_content = True
for entry in sepolicy_entries:
sepolicy_key = sepolicy_key if sepolicy_key else payload_key
self.SignSePolicy(payload_dir, entry, sepolicy_key, sepolicy_cert)
has_signed_content = True
if self.sign_tool:
logger.info('Signing payload contents in apex %s with %s', self.apex_path, self.sign_tool)
# Pass avbtool to the custom signing tool
@@ -165,36 +154,6 @@ class ApexApkSigner(object):
return payload_dir, has_signed_content
def SignSePolicy(self, payload_dir, sepolicy_zip, sepolicy_key, sepolicy_cert):
sepolicy_sig = sepolicy_zip + '.sig'
sepolicy_fsv_sig = sepolicy_zip + '.fsv_sig'
policy_zip_path = os.path.join(payload_dir, sepolicy_zip)
sig_out_path = os.path.join(payload_dir, sepolicy_sig)
sig_old = sig_out_path + '.old'
if os.path.exists(sig_out_path):
os.rename(sig_out_path, sig_old)
sign_cmd = ['openssl', 'dgst', '-sign', sepolicy_key, '-keyform', 'PEM', '-sha256',
'-out', sig_out_path, '-binary', policy_zip_path]
common.RunAndCheckOutput(sign_cmd)
if os.path.exists(sig_old):
os.remove(sig_old)
if not sepolicy_cert:
logger.info('No cert provided for SEPolicy, skipping fsverity sign')
return
fsv_sig_out_path = os.path.join(payload_dir, sepolicy_fsv_sig)
fsv_sig_old = fsv_sig_out_path + '.old'
if os.path.exists(fsv_sig_out_path):
os.rename(fsv_sig_out_path, fsv_sig_old)
fsverity_cmd = [self.fsverity_tool, 'sign', policy_zip_path, fsv_sig_out_path,
'--key=' + sepolicy_key, '--cert=' + sepolicy_cert]
common.RunAndCheckOutput(fsverity_cmd)
if os.path.exists(fsv_sig_old):
os.remove(fsv_sig_old)
def RepackApexPayload(self, payload_dir, payload_key, signing_args=None):
"""Rebuilds the apex file with the updated payload directory."""
apex_dir = common.MakeTempDir()
@@ -365,9 +324,7 @@ def ParseApexPayloadInfo(avbtool, payload_path):
def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
container_pw, apk_keys, codename_to_api_level_map,
no_hashtree, signing_args=None, sign_tool=None,
is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None,
fsverity_tool=None):
no_hashtree, signing_args=None, sign_tool=None):
"""Signs the current uncompressed APEX with the given payload/container keys.
Args:
@@ -380,10 +337,6 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
no_hashtree: Don't include hashtree in the signed APEX.
signing_args: Additional args to be passed to the payload signer.
sign_tool: A tool to sign the contents of the APEX.
is_sepolicy: Indicates if the apex is a sepolicy.apex
sepolicy_key: Key to sign a sepolicy zip.
sepolicy_cert: Cert to sign a sepolicy zip.
fsverity_tool: fsverity path to sign sepolicy zip.
Returns:
The path to the signed APEX file.
@@ -392,9 +345,8 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
# the apex file after signing.
apk_signer = ApexApkSigner(apex_file, container_pw,
codename_to_api_level_map,
avbtool, sign_tool, fsverity_tool)
apex_file = apk_signer.ProcessApexFile(
apk_keys, payload_key, signing_args, is_sepolicy, sepolicy_key, sepolicy_cert)
avbtool, sign_tool)
apex_file = apk_signer.ProcessApexFile(apk_keys, payload_key, signing_args)
# 2a. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given
# payload_key.
@@ -448,9 +400,7 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
container_pw, apk_keys, codename_to_api_level_map,
no_hashtree, signing_args=None, sign_tool=None,
is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None,
fsverity_tool=None):
no_hashtree, signing_args=None, sign_tool=None):
"""Signs the current compressed APEX with the given payload/container keys.
Args:
@@ -462,10 +412,6 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
codename_to_api_level_map: A dict that maps from codename to API level.
no_hashtree: Don't include hashtree in the signed APEX.
signing_args: Additional args to be passed to the payload signer.
is_sepolicy: Indicates if the apex is a sepolicy.apex
sepolicy_key: Key to sign a sepolicy zip.
sepolicy_cert: Cert to sign a sepolicy zip.
fsverity_tool: fsverity path to sign sepolicy zip.
Returns:
The path to the signed APEX file.
@@ -492,11 +438,7 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
codename_to_api_level_map,
no_hashtree,
signing_args,
sign_tool,
is_sepolicy,
sepolicy_key,
sepolicy_cert,
fsverity_tool)
sign_tool)
# 3. Compress signed original apex.
compressed_apex_file = common.MakeTempFile(prefix='apex-container-',
@@ -524,8 +466,7 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
apk_keys, codename_to_api_level_map,
no_hashtree, signing_args=None, sign_tool=None,
is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None, fsverity_tool=None):
no_hashtree, signing_args=None, sign_tool=None):
"""Signs the current APEX with the given payload/container keys.
Args:
@@ -537,9 +478,6 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
codename_to_api_level_map: A dict that maps from codename to API level.
no_hashtree: Don't include hashtree in the signed APEX.
signing_args: Additional args to be passed to the payload signer.
sepolicy_key: Key to sign a sepolicy zip.
sepolicy_cert: Cert to sign a sepolicy zip.
fsverity_tool: fsverity path to sign sepolicy zip.
Returns:
The path to the signed APEX file.
@@ -565,11 +503,7 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
no_hashtree=no_hashtree,
apk_keys=apk_keys,
signing_args=signing_args,
sign_tool=sign_tool,
is_sepolicy=is_sepolicy,
sepolicy_key=sepolicy_key,
sepolicy_cert=sepolicy_cert,
fsverity_tool=fsverity_tool)
sign_tool=sign_tool)
elif apex_type == 'COMPRESSED':
return SignCompressedApex(
avbtool,
@@ -581,11 +515,7 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
no_hashtree=no_hashtree,
apk_keys=apk_keys,
signing_args=signing_args,
sign_tool=sign_tool,
is_sepolicy=is_sepolicy,
sepolicy_key=sepolicy_key,
sepolicy_cert=sepolicy_cert,
fsverity_tool=fsverity_tool)
sign_tool=sign_tool)
else:
# TODO(b/172912232): support signing compressed apex
raise ApexInfoError('Unsupported apex type {}'.format(apex_type))
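Review bot: `SignCompressedApex` and `SignApex` still take `sign_tool`, but their Args docstrings end at `signing_args`, so with the sepolicy entries removed the one remaining optional argument is undocumented in both. Add the line `SignUncompressedApex` already carries, `sign_tool: A tool to sign the contents of the APEX.`, to each docstring. The `# TODO(b/172912232): support signing compressed apex` above the final `raise` in `SignApex` also looks stale, since the `COMPRESSED` branch is handled just before it. That TODO is on an unchanged line, and the function bodies continue outside the visible hunks.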


@@ -97,7 +97,6 @@ class Options(object):
self.stash_threshold = 0.8
self.logfile = None
self.host_tools = {}
self.sepolicy_name = 'sepolicy.apex'
OPTIONS = Options()


@@ -42,15 +42,6 @@ Usage: sign_apex [flags] input_apex_file output_apex_file
--sign_tool <sign_tool>
Optional flag that specifies a custom signing tool for the contents of the apex.
--sepolicy_key <key>
Optional flag that specifies the sepolicy signing key, defaults to payload_key.
--sepolicy_cert <cert>
Optional flag that specifies the sepolicy signing cert.
--fsverity_tool <path>
Optional flag that specifies the path to fsverity tool to sign SEPolicy, defaults to fsverity.
"""
import logging
@@ -61,12 +52,10 @@ import apex_utils
import common
logger = logging.getLogger(__name__)
OPTIONS = common.OPTIONS
def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
apk_keys=None, signing_args=None, codename_to_api_level_map=None, sign_tool=None,
sepolicy_key=None, sepolicy_cert=None, fsverity_tool=None):
apk_keys=None, signing_args=None, codename_to_api_level_map=None, sign_tool=None):
"""Signs the given apex file."""
with open(apex_file, 'rb') as input_fp:
apex_data = input_fp.read()
@@ -81,11 +70,7 @@ def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
no_hashtree=no_hashtree,
apk_keys=apk_keys,
signing_args=signing_args,
sign_tool=sign_tool,
is_sepolicy=apex_file.endswith(OPTIONS.sepolicy_name),
sepolicy_key=sepolicy_key,
sepolicy_cert=sepolicy_cert,
fsverity_tool=fsverity_tool)
sign_tool=sign_tool)
def main(argv):
@@ -121,12 +106,6 @@ def main(argv):
options['extra_apks'].update({n: key})
elif o == '--sign_tool':
options['sign_tool'] = a
elif o == '--sepolicy_key':
options['sepolicy_key'] = a
elif o == '--sepolicy_cert':
options['sepolicy_cert'] = a
elif o == '--fsverity_tool':
options['fsverity_tool'] = a
else:
return False
return True
@@ -142,9 +121,6 @@ def main(argv):
'payload_key=',
'extra_apks=',
'sign_tool=',
'sepolicy_key=',
'sepolicy_cert=',
'fsverity_tool='
],
extra_option_handler=option_handler)
@@ -165,10 +141,7 @@ def main(argv):
signing_args=options.get('payload_extra_args'),
codename_to_api_level_map=options.get(
'codename_to_api_level_map', {}),
sign_tool=options.get('sign_tool', None),
sepolicy_key=options.get('sepolicy_key', None),
sepolicy_cert=options.get('sepolicy_cert', None),
fsverity_tool=options.get('fsverity_tool', None))
sign_tool=options.get('sign_tool', None))
shutil.copyfile(signed_apex, args[1])
logger.info("done.")


@@ -137,15 +137,6 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files
--android_jar_path <path>
Path to the android.jar to repack the apex file.
--sepolicy_key <key>
Optional flag that specifies the sepolicy signing key, defaults to payload_key for the sepolicy.apex.
--sepolicy_cert <cert>
Optional flag that specifies the sepolicy signing cert.
--fsverity_tool <path>
Optional flag that specifies the path to fsverity tool to sign SEPolicy, defaults to fsverity.
--allow_gsi_debug_sepolicy
Allow the existence of the file 'userdebug_plat_sepolicy.cil' under
(/system/system_ext|/system_ext)/etc/selinux.
@@ -205,9 +196,6 @@ OPTIONS.gki_signing_extra_args = None
OPTIONS.android_jar_path = None
OPTIONS.vendor_partitions = set()
OPTIONS.vendor_otatools = None
OPTIONS.sepolicy_key = None
OPTIONS.sepolicy_cert = None
OPTIONS.fsverity_tool = None
OPTIONS.allow_gsi_debug_sepolicy = False
@@ -246,8 +234,6 @@ ALLOWED_VENDOR_PARTITIONS = set(["vendor", "odm"])
def IsApexFile(filename):
return filename.endswith(".apex") or filename.endswith(".capex")
def IsSepolicyApex(filename):
return filename.endswith(OPTIONS.sepolicy_name)
def GetApexFilename(filename):
name = os.path.basename(filename)
@@ -270,24 +256,6 @@ def GetApkCerts(certmap):
return certmap
def GetSepolicyKeys(keys_info):
"""Gets SEPolicy signing keys applying overrides from command line options.
Args:
keys_info: A dict that maps from the SEPolicy APEX filename to a tuple of
(sepolicy_key, sepolicy_cert, fsverity_tool).
Returns:
A dict that contains the updated APEX key mapping, which should be used for
the current signing.
"""
for name in keys_info:
(sepolicy_key, sepolicy_cert, fsverity_tool) = keys_info[name]
sepolicy_key = OPTIONS.sepolicy_key if OPTIONS.sepolicy_key else sepolicy_key
sepolicy_cert = OPTIONS.sepolicy_cert if OPTIONS.sepolicy_cert else sepolicy_cert
fsverity_tool = OPTIONS.fsverity_tool if OPTIONS.fsverity_tool else fsverity_tool
keys_info[name] = (sepolicy_key, sepolicy_cert, fsverity_tool)
return keys_info
def GetApexKeys(keys_info, key_map):
"""Gets APEX payload and container signing keys by applying the mapping rules.
@@ -550,7 +518,7 @@ def IsBuildPropFile(filename):
def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
apk_keys, apex_keys, key_passwords,
platform_api_level, codename_to_api_level_map,
compressed_extension, sepolicy_keys):
compressed_extension):
# maxsize measures the maximum filename length, including the ones to be
# skipped.
try:
@@ -618,17 +586,6 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
print(" : %-*s payload (%s)" % (
maxsize, name, payload_key))
sepolicy_key = None
sepolicy_cert = None
fsverity_tool = None
if IsSepolicyApex(name):
(sepolicy_key, sepolicy_cert, fsverity_tool) = sepolicy_keys[name]
print(" : %-*s sepolicy key (%s)" % (
maxsize, name, sepolicy_key))
print(" : %-*s sepolicy cert (%s)" % (
maxsize, name, sepolicy_cert))
signed_apex = apex_utils.SignApex(
misc_info['avb_avbtool'],
data,
@@ -639,11 +596,7 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
codename_to_api_level_map,
no_hashtree=None, # Let apex_util determine if hash tree is needed
signing_args=OPTIONS.avb_extra_args.get('apex'),
sign_tool=sign_tool,
is_sepolicy=IsSepolicyApex(name),
sepolicy_key=sepolicy_key,
sepolicy_cert=sepolicy_cert,
fsverity_tool=fsverity_tool)
sign_tool=sign_tool)
common.ZipWrite(output_tf_zip, signed_apex, filename)
else:
@@ -1253,24 +1206,20 @@ def GetCodenameToApiLevelMap(input_tf_zip):
def ReadApexKeysInfo(tf_zip):
"""Parses the APEX keys info from a given target-files zip.
Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns
two dicts, the first one contains the mapping from APEX names
(e.g. com.android.tzdata) to a tuple of (payload_key, container_key,
sign_tool). The second one maps the sepolicy APEX name to a tuple containing
(sepolicy_key, sepolicy_cert, fsverity_tool).
Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns a
dict that contains the mapping from APEX names (e.g. com.android.tzdata) to a
tuple of (payload_key, container_key, sign_tool).
Args:
tf_zip: The input target_files ZipFile (already open).
Returns:
name : (payload_key, container_key, sign_tool)
(payload_key, container_key, sign_tool):
- payload_key contains the path to the payload signing key
- container_key contains the path to the container signing key
- sign_tool is an apex-specific signing tool for its payload contents
name : (sepolicy_key, sepolicy_cert, fsverity_tool)
"""
keys = {}
sepolicy_keys = {}
for line in tf_zip.read('META/apexkeys.txt').decode().split('\n'):
line = line.strip()
if not line:
@@ -1281,9 +1230,6 @@ def ReadApexKeysInfo(tf_zip):
r'private_key="(?P<PAYLOAD_PRIVATE_KEY>.*)"\s+'
r'container_certificate="(?P<CONTAINER_CERT>.*)"\s+'
r'container_private_key="(?P<CONTAINER_PRIVATE_KEY>.*?)"'
r'(\s+sepolicy_key="(?P<SEPOLICY_KEY>.*?)")?'
r'(\s+sepolicy_certificate="(?P<SEPOLICY_CERT>.*?)")?'
r'(\s+fsverity_tool="(?P<FSVERITY_TOOL>.*?)")?'
r'(\s+partition="(?P<PARTITION>.*?)")?'
r'(\s+sign_tool="(?P<SIGN_TOOL>.*?)")?$',
line)
@@ -1312,18 +1258,12 @@ def ReadApexKeysInfo(tf_zip):
container_private_key, OPTIONS.private_key_suffix):
container_key = container_cert[:-len(OPTIONS.public_key_suffix)]
else:
raise ValueError("Failed to parse container keys: \n{} **** {}".format(container_cert, container_private_key))
raise ValueError("Failed to parse container keys: \n{}".format(line))
sign_tool = matches.group("SIGN_TOOL")
keys[name] = (payload_private_key, container_key, sign_tool)
if IsSepolicyApex(name):
sepolicy_key = matches.group('SEPOLICY_KEY')
sepolicy_cert = matches.group('SEPOLICY_CERT')
fsverity_tool = matches.group('FSVERITY_TOOL')
sepolicy_keys[name] = (sepolicy_key, sepolicy_cert, fsverity_tool)
return keys, sepolicy_keys
return keys
def BuildVendorPartitions(output_zip_path):
@@ -1541,12 +1481,6 @@ def main(argv):
OPTIONS.vendor_otatools = a
elif o == "--vendor_partitions":
OPTIONS.vendor_partitions = set(a.split(","))
elif o == '--sepolicy_key':
OPTIONS.sepolicy_key = a
elif o == '--sepolicy_cert':
OPTIONS.sepolicy_cert = a
elif o == '--fsverity_tool':
OPTIONS.fsverity_tool = a
elif o == "--allow_gsi_debug_sepolicy":
OPTIONS.allow_gsi_debug_sepolicy = True
else:
@@ -1604,9 +1538,6 @@ def main(argv):
"gki_signing_extra_args=",
"vendor_partitions=",
"vendor_otatools=",
"sepolicy_key=",
"sepolicy_cert=",
"fsverity_tool=",
"allow_gsi_debug_sepolicy",
],
extra_option_handler=option_handler)
@@ -1629,9 +1560,8 @@ def main(argv):
apk_keys_info, compressed_extension = common.ReadApkCerts(input_zip)
apk_keys = GetApkCerts(apk_keys_info)
apex_keys_info, sepolicy_keys_info = ReadApexKeysInfo(input_zip)
apex_keys_info = ReadApexKeysInfo(input_zip)
apex_keys = GetApexKeys(apex_keys_info, apk_keys)
sepolicy_keys = GetSepolicyKeys(sepolicy_keys_info)
# TODO(xunchang) check for the apks inside the apex files, and abort early if
# the keys are not available.
@@ -1649,7 +1579,7 @@ def main(argv):
ProcessTargetFiles(input_zip, output_zip, misc_info,
apk_keys, apex_keys, key_passwords,
platform_api_level, codename_to_api_level_map,
compressed_extension, sepolicy_keys)
compressed_extension)
common.ZipClose(input_zip)
common.ZipClose(output_zip)
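Review bot: In the `ReadApexKeysInfo` pattern hunk the value groups are `.*` and `.*?`, which also match `"`. With the optional `sepolicy_key`/`sepolicy_certificate`/`fsverity_tool` groups gone, an `apexkeys.txt` line that still carries one of those attributes is therefore not rejected as unknown: the lazy `CONTAINER_PRIVATE_KEY` group can stretch across the extra attribute to reach `$`. The suffix check in the following hunk would then most likely raise "Failed to parse container keys", which blames the wrong field. Restricting each value to non-quote characters, e.g. `r'container_private_key="(?P<CONTAINER_PRIVATE_KEY>[^"]*)"'`, keeps one attribute from swallowing another. The handling of a non-matching line lies outside the hunk, so check that a non-empty line which fails to match is reported rather than skipped, since this file decides which keys sign each APEX.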


@@ -71,21 +71,3 @@ class SignApexTest(test_utils.ReleaseToolsTestCase):
False,
codename_to_api_level_map={'S': 31, 'Tiramisu' : 32})
self.assertTrue(os.path.exists(signed_apex))
@test_utils.SkipIfExternalToolsUnavailable()
def test_SignApexWithSepolicy(self):
test_apex = os.path.join(self.testdata_dir, 'sepolicy.apex')
payload_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key')
container_key = os.path.join(self.testdata_dir, 'testkey')
sepolicy_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key')
sepolicy_cert = os.path.join(self.testdata_dir, 'testkey.x509.pem')
signed_test_apex = sign_apex.SignApexFile(
'avbtool',
test_apex,
payload_key,
container_key,
False,
None,
sepolicy_key=sepolicy_key,
sepolicy_cert=sepolicy_cert)
self.assertTrue(os.path.exists(signed_test_apex))


@@ -476,7 +476,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
target_files_zip.writestr('META/apexkeys.txt', self.APEX_KEYS_TXT)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
@@ -486,7 +486,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
self.assertEqual({}, sepolicy_keys_info)
def test_ReadApexKeysInfo_mismatchingContainerKeys(self):
# Mismatching payload public / private keys.
@@ -516,7 +515,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
@@ -526,7 +525,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
self.assertEqual({}, sepolicy_keys_info)
def test_ReadApexKeysInfo_missingPayloadPublicKey(self):
# Invalid lines will be skipped.
@@ -540,7 +538,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
@@ -550,7 +548,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
self.assertEqual({}, sepolicy_keys_info)
def test_ReadApexKeysInfo_presignedKeys(self):
apex_keys = self.APEX_KEYS_TXT + (
@@ -564,7 +561,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
@@ -574,7 +571,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
self.assertEqual({}, sepolicy_keys_info)
def test_ReadApexKeysInfo_presignedKeys(self):
apex_keys = self.APEX_KEYS_TXT + (
@@ -588,7 +584,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
@@ -598,72 +594,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
self.assertEqual({}, sepolicy_keys_info)
def test_ReadApexKeysInfo_withSepolicyKeys(self):
apex_keys = self.APEX_KEYS_TXT + (
'name="sepolicy.apex" '
'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" '
'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" '
'container_certificate="build/make/target/product/security/testkey.x509.pem" '
'container_private_key="build/make/target/product/security/testkey.pk8" '
'sepolicy_key="build/make/target/product/security/testkey.key" '
'sepolicy_certificate="build/make/target/product/security/testkey.x509.pem" '
'fsverity_tool="fsverity"')
target_files = common.MakeTempFile(suffix='.zip')
with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip:
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem',
'build/make/target/product/security/testkey', None),
'apex.apexd_test_different_app.apex': (
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
'sepolicy.apex': (
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
self.assertEqual({'sepolicy.apex': (
'build/make/target/product/security/testkey.key',
'build/make/target/product/security/testkey.x509.pem',
'fsverity'),
}, sepolicy_keys_info)
def test_ReadApexKeysInfo_withSepolicyApex(self):
apex_keys = self.APEX_KEYS_TXT + (
'name="sepolicy.apex" '
'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" '
'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" '
'container_certificate="build/make/target/product/security/testkey.x509.pem" '
'container_private_key="build/make/target/product/security/testkey.pk8" ')
target_files = common.MakeTempFile(suffix='.zip')
with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip:
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem',
'build/make/target/product/security/testkey', None),
'apex.apexd_test_different_app.apex': (
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
'sepolicy.apex': (
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
self.assertEqual({'sepolicy.apex': (
None,
None,
None),
}, sepolicy_keys_info)
def test_ReplaceGkiSigningKey(self):
common.OPTIONS.gki_signing_key = 'release_gki_key'
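Review bot: `test_ReadApexKeysInfo_presignedKeys` is defined twice in this class; the `def` line appears as context at the end of two consecutive hunks. The second definition replaces the first on the class, so the first test body never runs and one `ReadApexKeysInfo` case is silently uncovered. Rename one of them after the fixture it actually appends to `APEX_KEYS_TXT`; the fixture bodies are outside the hunks, so the right name has to come from the file. The commit touches the assertions in both tests, which makes this a convenient place to fix it.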

Binary file not shown.