diff --git a/tools/releasetools/apex_utils.py b/tools/releasetools/apex_utils.py index 51ec434196..211af0a0d1 100644 --- a/tools/releasetools/apex_utils.py +++ b/tools/releasetools/apex_utils.py @@ -52,9 +52,9 @@ class ApexSigningError(Exception): class ApexApkSigner(object): - """Class to sign the apk files in a apex payload image and repack the apex""" + """Class to sign the apk files and other files in an apex payload image and repack the apex""" - def __init__(self, apex_path, key_passwords, codename_to_api_level_map): + def __init__(self, apex_path, key_passwords, codename_to_api_level_map, avbtool=None, sign_tool=None): self.apex_path = apex_path if not key_passwords: self.key_passwords = dict() @@ -63,9 +63,11 @@ class ApexApkSigner(object): self.codename_to_api_level_map = codename_to_api_level_map self.debugfs_path = os.path.join( OPTIONS.search_path, "bin", "debugfs_static") + self.avbtool = avbtool if avbtool else "avbtool" + self.sign_tool = sign_tool def ProcessApexFile(self, apk_keys, payload_key, signing_args=None): - """Scans and signs the apk files and repack the apex + """Scans and signs the payload files and repack the apex Args: apk_keys: A dict that holds the signing keys for apk files. @@ -84,7 +86,7 @@ class ApexApkSigner(object): apk_entries = [name for name in entries_names if name.endswith('.apk')] # No need to sign and repack, return the original apex path. - if not apk_entries: + if not apk_entries and self.sign_tool is None: logger.info('No apk file to sign in %s', self.apex_path) return self.apex_path @@ -99,15 +101,15 @@ class ApexApkSigner(object): logger.warning('Apk path does not contain the intended directory name:' ' %s', entry) - payload_dir, has_signed_apk = self.ExtractApexPayloadAndSignApks( - apk_entries, apk_keys) - if not has_signed_apk: - logger.info('No apk file has been signed in %s', self.apex_path) + payload_dir, has_signed_content = self.ExtractApexPayloadAndSignContents( + apk_entries, apk_keys, payload_key) + if not has_signed_content: + logger.info('No contents has been signed in %s', self.apex_path) return self.apex_path return self.RepackApexPayload(payload_dir, payload_key, signing_args) - def ExtractApexPayloadAndSignApks(self, apk_entries, apk_keys): + def ExtractApexPayloadAndSignContents(self, apk_entries, apk_keys, payload_key): """Extracts the payload image and signs the containing apk files.""" if not os.path.exists(self.debugfs_path): raise ApexSigningError( @@ -119,7 +121,7 @@ class ApexApkSigner(object): self.debugfs_path, 'extract', self.apex_path, payload_dir] common.RunAndCheckOutput(extract_cmd) - has_signed_apk = False + has_signed_content = False for entry in apk_entries: apk_path = os.path.join(payload_dir, entry) assert os.path.exists(self.apex_path) @@ -137,8 +139,14 @@ class ApexApkSigner(object): common.SignFile( unsigned_apk, apk_path, key_name, self.key_passwords.get(key_name), codename_to_api_level_map=self.codename_to_api_level_map) - has_signed_apk = True - return payload_dir, has_signed_apk + has_signed_content = True + + if self.sign_tool: + cmd = [self.sign_tool, '--avbtool', self.avbtool, payload_key, payload_dir] + common.RunAndCheckOutput(cmd) + has_signed_content = True + + return payload_dir, has_signed_content def RepackApexPayload(self, payload_dir, payload_key, signing_args=None): """Rebuilds the apex file with the updated payload directory.""" @@ -310,7 +318,7 @@ def ParseApexPayloadInfo(avbtool, payload_path): def SignUncompressedApex(avbtool, apex_file, payload_key, container_key, container_pw, apk_keys, codename_to_api_level_map, - no_hashtree, signing_args=None): + no_hashtree, signing_args=None, sign_tool=None): """Signs the current uncompressed APEX with the given payload/container keys. Args: @@ -322,14 +330,16 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key, codename_to_api_level_map: A dict that maps from codename to API level. no_hashtree: Don't include hashtree in the signed APEX. signing_args: Additional args to be passed to the payload signer. + sign_tool: A tool to sign the contents of the APEX. Returns: The path to the signed APEX file. """ - # 1. Extract the apex payload image and sign the containing apk files. Repack + # 1. Extract the apex payload image and sign the files (e.g. APKs). Repack # the apex file after signing. apk_signer = ApexApkSigner(apex_file, container_pw, - codename_to_api_level_map) + codename_to_api_level_map, + avbtool, sign_tool) apex_file = apk_signer.ProcessApexFile(apk_keys, payload_key, signing_args) # 2a. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given @@ -384,7 +394,7 @@ def SignUncompressedApex(avbtool, apex_file, payload_key, container_key, def SignCompressedApex(avbtool, apex_file, payload_key, container_key, container_pw, apk_keys, codename_to_api_level_map, - no_hashtree, signing_args=None): + no_hashtree, signing_args=None, sign_tool=None): """Signs the current compressed APEX with the given payload/container keys. Args: @@ -421,7 +431,8 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key, apk_keys, codename_to_api_level_map, no_hashtree, - signing_args) + signing_args, + sign_tool) # 3. Compress signed original apex. compressed_apex_file = common.MakeTempFile(prefix='apex-container-', @@ -449,7 +460,7 @@ def SignCompressedApex(avbtool, apex_file, payload_key, container_key, def SignApex(avbtool, apex_data, payload_key, container_key, container_pw, apk_keys, codename_to_api_level_map, - no_hashtree, signing_args=None): + no_hashtree, signing_args=None, sign_tool=None): """Signs the current APEX with the given payload/container keys. Args: @@ -485,7 +496,8 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw, codename_to_api_level_map=codename_to_api_level_map, no_hashtree=no_hashtree, apk_keys=apk_keys, - signing_args=signing_args) + signing_args=signing_args, + sign_tool=sign_tool) elif apex_type == 'COMPRESSED': return SignCompressedApex( avbtool, @@ -496,7 +508,8 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw, codename_to_api_level_map=codename_to_api_level_map, no_hashtree=no_hashtree, apk_keys=apk_keys, - signing_args=signing_args) + signing_args=signing_args, + sign_tool=sign_tool) else: # TODO(b/172912232): support signing compressed apex raise ApexInfoError('Unsupported apex type {}'.format(apex_type)) diff --git a/tools/releasetools/sign_apex.py b/tools/releasetools/sign_apex.py index fb947f4ec6..679f57ad5e 100755 --- a/tools/releasetools/sign_apex.py +++ b/tools/releasetools/sign_apex.py @@ -39,6 +39,9 @@ Usage: sign_apex [flags] input_apex_file output_apex_file --codename_to_api_level_map Q:29,R:30,... A Mapping of codename to api level. This is useful to provide sdk targeting information to APK Signer. + + --sign_tool + Optional flag that specifies a custom signing tool for the contents of the apex. """ import logging @@ -52,7 +55,7 @@ logger = logging.getLogger(__name__) def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree, - apk_keys=None, signing_args=None, codename_to_api_level_map=None): + apk_keys=None, signing_args=None, codename_to_api_level_map=None, sign_tool=None): """Signs the given apex file.""" with open(apex_file, 'rb') as input_fp: apex_data = input_fp.read() @@ -66,7 +69,8 @@ def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree, codename_to_api_level_map=codename_to_api_level_map, no_hashtree=no_hashtree, apk_keys=apk_keys, - signing_args=signing_args) + signing_args=signing_args, + sign_tool=sign_tool) def main(argv): @@ -100,6 +104,8 @@ def main(argv): if 'extra_apks' not in options: options['extra_apks'] = {} options['extra_apks'].update({n: key}) + elif o == '--sign_tool': + options['sign_tool'] = a else: return False return True @@ -114,6 +120,7 @@ def main(argv): 'payload_extra_args=', 'payload_key=', 'extra_apks=', + 'sign_tool=', ], extra_option_handler=option_handler) @@ -133,7 +140,8 @@ def main(argv): apk_keys=options.get('extra_apks', {}), signing_args=options.get('payload_extra_args'), codename_to_api_level_map=options.get( - 'codename_to_api_level_map', {})) + 'codename_to_api_level_map', {}), + sign_tool=options['sign_tool']) shutil.copyfile(signed_apex, args[1]) logger.info("done.") diff --git a/tools/releasetools/test_apex_utils.py b/tools/releasetools/test_apex_utils.py index 71f643378d..ed920f28d7 100644 --- a/tools/releasetools/test_apex_utils.py +++ b/tools/releasetools/test_apex_utils.py @@ -187,3 +187,19 @@ class ApexUtilsTest(test_utils.ReleaseToolsTestCase): self.payload_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key') signer.ProcessApexFile(apk_keys, self.payload_key) + + @test_utils.SkipIfExternalToolsUnavailable() + def test_ApexApkSigner_invokesCustomSignTool(self): + apex_path = common.MakeTempFile(suffix='.apex') + shutil.copy(self.apex_with_apk, apex_path) + apk_keys = {'wifi-service-resources.apk': os.path.join( + self.testdata_dir, 'testkey')} + self.payload_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key') + + # pass `false` as a sign_tool to see the invocation error + with self.assertRaises(common.ExternalError) as cm: + signer = apex_utils.ApexApkSigner(apex_path, None, None, sign_tool='false') + signer.ProcessApexFile(apk_keys, self.payload_key) + + the_exception = cm.exception + self.assertIn('Failed to run command \'[\'false\'', the_exception.message)