releasetools: PRESIGNED APEX container entails PRESIGNED payload.
We used to require explicitly setting both (e.g. `-e foo.apex=` and `--extra_apex_payload_key foo.apex=` to skip signing `foo.apex`). This CL allows specifying `-e` alone to achieve the same result. However, if a conflicting `--extra_apex_payload_key` is also specified, that would be considered as a config error. Bug: 131153746 Test: Run sign_target_files_apks.py with `-e foo.apex=` alone to skip signing foo.apex. Test: Run sign_target_files_apks.py with `-e foo.apex=` and `--extra_apex_payload_key foo.apex=key` and expect assertion error. Change-Id: Ia747f59ee726b60bdb1445024e749320171064c2
@@ -176,6 +176,9 @@ def GetApexKeys(keys_info, key_map):
|
|||||||
Returns:
|
Returns:
|
||||||
A dict that contains the updated APEX key mapping, which should be used for
|
A dict that contains the updated APEX key mapping, which should be used for
|
||||||
the current signing.
|
the current signing.
|
||||||
|
|
||||||
|
Raises:
|
||||||
|
AssertionError: On invalid container / payload key overrides.
|
||||||
"""
|
"""
|
||||||
# Apply all the --extra_apex_payload_key options to override the payload
|
# Apply all the --extra_apex_payload_key options to override the payload
|
||||||
# signing keys in the given keys_info.
|
# signing keys in the given keys_info.
|
||||||
@@ -197,6 +200,24 @@ def GetApexKeys(keys_info, key_map):
|
|||||||
key = 'PRESIGNED'
|
key = 'PRESIGNED'
|
||||||
keys_info[apex] = (keys_info[apex][0], key_map.get(key, key))
|
keys_info[apex] = (keys_info[apex][0], key_map.get(key, key))
|
||||||
|
|
||||||
|
# A PRESIGNED container entails a PRESIGNED payload. Apply this to all the
|
||||||
|
# APEX key pairs. However, a PRESIGNED container with non-PRESIGNED payload
|
||||||
|
# (overridden via commandline) indicates a config error, which should not be
|
||||||
|
# allowed.
|
||||||
|
for apex, (payload_key, container_key) in keys_info.items():
|
||||||
|
if container_key != 'PRESIGNED':
|
||||||
|
continue
|
||||||
|
if apex in OPTIONS.extra_apex_payload_keys:
|
||||||
|
payload_override = OPTIONS.extra_apex_payload_keys[apex]
|
||||||
|
assert payload_override == '', \
|
||||||
|
("Invalid APEX key overrides: {} has PRESIGNED container but "
|
||||||
|
"non-PRESIGNED payload key {}").format(apex, payload_override)
|
||||||
|
if payload_key != 'PRESIGNED':
|
||||||
|
print(
|
||||||
|
"Setting {} payload as PRESIGNED due to PRESIGNED container".format(
|
||||||
|
apex))
|
||||||
|
keys_info[apex] = ('PRESIGNED', 'PRESIGNED')
|
||||||
|
|
||||||
return keys_info
|
return keys_info
|
||||||
|
|
||||||
|
|
||||||
@@ -289,7 +310,9 @@ def CheckApkAndApexKeysAvailable(input_tf_zip, known_keys,
|
|||||||
"not sign this apk).".format("\n ".join(unknown_files)))
|
"not sign this apk).".format("\n ".join(unknown_files)))
|
||||||
|
|
||||||
# For all the APEXes, double check that we won't have an APEX that has only
|
# For all the APEXes, double check that we won't have an APEX that has only
|
||||||
# one of the payload / container keys set.
|
# one of the payload / container keys set. Note that non-PRESIGNED container
|
||||||
|
# with PRESIGNED payload could be allowed but currently unsupported. It would
|
||||||
|
# require changing SignApex implementation.
|
||||||
if not apex_keys:
|
if not apex_keys:
|
||||||
return
|
return
|
||||||
|
|
||||||
|
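Review bot: The conflict check added to the new loop in GetApexKeys is a bare `assert payload_override == ''`, which is stripped when the script runs under `python -O` or with `PYTHONOPTIMIZE` set. In that case a PRESIGNED container with a non-empty `--extra_apex_payload_key` override falls through to `keys_info[apex] = ('PRESIGNED', 'PRESIGNED')`, and the payload key the operator asked for is dropped, with at most the print line as a trace. A release-signing check should not depend on interpreter flags: `if payload_override != '': raise AssertionError("Invalid APEX key overrides: ...".format(apex, payload_override))` keeps the exception type that the new `Raises:` docstring documents. GetApexKeys begins outside the hunk, so how the override is applied to `keys_info` before this loop is not visible here.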