If an OTA contains compressed APEX inside it, then the device will need
to allocate space on /data partition for their decompression. In order
to calculate how much space the OTA process needs to allocate, the
process needs more information about the APEX contained inside the OTA.
In this CL, we are adding functionality to the OTA generation script
that allows us to gather information about the APEX stored inside the
target-file zip. However, we did not integrate the new functionality
with the ota_from_target_files.py scrip yet. That will be done on follow
up CL.
Bug: 172911822
Test: atest releasetools_py3_test
Change-Id: I2ac42018f628c2c21527b3e086be1f4e7e7247ad
Logic for signing compressed apex will be added in the follow-up cl.
Test: python -m unittest test_sign_apex
Bug: 172912232
Change-Id: I8dc1d334c17e11f9eed8fe0a575b6dfcf337ab5d
When opening an zip file through zipfile.ZipFile(), python2 by default
disables zip64 support. To support update files >4GB, we manually add
allowZip64 to override the setting.
Test: generate && serve an OTA
Change-Id: I9645e963ced830cc2d3a4b72bc63b9369a1cefe8
When signing APks on build server, there might not be an android repo.
Usually deapexer.py will be run from otatools.zip after exctration. So
we should look for debugfs_static in search path
Bug: 165347497
Test: Use sign_apk_from_target_files without android repo
Change-Id: Ifaf91764ca0dc08d010f43a24bfe975a07a71e7f
When signing APks on build server, there might not be an android repo.
Usually deapexer.py will be run from otatools.zip after exctration. So
we should look for debugfs_static in search path
Bug: 165347497
Test: Sign using self-service
Change-Id: I608870b0184bd8f5f07afa53355b39de47a97e1c
When sign_apex.py re-signs an apex, the hash algorithm is extracted and
it is used when re-packaging the file.
Bug: 155771970
Test: releasetools_py3_test doesn't regress
(some tests were failed, but they failed even without this change:
test_ApexApkSigner_apkKeyNotPresent (test_apex_utils.ApexUtilsTest) ... ERROR
test_ApexApkSigner_noApkPresent (test_apex_utils.ApexUtilsTest) ... ERROR
test_ApexApkSigner_noAssetDir (test_apex_utils.ApexUtilsTest) ... ERROR
test_ApexApkSigner_signApk (test_apex_utils.ApexUtilsTest) ... ERROR)
Merged-In: I996a33e0208d3dd3a04a31b8dafb27ef995297f2
Change-Id: I996a33e0208d3dd3a04a31b8dafb27ef995297f2
(cherry picked from commit a1887f326c)
When sign_apex.py re-signs an apex, the hash algorithm is extracted and
it is used when re-packaging the file.
Bug: 155771970
Test: releasetools_py3_test doesn't regress
(some tests were failed, but they failed even without this change:
test_ApexApkSigner_apkKeyNotPresent (test_apex_utils.ApexUtilsTest) ... ERROR
test_ApexApkSigner_noApkPresent (test_apex_utils.ApexUtilsTest) ... ERROR
test_ApexApkSigner_noAssetDir (test_apex_utils.ApexUtilsTest) ... ERROR
test_ApexApkSigner_signApk (test_apex_utils.ApexUtilsTest) ... ERROR)
Change-Id: I996a33e0208d3dd3a04a31b8dafb27ef995297f2
When doing apk-in-apex signing, the package name is not reserved
during the apex repacking. As a result, the name accidentally
reverts to 'com.android.wifi' from 'com.google.android.wifi'.
This cl changes the behavior to call 'apexer' by passing the
'--payload_only' argument. So we don't build the apex file from
scratch and the old AndroidManifest.xml will be reused.
BUG: 152084536
Test: unit tests pass
Change-Id: I8332b2ee84832fb196f2e1c4309abac5ab92e153
Merged-In: I8332b2ee84832fb196f2e1c4309abac5ab92e153
When doing apk-in-apex signing, the package name is not reserved
during the apex repacking. As a result, the name accidentally
reverts to 'com.android.wifi' from 'com.google.android.wifi'.
This cl changes the behavior to call 'apexer' by passing the
'--payload_only' argument. So we don't build the apex file from
scratch and the old AndroidManifest.xml will be reused.
Test: 152084536
Bug: unit tests pass
Change-Id: I8332b2ee84832fb196f2e1c4309abac5ab92e153
We should add quote when passing the signing arguments to apexer. So
the final argument whould look like
apexer ... --signing_args "--signing_helper_with_files=%path"
And the argument parser in avbtool will eventually parse the
"--signing_helper_with_files" correctly.
Bug: 148627666
Test: unittest pass, run a smoke sign_target_files_apk with signing arguments
Change-Id: Ie203d26a508cb98ca94e6c364a2640b681ad79f2
In the build signing environment, we don't necessary have access to the
physical private key. And we work around it by passing an extra
signing_helper to the avbtool instead of a private key. Since we need
to perform signing to add the hashtree footer when rebuilding the apex
image. We should propogate the signing_helper to apexer and eventually
to avbtool.
Bug: 148627666
Test: unit tests pass. Smoke test by pass a public key to apexer and
hardcode the private key in signing helper script.
Change-Id: I56d57485493a5ba2cbe4c49e493ee9604f68088b
We should only provide the --assets_dir option when the assets directory
is available in the original apex.
Bug: 148452817
Test: unit tests pass
Change-Id: I44308b80a43ff3f441223f0ecc248991d1d83f31
So when $ANDROID_BUILD_TOP is missing, the error message print out the
path of the missing file; instead of a type error.
Bug: 148452817
Test: check result with missing ANDROID_BUILD_TOP
Change-Id: I5f841f6626eb3843364f20e78b278d3244505396
Some apex payload images contain apk files. And these apks need to be
signed during the signing processed when sign_target_files_apks is
called. To support the signing, we can extract the payload and repack
the apex file with the (de)apexer tool. Add the signing support in the
apex_util.
Bug: 146508800
Test: unit tests pass, run sign_apex, sign_target_files_apks
Change-Id: If6d58975248709a144b07dbabf47c27916e5695e
Bug: 139957269
Test: Sign a target_files.zip. Extract a re-signed APEX and check the
hashtree size (being zero).
Test: Use sign_apex to sign an APEX file. Check the hashtree size (not
being zero).
Test: python -m unittest test_apex_utils
Test: python -m unittest test_sign_apex
Change-Id: I927b7681d66920d7732b700ec3a8f7a65b4cb351
The avb_pubkey may not be present, if the apex was initially
unsigned or generated from a bundle. In this case, running
sign_apex to generate a signed apex binary would result in an error.
This fix checks for presense of avbpubkey before attempting the
deletion
BUG: 139994107
Change-Id: I3cb2e88a11ad8797e38ba5fb98c96a4ec4135fc8
This allows a consistent logic in using the avbtool which could be
board-specific.
Test: `atest releasetools_test`
Test: Run sign_target_files_apks.py on a target_files.zip.
Change-Id: I8cd93b8e71146985734f85c31f4662f5e2e9534c
In order to get a Python 2 and 3 compatible re-raise behavior, this CL
removes the stack traceback for the lines within apex_util module (i.e.
sys.exc_info()[2]). It's not a big loss in practice, since we only have
one line within the try-except block (`common.RunAndCheckOutput()`)
that's no longer reported in the traceback.
Using `six` module could better solve this, but only after building
releasetools as python_binary_host modules where we can properly handle
the module dependency.
Bug: 131631303
Test: TreeHugger
Test: `python -m unittest test_apex_utils`
Test: `python3 -m unittest test_apex_utils`
Change-Id: I0c5a72ec9fad5ff9d8c9c94d29e813e433ec2921
This CL moves SignApex() from sign_target_files_apks into apex_utils,
and adds sign_apex that allows signing a standalone APEX file directly.
Test: Run the following command and check the output file.
$ build/make/tools/releasetools/sign_apex.py \
-v \
--container_key \
build/make/target/product/security/testkey.x509.pem \
--payload_key external/avb/test/data/testkey_rsa4096.pem \
--payload_extra_args \
"--signing_helper_with_files ./signing-helper.sh" \
foo.apex \
signed-foo.apex
Test: Run sign_target_files_apks.py on crosshatch target_files.zip.
Change-Id: I4b2422fd5cb1c60a3aa94511475e2a0e5b1666ca
