Equivalent to PRODUCT_EXTRA_RECOVERY_KEYS but for A/B OTA.
Bug: 211848136
Test: set PRODUCT_EXTRA_OTA_KEYS and check otacerts.zip
Change-Id: I81e27d12a22b405f6227b09c01ed684dfcede19e
Currently when running sign_target_files_apks on a no-system-image
target, it will raise the following error:
ValueError: max() arg is an empty sequence
This is because there is no APK files in the target_files.zip.
Fixing this by setting maxsize to zero in this case.
Bug: 213028932
Test: lunch gki_arm64-userdebug; make dist
Test: sign_target_files_apks \
--gki_signing_key=external/avb/test/data/testkey_rsa4096.pem \
--gki_signing_algorithm=SHA256_RSA4096 \
--gki_signing_extra_args="--prop gki:prop1 --prop gki:prop2" \
./out/dist/*-target_files-eng.*.zip signed.zip
Change-Id: I40daecbc2ff3f89d3e635d1a4a1c1dea31ba9a27
This new init_boot.img contains the ramdisk that used to reside in the
boot.img file.
Test: set BOARD_PREBUILT_INIT_BOOT_IMAGE to an external init_boot.img
- Check that "m" pulls in the init_boot.img to
out/target/product/vsoc_x86_64/
- Check that "m dist" adds the init_boot.img to
aosp_cf_x86_64_phone-img-eng.devinmoore.zip
Test: atest --host releasetools_test
Bug: 203698939
Change-Id: If7ef2cf093e5e525529c7c44333c0f40f6ba0764
When an APEX specifies its custom signing tool (custom_sign_tool:),
apexkeys.txt contains the info and sign_target_files_apks pass the value
to apex_util.
For now the Virt APEX has its own custom signing tool (sign_virt_apex),
which is added to OTATOOLS.
Bug: 193504286
Test: sign_target_files_apks invokes sign_virt_apex
Change-Id: Iba845723fe3e18f542963324b9c58cd00914c5ba
https://android-review.googlesource.com/q/topic:gsi_debug_policy
adds userdebug_plat_sepolicy.cil into the GSI system.img to
reduce the steps of repacking a debug ramdisk.
This CL checks that the file userdebug_plat_sepolicy.cil shouldn't
exist before signing, unless the caller explicitly specifies
--allow_gsi_debug_sepolicy to allow it.
Note: also fixes the indentation around the block.
Bug: 201482141
Test: sign_target_files_apks *-target_files-*.zip signed.zip
Change-Id: I56ed328a9ae70cf49dbd3c6efb5a4a8c54e1b7a7
Today, the signing script simply ignores capex files, because it
looks for hardcoded '.apex' suffix. Add support to handle capex
as well.
Bug: 190574334
Test: Sign a target file locally
Change-Id: I3085ca7b0396a4fbf1b220f7de44d4eafb60c3d8
Commit I8bd8ad3acf324931b47d45fd30bc590206b1927e adds a default
value of "gki_signing_signature_args" in the misc_info.txt for
release signing to work. However, it's better to replace the default
value entirely (e.g., --prop foo:bar) as there is no need to include
them in the final release-signed image.
Bug: 178559811
Bug: 177862434
Test: atest releasetools_test
Test: atest releasetools_py3_test
Change-Id: I060b5a7076ff3e5d883abeb7d72f3db887c9fd69
Calculate the vbmeta digest if the device builds vbmeta image. The
digest will used later to determine the build fingerprint in new
format.
One sample usage is the ota package generation, where we put the
build fingerprint in the ota metadata. But we don't have the runtime
vbmeta digest provided the bootloader.
Bug: 186786987
Test: unit tests
Change-Id: If572e2b973e295a6c95a9e23a65bb20b3afbf1b0
Some OEMs, namely OnePlus don't use AOSP compliant build description.
Making sure that the last piece ends with -keys is more than enough.
Change-Id: Iefa3c408a3fdda0b63db257befb8ba2d36793293
Commit I9967d06bde0e18a12b84b5b0b568db09765fe305 supports adding a
generic boot_signature into boot.img v4. This change allows replacing
the boot_signture signing key with a release key during the release
process.
The default GKI signing key can be specified in a BoardConfig.mk via:
BOARD_GKI_SIGNING_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
BOARD_GKI_SIGNING_ALGORITHM := SHA256_RSA2048
BOARD_GKI_SIGNING_SIGNATURE_ARGS := --prop foo:bar
The release signing key/algorithm can be specified by the following options
when invoking sign_target_files_apks:
--gki_signing_key=external/avb/test/data/testkey_rsa4096.pem
--gki_signing_algorithm=SHA256_RSA4096
Additional arguments for generating the GKI signature can be
specified as below:
--gki_signing_extra_args="--prop gki:prop1 --prop gki:prop2"
Bug: 177862434
Test: make dist
Test: sign_target_files_apks \
--gki_signing_key=external/avb/test/data/testkey_rsa4096.pem \
--gki_signing_algorithm=SHA256_RSA4096 \
--gki_signing_extra_args="--prop gki:prop1 --prop gki:prop2" \
./out/dist/*-target_files-eng.*.zip signed.zip
Test: Checks GKI boot_signature is expected after signing:
`unzip signed.zip IMAGES/boot.img`
`unpack_bootimg --boot_img IMAGES/boot.img --out unpack`
`avbtool info_image --image unpack/boot_signature`
Test: unit test: releasetools_test and releasetools_py3_test
Change-Id: I61dadbc242360e4cab3dc70295931b4a5b9422a9
Fail the signing if the AVB_FOOTER_ARGS_BY_PARTITION isn't in sync
with common.AVB_PARTITIONS.
Bug: 181787095
Test: run sign_target_files_apks on a S image
Change-Id: I6ccf5fb9f39b92c1da2554f5b3826d2cd87d84d7
If we miss these entries, the signing script won't correctly update
the avb prop to build the vbmeta. This cl adds the missing partitions
for R build.
In the followup, we need to make the map in sync with AVB_PARTITIONS in
common.py
Bug: 181787095
Test: run sign_target_files_apks
Change-Id: I39a308fb7028b45ce08f0ca3c6ad61a6c13e8082
Bundle APEXes may exist on other partitions than system, e.g. vendor,
system_ext. And leaving them unsigned may cause security problems.
Bug: 180675334
Test: run sign_target_files_apks
Change-Id: Ib912a026f4010d818161a89b11f818180208843f
Rewrite build.prop of all partitions
Test: sign an target_file, check build prop of partitions
Bug: 179186447
Bug: 180025432
Change-Id: I01249532dc2df1b6d9ec8d0be58424a76814b53e
When opening an zip file through zipfile.ZipFile(), python2 by default
disables zip64 support. To support update files >4GB, we manually add
allowZip64 to override the setting.
Test: generate && serve an OTA
Change-Id: I9645e963ced830cc2d3a4b72bc63b9369a1cefe8
With this change the name of the signed and unsigned APK will be something like 'tmpadrbpp9f/tmpvl0lf2kr/tmpknja6mca_MyApk.apk' instead of 'tmpadrbpp9f/tmpvl0lf2kr/tmpknja6mca'.
The motivation for this change is a better logging and transparency what is being signed in the underlying client.
Change-Id: I32b0e93d5859ca3fb712e426705f16d329d71f0e
avb_extra_custom_image_extra_args can be set to
'oem=--signing_helper_with_files=/tmp/avbsigner.sh' on signing server.
The second '=' shouldn't be splitted in this case.
BUG: 154171021
Test: Manually sign target zip files which has custom images.
sign_target_files_apks -d certs --avb_extra_custom_image_key \
oem=oem_rsa4096.pem --avb_extra_custom_image_algorithm \
oem=SHA256_RSA4096 --avb_extra_custom_image_extra_args \
oem="--signing_helper_with_files=/tmp/avbsigner.sh" \
xxxx-target_files.zip signed.zip
Change-Id: I815d574f791734d4c6a25a9f8d827b5b4f93d7cc
Merged-In: I815d574f791734d4c6a25a9f8d827b5b4f93d7cc
avb_extra_custom_image_extra_args can be set to
'oem=--signing_helper_with_files=/tmp/avbsigner.sh' on signing server.
The second '=' shouldn't be splitted in this case.
BUG: 154171021
Test: Manually sign target zip files which has custom images.
sign_target_files_apks -d certs --avb_extra_custom_image_key \
oem=oem_rsa4096.pem --avb_extra_custom_image_algorithm \
oem=SHA256_RSA4096 --avb_extra_custom_image_extra_args \
oem="--signing_helper_with_files=/tmp/avbsigner.sh" \
xxxx-target_files.zip signed.zip
Change-Id: I815d574f791734d4c6a25a9f8d827b5b4f93d7cc
The custom images are any images owned by OEMs and SoCs, oem images
mounted on /oem is an example. The oem images can be used to customize
devices for different carriers, like wallpaper, ringtones, and
carrier-specific apks. OEMs can generate multiple oem images, like
oem.img, oem-carrier1.img and oem-carrier2.img and flash different oem
images for different carriers. The oem images are only one case, OEMs
and SoCs can add more custom images and mount them to custom partitions.
This change enables custom images to be vbmeta.img chained partitions.
The following configuration in BoardConfig.mk is an exmaple. It has two
custom partitions: oem and test. They will be signed by different keys.
And they will be chained by vbmeta.img. The custom images here are
prebuilts, which can be built by `make custom_images` separately.
BOARD_AVB_<CUSTOM_PARTITION>_IMAGE_LIST should include all custom images
to apply AVB signing. And to every custom partition, one image whose
name is partition name must be added in its
BOARD_AVB_<CUSTOM_PARTITION>_IMAGE_LIST.
BOARD_CUSTOMIMAGES_PARTITION_LIST := oem test
BOARD_AVB_OEM_KEY_PATH := external/avb/test/data/testkey_rsa4096.pem
BOARD_AVB_OEM_ALGORITHM := SHA256_RSA4096
BOARD_AVB_OEM_ADD_HASHTREE_FOOTER_ARGS :=
BOARD_AVB_OEM_ROLLBACK_INDEX_LOCATION := 1
BOARD_AVB_OEM_PARTITION_SIZE := 5242880
BOARD_AVB_OEM_IMAGE_LIST := \
device/xxxx/yyyy/oem/oem.img \
device/xxxx/yyyy/oem/oem1.img
BOARD_AVB_TEST_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
BOARD_AVB_TEST_ALGORITHM := SHA256_RSA2048
BOARD_AVB_TEST_ADD_HASHTREE_FOOTER_ARGS :=
BOARD_AVB_TEST_ROLLBACK_INDEX_LOCATION := 2
BOARD_AVB_TEST_PARTITION_SIZE := 10485760
BOARD_AVB_TEST_IMAGE_LIST := \
device/xxxx/yyyy/test/test.img \
device/xxxx/yyyy/test/test1.img
To resign the custom images in the target zip file, the
avb_extra_custom_image_key, avb_extra_custom_image_algorithms and
avb_extra_custom_image_extra_args options are added to the
sign_target_files_apks tool too. The following test cases list some
examples about how to use them.
BUG: 154171021
Test: 1) "atest --host releasetools_test releasetools_py3_test -c"
2) Build images by 'make dist', sign and validate target files.
a) Test on dist w/ chained vbmeta_system and ome custom images
sign_target_files_apks -d certs \
--avb_extra_custom_image_key oem=oem_rsa4096.pem \
--avb_extra_custom_image_algorithm oem=SHA256_RSA4096 \
xxx-target_xxx.zip signed.zip
validate_target_files.py signed.zip
Flash image and boot up.
Verify the oem images and vbmeta images in OUT and target zips by
avbtool.
b) Test on dist w/ chained vbmeta_system and oem and test custom images
sign_target_files_apks -d certs \
--avb_extra_custom_image_key oem=oem_rsa4096.pem \
--avb_extra_custom_image_algorithm oem=SHA256_RSA4096 \
--avb_extra_custom_image_extra_args oem=--do_not_generate_fec \
--avb_extra_custom_image_key test=test_rsa4096.pem \
--avb_extra_custom_image_algorithm test=SHA256_RSA4096 \
xxx-target_xxx.zip signed.zip
validate_target_files.py signed.zip
Verify the oem, test images and vbmeta images in OUT and target zips
by avbtool.
c) Test on dist w/o chained partition.
sign_target_files_apks -d certs xxx-target_xxx.zip signed.zip
validate_target_files.py signed.zip
Flash image and boot up.
Verify the vbmeta images in OUT and target zips by avbtool.
Change-Id: Ifccfee5e8909697eef6ccda0cc352fa16a9f6db6
Merged-In: Ifccfee5e8909697eef6ccda0cc352fa16a9f6db6
The custom images are any images owned by OEMs and SoCs, oem images
mounted on /oem is an example. The oem images can be used to customize
devices for different carriers, like wallpaper, ringtones, and
carrier-specific apks. OEMs can generate multiple oem images, like
oem.img, oem-carrier1.img and oem-carrier2.img and flash different oem
images for different carriers. The oem images are only one case, OEMs
and SoCs can add more custom images and mount them to custom partitions.
This change enables custom images to be vbmeta.img chained partitions.
The following configuration in BoardConfig.mk is an exmaple. It has two
custom partitions: oem and test. They will be signed by different keys.
And they will be chained by vbmeta.img. The custom images here are
prebuilts, which can be built by `make custom_images` separately.
BOARD_AVB_<CUSTOM_PARTITION>_IMAGE_LIST should include all custom images
to apply AVB signing. And to every custom partition, one image whose
name is partition name must be added in its
BOARD_AVB_<CUSTOM_PARTITION>_IMAGE_LIST.
BOARD_CUSTOMIMAGES_PARTITION_LIST := oem test
BOARD_AVB_OEM_KEY_PATH := external/avb/test/data/testkey_rsa4096.pem
BOARD_AVB_OEM_ALGORITHM := SHA256_RSA4096
BOARD_AVB_OEM_ADD_HASHTREE_FOOTER_ARGS :=
BOARD_AVB_OEM_ROLLBACK_INDEX_LOCATION := 1
BOARD_AVB_OEM_PARTITION_SIZE := 5242880
BOARD_AVB_OEM_IMAGE_LIST := \
device/xxxx/yyyy/oem/oem.img \
device/xxxx/yyyy/oem/oem1.img
BOARD_AVB_TEST_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
BOARD_AVB_TEST_ALGORITHM := SHA256_RSA2048
BOARD_AVB_TEST_ADD_HASHTREE_FOOTER_ARGS :=
BOARD_AVB_TEST_ROLLBACK_INDEX_LOCATION := 2
BOARD_AVB_TEST_PARTITION_SIZE := 10485760
BOARD_AVB_TEST_IMAGE_LIST := \
device/xxxx/yyyy/test/test.img \
device/xxxx/yyyy/test/test1.img
To resign the custom images in the target zip file, the
avb_extra_custom_image_key, avb_extra_custom_image_algorithms and
avb_extra_custom_image_extra_args options are added to the
sign_target_files_apks tool too. The following test cases list some
examples about how to use them.
BUG: 154171021
Test: 1) "atest --host releasetools_test releasetools_py3_test -c"
2) Build images by 'make dist', sign and validate target files.
a) Test on dist w/ chained vbmeta_system and ome custom images
sign_target_files_apks -d certs \
--avb_extra_custom_image_key oem=oem_rsa4096.pem \
--avb_extra_custom_image_algorithm oem=SHA256_RSA4096 \
xxx-target_xxx.zip signed.zip
validate_target_files.py signed.zip
Flash image and boot up.
Verify the oem images and vbmeta images in OUT and target zips by
avbtool.
b) Test on dist w/ chained vbmeta_system and oem and test custom images
sign_target_files_apks -d certs \
--avb_extra_custom_image_key oem=oem_rsa4096.pem \
--avb_extra_custom_image_algorithm oem=SHA256_RSA4096 \
--avb_extra_custom_image_extra_args oem=--do_not_generate_fec \
--avb_extra_custom_image_key test=test_rsa4096.pem \
--avb_extra_custom_image_algorithm test=SHA256_RSA4096 \
xxx-target_xxx.zip signed.zip
validate_target_files.py signed.zip
Verify the oem, test images and vbmeta images in OUT and target zips
by avbtool.
c) Test on dist w/o chained partition.
sign_target_files_apks -d certs xxx-target_xxx.zip signed.zip
validate_target_files.py signed.zip
Flash image and boot up.
Verify the vbmeta images in OUT and target zips by avbtool.
Change-Id: Ifccfee5e8909697eef6ccda0cc352fa16a9f6db6
Since we might use ToT release tools to sign a package
generated by an older build, we make the new
`partition=` tag optional. This also means we need to be
careful to use non-greedy regex matching.
Bug: 153133823
Test: python3 -m unittest
Test: input with and without the new `partition=` tag
Test: new test_ReadApkCerts_WithWithoutOptionalFields
Change-Id: Ic57efd34e745ad302ae17150c6f2318f0b4524cb
Merged-In: Ic57efd34e745ad302ae17150c6f2318f0b4524cb
Since we might use ToT release tools to sign a package
generated by an older build, we make the new
`partition=` tag optional. This also means we need to be
careful to use non-greedy regex matching.
Bug: 153133823
Test: python3 -m unittest
Test: input with and without the new `partition=` tag
Test: new test_ReadApkCerts_WithWithoutOptionalFields
Change-Id: Ic57efd34e745ad302ae17150c6f2318f0b4524cb
Propagate partition tag data to apexkeys.txt and
apkcerts.txt so that merge_target_files.py can build
merged versions of these files by filtering the
framework files for framework partitions and filtering
the vendor files for vendor partitions.
Bug: 138942268
Change-Id: Ic3226728e97dae84d38ec230ccc86d1b124bea94
Merged-In: Ic3226728e97dae84d38ec230ccc86d1b124bea94
Propagate partition tag data to apexkeys.txt and
apkcerts.txt so that merge_target_files.py can build
merged versions of these files by filtering the
framework files for framework partitions and filtering
the vendor files for vendor partitions.
Bug: 138942268
Change-Id: Ic3226728e97dae84d38ec230ccc86d1b124bea94
AVB public keys might be installed into the first-stage ramdisk.
This CL supports removing some AVB keys during the signing process,
which can be useful when a key needs to be revoked.
Also correcting the path of force_debuggable detection.
Bug: 150109393
Test: make dist
Test: ./build/tools/releasetools/sign_target_files_apks \
--remove_avb_public_keys key1.avbpubkey,key2.avbpubkey \
out/dist/*-target_files-*.zip signed-target_files.zip
Change-Id: I1af95adbbec655f40121f3392965dd1950aca4e5
Merged-In: I1af95adbbec655f40121f3392965dd1950aca4e5
(cherry picked from commit 2fe786a528)
AVB public keys might be installed into the first-stage ramdisk.
This CL supports removing some AVB keys during the signing process,
which can be useful when a key needs to be revoked.
Also correcting the path of force_debuggable detection.
Bug: 150109393
Test: make dist
Test: ./build/tools/releasetools/sign_target_files_apks \
--remove_avb_public_keys key1.avbpubkey,key2.avbpubkey \
out/dist/*-target_files-*.zip signed-target_files.zip
Change-Id: I1af95adbbec655f40121f3392965dd1950aca4e5
Some apex payload images contain apk files. And these apks need to be
signed during the signing processed when sign_target_files_apks is
called. To support the signing, we can extract the payload and repack
the apex file with the (de)apexer tool. Add the signing support in the
apex_util.
Bug: 146508800
Test: unit tests pass, run sign_apex, sign_target_files_apks
Change-Id: If6d58975248709a144b07dbabf47c27916e5695e
Now the update_engine is able to read public keysfrom otacerts directly.
So the update_engine_payload_key is no longer needed.
Also remove the key replace in sign_target_files_apks.py. So we should
not use the new script to sign the old target files.
Bug: 116660991
Test: build the system image, unit tests pass
Change-Id: I9dae1f8b397f2b5efafed66a8faac1cb9087c741
This allows querying per-partition fingerprint via libavb (in
particular, avb_property_lookup).
Bug: 80097573
Test: `m dist`; `avbtool info_image --image /path/to/image` to check the
written prop.
Test: `atest --host releasetools_test releasetools_py3_test`
Test: Run sign_target_files_apks to sign a target_files.zip that's built
with the change. Check the AVB prop in the signed images.
Change-Id: Id4f06df82c29e77aca128439c8c11f0367fe587e
