Gitiles
Code Review Sign In
gerrit.omnirom.org / android_build / 0f5a41da56c51be5d2e14926ddbbc323ec2f6c9f^! / . / tools / releasetools / apex_utils.py
commit0f5a41da56c51be5d2e14926ddbbc323ec2f6c9f[log] [tgz]
authorJooyung Han <jooyung@google.com>Wed Oct 27 03:53:21 2021 +0900
committerJooyung Han <jooyung@google.com>Wed Oct 27 16:56:22 2021 +0900
tree20c90c687d136e880c3037110f0de46c4cc63664
parentc4b7b34b4b7d8e1f88dd21d2495206e437caa025 [diff] [blame]
sign_apex --sign_tool

A new argument is a custom signing tool for APEX contents. When
specified, apex_util invokes the tool with payload's key and payload
directory.

For now, the Virt APEX has its own custom signing tool (sign_virt_apex)
to re-sign filesystem images in it.

Bug: 193504286
Test: atest releasetools_test
Test: m sign_apex sign_virt_apex
Test: sign_apex --sign_tool sign_virt_apex --payload_key ..
  --container_key .. resigned.apex
      adb install resigned.apex
      reboot & vm run-app
Change-Id: Ic4d369c2ba42a8295044a0a75e054dc8def93208

diff --git a/tools/releasetools/apex_utils.py b/tools/releasetools/apex_utils.py
index 51ec434..211af0a 100644
--- a/tools/releasetools/apex_utils.py
+++ b/tools/releasetools/apex_utils.py

@@ -52,9 +52,9 @@
 
 
 class ApexApkSigner(object):
-  """Class to sign the apk files in a apex payload image and repack the apex"""
+  """Class to sign the apk files and other files in an apex payload image and repack the apex"""
 
-  def __init__(self, apex_path, key_passwords, codename_to_api_level_map):
+  def __init__(self, apex_path, key_passwords, codename_to_api_level_map, avbtool=None, sign_tool=None):
     self.apex_path = apex_path
     if not key_passwords:
       self.key_passwords = dict()
@@ -63,9 +63,11 @@
     self.codename_to_api_level_map = codename_to_api_level_map
     self.debugfs_path = os.path.join(
         OPTIONS.search_path, "bin", "debugfs_static")
+    self.avbtool = avbtool if avbtool else "avbtool"
+    self.sign_tool = sign_tool
 
   def ProcessApexFile(self, apk_keys, payload_key, signing_args=None):
-    """Scans and signs the apk files and repack the apex
+    """Scans and signs the payload files and repack the apex
 
     Args:
       apk_keys: A dict that holds the signing keys for apk files.
@@ -84,7 +86,7 @@
     apk_entries = [name for name in entries_names if name.endswith('.apk')]
 
     # No need to sign and repack, return the original apex path.
-    if not apk_entries:
+    if not apk_entries and self.sign_tool is None:
       logger.info('No apk file to sign in %s', self.apex_path)
       return self.apex_path
 
@@ -99,15 +101,15 @@
         logger.warning('Apk path does not contain the intended directory name:'
                        ' %s', entry)
 
-    payload_dir, has_signed_apk = self.ExtractApexPayloadAndSignApks(
-        apk_entries, apk_keys)
-    if not has_signed_apk:
-      logger.info('No apk file has been signed in %s', self.apex_path)
+    payload_dir, has_signed_content = self.ExtractApexPayloadAndSignContents(
+        apk_entries, apk_keys, payload_key)
+    if not has_signed_content:
+      logger.info('No contents has been signed in %s', self.apex_path)
       return self.apex_path
 
     return self.RepackApexPayload(payload_dir, payload_key, signing_args)
 
-  def ExtractApexPayloadAndSignApks(self, apk_entries, apk_keys):
+  def ExtractApexPayloadAndSignContents(self, apk_entries, apk_keys, payload_key):
     """Extracts the payload image and signs the containing apk files."""
     if not os.path.exists(self.debugfs_path):
       raise ApexSigningError(
@@ -119,7 +121,7 @@
                    self.debugfs_path, 'extract', self.apex_path, payload_dir]
     common.RunAndCheckOutput(extract_cmd)
 
-    has_signed_apk = False
+    has_signed_content = False
     for entry in apk_entries:
       apk_path = os.path.join(payload_dir, entry)
       assert os.path.exists(self.apex_path)
@@ -137,8 +139,14 @@
       common.SignFile(
           unsigned_apk, apk_path, key_name, self.key_passwords.get(key_name),
           codename_to_api_level_map=self.codename_to_api_level_map)
-      has_signed_apk = True
-    return payload_dir, has_signed_apk
+      has_signed_content = True
+
+    if self.sign_tool:
+      cmd = [self.sign_tool, '--avbtool', self.avbtool, payload_key, payload_dir]
+      common.RunAndCheckOutput(cmd)
+      has_signed_content = True
+
+    return payload_dir, has_signed_content
 
   def RepackApexPayload(self, payload_dir, payload_key, signing_args=None):
     """Rebuilds the apex file with the updated payload directory."""
@@ -310,7 +318,7 @@
 
 def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
                          container_pw, apk_keys, codename_to_api_level_map,
-                         no_hashtree, signing_args=None):
+                         no_hashtree, signing_args=None, sign_tool=None):
   """Signs the current uncompressed APEX with the given payload/container keys.
 
   Args:
@@ -322,14 +330,16 @@
     codename_to_api_level_map: A dict that maps from codename to API level.
     no_hashtree: Don't include hashtree in the signed APEX.
     signing_args: Additional args to be passed to the payload signer.
+    sign_tool: A tool to sign the contents of the APEX.
 
   Returns:
     The path to the signed APEX file.
   """
-  # 1. Extract the apex payload image and sign the containing apk files. Repack
+  # 1. Extract the apex payload image and sign the files (e.g. APKs). Repack
   # the apex file after signing.
   apk_signer = ApexApkSigner(apex_file, container_pw,
-                             codename_to_api_level_map)
+                             codename_to_api_level_map,
+                             avbtool, sign_tool)
   apex_file = apk_signer.ProcessApexFile(apk_keys, payload_key, signing_args)
 
   # 2a. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given
@@ -384,7 +394,7 @@
 
 def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
                        container_pw, apk_keys, codename_to_api_level_map,
-                       no_hashtree, signing_args=None):
+                       no_hashtree, signing_args=None, sign_tool=None):
   """Signs the current compressed APEX with the given payload/container keys.
 
   Args:
@@ -421,7 +431,8 @@
       apk_keys,
       codename_to_api_level_map,
       no_hashtree,
-      signing_args)
+      signing_args,
+      sign_tool)
 
   # 3. Compress signed original apex.
   compressed_apex_file = common.MakeTempFile(prefix='apex-container-',
@@ -449,7 +460,7 @@
 
 def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
              apk_keys, codename_to_api_level_map,
-             no_hashtree, signing_args=None):
+             no_hashtree, signing_args=None, sign_tool=None):
   """Signs the current APEX with the given payload/container keys.
 
   Args:
@@ -485,7 +496,8 @@
           codename_to_api_level_map=codename_to_api_level_map,
           no_hashtree=no_hashtree,
           apk_keys=apk_keys,
-          signing_args=signing_args)
+          signing_args=signing_args,
+          sign_tool=sign_tool)
     elif apex_type == 'COMPRESSED':
       return SignCompressedApex(
           avbtool,
@@ -496,7 +508,8 @@
           codename_to_api_level_map=codename_to_api_level_map,
           no_hashtree=no_hashtree,
           apk_keys=apk_keys,
-          signing_args=signing_args)
+          signing_args=signing_args,
+          sign_tool=sign_tool)
     else:
       # TODO(b/172912232): support signing compressed apex
       raise ApexInfoError('Unsupported apex type {}'.format(apex_type))