Fix the signing error in gsi_arm64 builds
After adding 'PREBUILT_IMAGES/pvmfw.img' into gsi_arm64,
the signing process fails:
common.ExternalError: Failed to run command
'['avbtool', 'extract_public_key', '--key', 'PRESIGNED',
'--output', '/tmp/avb-8z8y8_xn.avbpubkey']' (exit code 1):
~/codebase/android15-tests-dev/otatools/bin/avbtool:
Error getting public key: b'Could not open file or uri for loading
private key of public key from PRESIGNED: No such file or directory\n'
This is because the APEX files are pre-signed in gsi_arm64
and the script currently tries to extract the public key from the
non-existent 'PRESIGNED' file.
Fix this by obtaining the public key from 'apex_pubkey' of
'SYSTEM/apex/com.android.virt.apex'.
See https://source.android.com/docs/core/ota/apex#apex-format
for details.
Bug: 384813199
Test: m sign_target_files_apks
Test: sign_target_files_apks --allow_gsi_debug_sepolicy \
--extra_apex_payload_key com.android.virt.apex= \
-e com.android.virt.apex= \
gsi_arm64-target_files-${build_id}.zip signed.zip
Test: `zipinfo signed.zip | grep pvmfw`, checks pvmfw.img is included.
Change-Id: I551e14fa6a0c63e3cef334b953f670cf9c465e10
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index 4ad97e0..2378539 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -862,21 +862,32 @@
# Updates pvmfw embedded public key with the virt APEX payload key.
elif filename == "PREBUILT_IMAGES/pvmfw.img":
- # Find the name of the virt APEX in the target files.
+ # Find the path of the virt APEX in the target files.
namelist = input_tf_zip.namelist()
- apex_gen = (GetApexFilename(f) for f in namelist if IsApexFile(f))
- virt_apex_re = re.compile("^com\.([^\.]+\.)?android\.virt\.apex$")
- virt_apex = next((a for a in apex_gen if virt_apex_re.match(a)), None)
- if not virt_apex:
+ apex_gen = (f for f in namelist if IsApexFile(f))
+ virt_apex_re = re.compile("^.*com\.([^\.]+\.)?android\.virt\.apex$")
+ virt_apex_path = next(
+ (a for a in apex_gen if virt_apex_re.match(a)), None)
+ if not virt_apex_path:
print("Removing %s from ramdisk: virt APEX not found" % filename)
else:
- print("Replacing %s embedded key with %s key" % (filename, virt_apex))
+ print("Replacing %s embedded key with %s key" % (filename,
+ virt_apex_path))
# Get the current and new embedded keys.
+ virt_apex = GetApexFilename(virt_apex_path)
payload_key, container_key, sign_tool = apex_keys[virt_apex]
- new_pubkey_path = common.ExtractAvbPublicKey(
- misc_info['avb_avbtool'], payload_key)
- with open(new_pubkey_path, 'rb') as f:
- new_pubkey = f.read()
+
+ # b/384813199: handles the pre-signed com.android.virt.apex in GSI.
+ if payload_key == 'PRESIGNED':
+ with input_tf_zip.open(virt_apex_path) as apex_fp:
+ with zipfile.ZipFile(apex_fp) as apex_zip:
+ new_pubkey = apex_zip.read('apex_pubkey')
+ else:
+ new_pubkey_path = common.ExtractAvbPublicKey(
+ misc_info['avb_avbtool'], payload_key)
+ with open(new_pubkey_path, 'rb') as f:
+ new_pubkey = f.read()
+
pubkey_info = copy.copy(
input_tf_zip.getinfo("PREBUILT_IMAGES/pvmfw_embedded.avbpubkey"))
old_pubkey = input_tf_zip.read(pubkey_info.filename)
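Review bot: The `payload_key == 'PRESIGNED'` branch takes `apex_pubkey` from the APEX inside the input target-files and uses it as the new pvmfw embedded key without checking that it matches the key the APEX payload is signed with, so a stale or mismatched entry would become the key pvmfw trusts. Whether the validation after `old_pubkey` catches this is not visible, because the `elif` body continues outside the hunk; if it does not, the bytes should be compared against the payload image's AVB public key before use. A missing entry currently surfaces as a bare `KeyError` from `apex_zip.read`; `if 'apex_pubkey' not in apex_zip.namelist(): raise common.ExternalError("no apex_pubkey in %s" % virt_apex_path)` gives a clearer failure. Separately, `^.*com` in `virt_apex_re` is not anchored to a path separator and the pattern is a non-raw string, so `re.compile(r"^(.*/)?com\.([^\.]+\.)?android\.virt\.apex$")` would keep the match on the file name only.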