Sign APEXes on all partitions
Bundled APEXes may exist on partitions other than system, e.g. vendor,
system_ext. Leaving them unsigned may cause security problems.
Bug: 180675334
Test: run sign_target_files_apks
Change-Id: Ib912a026f4010d818161a89b11f818180208843f
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index 890cb51..05a085b 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -329,9 +329,8 @@
"""
unknown_files = []
for info in input_tf_zip.infolist():
- # Handle APEXes first, e.g. SYSTEM/apex/com.android.tzdata.apex.
- if (info.filename.startswith('SYSTEM/apex') and
- info.filename.endswith('.apex')):
+ # Handle APEXes on all partitions
+ if info.filename.endswith('.apex'):
name = os.path.basename(info.filename)
if name not in known_keys:
unknown_files.append(name)
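Review bot: The new `info.filename.endswith('.apex')` test matches any entry in the archive by suffix alone, while the key lookup on the following lines still uses only `os.path.basename(info.filename)`. Two APEXes with the same file name on different partitions therefore resolve to one key entry, and nothing visible here detects that. The same pattern appears in the hunks at `if not info.filename.endswith('.apex'):` and `elif filename.endswith(".apex"):`. I would record the assumption in the comment, e.g. `# Matches every *.apex entry in the archive; keys are looked up by basename, so APEX file names must be unique across partitions.`, and consider reporting duplicate basenames as an error. The enclosing function starts and ends outside the hunk.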
@@ -363,8 +362,7 @@
invalid_apexes = []
for info in input_tf_zip.infolist():
- if (not info.filename.startswith('SYSTEM/apex') or
- not info.filename.endswith('.apex')):
+ if not info.filename.endswith('.apex'):
continue
name = os.path.basename(info.filename)
@@ -444,6 +442,7 @@
return data
+
def IsBuildPropFile(filename):
return filename in (
"SYSTEM/etc/prop.default",
@@ -462,6 +461,7 @@
# path here for clarity.
"RECOVERY/RAMDISK/default.prop") or filename.endswith("build.prop")
+
def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
apk_keys, apex_keys, key_passwords,
platform_api_level, codename_to_api_level_map,
@@ -514,8 +514,8 @@
" (skipped due to special cert string)" % (name,))
common.ZipWriteStr(output_tf_zip, out_info, data)
- # Sign bundled APEX files.
- elif filename.startswith("SYSTEM/apex") and filename.endswith(".apex"):
+ # Sign bundled APEX files on all partitions
+ elif filename.endswith(".apex"):
name = os.path.basename(filename)
payload_key, container_key = apex_keys[name]
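Review bot: `apex_keys[name]` is indexed directly, and with the path prefix gone every `.apex` entry in the archive now reaches this branch. An entry with no key mapping would fail with a bare KeyError partway through writing the output, unless an earlier availability check (not visible in this hunk) has already rejected it. A guard such as `if name not in apex_keys: raise common.ExternalError("No key for APEX %s" % (filename,))` would name the offending path. The branch body continues outside the hunk. Separately, the following hunk drops the skip for `SYSTEM/etc/security/apex` entries without the commit message mentioning it; it is worth confirming those AVB public keys are not carried into the signed output unchanged.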
@@ -545,11 +545,6 @@
" (skipped due to special cert string)" % (name,))
common.ZipWriteStr(output_tf_zip, out_info, data)
- # AVB public keys for the installed APEXes, which will be updated later.
- elif (os.path.dirname(filename) == 'SYSTEM/etc/security/apex' and
- filename != 'SYSTEM/etc/security/apex/'):
- continue
-
# System properties.
elif IsBuildPropFile(filename):
print("Rewriting %s:" % (filename,))