commit 88a759d65134d3e8c708b256fdecee76964ab775
author Tianjie Xu <xunchang@google.com> Thu Jan 23 10:47:54 2020 -0800
committer Tianjie Xu <xunchang@google.com> Mon Jan 27 19:48:39 2020 +0000
tree d7cf8c416d634efd31b56248d27d871873dbf152
parent eb8a0a003634eb6088ad6361d9390ab1c8c4c2f4

Resign apks contained in apex

Some apex payload images contain apk files. And these apks need to be
signed during the signing processed when sign_target_files_apks is
called. To support the signing, we can extract the payload and repack
the apex file with the (de)apexer tool. Add the signing support in the
apex_util.

Bug: 146508800
Test: unit tests pass, run sign_apex, sign_target_files_apks
Change-Id: If6d58975248709a144b07dbabf47c27916e5695e

tools/releasetools/sign_apex.py

diff --git a/tools/releasetools/sign_apex.py b/tools/releasetools/sign_apex.py
index 4c0850c..b0128dc 100755
--- a/tools/releasetools/sign_apex.py
+++ b/tools/releasetools/sign_apex.py
@@ -31,6 +31,10 @@
   --payload_extra_args <args>
       Optional flag that specifies any extra args to be passed to payload signer
       (e.g. --payload_extra_args="--signing_helper_with_files /path/to/helper").
+
+  -e  (--extra_apks)  <name,name,...=key>
+      Add extra APK name/key pairs. This is useful to sign the apk files in the
+      apex payload image.
 """
 
 import logging
@@ -43,8 +47,8 @@
 logger = logging.getLogger(__name__)
 
 
-def SignApexFile(avbtool, apex_file, payload_key, container_key,
-                 no_hashtree, signing_args=None):
+def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
+                 apk_keys=None, signing_args=None):
   """Signs the given apex file."""
   with open(apex_file, 'rb') as input_fp:
     apex_data = input_fp.read()
@@ -57,6 +61,7 @@
       container_pw=None,
       codename_to_api_level_map=None,
       no_hashtree=no_hashtree,
+      apk_keys=apk_keys,
       signing_args=signing_args)
 
 
@@ -77,18 +82,26 @@
       options['payload_key'] = a
     elif o == '--payload_extra_args':
       options['payload_extra_args'] = a
+    elif o in ("-e", "--extra_apks"):
+      names, key = a.split("=")
+      names = names.split(",")
+      for n in names:
+        if 'extra_apks' not in options:
+          options['extra_apks'] = {}
+        options['extra_apks'].update({n: key})
     else:
       return False
     return True
 
   args = common.ParseOptions(
       argv, __doc__,
-      extra_opts='',
+      extra_opts='e:',
       extra_long_opts=[
           'avbtool=',
           'container_key=',
           'payload_extra_args=',
           'payload_key=',
+          'extra_apks=',
       ],
       extra_option_handler=option_handler)
 
@@ -105,6 +118,7 @@
       options['payload_key'],
       options['container_key'],
       no_hashtree=False,
+      apk_keys=options.get('extra_apks', {}),
       signing_args=options.get('payload_extra_args'))
   shutil.copyfile(signed_apex, args[1])
   logger.info("done.")