Support custom APEX signing tool
When an APEX specifies its custom signing tool (custom_sign_tool:),
apexkeys.txt contains the info and sign_target_files_apks pass the value
to apex_util.
For now the Virt APEX has its own custom signing tool (sign_virt_apex),
which is added to OTATOOLS.
Bug: 193504286
Test: sign_target_files_apks invokes sign_virt_apex
Change-Id: Iba845723fe3e18f542963324b9c58cd00914c5ba
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index bd5d7d3..5626980 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -262,7 +262,7 @@
Args:
keys_info: A dict that maps from APEX filenames to a tuple of (payload_key,
- container_key).
+ container_key, sign_tool).
key_map: A dict that overrides the keys, specified via command-line input.
Returns:
@@ -280,11 +280,11 @@
if apex not in keys_info:
logger.warning('Failed to find %s in target_files; Ignored', apex)
continue
- keys_info[apex] = (key, keys_info[apex][1])
+ keys_info[apex] = (key, keys_info[apex][1], keys_info[apex][2])
# Apply the key remapping to container keys.
- for apex, (payload_key, container_key) in keys_info.items():
- keys_info[apex] = (payload_key, key_map.get(container_key, container_key))
+ for apex, (payload_key, container_key, sign_tool) in keys_info.items():
+ keys_info[apex] = (payload_key, key_map.get(container_key, container_key), sign_tool)
# Apply all the --extra_apks options to override the container keys.
for apex, key in OPTIONS.extra_apks.items():
@@ -293,13 +293,13 @@
continue
if not key:
key = 'PRESIGNED'
- keys_info[apex] = (keys_info[apex][0], key_map.get(key, key))
+ keys_info[apex] = (keys_info[apex][0], key_map.get(key, key), keys_info[apex][2])
# A PRESIGNED container entails a PRESIGNED payload. Apply this to all the
# APEX key pairs. However, a PRESIGNED container with non-PRESIGNED payload
# (overridden via commandline) indicates a config error, which should not be
# allowed.
- for apex, (payload_key, container_key) in keys_info.items():
+ for apex, (payload_key, container_key, sign_tool) in keys_info.items():
if container_key != 'PRESIGNED':
continue
if apex in OPTIONS.extra_apex_payload_keys:
@@ -311,7 +311,7 @@
print(
"Setting {} payload as PRESIGNED due to PRESIGNED container".format(
apex))
- keys_info[apex] = ('PRESIGNED', 'PRESIGNED')
+ keys_info[apex] = ('PRESIGNED', 'PRESIGNED', None)
return keys_info
@@ -372,7 +372,7 @@
compressed_extension: The extension string of compressed APKs, such as
'.gz', or None if there's no compressed APKs.
apex_keys: A dict that contains the key mapping from APEX name to
- (payload_key, container_key).
+ (payload_key, container_key, sign_tool).
Raises:
AssertionError: On finding unknown APKs and APEXes.
@@ -417,7 +417,7 @@
name = GetApexFilename(info.filename)
- (payload_key, container_key) = apex_keys[name]
+ (payload_key, container_key, _) = apex_keys[name]
if ((payload_key in common.SPECIAL_CERT_STRINGS and
container_key not in common.SPECIAL_CERT_STRINGS) or
(payload_key not in common.SPECIAL_CERT_STRINGS and
@@ -569,7 +569,7 @@
elif IsApexFile(filename):
name = GetApexFilename(filename)
- payload_key, container_key = apex_keys[name]
+ payload_key, container_key, sign_tool = apex_keys[name]
# We've asserted not having a case with only one of them PRESIGNED.
if (payload_key not in common.SPECIAL_CERT_STRINGS and
@@ -588,7 +588,8 @@
apk_keys,
codename_to_api_level_map,
no_hashtree=None, # Let apex_util determine if hash tree is needed
- signing_args=OPTIONS.avb_extra_args.get('apex'))
+ signing_args=OPTIONS.avb_extra_args.get('apex'),
+ sign_tool=sign_tool)
common.ZipWrite(output_tf_zip, signed_apex, filename)
else:
@@ -1147,15 +1148,16 @@
Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns a
dict that contains the mapping from APEX names (e.g. com.android.tzdata) to a
- tuple of (payload_key, container_key).
+ tuple of (payload_key, container_key, sign_tool).
Args:
tf_zip: The input target_files ZipFile (already open).
Returns:
- (payload_key, container_key): payload_key contains the path to the payload
- signing key; container_key contains the path to the container signing
- key.
+ (payload_key, container_key, sign_tool):
+ - payload_key contains the path to the payload signing key
+ - container_key contains the path to the container signing key
+ - sign_tool is an apex-specific signing tool for its payload contents
"""
keys = {}
for line in tf_zip.read('META/apexkeys.txt').decode().split('\n'):
@@ -1168,7 +1170,8 @@
r'private_key="(?P<PAYLOAD_PRIVATE_KEY>.*)"\s+'
r'container_certificate="(?P<CONTAINER_CERT>.*)"\s+'
r'container_private_key="(?P<CONTAINER_PRIVATE_KEY>.*?)"'
- r'(\s+partition="(?P<PARTITION>.*?)")?$',
+ r'(\s+partition="(?P<PARTITION>.*?)")?'
+ r'(\s+sign_tool="(?P<SIGN_TOOL>.*?)")?$',
line)
if not matches:
continue
@@ -1197,7 +1200,8 @@
else:
raise ValueError("Failed to parse container keys: \n{}".format(line))
- keys[name] = (payload_private_key, container_key)
+ sign_tool = matches.group("SIGN_TOOL")
+ keys[name] = (payload_private_key, container_key, sign_tool)
return keys