Revert "Merge "Adding flags and logic to sign updateable SEPolicy in APEX" am: 77c1dfa6d9 am: 5a0d81a0be am: 54e08307dc"
Test: mma and run sign_apex
This reverts commit 8fe9e3a2c72db9d23b60678b530a501dc29ff4dd.
Reason for revert: Updateable SEPolicy is punted.
Change-Id: I28ae2afbb1083e215f4e0a27a9164133cd73dd76
Merged-In: I28ae2afbb1083e215f4e0a27a9164133cd73dd76
diff --git a/tools/releasetools/apex_utils.py b/tools/releasetools/apex_utils.py
index 3f13a4a..941edc6 100644
--- a/tools/releasetools/apex_utils.py
+++ b/tools/releasetools/apex_utils.py
@@ -54,7 +54,7 @@
class ApexApkSigner(object):
"""Class to sign the apk files and other files in an apex payload image and repack the apex"""
- def __init__(self, apex_path, key_passwords, codename_to_api_level_map, avbtool=None, sign_tool=None, fsverity_tool=None):
+ def __init__(self, apex_path, key_passwords, codename_to_api_level_map, avbtool=None, sign_tool=None):
self.apex_path = apex_path
if not key_passwords:
self.key_passwords = dict()
@@ -65,9 +65,8 @@
OPTIONS.search_path, "bin", "debugfs_static")
self.avbtool = avbtool if avbtool else "avbtool"
self.sign_tool = sign_tool
- self.fsverity_tool = fsverity_tool if fsverity_tool else "fsverity"
- def ProcessApexFile(self, apk_keys, payload_key, signing_args=None, is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None):
+ def ProcessApexFile(self, apk_keys, payload_key, signing_args=None):
"""Scans and signs the payload files and repack the apex
Args:
@@ -85,14 +84,10 @@
self.debugfs_path, 'list', self.apex_path]
entries_names = common.RunAndCheckOutput(list_cmd).split()
apk_entries = [name for name in entries_names if name.endswith('.apk')]
- sepolicy_entries = []
- if is_sepolicy:
- sepolicy_entries = [name for name in entries_names if
- name.startswith('./etc/SEPolicy') and name.endswith('.zip')]
# No need to sign and repack, return the original apex path.
- if not apk_entries and not sepolicy_entries and self.sign_tool is None:
- logger.info('No payload (apk or zip) file to sign in %s', self.apex_path)
+ if not apk_entries and self.sign_tool is None:
+ logger.info('No apk file to sign in %s', self.apex_path)
return self.apex_path
for entry in apk_entries:
@@ -106,16 +101,15 @@
logger.warning('Apk path does not contain the intended directory name:'
' %s', entry)
- payload_dir, has_signed_content = self.ExtractApexPayloadAndSignContents(apk_entries,
- apk_keys, payload_key, sepolicy_entries, sepolicy_key, sepolicy_cert, signing_args)
+ payload_dir, has_signed_content = self.ExtractApexPayloadAndSignContents(
+ apk_entries, apk_keys, payload_key, signing_args)
if not has_signed_content:
logger.info('No contents has been signed in %s', self.apex_path)
return self.apex_path
return self.RepackApexPayload(payload_dir, payload_key, signing_args)
- def ExtractApexPayloadAndSignContents(self, apk_entries, apk_keys, payload_key,
- sepolicy_entries, sepolicy_key, sepolicy_cert, signing_args):
+ def ExtractApexPayloadAndSignContents(self, apk_entries, apk_keys, payload_key, signing_args):
"""Extracts the payload image and signs the containing apk files."""
if not os.path.exists(self.debugfs_path):
raise ApexSigningError(
@@ -147,11 +141,6 @@
codename_to_api_level_map=self.codename_to_api_level_map)
has_signed_content = True
- for entry in sepolicy_entries:
- sepolicy_key = sepolicy_key if sepolicy_key else payload_key
- self.SignSePolicy(payload_dir, entry, sepolicy_key, sepolicy_cert)
- has_signed_content = True
-
if self.sign_tool:
logger.info('Signing payload contents in apex %s with %s', self.apex_path, self.sign_tool)
# Pass avbtool to the custom signing tool
@@ -165,36 +154,6 @@
return payload_dir, has_signed_content
- def SignSePolicy(self, payload_dir, sepolicy_zip, sepolicy_key, sepolicy_cert):
- sepolicy_sig = sepolicy_zip + '.sig'
- sepolicy_fsv_sig = sepolicy_zip + '.fsv_sig'
-
- policy_zip_path = os.path.join(payload_dir, sepolicy_zip)
- sig_out_path = os.path.join(payload_dir, sepolicy_sig)
- sig_old = sig_out_path + '.old'
- if os.path.exists(sig_out_path):
- os.rename(sig_out_path, sig_old)
- sign_cmd = ['openssl', 'dgst', '-sign', sepolicy_key, '-keyform', 'PEM', '-sha256',
- '-out', sig_out_path, '-binary', policy_zip_path]
- common.RunAndCheckOutput(sign_cmd)
- if os.path.exists(sig_old):
- os.remove(sig_old)
-
- if not sepolicy_cert:
- logger.info('No cert provided for SEPolicy, skipping fsverity sign')
- return
-
- fsv_sig_out_path = os.path.join(payload_dir, sepolicy_fsv_sig)
- fsv_sig_old = fsv_sig_out_path + '.old'
- if os.path.exists(fsv_sig_out_path):
- os.rename(fsv_sig_out_path, fsv_sig_old)
-
- fsverity_cmd = [self.fsverity_tool, 'sign', policy_zip_path, fsv_sig_out_path,
- '--key=' + sepolicy_key, '--cert=' + sepolicy_cert]
- common.RunAndCheckOutput(fsverity_cmd)
- if os.path.exists(fsv_sig_old):
- os.remove(fsv_sig_old)
-
def RepackApexPayload(self, payload_dir, payload_key, signing_args=None):
"""Rebuilds the apex file with the updated payload directory."""
apex_dir = common.MakeTempDir()
@@ -365,9 +324,7 @@
def SignUncompressedApex(avbtool, apex_file, payload_key, container_key,
container_pw, apk_keys, codename_to_api_level_map,
- no_hashtree, signing_args=None, sign_tool=None,
- is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None,
- fsverity_tool=None):
+ no_hashtree, signing_args=None, sign_tool=None):
"""Signs the current uncompressed APEX with the given payload/container keys.
Args:
@@ -380,10 +337,6 @@
no_hashtree: Don't include hashtree in the signed APEX.
signing_args: Additional args to be passed to the payload signer.
sign_tool: A tool to sign the contents of the APEX.
- is_sepolicy: Indicates if the apex is a sepolicy.apex
- sepolicy_key: Key to sign a sepolicy zip.
- sepolicy_cert: Cert to sign a sepolicy zip.
- fsverity_tool: fsverity path to sign sepolicy zip.
Returns:
The path to the signed APEX file.
@@ -392,9 +345,8 @@
# the apex file after signing.
apk_signer = ApexApkSigner(apex_file, container_pw,
codename_to_api_level_map,
- avbtool, sign_tool, fsverity_tool)
- apex_file = apk_signer.ProcessApexFile(
- apk_keys, payload_key, signing_args, is_sepolicy, sepolicy_key, sepolicy_cert)
+ avbtool, sign_tool)
+ apex_file = apk_signer.ProcessApexFile(apk_keys, payload_key, signing_args)
# 2a. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given
# payload_key.
@@ -448,9 +400,7 @@
def SignCompressedApex(avbtool, apex_file, payload_key, container_key,
container_pw, apk_keys, codename_to_api_level_map,
- no_hashtree, signing_args=None, sign_tool=None,
- is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None,
- fsverity_tool=None):
+ no_hashtree, signing_args=None, sign_tool=None):
"""Signs the current compressed APEX with the given payload/container keys.
Args:
@@ -462,10 +412,6 @@
codename_to_api_level_map: A dict that maps from codename to API level.
no_hashtree: Don't include hashtree in the signed APEX.
signing_args: Additional args to be passed to the payload signer.
- is_sepolicy: Indicates if the apex is a sepolicy.apex
- sepolicy_key: Key to sign a sepolicy zip.
- sepolicy_cert: Cert to sign a sepolicy zip.
- fsverity_tool: fsverity path to sign sepolicy zip.
Returns:
The path to the signed APEX file.
@@ -492,11 +438,7 @@
codename_to_api_level_map,
no_hashtree,
signing_args,
- sign_tool,
- is_sepolicy,
- sepolicy_key,
- sepolicy_cert,
- fsverity_tool)
+ sign_tool)
# 3. Compress signed original apex.
compressed_apex_file = common.MakeTempFile(prefix='apex-container-',
@@ -524,8 +466,7 @@
def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
apk_keys, codename_to_api_level_map,
- no_hashtree, signing_args=None, sign_tool=None,
- is_sepolicy=False, sepolicy_key=None, sepolicy_cert=None, fsverity_tool=None):
+ no_hashtree, signing_args=None, sign_tool=None):
"""Signs the current APEX with the given payload/container keys.
Args:
@@ -537,9 +478,6 @@
codename_to_api_level_map: A dict that maps from codename to API level.
no_hashtree: Don't include hashtree in the signed APEX.
signing_args: Additional args to be passed to the payload signer.
- sepolicy_key: Key to sign a sepolicy zip.
- sepolicy_cert: Cert to sign a sepolicy zip.
- fsverity_tool: fsverity path to sign sepolicy zip.
Returns:
The path to the signed APEX file.
@@ -565,11 +503,7 @@
no_hashtree=no_hashtree,
apk_keys=apk_keys,
signing_args=signing_args,
- sign_tool=sign_tool,
- is_sepolicy=is_sepolicy,
- sepolicy_key=sepolicy_key,
- sepolicy_cert=sepolicy_cert,
- fsverity_tool=fsverity_tool)
+ sign_tool=sign_tool)
elif apex_type == 'COMPRESSED':
return SignCompressedApex(
avbtool,
@@ -581,11 +515,7 @@
no_hashtree=no_hashtree,
apk_keys=apk_keys,
signing_args=signing_args,
- sign_tool=sign_tool,
- is_sepolicy=is_sepolicy,
- sepolicy_key=sepolicy_key,
- sepolicy_cert=sepolicy_cert,
- fsverity_tool=fsverity_tool)
+ sign_tool=sign_tool)
else:
# TODO(b/172912232): support signing compressed apex
raise ApexInfoError('Unsupported apex type {}'.format(apex_type))
diff --git a/tools/releasetools/sign_apex.py b/tools/releasetools/sign_apex.py
index 722359b..6926467 100755
--- a/tools/releasetools/sign_apex.py
+++ b/tools/releasetools/sign_apex.py
@@ -42,15 +42,6 @@
--sign_tool <sign_tool>
Optional flag that specifies a custom signing tool for the contents of the apex.
-
- --sepolicy_key <key>
- Optional flag that specifies the sepolicy signing key, defaults to payload_key.
-
- --sepolicy_cert <cert>
- Optional flag that specifies the sepolicy signing cert.
-
- --fsverity_tool <path>
- Optional flag that specifies the path to fsverity tool to sign SEPolicy, defaults to fsverity.
"""
import logging
@@ -64,8 +55,7 @@
def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
- apk_keys=None, signing_args=None, codename_to_api_level_map=None, sign_tool=None,
- sepolicy_key=None, sepolicy_cert=None, fsverity_tool=None):
+ apk_keys=None, signing_args=None, codename_to_api_level_map=None, sign_tool=None):
"""Signs the given apex file."""
with open(apex_file, 'rb') as input_fp:
apex_data = input_fp.read()
@@ -80,11 +70,7 @@
no_hashtree=no_hashtree,
apk_keys=apk_keys,
signing_args=signing_args,
- sign_tool=sign_tool,
- is_sepolicy=apex_file.endswith("sepolicy.apex"),
- sepolicy_key=sepolicy_key,
- sepolicy_cert=sepolicy_cert,
- fsverity_tool=fsverity_tool)
+ sign_tool=sign_tool)
def main(argv):
@@ -120,12 +106,6 @@
options['extra_apks'].update({n: key})
elif o == '--sign_tool':
options['sign_tool'] = a
- elif o == '--sepolicy_key':
- options['sepolicy_key'] = a
- elif o == '--sepolicy_cert':
- options['sepolicy_cert'] = a
- elif o == '--fsverity_tool':
- options['fsverity_tool'] = a
else:
return False
return True
@@ -141,9 +121,6 @@
'payload_key=',
'extra_apks=',
'sign_tool=',
- 'sepolicy_key=',
- 'sepolicy_cert=',
- 'fsverity_tool='
],
extra_option_handler=option_handler)
@@ -164,10 +141,7 @@
signing_args=options.get('payload_extra_args'),
codename_to_api_level_map=options.get(
'codename_to_api_level_map', {}),
- sign_tool=options.get('sign_tool', None),
- sepolicy_key=options.get('sepolicy_key', None),
- sepolicy_cert=options.get('sepolicy_cert', None),
- fsverity_tool=options.get('fsverity_tool', None))
+ sign_tool=options.get('sign_tool', None))
shutil.copyfile(signed_apex, args[1])
logger.info("done.")
diff --git a/tools/releasetools/test_sign_apex.py b/tools/releasetools/test_sign_apex.py
index c344e22..8470f20 100644
--- a/tools/releasetools/test_sign_apex.py
+++ b/tools/releasetools/test_sign_apex.py
@@ -71,21 +71,3 @@
False,
codename_to_api_level_map={'S': 31, 'Tiramisu' : 32})
self.assertTrue(os.path.exists(signed_apex))
-
- @test_utils.SkipIfExternalToolsUnavailable()
- def test_SignApexWithSepolicy(self):
- test_apex = os.path.join(self.testdata_dir, 'sepolicy.apex')
- payload_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key')
- container_key = os.path.join(self.testdata_dir, 'testkey')
- sepolicy_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key')
- sepolicy_cert = os.path.join(self.testdata_dir, 'testkey.x509.pem')
- signed_test_apex = sign_apex.SignApexFile(
- 'avbtool',
- test_apex,
- payload_key,
- container_key,
- False,
- None,
- sepolicy_key=sepolicy_key,
- sepolicy_cert=sepolicy_cert)
- self.assertTrue(os.path.exists(signed_test_apex))
diff --git a/tools/releasetools/testdata/sepolicy.apex b/tools/releasetools/testdata/sepolicy.apex
deleted file mode 100644
index f7d267d..0000000
--- a/tools/releasetools/testdata/sepolicy.apex
+++ /dev/null
Binary files differ