Add PRODUCT_EXTRA_OTA_KEYS to add extra ota keys in otacerts.zip
Equivalent to PRODUCT_EXTRA_RECOVERY_KEYS but for A/B OTA.
Bug: 211848136
Test: set PRODUCT_EXTRA_OTA_KEYS and check otacerts.zip
Change-Id: I81e27d12a22b405f6227b09c01ed684dfcede19e
diff --git a/core/Makefile b/core/Makefile
index 0c14fd8..ec22af9 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -4623,6 +4623,9 @@
endif
$(hide) echo "tool_extensions=$(tool_extensions)" >> $@
$(hide) echo "default_system_dev_certificate=$(DEFAULT_SYSTEM_DEV_CERTIFICATE)" >> $@
+ifdef PRODUCT_EXTRA_OTA_KEYS
+ $(hide) echo "extra_ota_keys=$(PRODUCT_EXTRA_OTA_KEYS)" >> $@
+endif
ifdef PRODUCT_EXTRA_RECOVERY_KEYS
$(hide) echo "extra_recovery_keys=$(PRODUCT_EXTRA_RECOVERY_KEYS)" >> $@
endif
diff --git a/core/product-graph.mk b/core/product-graph.mk
index f28ea3d..d425b22 100644
--- a/core/product-graph.mk
+++ b/core/product-graph.mk
@@ -126,6 +126,7 @@
$(hide) echo 'PRODUCT_CHARACTERISTICS=$(call get-product-var,$(1),PRODUCT_CHARACTERISTICS)' >> $$@
$(hide) echo 'PRODUCT_COPY_FILES=$(call get-product-var,$(1),PRODUCT_COPY_FILES)' >> $$@
$(hide) echo 'PRODUCT_OTA_PUBLIC_KEYS=$(call get-product-var,$(1),PRODUCT_OTA_PUBLIC_KEYS)' >> $$@
+ $(hide) echo 'PRODUCT_EXTRA_OTA_KEYS=$(call get-product-var,$(1),PRODUCT_EXTRA_OTA_KEYS)' >> $$@
$(hide) echo 'PRODUCT_EXTRA_RECOVERY_KEYS=$(call get-product-var,$(1),PRODUCT_EXTRA_RECOVERY_KEYS)' >> $$@
$(hide) echo 'PRODUCT_PACKAGE_OVERLAYS=$(call get-product-var,$(1),PRODUCT_PACKAGE_OVERLAYS)' >> $$@
$(hide) echo 'DEVICE_PACKAGE_OVERLAYS=$(call get-product-var,$(1),DEVICE_PACKAGE_OVERLAYS)' >> $$@
diff --git a/core/product.mk b/core/product.mk
index 04c59ff..b069dda 100644
--- a/core/product.mk
+++ b/core/product.mk
@@ -183,6 +183,7 @@
# signing tools can substitute them for the test key embedded by
# default.
_product_list_vars += PRODUCT_OTA_PUBLIC_KEYS
+_product_list_vars += PRODUCT_EXTRA_OTA_KEYS
_product_list_vars += PRODUCT_EXTRA_RECOVERY_KEYS
# Should we use the default resources or add any product specific overlays
diff --git a/core/product_config.mk b/core/product_config.mk
index a376f74..57b7724 100644
--- a/core/product_config.mk
+++ b/core/product_config.mk
@@ -381,6 +381,7 @@
ENFORCE_SYSTEM_CERTIFICATE_ALLOW_LIST := $(PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_ALLOW_LIST)
PRODUCT_OTA_PUBLIC_KEYS := $(sort $(PRODUCT_OTA_PUBLIC_KEYS))
+PRODUCT_EXTRA_OTA_KEYS := $(sort $(PRODUCT_EXTRA_OTA_KEYS))
PRODUCT_EXTRA_RECOVERY_KEYS := $(sort $(PRODUCT_EXTRA_RECOVERY_KEYS))
# Resolve and setup per-module dex-preopt configs.
diff --git a/target/product/security/Android.mk b/target/product/security/Android.mk
index cedad5b..9daa3bf 100644
--- a/target/product/security/Android.mk
+++ b/target/product/security/Android.mk
@@ -63,9 +63,17 @@
LOCAL_MODULE_STEM := otacerts.zip
LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
include $(BUILD_SYSTEM)/base_rules.mk
+
+extra_ota_keys := $(addsuffix .x509.pem,$(PRODUCT_EXTRA_OTA_KEYS))
+
$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
-$(LOCAL_BUILT_MODULE): $(SOONG_ZIP) $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
- $(SOONG_ZIP) -o $@ -j -symlinks=false -f $(PRIVATE_CERT)
+$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_OTA_KEYS := $(extra_ota_keys)
+$(LOCAL_BUILT_MODULE): \
+ $(SOONG_ZIP) \
+ $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem \
+ $(extra_ota_keys)
+ $(SOONG_ZIP) -o $@ -j -symlinks=false \
+ $(addprefix -f ,$(PRIVATE_CERT) $(PRIVATE_EXTRA_OTA_KEYS))
#######################################
@@ -80,7 +88,7 @@
LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)/system/etc/security
include $(BUILD_SYSTEM)/base_rules.mk
-extra_recovery_keys := $(patsubst %,%.x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))
+extra_recovery_keys := $(addsuffix .x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))
$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_RECOVERY_KEYS := $(extra_recovery_keys)
@@ -89,4 +97,4 @@
$(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem \
$(extra_recovery_keys)
$(SOONG_ZIP) -o $@ -j -symlinks=false \
- $(foreach key_file, $(PRIVATE_CERT) $(PRIVATE_EXTRA_RECOVERY_KEYS), -f $(key_file))
+ $(addprefix -f ,$(PRIVATE_CERT) $(PRIVATE_EXTRA_RECOVERY_KEYS))
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index 3f65df1..8472157 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -883,14 +883,27 @@
except KeyError:
raise common.ExternalError("can't read META/otakeys.txt from input")
- extra_recovery_keys = misc_info.get("extra_recovery_keys")
- if extra_recovery_keys:
+ extra_ota_keys_info = misc_info.get("extra_ota_keys")
+ if extra_ota_keys_info:
+ extra_ota_keys = [OPTIONS.key_map.get(k, k) + ".x509.pem"
+ for k in extra_ota_keys_info.split()]
+ print("extra ota key(s): " + ", ".join(extra_ota_keys))
+ else:
+ extra_ota_keys = []
+ for k in extra_ota_keys:
+ if not os.path.isfile(k):
+ raise common.ExternalError(k + " does not exist or is not a file")
+
+ extra_recovery_keys_info = misc_info.get("extra_recovery_keys")
+ if extra_recovery_keys_info:
extra_recovery_keys = [OPTIONS.key_map.get(k, k) + ".x509.pem"
- for k in extra_recovery_keys.split()]
- if extra_recovery_keys:
- print("extra recovery-only key(s): " + ", ".join(extra_recovery_keys))
+ for k in extra_recovery_keys_info.split()]
+ print("extra recovery-only key(s): " + ", ".join(extra_recovery_keys))
else:
extra_recovery_keys = []
+ for k in extra_recovery_keys:
+ if not os.path.isfile(k):
+ raise common.ExternalError(k + " does not exist or is not a file")
mapped_keys = []
for k in keylist:
@@ -913,13 +926,20 @@
mapped_keys.append(mapped_devkey + ".x509.pem")
print("META/otakeys.txt has no keys; using %s for OTA package"
" verification." % (mapped_keys[0],))
+ for k in mapped_keys:
+ if not os.path.isfile(k):
+ raise common.ExternalError(k + " does not exist or is not a file")
otacerts = [info
for info in input_tf_zip.infolist()
if info.filename.endswith("/otacerts.zip")]
for info in otacerts:
- print("Rewriting OTA key:", info.filename, mapped_keys)
- WriteOtacerts(output_tf_zip, info.filename, mapped_keys)
+ if info.filename.startswith(("BOOT/", "RECOVERY/", "VENDOR_BOOT/")):
+ extra_keys = extra_recovery_keys
+ else:
+ extra_keys = extra_ota_keys
+ print("Rewriting OTA key:", info.filename, mapped_keys + extra_keys)
+ WriteOtacerts(output_tf_zip, info.filename, mapped_keys + extra_keys)
def ReplaceVerityPublicKey(output_zip, filename, key_path):