releasetools: check_target_files_signatures.py checks APEXes.
Only the container certs will be checked and reported. For the payload
within an APEX, we can't easily extract the cert info.
It needs to go along a longer path, if ever needed, by:
- extracting public keys from all the available certs;
- using each of them to verify against an APEX payload to find a match
(`avbtool verify_image --image payload --key public_key`).
Bug: 123716522
Test: Run check_target_files_signatures.py on target_files with APEXes.
Change-Id: I2ef318e05433d2d65ab84e2dff9e01fb6ee3373d
diff --git a/tools/releasetools/check_target_files_signatures.py b/tools/releasetools/check_target_files_signatures.py
index 9b76954..4b0d4c7 100755
--- a/tools/releasetools/check_target_files_signatures.py
+++ b/tools/releasetools/check_target_files_signatures.py
@@ -168,6 +168,7 @@
class APK(object):
+
def __init__(self, full_filename, filename):
self.filename = filename
self.certs = None
@@ -244,12 +245,12 @@
# must decompress them individually before we perform any analysis.
# This is the list of wildcards of files we extract from |filename|.
- apk_extensions = ['*.apk']
+ apk_extensions = ['*.apk', '*.apex']
self.certmap, compressed_extension = common.ReadApkCerts(
- zipfile.ZipFile(filename, "r"))
+ zipfile.ZipFile(filename))
if compressed_extension:
- apk_extensions.append("*.apk" + compressed_extension)
+ apk_extensions.append('*.apk' + compressed_extension)
d = common.UnzipTemp(filename, apk_extensions)
self.apks = {}
@@ -272,7 +273,7 @@
os.remove(os.path.join(dirpath, fn))
fn = uncompressed_fn
- if fn.endswith(".apk"):
+ if fn.endswith(('.apk', '.apex')):
fullname = os.path.join(dirpath, fn)
displayname = fullname[len(d)+1:]
apk = APK(fullname, displayname)