Revert "Merge "Adding sepolicy sign params to sign_target_files_apks." am: fb042449e0 am: bd8c313275 am: a2db49becd"
Test: sign_target_files_apks target_files.zip target_out.zip
This reverts commit 6e6c22c70e48e9d4fe830fe0c5b9c47618bd116a.
Reason for revert: Updateable SEPolicy is punted.
Change-Id: I99524d13811028a4036aa85c74cf10974fe08165
Merged-In: I99524d13811028a4036aa85c74cf10974fe08165
diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index cff7542..caa4641 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -97,7 +97,6 @@
self.stash_threshold = 0.8
self.logfile = None
self.host_tools = {}
- self.sepolicy_name = 'sepolicy.apex'
OPTIONS = Options()
diff --git a/tools/releasetools/sign_apex.py b/tools/releasetools/sign_apex.py
index a68f1ec..722359b 100755
--- a/tools/releasetools/sign_apex.py
+++ b/tools/releasetools/sign_apex.py
@@ -61,7 +61,6 @@
import common
logger = logging.getLogger(__name__)
-OPTIONS = common.OPTIONS
def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
@@ -82,7 +81,7 @@
apk_keys=apk_keys,
signing_args=signing_args,
sign_tool=sign_tool,
- is_sepolicy=apex_file.endswith(OPTIONS.sepolicy_name),
+ is_sepolicy=apex_file.endswith("sepolicy.apex"),
sepolicy_key=sepolicy_key,
sepolicy_cert=sepolicy_cert,
fsverity_tool=fsverity_tool)
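Review bot: `is_sepolicy=apex_file.endswith("sepolicy.apex")` is a suffix test, so any APEX whose filename merely ends in `sepolicy.apex` would be routed through the sepolicy signing path; if only the exact name is meant, compare the basename instead, e.g. `is_sepolicy=os.path.basename(apex_file) == "sepolicy.apex"` (assuming `os` is imported in this module). This call also still passes `is_sepolicy`, `sepolicy_key`, `sepolicy_cert` and `fsverity_tool` to `apex_utils.SignApex`, while the revert drops those same arguments from the call site in sign_target_files_apks.py; if `apex_utils.SignApex` is reverted to match, this call will fail with an unexpected-keyword error at runtime, so the remaining sepolicy parameters of `SignApexFile` should be removed in the same change or the two call sites kept in sync. The body of `SignApexFile` begins before this hunk.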
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index f363afd..78fc886 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -137,15 +137,6 @@
--android_jar_path <path>
Path to the android.jar to repack the apex file.
- --sepolicy_key <key>
- Optional flag that specifies the sepolicy signing key, defaults to payload_key for the sepolicy.apex.
-
- --sepolicy_cert <cert>
- Optional flag that specifies the sepolicy signing cert.
-
- --fsverity_tool <path>
- Optional flag that specifies the path to fsverity tool to sign SEPolicy, defaults to fsverity.
-
--allow_gsi_debug_sepolicy
Allow the existence of the file 'userdebug_plat_sepolicy.cil' under
(/system/system_ext|/system_ext)/etc/selinux.
@@ -205,9 +196,6 @@
OPTIONS.android_jar_path = None
OPTIONS.vendor_partitions = set()
OPTIONS.vendor_otatools = None
-OPTIONS.sepolicy_key = None
-OPTIONS.sepolicy_cert = None
-OPTIONS.fsverity_tool = None
OPTIONS.allow_gsi_debug_sepolicy = False
@@ -247,8 +235,6 @@
def IsApexFile(filename):
return filename.endswith(".apex") or filename.endswith(".capex")
-def IsSepolicyApex(filename):
- return filename.endswith(OPTIONS.sepolicy_name)
def GetApexFilename(filename):
name = os.path.basename(filename)
@@ -271,24 +257,6 @@
return certmap
-def GetSepolicyKeys(keys_info):
- """Gets SEPolicy signing keys applying overrides from command line options.
-
- Args:
- keys_info: A dict that maps from the SEPolicy APEX filename to a tuple of
- (sepolicy_key, sepolicy_cert, fsverity_tool).
-
- Returns:
- A dict that contains the updated APEX key mapping, which should be used for
- the current signing.
- """
- for name in keys_info:
- (sepolicy_key, sepolicy_cert, fsverity_tool) = keys_info[name]
- sepolicy_key = OPTIONS.sepolicy_key if OPTIONS.sepolicy_key else sepolicy_key
- sepolicy_cert = OPTIONS.sepolicy_cert if OPTIONS.sepolicy_cert else sepolicy_cert
- fsverity_tool = OPTIONS.fsverity_tool if OPTIONS.fsverity_tool else fsverity_tool
- keys_info[name] = (sepolicy_key, sepolicy_cert, fsverity_tool)
- return keys_info
def GetApexKeys(keys_info, key_map):
"""Gets APEX payload and container signing keys by applying the mapping rules.
@@ -551,7 +519,7 @@
def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
apk_keys, apex_keys, key_passwords,
platform_api_level, codename_to_api_level_map,
- compressed_extension, sepolicy_keys):
+ compressed_extension):
# maxsize measures the maximum filename length, including the ones to be
# skipped.
try:
@@ -619,17 +587,6 @@
print(" : %-*s payload (%s)" % (
maxsize, name, payload_key))
- sepolicy_key = None
- sepolicy_cert = None
- fsverity_tool = None
-
- if IsSepolicyApex(name):
- (sepolicy_key, sepolicy_cert, fsverity_tool) = sepolicy_keys[name]
- print(" : %-*s sepolicy key (%s)" % (
- maxsize, name, sepolicy_key))
- print(" : %-*s sepolicy cert (%s)" % (
- maxsize, name, sepolicy_cert))
-
signed_apex = apex_utils.SignApex(
misc_info['avb_avbtool'],
data,
@@ -640,11 +597,7 @@
codename_to_api_level_map,
no_hashtree=None, # Let apex_util determine if hash tree is needed
signing_args=OPTIONS.avb_extra_args.get('apex'),
- sign_tool=sign_tool,
- is_sepolicy=IsSepolicyApex(name),
- sepolicy_key=sepolicy_key,
- sepolicy_cert=sepolicy_cert,
- fsverity_tool=fsverity_tool)
+ sign_tool=sign_tool)
common.ZipWrite(output_tf_zip, signed_apex, filename)
else:
@@ -1254,24 +1207,20 @@
def ReadApexKeysInfo(tf_zip):
"""Parses the APEX keys info from a given target-files zip.
- Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns
- two dicts, the first one contains the mapping from APEX names
- (e.g. com.android.tzdata) to a tuple of (payload_key, container_key,
- sign_tool). The second one maps the sepolicy APEX name to a tuple containing
- (sepolicy_key, sepolicy_cert, fsverity_tool).
+ Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns a
+ dict that contains the mapping from APEX names (e.g. com.android.tzdata) to a
+ tuple of (payload_key, container_key, sign_tool).
Args:
tf_zip: The input target_files ZipFile (already open).
Returns:
- name : (payload_key, container_key, sign_tool)
+ (payload_key, container_key, sign_tool):
- payload_key contains the path to the payload signing key
- container_key contains the path to the container signing key
- sign_tool is an apex-specific signing tool for its payload contents
- name : (sepolicy_key, sepolicy_cert, fsverity_tool)
"""
keys = {}
- sepolicy_keys = {}
for line in tf_zip.read('META/apexkeys.txt').decode().split('\n'):
line = line.strip()
if not line:
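Review bot: The restored Returns entry `(payload_key, container_key, sign_tool):` reads as if the function returned a single tuple, while the code below builds and returns the `keys` dict keyed by APEX name. Keep the mapping explicit in the docstring, e.g. `name : (payload_key, container_key, sign_tool)` followed by the existing bullet list describing each element. `ReadApexKeysInfo` continues past the end of this hunk.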
@@ -1282,9 +1231,6 @@
r'private_key="(?P<PAYLOAD_PRIVATE_KEY>.*)"\s+'
r'container_certificate="(?P<CONTAINER_CERT>.*)"\s+'
r'container_private_key="(?P<CONTAINER_PRIVATE_KEY>.*?)"'
- r'(\s+sepolicy_key="(?P<SEPOLICY_KEY>.*?)")?'
- r'(\s+sepolicy_certificate="(?P<SEPOLICY_CERT>.*?)")?'
- r'(\s+fsverity_tool="(?P<FSVERITY_TOOL>.*?)")?'
r'(\s+partition="(?P<PARTITION>.*?)")?'
r'(\s+sign_tool="(?P<SIGN_TOOL>.*?)")?$',
line)
@@ -1313,18 +1259,12 @@
container_private_key, OPTIONS.private_key_suffix):
container_key = container_cert[:-len(OPTIONS.public_key_suffix)]
else:
- raise ValueError("Failed to parse container keys: \n{} **** {}".format(container_cert, container_private_key))
+ raise ValueError("Failed to parse container keys: \n{}".format(line))
sign_tool = matches.group("SIGN_TOOL")
keys[name] = (payload_private_key, container_key, sign_tool)
- if IsSepolicyApex(name):
- sepolicy_key = matches.group('SEPOLICY_KEY')
- sepolicy_cert = matches.group('SEPOLICY_CERT')
- fsverity_tool = matches.group('FSVERITY_TOOL')
- sepolicy_keys[name] = (sepolicy_key, sepolicy_cert, fsverity_tool)
-
- return keys, sepolicy_keys
+ return keys
def BuildVendorPartitions(output_zip_path):
@@ -1541,12 +1481,6 @@
OPTIONS.vendor_otatools = a
elif o == "--vendor_partitions":
OPTIONS.vendor_partitions = set(a.split(","))
- elif o == '--sepolicy_key':
- OPTIONS.sepolicy_key = a
- elif o == '--sepolicy_cert':
- OPTIONS.sepolicy_cert = a
- elif o == '--fsverity_tool':
- OPTIONS.fsverity_tool = a
elif o == "--allow_gsi_debug_sepolicy":
OPTIONS.allow_gsi_debug_sepolicy = True
else:
@@ -1601,9 +1535,6 @@
"gki_signing_extra_args=",
"vendor_partitions=",
"vendor_otatools=",
- "sepolicy_key=",
- "sepolicy_cert=",
- "fsverity_tool=",
"allow_gsi_debug_sepolicy",
],
extra_option_handler=option_handler)
@@ -1626,9 +1557,8 @@
apk_keys_info, compressed_extension = common.ReadApkCerts(input_zip)
apk_keys = GetApkCerts(apk_keys_info)
- apex_keys_info, sepolicy_keys_info = ReadApexKeysInfo(input_zip)
+ apex_keys_info = ReadApexKeysInfo(input_zip)
apex_keys = GetApexKeys(apex_keys_info, apk_keys)
- sepolicy_keys = GetSepolicyKeys(sepolicy_keys_info)
# TODO(xunchang) check for the apks inside the apex files, and abort early if
# the keys are not available.
@@ -1646,7 +1576,7 @@
ProcessTargetFiles(input_zip, output_zip, misc_info,
apk_keys, apex_keys, key_passwords,
platform_api_level, codename_to_api_level_map,
- compressed_extension, sepolicy_keys)
+ compressed_extension)
common.ZipClose(input_zip)
common.ZipClose(output_zip)
diff --git a/tools/releasetools/test_sign_target_files_apks.py b/tools/releasetools/test_sign_target_files_apks.py
index 144a3cd..0f13add 100644
--- a/tools/releasetools/test_sign_target_files_apks.py
+++ b/tools/releasetools/test_sign_target_files_apks.py
@@ -476,7 +476,7 @@
target_files_zip.writestr('META/apexkeys.txt', self.APEX_KEYS_TXT)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
- keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
+ keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
@@ -486,7 +486,6 @@
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
- self.assertEqual({}, sepolicy_keys_info)
def test_ReadApexKeysInfo_mismatchingContainerKeys(self):
# Mismatching payload public / private keys.
@@ -516,7 +515,7 @@
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
- keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
+ keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
@@ -526,7 +525,6 @@
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
- self.assertEqual({}, sepolicy_keys_info)
def test_ReadApexKeysInfo_missingPayloadPublicKey(self):
# Invalid lines will be skipped.
@@ -540,7 +538,7 @@
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
- keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
+ keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
@@ -550,7 +548,6 @@
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
- self.assertEqual({}, sepolicy_keys_info)
def test_ReadApexKeysInfo_presignedKeys(self):
apex_keys = self.APEX_KEYS_TXT + (
@@ -564,7 +561,7 @@
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
- keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
+ keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
@@ -574,7 +571,6 @@
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
- self.assertEqual({}, sepolicy_keys_info)
def test_ReadApexKeysInfo_presignedKeys(self):
apex_keys = self.APEX_KEYS_TXT + (
@@ -588,7 +584,7 @@
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
- keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
+ keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
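Review bot: The test method enclosing this hunk, `test_ReadApexKeysInfo_presignedKeys` (defined just above the hunk at the line `def test_ReadApexKeysInfo_presignedKeys(self):`), has the same name as the method defined earlier in the same class (the context line before the `apex_keys = self.APEX_KEYS_TXT + (` hunk above), so the first definition is silently shadowed and never runs. Since this commit touches both methods, rename one of them to reflect what it actually exercises, e.g. `def test_ReadApexKeysInfo_presignedKeys_differentApp(self):`, or fold the two bodies into one test. The enclosing method starts and ends outside this hunk.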
@@ -598,72 +594,6 @@
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
- self.assertEqual({}, sepolicy_keys_info)
-
- def test_ReadApexKeysInfo_withSepolicyKeys(self):
- apex_keys = self.APEX_KEYS_TXT + (
- 'name="sepolicy.apex" '
- 'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" '
- 'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" '
- 'container_certificate="build/make/target/product/security/testkey.x509.pem" '
- 'container_private_key="build/make/target/product/security/testkey.pk8" '
- 'sepolicy_key="build/make/target/product/security/testkey.key" '
- 'sepolicy_certificate="build/make/target/product/security/testkey.x509.pem" '
- 'fsverity_tool="fsverity"')
- target_files = common.MakeTempFile(suffix='.zip')
- with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip:
- target_files_zip.writestr('META/apexkeys.txt', apex_keys)
-
- with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
- keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
-
- self.assertEqual({
- 'apex.apexd_test.apex': (
- 'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem',
- 'build/make/target/product/security/testkey', None),
- 'apex.apexd_test_different_app.apex': (
- 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
- 'build/make/target/product/security/testkey', None),
- 'sepolicy.apex': (
- 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
- 'build/make/target/product/security/testkey', None),
- }, keys_info)
- self.assertEqual({'sepolicy.apex': (
- 'build/make/target/product/security/testkey.key',
- 'build/make/target/product/security/testkey.x509.pem',
- 'fsverity'),
- }, sepolicy_keys_info)
-
- def test_ReadApexKeysInfo_withSepolicyApex(self):
- apex_keys = self.APEX_KEYS_TXT + (
- 'name="sepolicy.apex" '
- 'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" '
- 'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" '
- 'container_certificate="build/make/target/product/security/testkey.x509.pem" '
- 'container_private_key="build/make/target/product/security/testkey.pk8" ')
- target_files = common.MakeTempFile(suffix='.zip')
- with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip:
- target_files_zip.writestr('META/apexkeys.txt', apex_keys)
-
- with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
- keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
-
- self.assertEqual({
- 'apex.apexd_test.apex': (
- 'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem',
- 'build/make/target/product/security/testkey', None),
- 'apex.apexd_test_different_app.apex': (
- 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
- 'build/make/target/product/security/testkey', None),
- 'sepolicy.apex': (
- 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
- 'build/make/target/product/security/testkey', None),
- }, keys_info)
- self.assertEqual({'sepolicy.apex': (
- None,
- None,
- None),
- }, sepolicy_keys_info)
def test_ReplaceGkiSigningKey(self):
common.OPTIONS.gki_signing_key = 'release_gki_key'