Revert "Merge "Adding sepolicy sign params to sign_target_files_apks." am: fb042449e0 am: bd8c313275 am: a2db49becd"
Test: sign_target_files_apks target_files.zip target_out.zip
This reverts commit 6e6c22c70e48e9d4fe830fe0c5b9c47618bd116a.
Reason for revert: Updateable SEPolicy is punted.
Change-Id: I99524d13811028a4036aa85c74cf10974fe08165
Merged-In: I99524d13811028a4036aa85c74cf10974fe08165
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index f363afd..78fc886 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -137,15 +137,6 @@
--android_jar_path <path>
Path to the android.jar to repack the apex file.
- --sepolicy_key <key>
- Optional flag that specifies the sepolicy signing key, defaults to payload_key for the sepolicy.apex.
-
- --sepolicy_cert <cert>
- Optional flag that specifies the sepolicy signing cert.
-
- --fsverity_tool <path>
- Optional flag that specifies the path to fsverity tool to sign SEPolicy, defaults to fsverity.
-
--allow_gsi_debug_sepolicy
Allow the existence of the file 'userdebug_plat_sepolicy.cil' under
(/system/system_ext|/system_ext)/etc/selinux.
@@ -205,9 +196,6 @@
OPTIONS.android_jar_path = None
OPTIONS.vendor_partitions = set()
OPTIONS.vendor_otatools = None
-OPTIONS.sepolicy_key = None
-OPTIONS.sepolicy_cert = None
-OPTIONS.fsverity_tool = None
OPTIONS.allow_gsi_debug_sepolicy = False
@@ -247,8 +235,6 @@
def IsApexFile(filename):
return filename.endswith(".apex") or filename.endswith(".capex")
-def IsSepolicyApex(filename):
- return filename.endswith(OPTIONS.sepolicy_name)
def GetApexFilename(filename):
name = os.path.basename(filename)
@@ -271,24 +257,6 @@
return certmap
-def GetSepolicyKeys(keys_info):
- """Gets SEPolicy signing keys applying overrides from command line options.
-
- Args:
- keys_info: A dict that maps from the SEPolicy APEX filename to a tuple of
- (sepolicy_key, sepolicy_cert, fsverity_tool).
-
- Returns:
- A dict that contains the updated APEX key mapping, which should be used for
- the current signing.
- """
- for name in keys_info:
- (sepolicy_key, sepolicy_cert, fsverity_tool) = keys_info[name]
- sepolicy_key = OPTIONS.sepolicy_key if OPTIONS.sepolicy_key else sepolicy_key
- sepolicy_cert = OPTIONS.sepolicy_cert if OPTIONS.sepolicy_cert else sepolicy_cert
- fsverity_tool = OPTIONS.fsverity_tool if OPTIONS.fsverity_tool else fsverity_tool
- keys_info[name] = (sepolicy_key, sepolicy_cert, fsverity_tool)
- return keys_info
def GetApexKeys(keys_info, key_map):
"""Gets APEX payload and container signing keys by applying the mapping rules.
@@ -551,7 +519,7 @@
def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
apk_keys, apex_keys, key_passwords,
platform_api_level, codename_to_api_level_map,
- compressed_extension, sepolicy_keys):
+ compressed_extension):
# maxsize measures the maximum filename length, including the ones to be
# skipped.
try:
@@ -619,17 +587,6 @@
print(" : %-*s payload (%s)" % (
maxsize, name, payload_key))
- sepolicy_key = None
- sepolicy_cert = None
- fsverity_tool = None
-
- if IsSepolicyApex(name):
- (sepolicy_key, sepolicy_cert, fsverity_tool) = sepolicy_keys[name]
- print(" : %-*s sepolicy key (%s)" % (
- maxsize, name, sepolicy_key))
- print(" : %-*s sepolicy cert (%s)" % (
- maxsize, name, sepolicy_cert))
-
signed_apex = apex_utils.SignApex(
misc_info['avb_avbtool'],
data,
@@ -640,11 +597,7 @@
codename_to_api_level_map,
no_hashtree=None, # Let apex_util determine if hash tree is needed
signing_args=OPTIONS.avb_extra_args.get('apex'),
- sign_tool=sign_tool,
- is_sepolicy=IsSepolicyApex(name),
- sepolicy_key=sepolicy_key,
- sepolicy_cert=sepolicy_cert,
- fsverity_tool=fsverity_tool)
+ sign_tool=sign_tool)
common.ZipWrite(output_tf_zip, signed_apex, filename)
else:
@@ -1254,24 +1207,20 @@
def ReadApexKeysInfo(tf_zip):
"""Parses the APEX keys info from a given target-files zip.
- Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns
- two dicts, the first one contains the mapping from APEX names
- (e.g. com.android.tzdata) to a tuple of (payload_key, container_key,
- sign_tool). The second one maps the sepolicy APEX name to a tuple containing
- (sepolicy_key, sepolicy_cert, fsverity_tool).
+ Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns a
+ dict that contains the mapping from APEX names (e.g. com.android.tzdata) to a
+ tuple of (payload_key, container_key, sign_tool).
Args:
tf_zip: The input target_files ZipFile (already open).
Returns:
- name : (payload_key, container_key, sign_tool)
+ (payload_key, container_key, sign_tool):
- payload_key contains the path to the payload signing key
- container_key contains the path to the container signing key
- sign_tool is an apex-specific signing tool for its payload contents
- name : (sepolicy_key, sepolicy_cert, fsverity_tool)
"""
keys = {}
- sepolicy_keys = {}
for line in tf_zip.read('META/apexkeys.txt').decode().split('\n'):
line = line.strip()
if not line:
@@ -1282,9 +1231,6 @@
r'private_key="(?P<PAYLOAD_PRIVATE_KEY>.*)"\s+'
r'container_certificate="(?P<CONTAINER_CERT>.*)"\s+'
r'container_private_key="(?P<CONTAINER_PRIVATE_KEY>.*?)"'
- r'(\s+sepolicy_key="(?P<SEPOLICY_KEY>.*?)")?'
- r'(\s+sepolicy_certificate="(?P<SEPOLICY_CERT>.*?)")?'
- r'(\s+fsverity_tool="(?P<FSVERITY_TOOL>.*?)")?'
r'(\s+partition="(?P<PARTITION>.*?)")?'
r'(\s+sign_tool="(?P<SIGN_TOOL>.*?)")?$',
line)
@@ -1313,18 +1259,12 @@
container_private_key, OPTIONS.private_key_suffix):
container_key = container_cert[:-len(OPTIONS.public_key_suffix)]
else:
- raise ValueError("Failed to parse container keys: \n{} **** {}".format(container_cert, container_private_key))
+ raise ValueError("Failed to parse container keys: \n{}".format(line))
sign_tool = matches.group("SIGN_TOOL")
keys[name] = (payload_private_key, container_key, sign_tool)
- if IsSepolicyApex(name):
- sepolicy_key = matches.group('SEPOLICY_KEY')
- sepolicy_cert = matches.group('SEPOLICY_CERT')
- fsverity_tool = matches.group('FSVERITY_TOOL')
- sepolicy_keys[name] = (sepolicy_key, sepolicy_cert, fsverity_tool)
-
- return keys, sepolicy_keys
+ return keys
def BuildVendorPartitions(output_zip_path):
@@ -1541,12 +1481,6 @@
OPTIONS.vendor_otatools = a
elif o == "--vendor_partitions":
OPTIONS.vendor_partitions = set(a.split(","))
- elif o == '--sepolicy_key':
- OPTIONS.sepolicy_key = a
- elif o == '--sepolicy_cert':
- OPTIONS.sepolicy_cert = a
- elif o == '--fsverity_tool':
- OPTIONS.fsverity_tool = a
elif o == "--allow_gsi_debug_sepolicy":
OPTIONS.allow_gsi_debug_sepolicy = True
else:
@@ -1601,9 +1535,6 @@
"gki_signing_extra_args=",
"vendor_partitions=",
"vendor_otatools=",
- "sepolicy_key=",
- "sepolicy_cert=",
- "fsverity_tool=",
"allow_gsi_debug_sepolicy",
],
extra_option_handler=option_handler)
@@ -1626,9 +1557,8 @@
apk_keys_info, compressed_extension = common.ReadApkCerts(input_zip)
apk_keys = GetApkCerts(apk_keys_info)
- apex_keys_info, sepolicy_keys_info = ReadApexKeysInfo(input_zip)
+ apex_keys_info = ReadApexKeysInfo(input_zip)
apex_keys = GetApexKeys(apex_keys_info, apk_keys)
- sepolicy_keys = GetSepolicyKeys(sepolicy_keys_info)
# TODO(xunchang) check for the apks inside the apex files, and abort early if
# the keys are not available.
@@ -1646,7 +1576,7 @@
ProcessTargetFiles(input_zip, output_zip, misc_info,
apk_keys, apex_keys, key_passwords,
platform_api_level, codename_to_api_level_map,
- compressed_extension, sepolicy_keys)
+ compressed_extension)
common.ZipClose(input_zip)
common.ZipClose(output_zip)