Remove replace verity key args
We are removing VB support from the release tools. This change removes
the args related to replacing the verity key.
Bug: 242672222
Test: atest under build/make
Change-Id: I446a0b16e482c43542a1c0e41b24e80eb9fbc8e6
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index 979f42b..9b5bcab 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -188,9 +188,6 @@
OPTIONS.key_map = {}
OPTIONS.rebuild_recovery = False
OPTIONS.replace_ota_keys = False
-OPTIONS.replace_verity_public_key = False
-OPTIONS.replace_verity_private_key = False
-OPTIONS.replace_verity_keyid = False
OPTIONS.remove_avb_public_keys = None
OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys")
OPTIONS.avb_keys = {}
@@ -663,11 +660,6 @@
elif filename == "META/misc_info.txt":
pass
- # Skip verity public key if we will replace it.
- elif (OPTIONS.replace_verity_public_key and
- filename in ("BOOT/RAMDISK/verity_key",
- "ROOT/verity_key")):
- pass
elif (OPTIONS.remove_avb_public_keys and
(filename.startswith("BOOT/RAMDISK/avb/") or
filename.startswith("BOOT/RAMDISK/first_stage_ramdisk/avb/"))):
@@ -681,10 +673,6 @@
# Copy it verbatim if we don't want to remove it.
common.ZipWriteStr(output_tf_zip, out_info, data)
- # Skip verity keyid (for system_root_image use) if we will replace it.
- elif OPTIONS.replace_verity_keyid and filename == "BOOT/cmdline":
- pass
-
# Skip the vbmeta digest as we will recalculate it.
elif filename == "META/vbmeta_digest.txt":
pass
@@ -766,27 +754,6 @@
if OPTIONS.replace_ota_keys:
ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info)
- # Replace the keyid string in misc_info dict.
- if OPTIONS.replace_verity_private_key:
- ReplaceVerityPrivateKey(misc_info, OPTIONS.replace_verity_private_key[1])
-
- if OPTIONS.replace_verity_public_key:
- # Replace the one in root dir in system.img.
- ReplaceVerityPublicKey(
- output_tf_zip, 'ROOT/verity_key', OPTIONS.replace_verity_public_key[1])
-
- if not system_root_image:
- # Additionally replace the copy in ramdisk if not using system-as-root.
- ReplaceVerityPublicKey(
- output_tf_zip,
- 'BOOT/RAMDISK/verity_key',
- OPTIONS.replace_verity_public_key[1])
-
- # Replace the keyid string in BOOT/cmdline.
- if OPTIONS.replace_verity_keyid:
- ReplaceVerityKeyId(input_tf_zip, output_tf_zip,
- OPTIONS.replace_verity_keyid[1])
-
# Replace the AVB signing keys, if any.
ReplaceAvbSigningKeys(misc_info)
@@ -1003,64 +970,6 @@
WriteOtacerts(output_tf_zip, info.filename, mapped_keys + extra_keys)
-def ReplaceVerityPublicKey(output_zip, filename, key_path):
- """Replaces the verity public key at the given path in the given zip.
-
- Args:
- output_zip: The output target_files zip.
- filename: The archive name in the output zip.
- key_path: The path to the public key.
- """
- print("Replacing verity public key with %s" % (key_path,))
- common.ZipWrite(output_zip, key_path, arcname=filename)
-
-
-def ReplaceVerityPrivateKey(misc_info, key_path):
- """Replaces the verity private key in misc_info dict.
-
- Args:
- misc_info: The info dict.
- key_path: The path to the private key in PKCS#8 format.
- """
- print("Replacing verity private key with %s" % (key_path,))
- misc_info["verity_key"] = key_path
-
-
-def ReplaceVerityKeyId(input_zip, output_zip, key_path):
- """Replaces the veritykeyid parameter in BOOT/cmdline.
-
- Args:
- input_zip: The input target_files zip, which should be already open.
- output_zip: The output target_files zip, which should be already open and
- writable.
- key_path: The path to the PEM encoded X.509 certificate.
- """
- in_cmdline = input_zip.read("BOOT/cmdline").decode()
- # Copy in_cmdline to output_zip if veritykeyid is not present.
- if "veritykeyid" not in in_cmdline:
- common.ZipWriteStr(output_zip, "BOOT/cmdline", in_cmdline)
- return
-
- out_buffer = []
- for param in in_cmdline.split():
- if "veritykeyid" not in param:
- out_buffer.append(param)
- continue
-
- # Extract keyid using openssl command.
- p = common.Run(["openssl", "x509", "-in", key_path, "-text"],
- stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- keyid, stderr = p.communicate()
- assert p.returncode == 0, "Failed to dump certificate: {}".format(stderr)
- keyid = re.search(
- r'keyid:([0-9a-fA-F:]*)', keyid).group(1).replace(':', '').lower()
- print("Replacing verity keyid with {}".format(keyid))
- out_buffer.append("veritykeyid=id:%s" % (keyid,))
-
- out_cmdline = ' '.join(out_buffer).strip() + '\n'
- common.ZipWriteStr(output_zip, "BOOT/cmdline", out_cmdline)
-
-
def ReplaceMiscInfoTxt(input_zip, output_zip, misc_info):
"""Replaces META/misc_info.txt.
@@ -1425,11 +1334,14 @@
new.append(i[0] + i[1:].strip())
OPTIONS.tag_changes = tuple(new)
elif o == "--replace_verity_public_key":
- OPTIONS.replace_verity_public_key = (True, a)
+ raise ValueError("--replace_verity_public_key is no longer supported,"
+ " please switch to AVB")
elif o == "--replace_verity_private_key":
- OPTIONS.replace_verity_private_key = (True, a)
+ raise ValueError("--replace_verity_private_key is no longer supported,"
+ " please switch to AVB")
elif o == "--replace_verity_keyid":
- OPTIONS.replace_verity_keyid = (True, a)
+ raise ValueError("--replace_verity_keyid is no longer supported, please"
+ " switch to AVB")
elif o == "--remove_avb_public_keys":
OPTIONS.remove_avb_public_keys = a.split(",")
elif o == "--avb_vbmeta_key":
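Review bot: The three `--replace_verity_*` branches in this hunk repeat the same rejection with slightly different string splits, which makes the messages easy to let drift apart. One branch would do: `elif o in ("--replace_verity_public_key", "--replace_verity_private_key", "--replace_verity_keyid"):` followed by `raise ValueError(o + " is no longer supported, please switch to AVB")`. Failing hard is the right behaviour for a signing tool, since silently accepting the flag would leave a release pipeline believing the verity key had been replaced. Whether the `ValueError` reaches the user as a clean message or as a traceback depends on the option parser that calls this handler, which is outside the hunk. The start and end of the enclosing handler and the usage text are also outside the hunk; the usage text presumably still documents these flags and should mark them as removed.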