AI 144270: am: CL 144269 Relocate the new (google-indepedent) tools for signing and
  building images & OTA packages out of vendor/google.
  No device code is touched by this change.
  Original author: dougz
  Merged from: //branches/cupcake/...

Automated import of CL 144270
diff --git a/tools/releasetools/sign_target_files_apks b/tools/releasetools/sign_target_files_apks
new file mode 100755
index 0000000..a87d198
--- /dev/null
+++ b/tools/releasetools/sign_target_files_apks
@@ -0,0 +1,193 @@
+#!/usr/bin/env python
+#
+# Copyright (C) 2008 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""
+Signs all the APK files in a target-files zipfile, producing a new
+target-files zip.
+
+Usage:  sign_target_files_apks [flags] input_target_files output_target_files
+
+  -s  (--signapk_jar)  <path>
+      Path of the signapks.jar file used to sign an individual APK
+      file.
+
+  -e  (--extra_apks)  <name,name,...=key>
+      Add extra APK name/key pairs as though they appeared in
+      apkcerts.zip.  Option may be repeated to give multiple extra
+      packages.
+
+  -k  (--key_mapping)  <src_key=dest_key>
+      Add a mapping from the key name as specified in apkcerts.txt (the
+      src_key) to the real key you wish to sign the package with
+      (dest_key).  Option may be repeated to give multiple key
+      mappings.
+
+  -d  (--default_key_mappings)  <dir>
+      Set up the following key mappings:
+
+        build/target/product/security/testkey   ==>  $dir/releasekey
+        build/target/product/security/media     ==>  $dir/media
+        build/target/product/security/shared    ==>  $dir/shared
+        build/target/product/security/platform  ==>  $dir/platform
+
+      -d and -k options are added to the set of mappings in the order
+      in which they appear on the command line.
+"""
+
+import sys
+
+if sys.hexversion < 0x02040000:
+  print >> sys.stderr, "Python 2.4 or newer is required."
+  sys.exit(1)
+
+import os
+import re
+import subprocess
+import tempfile
+import zipfile
+
+import common
+
+OPTIONS = common.OPTIONS
+
+OPTIONS.extra_apks = {}
+OPTIONS.key_map = {}
+
+
+def GetApkCerts(tf_zip):
+  certmap = OPTIONS.extra_apks.copy()
+  for line in tf_zip.read("META/apkcerts.txt").split("\n"):
+    line = line.strip()
+    if not line: continue
+    m = re.match(r'^name="(.*)"\s+certificate="(.*)\.x509\.pem"\s+'
+                 r'private_key="\2\.pk8"$', line)
+    if not m:
+      raise SigningError("failed to parse line from apkcerts.txt:\n" + line)
+    certmap[m.group(1)] = OPTIONS.key_map.get(m.group(2), m.group(2))
+  return certmap
+
+
+def SignApk(data, keyname, pw):
+  unsigned = tempfile.NamedTemporaryFile()
+  unsigned.write(data)
+  unsigned.flush()
+
+  signed = tempfile.NamedTemporaryFile()
+
+  common.SignFile(unsigned.name, signed.name, keyname, pw, align=4)
+
+  data = signed.read()
+  unsigned.close()
+  signed.close()
+
+  return data
+
+
+def SignApks(input_tf_zip, output_tf_zip):
+  apk_key_map = GetApkCerts(input_tf_zip)
+
+  key_passwords = common.GetKeyPasswords(set(apk_key_map.values()))
+
+  maxsize = max([len(os.path.basename(i.filename))
+                 for i in input_tf_zip.infolist()
+                 if i.filename.endswith('.apk')])
+
+  for info in input_tf_zip.infolist():
+    data = input_tf_zip.read(info.filename)
+    if info.filename.endswith(".apk"):
+      name = os.path.basename(info.filename)
+      key = apk_key_map.get(name, None)
+      if key is not None:
+        print "signing: %-*s (%s)" % (maxsize, name, key)
+        signed_data = SignApk(data, key, key_passwords[key])
+        output_tf_zip.writestr(info, signed_data)
+      else:
+        # an APK we're not supposed to sign.
+        print "skipping: %s" % (name,)
+        output_tf_zip.writestr(info, data)
+    elif info.filename == "SYSTEM/build.prop":
+      # Change build fingerprint to reflect the fact that apps are signed.
+      m = re.search(r"ro\.build\.fingerprint=.*\b(test-keys)\b.*", data)
+      if not m:
+        print 'WARNING: ro.build.fingerprint does not contain "test-keys"'
+      else:
+        data = data[:m.start(1)] + "release-keys" + data[m.end(1):]
+      m = re.search(r"ro\.build\.description=.*\b(test-keys)\b.*", data)
+      if not m:
+        print 'WARNING: ro.build.description does not contain "test-keys"'
+      else:
+        data = data[:m.start(1)] + "release-keys" + data[m.end(1):]
+      output_tf_zip.writestr(info, data)
+    else:
+      # a non-APK file; copy it verbatim
+      output_tf_zip.writestr(info, data)
+
+
+def main(argv):
+
+  def option_handler(o, a):
+    if o in ("-s", "--signapk_jar"):
+      OPTIONS.signapk_jar = a
+    elif o in ("-e", "--extra_apks"):
+      names, key = a.split("=")
+      names = names.split(",")
+      for n in names:
+        OPTIONS.extra_apks[n] = key
+    elif o in ("-d", "--default_key_mappings"):
+      OPTIONS.key_map.update({
+          "build/target/product/security/testkey": "%s/releasekey" % (a,),
+          "build/target/product/security/media": "%s/media" % (a,),
+          "build/target/product/security/shared": "%s/shared" % (a,),
+          "build/target/product/security/platform": "%s/platform" % (a,),
+          })
+    elif o in ("-k", "--key_mapping"):
+      s, d = a.split("=")
+      OPTIONS.key_map[s] = d
+    else:
+      return False
+    return True
+
+  args = common.ParseOptions(argv, __doc__,
+                             extra_opts="s:e:d:k:",
+                             extra_long_opts=["signapk_jar=",
+                                              "extra_apks=",
+                                              "default_key_mappings=",
+                                              "key_mapping="],
+                             extra_option_handler=option_handler)
+
+  if len(args) != 2:
+    common.Usage(__doc__)
+    sys.exit(1)
+
+  input_zip = zipfile.ZipFile(args[0], "r")
+  output_zip = zipfile.ZipFile(args[1], "w")
+
+  SignApks(input_zip, output_zip)
+
+  input_zip.close()
+  output_zip.close()
+
+  print "done."
+
+
+if __name__ == '__main__':
+  try:
+    main(sys.argv[1:])
+  except common.ExternalError, e:
+    print
+    print "   ERROR: %s" % (e,)
+    print
+    sys.exit(1)