releasetools: Write back default_system_dev_certificate.
When signing a target_files.zip, the OTA certificate specified by
default_system_dev_certificate could be replaced with a mapped key. When
that happens, we must explicitly specify --package_key when generating
OTA packages with ota_from_target_files.py. Otherwise the OTA package
will be signed with the wrong key, which leads to verification failures.
This CL updates the default_system_dev_certificate value in
misc_info.txt accordingly.
Test: Sign a target_files.zip and replace the OTA key. Check
META/misc_info.txt in the generated target_files.zip.
$ ./build/make/tools/releasetools/sign_target_files_apks.py -v \
--replace_ota_keys \
-k build/target/product/security/testkey=build/target/product/security/platform \
out/dist/aosp_marlin-target_files-eng.tbao.zip \
signed-marlin-target_files-test.zip
Change-Id: I093234b5add3e27c5b3887cefeffd74e6f0a3e98
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index 58bf489..e4ef2c1 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -402,7 +402,7 @@
except KeyError:
raise common.ExternalError("can't read META/otakeys.txt from input")
- extra_recovery_keys = misc_info.get("extra_recovery_keys", None)
+ extra_recovery_keys = misc_info.get("extra_recovery_keys")
if extra_recovery_keys:
extra_recovery_keys = [OPTIONS.key_map.get(k, k) + ".x509.pem"
for k in extra_recovery_keys.split()]
@@ -426,8 +426,10 @@
else:
devkey = misc_info.get("default_system_dev_certificate",
"build/target/product/security/testkey")
- mapped_keys.append(
- OPTIONS.key_map.get(devkey, devkey) + ".x509.pem")
+ mapped_devkey = OPTIONS.key_map.get(devkey, devkey)
+ if mapped_devkey != devkey:
+ misc_info["default_system_dev_certificate"] = mapped_devkey
+ mapped_keys.append(mapped_devkey + ".x509.pem")
print("META/otakeys.txt has no keys; using %s for OTA package"
" verification." % (mapped_keys[0],))