Gitiles
Code Review Sign In
gerrit.omnirom.org / android_build / ffc9a3094605b186dbd0f065b9743eb4eda29824^! / . / tools / releasetools / sign_target_files_apks.py
commitffc9a3094605b186dbd0f065b9743eb4eda29824[log] [tgz]
authorTao Bao <tbao@google.com>Fri Mar 22 23:16:58 2019 -0700
committerTao Bao <tbao@google.com>Sat Mar 23 10:27:43 2019 -0700
tree74576cfea8da490c926ebb23070bc2c9f2b3e60a
parent1e4cbfaf5c23c8a3be92b747725d18bc31d2d1d6 [diff] [blame]
releasetools: Fix alignment issue when signing APEXes.

Previously it was following a wrong order by doing `zipalign` after
calling SignApk, which effectively compromised the signature. This CL
corrects the logic, and follows the same flow as in build system:
 - Pack APEX file;
 - `zipalign -f 4096`;
 - Call SignApk to sign the container with `-a 4096` flag.

Bug: 129148142
Test: Run sign_target_files_apks.py on taimen target_files.zip. Boot the
      image after signing.
Change-Id: I91bd3dce4f45c1891c5e122212a699f4808618fa
(cherry picked from commit 0e06cb0a8b86374a259fd27811e50c0bbb28fbf8)

diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index 2a5cd4a..16c1840 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py

@@ -400,7 +400,6 @@
 
   APEX_PAYLOAD_IMAGE = 'apex_payload.img'
 
-  # Signing an APEX is a two step process.
   # 1. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given payload_key.
   payload_dir = common.MakeTempDir(prefix='apex-payload-')
   with zipfile.ZipFile(apex_file) as apex_fd:
@@ -420,21 +419,28 @@
   common.ZipWrite(apex_zip, payload_file, arcname=APEX_PAYLOAD_IMAGE)
   common.ZipClose(apex_zip)
 
-  # 2. Sign the overall APEX container with container_key.
+  # 2. Align the files at page boundary (same as in apexer).
+  aligned_apex = common.MakeTempFile(
+      prefix='apex-container-', suffix='.apex')
+  common.RunAndCheckOutput(
+      ['zipalign', '-f', '4096', apex_file, aligned_apex])
+
+  # 3. Sign the APEX container with container_key.
   signed_apex = common.MakeTempFile(prefix='apex-container-', suffix='.apex')
+
+  # Specify the 4K alignment when calling SignApk.
+  extra_signapk_args = OPTIONS.extra_signapk_args[:]
+  extra_signapk_args.extend(['-a', '4096'])
+
   common.SignFile(
-      apex_file,
+      aligned_apex,
       signed_apex,
       container_key,
       container_pw,
-      codename_to_api_level_map=codename_to_api_level_map)
+      codename_to_api_level_map=codename_to_api_level_map,
+      extra_signapk_args=extra_signapk_args)
 
-  signed_and_aligned_apex = common.MakeTempFile(
-      prefix='apex-container-', suffix='.apex')
-  common.RunAndCheckOutput(
-      ['zipalign', '-f', '4096', signed_apex, signed_and_aligned_apex])
-
-  return (signed_and_aligned_apex, payload_info['apex.key'])
+  return (signed_apex, payload_info['apex.key'])
 
 
 def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,