tools/releasetools/sign_target_files_apks

#!/usr/bin/env python
#
# Copyright (C) 2008 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

"""
Signs all the APK files in a target-files zipfile, producing a new
target-files zip.

Usage:  sign_target_files_apks [flags] input_target_files output_target_files

  -e  (--extra_apks)  <name,name,...=key>
      Add extra APK name/key pairs as though they appeared in
      apkcerts.txt (so mappings specified by -k and -d are applied).
      Keys specified in -e override any value for that app contained
      in the apkcerts.txt file.  Option may be repeated to give
      multiple extra packages.

  -k  (--key_mapping)  <src_key=dest_key>
      Add a mapping from the key name as specified in apkcerts.txt (the
      src_key) to the real key you wish to sign the package with
      (dest_key).  Option may be repeated to give multiple key
      mappings.

  -d  (--default_key_mappings)  <dir>
      Set up the following key mappings:

        build/target/product/security/testkey   ==>  $dir/releasekey
        build/target/product/security/media     ==>  $dir/media
        build/target/product/security/shared    ==>  $dir/shared
        build/target/product/security/platform  ==>  $dir/platform

      -d and -k options are added to the set of mappings in the order
      in which they appear on the command line.

  -o  (--replace_ota_keys)
      Replace the certificate (public key) used by OTA package
      verification with the one specified in the input target_files
      zip (in the META/otakeys.txt file).  Key remapping (-k and -d)
      is performed on this key.

  -t  (--tag_changes)  <+tag>,<-tag>,...
      Comma-separated list of changes to make to the set of tags (in
      the last component of the build fingerprint).  Prefix each with
      '+' or '-' to indicate whether that tag should be added or
      removed.  Changes are processed in the order they appear.
      Default value is "-test-keys,+ota-rel-keys,+release-keys".

"""

import sys

if sys.hexversion < 0x02040000:
  print >> sys.stderr, "Python 2.4 or newer is required."
  sys.exit(1)

import cStringIO
import copy
import os
import re
import subprocess
import tempfile
import zipfile

import common

OPTIONS = common.OPTIONS

OPTIONS.extra_apks = {}
OPTIONS.key_map = {}
OPTIONS.replace_ota_keys = False
OPTIONS.tag_changes = ("-test-keys", "+ota-rel-keys", "+release-keys")

def GetApkCerts(tf_zip):
  certmap = {}
  for line in tf_zip.read("META/apkcerts.txt").split("\n"):
    line = line.strip()
    if not line: continue
    m = re.match(r'^name="(.*)"\s+certificate="(.*)\.x509\.pem"\s+'
                 r'private_key="\2\.pk8"$', line)
    if not m:
      raise SigningError("failed to parse line from apkcerts.txt:\n" + line)
    certmap[m.group(1)] = OPTIONS.key_map.get(m.group(2), m.group(2))
  for apk, cert in OPTIONS.extra_apks.iteritems():
    certmap[apk] = OPTIONS.key_map.get(cert, cert)
  return certmap


def CheckAllApksSigned(input_tf_zip, apk_key_map):
  """Check that all the APKs we want to sign have keys specified, and
  error out if they don't."""
  unknown_apks = []
  for info in input_tf_zip.infolist():
    if info.filename.endswith(".apk"):
      name = os.path.basename(info.filename)
      if name not in apk_key_map:
        unknown_apks.append(name)
  if unknown_apks:
    print "ERROR: no key specified for:\n\n ",
    print "\n  ".join(unknown_apks)
    print "\nUse '-e <apkname>=' to specify a key (which may be an"
    print "empty string to not sign this apk)."
    sys.exit(1)


def SharedUserForApk(data):
  tmp = tempfile.NamedTemporaryFile()
  tmp.write(data)
  tmp.flush()

  p = common.Run(["aapt", "dump", "xmltree", tmp.name, "AndroidManifest.xml"],
                 stdout=subprocess.PIPE)
  data, _ = p.communicate()
  if p.returncode != 0:
    raise ExternalError("failed to run aapt dump")
  lines = data.split("\n")
  for i in lines:
    m = re.match(r'^\s*A: android:sharedUserId\([0-9a-fx]*\)="([^"]*)" .*$', i)
    if m:
      return m.group(1)
  return None


def CheckSharedUserIdsConsistent(input_tf_zip, apk_key_map):
  """Check that all packages that request the same shared user id are
  going to be signed with the same key."""

  shared_user_apks = {}
  maxlen = len("(unknown key)")

  for info in input_tf_zip.infolist():
    if info.filename.endswith(".apk"):
      data = input_tf_zip.read(info.filename)

      name = os.path.basename(info.filename)
      shared_user = SharedUserForApk(data)
      key = apk_key_map[name]
      maxlen = max(maxlen, len(key))

      if shared_user is not None:
        shared_user_apks.setdefault(
            shared_user, {}).setdefault(key, []).append(name)

  errors = []
  for k, v in shared_user_apks.iteritems():
    # each shared user should have exactly one key used for all the
    # apks that want that user.
    if len(v) > 1:
      errors.append((k, v))

  if not errors: return

  print "ERROR:  shared user inconsistency.  All apks wanting to use"
  print "        a given shared user must be signed with the same key."
  print
  errors.sort()
  for user, keys in errors:
    print 'shared user id "%s":' % (user,)
    for key, apps in keys.iteritems():
      print '  %-*s   %s' % (maxlen, key or "(unknown key)", apps[0])
      for a in apps[1:]:
        print (' ' * (maxlen+5)) + a
    print

  sys.exit(1)


def SignApk(data, keyname, pw):
  unsigned = tempfile.NamedTemporaryFile()
  unsigned.write(data)
  unsigned.flush()

  signed = tempfile.NamedTemporaryFile()

  common.SignFile(unsigned.name, signed.name, keyname, pw, align=4)

  data = signed.read()
  unsigned.close()
  signed.close()

  return data


def SignApks(input_tf_zip, output_tf_zip, apk_key_map, key_passwords):
  maxsize = max([len(os.path.basename(i.filename))
                 for i in input_tf_zip.infolist()
                 if i.filename.endswith('.apk')])

  for info in input_tf_zip.infolist():
    data = input_tf_zip.read(info.filename)
    out_info = copy.copy(info)
    if info.filename.endswith(".apk"):
      name = os.path.basename(info.filename)
      key = apk_key_map[name]
      if key:
        print "    signing: %-*s (%s)" % (maxsize, name, key)
        signed_data = SignApk(data, key, key_passwords[key])
        output_tf_zip.writestr(out_info, signed_data)
      else:
        # an APK we're not supposed to sign.
        print "NOT signing: %s" % (name,)
        output_tf_zip.writestr(out_info, data)
    elif info.filename in ("SYSTEM/build.prop",
                           "RECOVERY/RAMDISK/default.prop"):
      print "rewriting %s:" % (info.filename,)
      new_data = RewriteProps(data)
      output_tf_zip.writestr(out_info, new_data)
    else:
      # a non-APK file; copy it verbatim
      output_tf_zip.writestr(out_info, data)


def RewriteProps(data):
  output = []
  for line in data.split("\n"):
    line = line.strip()
    original_line = line
    if line and line[0] != '#':
      key, value = line.split("=", 1)
      if key == "ro.build.fingerprint":
        pieces = line.split("/")
        tags = set(pieces[-1].split(","))
        for ch in OPTIONS.tag_changes:
          if ch[0] == "-":
            tags.discard(ch[1:])
          elif ch[0] == "+":
            tags.add(ch[1:])
        line = "/".join(pieces[:-1] + [",".join(sorted(tags))])
      elif key == "ro.build.description":
        pieces = line.split(" ")
        assert len(pieces) == 5
        tags = set(pieces[-1].split(","))
        for ch in OPTIONS.tag_changes:
          if ch[0] == "-":
            tags.discard(ch[1:])
          elif ch[0] == "+":
            tags.add(ch[1:])
        line = " ".join(pieces[:-1] + [",".join(sorted(tags))])
    if line != original_line:
      print "  replace: ", original_line
      print "     with: ", line
    output.append(line)
  return "\n".join(output) + "\n"


def ReplaceOtaKeys(input_tf_zip, output_tf_zip):
  try:
    keylist = input_tf_zip.read("META/otakeys.txt").split()
  except KeyError:
    raise ExternalError("can't read META/otakeys.txt from input")

  mapped_keys = []
  for k in keylist:
    m = re.match(r"^(.*)\.x509\.pem$", k)
    if not m:
      raise ExternalError("can't parse \"%s\" from META/otakeys.txt" % (k,))
    k = m.group(1)
    mapped_keys.append(OPTIONS.key_map.get(k, k) + ".x509.pem")

  print "using:\n   ", "\n   ".join(mapped_keys)
  print "for OTA package verification"

  # recovery uses a version of the key that has been slightly
  # predigested (by DumpPublicKey.java) and put in res/keys.

  p = common.Run(["java", "-jar",
                  os.path.join(OPTIONS.search_path, "framework", "dumpkey.jar")]
                 + mapped_keys,
                 stdout=subprocess.PIPE)
  data, _ = p.communicate()
  if p.returncode != 0:
    raise ExternalError("failed to run dumpkeys")
  common.ZipWriteStr(output_tf_zip, "RECOVERY/RAMDISK/res/keys", data)

  # SystemUpdateActivity uses the x509.pem version of the keys, but
  # put into a zipfile system/etc/security/otacerts.zip.

  tempfile = cStringIO.StringIO()
  certs_zip = zipfile.ZipFile(tempfile, "w")
  for k in mapped_keys:
    certs_zip.write(k)
  certs_zip.close()
  common.ZipWriteStr(output_tf_zip, "SYSTEM/etc/security/otacerts.zip",
                     tempfile.getvalue())


def main(argv):

  def option_handler(o, a):
    if o in ("-e", "--extra_apks"):
      names, key = a.split("=")
      names = names.split(",")
      for n in names:
        OPTIONS.extra_apks[n] = key
    elif o in ("-d", "--default_key_mappings"):
      OPTIONS.key_map.update({
          "build/target/product/security/testkey": "%s/releasekey" % (a,),
          "build/target/product/security/media": "%s/media" % (a,),
          "build/target/product/security/shared": "%s/shared" % (a,),
          "build/target/product/security/platform": "%s/platform" % (a,),
          })
    elif o in ("-k", "--key_mapping"):
      s, d = a.split("=")
      OPTIONS.key_map[s] = d
    elif o in ("-o", "--replace_ota_keys"):
      OPTIONS.replace_ota_keys = True
    elif o in ("-t", "--tag_changes"):
      new = []
      for i in a.split(","):
        i = i.strip()
        if not i or i[0] not in "-+":
          raise ValueError("Bad tag change '%s'" % (i,))
        new.append(i[0] + i[1:].strip())
      OPTIONS.tag_changes = tuple(new)
    else:
      return False
    return True

  args = common.ParseOptions(argv, __doc__,
                             extra_opts="e:d:k:ot:",
                             extra_long_opts=["extra_apks=",
                                              "default_key_mappings=",
                                              "key_mapping=",
                                              "replace_ota_keys",
                                              "tag_changes="],
                             extra_option_handler=option_handler)

  if len(args) != 2:
    common.Usage(__doc__)
    sys.exit(1)

  input_zip = zipfile.ZipFile(args[0], "r")
  output_zip = zipfile.ZipFile(args[1], "w")

  apk_key_map = GetApkCerts(input_zip)
  CheckAllApksSigned(input_zip, apk_key_map)
  CheckSharedUserIdsConsistent(input_zip, apk_key_map)

  key_passwords = common.GetKeyPasswords(set(apk_key_map.values()))
  SignApks(input_zip, output_zip, apk_key_map, key_passwords)

  if OPTIONS.replace_ota_keys:
    ReplaceOtaKeys(input_zip, output_zip)

  input_zip.close()
  output_zip.close()

  print "done."


if __name__ == '__main__':
  try:
    main(sys.argv[1:])
  except common.ExternalError, e:
    print
    print "   ERROR: %s" % (e,)
    print
    sys.exit(1)