blob: 2f26f23f53086e37be017d213613e86a0a1142a7 [file] [log] [blame]
Tao Bao1cd59f22019-03-15 15:13:01 -07001#!/usr/bin/env python
2#
3# Copyright (C) 2019 The Android Open Source Project
4#
5# Licensed under the Apache License, Version 2.0 (the "License");
6# you may not use this file except in compliance with the License.
7# You may obtain a copy of the License at
8#
9# http://www.apache.org/licenses/LICENSE-2.0
10#
11# Unless required by applicable law or agreed to in writing, software
12# distributed under the License is distributed on an "AS IS" BASIS,
13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14# See the License for the specific language governing permissions and
15# limitations under the License.
16
17import logging
18import os.path
19import re
20import shlex
Tianjie Xu88a759d2020-01-23 10:47:54 -080021import shutil
Tao Baoe7354ba2019-05-09 16:54:15 -070022import zipfile
Tao Bao1cd59f22019-03-15 15:13:01 -070023
24import common
25
26logger = logging.getLogger(__name__)
27
Tao Baoe7354ba2019-05-09 16:54:15 -070028OPTIONS = common.OPTIONS
29
Tianjiea28c5262020-03-23 18:14:09 -070030APEX_PAYLOAD_IMAGE = 'apex_payload.img'
31
Tao Bao1cd59f22019-03-15 15:13:01 -070032
33class ApexInfoError(Exception):
34 """An Exception raised during Apex Information command."""
35
36 def __init__(self, message):
37 Exception.__init__(self, message)
38
39
40class ApexSigningError(Exception):
41 """An Exception raised during Apex Payload signing."""
42
43 def __init__(self, message):
44 Exception.__init__(self, message)
45
46
Tianjie Xu88a759d2020-01-23 10:47:54 -080047class ApexApkSigner(object):
48 """Class to sign the apk files in a apex payload image and repack the apex"""
49
50 def __init__(self, apex_path, key_passwords, codename_to_api_level_map):
51 self.apex_path = apex_path
Oleh Cherpake555ab12020-10-05 17:04:59 +030052 if not key_passwords:
53 self.key_passwords = dict()
54 else:
55 self.key_passwords = key_passwords
Tianjie Xu88a759d2020-01-23 10:47:54 -080056 self.codename_to_api_level_map = codename_to_api_level_map
57
Baligh Uddin0d40e212020-03-25 20:50:23 -070058 def ProcessApexFile(self, apk_keys, payload_key, signing_args=None):
Tianjie Xu88a759d2020-01-23 10:47:54 -080059 """Scans and signs the apk files and repack the apex
60
61 Args:
62 apk_keys: A dict that holds the signing keys for apk files.
Tianjie Xu88a759d2020-01-23 10:47:54 -080063
64 Returns:
65 The repacked apex file containing the signed apk files.
66 """
67 list_cmd = ['deapexer', 'list', self.apex_path]
68 entries_names = common.RunAndCheckOutput(list_cmd).split()
69 apk_entries = [name for name in entries_names if name.endswith('.apk')]
70
71 # No need to sign and repack, return the original apex path.
72 if not apk_entries:
73 logger.info('No apk file to sign in %s', self.apex_path)
74 return self.apex_path
75
76 for entry in apk_entries:
77 apk_name = os.path.basename(entry)
78 if apk_name not in apk_keys:
79 raise ApexSigningError('Failed to find signing keys for apk file {} in'
80 ' apex {}. Use "-e <apkname>=" to specify a key'
81 .format(entry, self.apex_path))
82 if not any(dirname in entry for dirname in ['app/', 'priv-app/',
83 'overlay/']):
84 logger.warning('Apk path does not contain the intended directory name:'
85 ' %s', entry)
86
87 payload_dir, has_signed_apk = self.ExtractApexPayloadAndSignApks(
88 apk_entries, apk_keys)
89 if not has_signed_apk:
90 logger.info('No apk file has been signed in %s', self.apex_path)
91 return self.apex_path
92
Baligh Uddin0d40e212020-03-25 20:50:23 -070093 return self.RepackApexPayload(payload_dir, payload_key, signing_args)
Tianjie Xu88a759d2020-01-23 10:47:54 -080094
95 def ExtractApexPayloadAndSignApks(self, apk_entries, apk_keys):
96 """Extracts the payload image and signs the containing apk files."""
97 payload_dir = common.MakeTempDir()
98 extract_cmd = ['deapexer', 'extract', self.apex_path, payload_dir]
99 common.RunAndCheckOutput(extract_cmd)
100
101 has_signed_apk = False
102 for entry in apk_entries:
103 apk_path = os.path.join(payload_dir, entry)
104 assert os.path.exists(self.apex_path)
105
106 key_name = apk_keys.get(os.path.basename(entry))
107 if key_name in common.SPECIAL_CERT_STRINGS:
108 logger.info('Not signing: %s due to special cert string', apk_path)
109 continue
110
111 logger.info('Signing apk file %s in apex %s', apk_path, self.apex_path)
112 # Rename the unsigned apk and overwrite the original apk path with the
113 # signed apk file.
114 unsigned_apk = common.MakeTempFile()
115 os.rename(apk_path, unsigned_apk)
Oleh Cherpake555ab12020-10-05 17:04:59 +0300116 common.SignFile(unsigned_apk, apk_path, key_name, self.key_passwords.get(key_name),
Tianjie Xu88a759d2020-01-23 10:47:54 -0800117 codename_to_api_level_map=self.codename_to_api_level_map)
118 has_signed_apk = True
119 return payload_dir, has_signed_apk
120
Baligh Uddin0d40e212020-03-25 20:50:23 -0700121 def RepackApexPayload(self, payload_dir, payload_key, signing_args=None):
Tianjie Xu88a759d2020-01-23 10:47:54 -0800122 """Rebuilds the apex file with the updated payload directory."""
123 apex_dir = common.MakeTempDir()
124 # Extract the apex file and reuse its meta files as repack parameters.
125 common.UnzipToDir(self.apex_path, apex_dir)
Tianjie Xu88a759d2020-01-23 10:47:54 -0800126 arguments_dict = {
127 'manifest': os.path.join(apex_dir, 'apex_manifest.pb'),
128 'build_info': os.path.join(apex_dir, 'apex_build_info.pb'),
Tianjie Xu88a759d2020-01-23 10:47:54 -0800129 'key': payload_key,
Tianjie Xu88a759d2020-01-23 10:47:54 -0800130 }
131 for filename in arguments_dict.values():
132 assert os.path.exists(filename), 'file {} not found'.format(filename)
133
134 # The repack process will add back these files later in the payload image.
135 for name in ['apex_manifest.pb', 'apex_manifest.json', 'lost+found']:
136 path = os.path.join(payload_dir, name)
137 if os.path.isfile(path):
138 os.remove(path)
139 elif os.path.isdir(path):
140 shutil.rmtree(path)
141
Tianjiea28c5262020-03-23 18:14:09 -0700142 # TODO(xunchang) the signing process can be improved by using
143 # '--unsigned_payload_only'. But we need to parse the vbmeta earlier for
144 # the signing arguments, e.g. algorithm, salt, etc.
145 payload_img = os.path.join(apex_dir, APEX_PAYLOAD_IMAGE)
146 generate_image_cmd = ['apexer', '--force', '--payload_only',
147 '--do_not_check_keyname', '--apexer_tool_path',
148 os.getenv('PATH')]
Tianjie Xu88a759d2020-01-23 10:47:54 -0800149 for key, val in arguments_dict.items():
Tianjiea28c5262020-03-23 18:14:09 -0700150 generate_image_cmd.extend(['--' + key, val])
Baligh Uddin0d40e212020-03-25 20:50:23 -0700151
152 # Add quote to the signing_args as we will pass
153 # --signing_args "--signing_helper_with_files=%path" to apexer
154 if signing_args:
155 generate_image_cmd.extend(['--signing_args', '"{}"'.format(signing_args)])
156
Tianjie Xu83bd55c2020-01-29 11:37:43 -0800157 # optional arguments for apex repacking
Tianjie Xu88a759d2020-01-23 10:47:54 -0800158 manifest_json = os.path.join(apex_dir, 'apex_manifest.json')
159 if os.path.exists(manifest_json):
Tianjiea28c5262020-03-23 18:14:09 -0700160 generate_image_cmd.extend(['--manifest_json', manifest_json])
161 generate_image_cmd.extend([payload_dir, payload_img])
Tianjie Xucea6ad12020-01-30 17:12:05 -0800162 if OPTIONS.verbose:
Tianjiea28c5262020-03-23 18:14:09 -0700163 generate_image_cmd.append('-v')
164 common.RunAndCheckOutput(generate_image_cmd)
Tianjie Xu88a759d2020-01-23 10:47:54 -0800165
Tianjiea28c5262020-03-23 18:14:09 -0700166 # Add the payload image back to the apex file.
167 common.ZipDelete(self.apex_path, APEX_PAYLOAD_IMAGE)
168 with zipfile.ZipFile(self.apex_path, 'a') as output_apex:
169 common.ZipWrite(output_apex, payload_img, APEX_PAYLOAD_IMAGE,
170 compress_type=zipfile.ZIP_STORED)
171 return self.apex_path
Tianjie Xu88a759d2020-01-23 10:47:54 -0800172
173
Tao Bao1ac886e2019-06-26 11:58:22 -0700174def SignApexPayload(avbtool, payload_file, payload_key_path, payload_key_name,
Jiyong Parkb3a54022020-05-19 23:18:03 +0900175 algorithm, salt, hash_algorithm, no_hashtree, signing_args=None):
Tao Bao1cd59f22019-03-15 15:13:01 -0700176 """Signs a given payload_file with the payload key."""
177 # Add the new footer. Old footer, if any, will be replaced by avbtool.
Tao Bao1ac886e2019-06-26 11:58:22 -0700178 cmd = [avbtool, 'add_hashtree_footer',
Tao Bao1cd59f22019-03-15 15:13:01 -0700179 '--do_not_generate_fec',
180 '--algorithm', algorithm,
181 '--key', payload_key_path,
182 '--prop', 'apex.key:{}'.format(payload_key_name),
183 '--image', payload_file,
Jiyong Parkb3a54022020-05-19 23:18:03 +0900184 '--salt', salt,
185 '--hash_algorithm', hash_algorithm]
Tao Bao448004a2019-09-19 07:55:02 -0700186 if no_hashtree:
187 cmd.append('--no_hashtree')
Tao Bao1cd59f22019-03-15 15:13:01 -0700188 if signing_args:
189 cmd.extend(shlex.split(signing_args))
190
191 try:
192 common.RunAndCheckOutput(cmd)
193 except common.ExternalError as e:
Tao Bao86b529a2019-06-19 17:03:37 -0700194 raise ApexSigningError(
Tao Bao1cd59f22019-03-15 15:13:01 -0700195 'Failed to sign APEX payload {} with {}:\n{}'.format(
Tao Bao86b529a2019-06-19 17:03:37 -0700196 payload_file, payload_key_path, e))
Tao Bao1cd59f22019-03-15 15:13:01 -0700197
198 # Verify the signed payload image with specified public key.
199 logger.info('Verifying %s', payload_file)
Tao Bao448004a2019-09-19 07:55:02 -0700200 VerifyApexPayload(avbtool, payload_file, payload_key_path, no_hashtree)
Tao Bao1cd59f22019-03-15 15:13:01 -0700201
202
Tao Bao448004a2019-09-19 07:55:02 -0700203def VerifyApexPayload(avbtool, payload_file, payload_key, no_hashtree=False):
Tao Bao1cd59f22019-03-15 15:13:01 -0700204 """Verifies the APEX payload signature with the given key."""
Tao Bao1ac886e2019-06-26 11:58:22 -0700205 cmd = [avbtool, 'verify_image', '--image', payload_file,
Tao Bao1cd59f22019-03-15 15:13:01 -0700206 '--key', payload_key]
Tao Bao448004a2019-09-19 07:55:02 -0700207 if no_hashtree:
208 cmd.append('--accept_zeroed_hashtree')
Tao Bao1cd59f22019-03-15 15:13:01 -0700209 try:
210 common.RunAndCheckOutput(cmd)
211 except common.ExternalError as e:
Tao Bao86b529a2019-06-19 17:03:37 -0700212 raise ApexSigningError(
Tao Bao1cd59f22019-03-15 15:13:01 -0700213 'Failed to validate payload signing for {} with {}:\n{}'.format(
Tao Bao86b529a2019-06-19 17:03:37 -0700214 payload_file, payload_key, e))
Tao Bao1cd59f22019-03-15 15:13:01 -0700215
216
Tao Bao1ac886e2019-06-26 11:58:22 -0700217def ParseApexPayloadInfo(avbtool, payload_path):
Tao Bao1cd59f22019-03-15 15:13:01 -0700218 """Parses the APEX payload info.
219
220 Args:
Tao Bao1ac886e2019-06-26 11:58:22 -0700221 avbtool: The AVB tool to use.
Tao Bao1cd59f22019-03-15 15:13:01 -0700222 payload_path: The path to the payload image.
223
224 Raises:
225 ApexInfoError on parsing errors.
226
227 Returns:
228 A dict that contains payload property-value pairs. The dict should at least
Tao Bao448004a2019-09-19 07:55:02 -0700229 contain Algorithm, Salt, Tree Size and apex.key.
Tao Bao1cd59f22019-03-15 15:13:01 -0700230 """
231 if not os.path.exists(payload_path):
232 raise ApexInfoError('Failed to find image: {}'.format(payload_path))
233
Tao Bao1ac886e2019-06-26 11:58:22 -0700234 cmd = [avbtool, 'info_image', '--image', payload_path]
Tao Bao1cd59f22019-03-15 15:13:01 -0700235 try:
236 output = common.RunAndCheckOutput(cmd)
237 except common.ExternalError as e:
Tao Bao86b529a2019-06-19 17:03:37 -0700238 raise ApexInfoError(
Tao Bao1cd59f22019-03-15 15:13:01 -0700239 'Failed to get APEX payload info for {}:\n{}'.format(
Tao Bao86b529a2019-06-19 17:03:37 -0700240 payload_path, e))
Tao Bao1cd59f22019-03-15 15:13:01 -0700241
Jiyong Parkb3a54022020-05-19 23:18:03 +0900242 # Extract the Algorithm / Hash Algorithm / Salt / Prop info / Tree size from
243 # payload (i.e. an image signed with avbtool). For example,
Tao Bao1cd59f22019-03-15 15:13:01 -0700244 # Algorithm: SHA256_RSA4096
245 PAYLOAD_INFO_PATTERN = (
Jiyong Parkb3a54022020-05-19 23:18:03 +0900246 r'^\s*(?P<key>Algorithm|Hash Algorithm|Salt|Prop|Tree Size)\:\s*(?P<value>.*?)$')
Tao Bao1cd59f22019-03-15 15:13:01 -0700247 payload_info_matcher = re.compile(PAYLOAD_INFO_PATTERN)
248
249 payload_info = {}
250 for line in output.split('\n'):
251 line_info = payload_info_matcher.match(line)
252 if not line_info:
253 continue
254
255 key, value = line_info.group('key'), line_info.group('value')
256
257 if key == 'Prop':
258 # Further extract the property key-value pair, from a 'Prop:' line. For
259 # example,
260 # Prop: apex.key -> 'com.android.runtime'
261 # Note that avbtool writes single or double quotes around values.
262 PROPERTY_DESCRIPTOR_PATTERN = r'^\s*(?P<key>.*?)\s->\s*(?P<value>.*?)$'
263
264 prop_matcher = re.compile(PROPERTY_DESCRIPTOR_PATTERN)
265 prop = prop_matcher.match(value)
266 if not prop:
267 raise ApexInfoError(
268 'Failed to parse prop string {}'.format(value))
269
270 prop_key, prop_value = prop.group('key'), prop.group('value')
271 if prop_key == 'apex.key':
272 # avbtool dumps the prop value with repr(), which contains single /
273 # double quotes that we don't want.
274 payload_info[prop_key] = prop_value.strip('\"\'')
275
276 else:
277 payload_info[key] = value
278
279 # Sanity check.
Jiyong Parkb3a54022020-05-19 23:18:03 +0900280 for key in ('Algorithm', 'Salt', 'apex.key', 'Hash Algorithm'):
Tao Bao1cd59f22019-03-15 15:13:01 -0700281 if key not in payload_info:
282 raise ApexInfoError(
283 'Failed to find {} prop in {}'.format(key, payload_path))
284
285 return payload_info
Tao Baoe7354ba2019-05-09 16:54:15 -0700286
287
Tao Bao1ac886e2019-06-26 11:58:22 -0700288def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
Tianjie Xu88a759d2020-01-23 10:47:54 -0800289 apk_keys, codename_to_api_level_map,
290 no_hashtree, signing_args=None):
Tao Baoe7354ba2019-05-09 16:54:15 -0700291 """Signs the current APEX with the given payload/container keys.
292
293 Args:
294 apex_data: Raw APEX data.
295 payload_key: The path to payload signing key (w/ extension).
296 container_key: The path to container signing key (w/o extension).
297 container_pw: The matching password of the container_key, or None.
Tianjie Xu88a759d2020-01-23 10:47:54 -0800298 apk_keys: A dict that holds the signing keys for apk files.
Tao Baoe7354ba2019-05-09 16:54:15 -0700299 codename_to_api_level_map: A dict that maps from codename to API level.
Tao Bao448004a2019-09-19 07:55:02 -0700300 no_hashtree: Don't include hashtree in the signed APEX.
Tao Baoe7354ba2019-05-09 16:54:15 -0700301 signing_args: Additional args to be passed to the payload signer.
302
303 Returns:
304 The path to the signed APEX file.
305 """
306 apex_file = common.MakeTempFile(prefix='apex-', suffix='.apex')
307 with open(apex_file, 'wb') as apex_fp:
308 apex_fp.write(apex_data)
309
Tao Baoe7354ba2019-05-09 16:54:15 -0700310 APEX_PUBKEY = 'apex_pubkey'
311
Tianjie Xu88a759d2020-01-23 10:47:54 -0800312 # 1. Extract the apex payload image and sign the containing apk files. Repack
313 # the apex file after signing.
Tianjie Xu88a759d2020-01-23 10:47:54 -0800314 apk_signer = ApexApkSigner(apex_file, container_pw,
315 codename_to_api_level_map)
Baligh Uddin0d40e212020-03-25 20:50:23 -0700316 apex_file = apk_signer.ProcessApexFile(apk_keys, payload_key, signing_args)
Tianjie Xu88a759d2020-01-23 10:47:54 -0800317
318 # 2a. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given
Tao Baoe7354ba2019-05-09 16:54:15 -0700319 # payload_key.
320 payload_dir = common.MakeTempDir(prefix='apex-payload-')
321 with zipfile.ZipFile(apex_file) as apex_fd:
322 payload_file = apex_fd.extract(APEX_PAYLOAD_IMAGE, payload_dir)
Baligh Uddin15881282019-08-25 12:01:44 -0700323 zip_items = apex_fd.namelist()
Tao Baoe7354ba2019-05-09 16:54:15 -0700324
Tao Bao1ac886e2019-06-26 11:58:22 -0700325 payload_info = ParseApexPayloadInfo(avbtool, payload_file)
Tao Baoe7354ba2019-05-09 16:54:15 -0700326 SignApexPayload(
Tao Bao1ac886e2019-06-26 11:58:22 -0700327 avbtool,
Tao Baoe7354ba2019-05-09 16:54:15 -0700328 payload_file,
329 payload_key,
330 payload_info['apex.key'],
331 payload_info['Algorithm'],
332 payload_info['Salt'],
Jiyong Parkb3a54022020-05-19 23:18:03 +0900333 payload_info['Hash Algorithm'],
Tao Bao448004a2019-09-19 07:55:02 -0700334 no_hashtree,
Tao Baoe7354ba2019-05-09 16:54:15 -0700335 signing_args)
336
Tianjie Xu88a759d2020-01-23 10:47:54 -0800337 # 2b. Update the embedded payload public key.
Tianjiea28c5262020-03-23 18:14:09 -0700338 payload_public_key = common.ExtractAvbPublicKey(avbtool, payload_key)
Tao Baoe7354ba2019-05-09 16:54:15 -0700339 common.ZipDelete(apex_file, APEX_PAYLOAD_IMAGE)
Baligh Uddin15881282019-08-25 12:01:44 -0700340 if APEX_PUBKEY in zip_items:
341 common.ZipDelete(apex_file, APEX_PUBKEY)
Tao Baoe7354ba2019-05-09 16:54:15 -0700342 apex_zip = zipfile.ZipFile(apex_file, 'a')
343 common.ZipWrite(apex_zip, payload_file, arcname=APEX_PAYLOAD_IMAGE)
344 common.ZipWrite(apex_zip, payload_public_key, arcname=APEX_PUBKEY)
345 common.ZipClose(apex_zip)
346
Tianjie Xu88a759d2020-01-23 10:47:54 -0800347 # 3. Align the files at page boundary (same as in apexer).
Tao Baoe7354ba2019-05-09 16:54:15 -0700348 aligned_apex = common.MakeTempFile(prefix='apex-container-', suffix='.apex')
349 common.RunAndCheckOutput(['zipalign', '-f', '4096', apex_file, aligned_apex])
350
Tianjie Xu88a759d2020-01-23 10:47:54 -0800351 # 4. Sign the APEX container with container_key.
Tao Baoe7354ba2019-05-09 16:54:15 -0700352 signed_apex = common.MakeTempFile(prefix='apex-container-', suffix='.apex')
353
354 # Specify the 4K alignment when calling SignApk.
355 extra_signapk_args = OPTIONS.extra_signapk_args[:]
356 extra_signapk_args.extend(['-a', '4096'])
357
358 common.SignFile(
359 aligned_apex,
360 signed_apex,
361 container_key,
Oleh Cherpake555ab12020-10-05 17:04:59 +0300362 container_pw.get(container_key),
Tao Baoe7354ba2019-05-09 16:54:15 -0700363 codename_to_api_level_map=codename_to_api_level_map,
364 extra_signapk_args=extra_signapk_args)
365
366 return signed_apex