commit 98498f48d92115179e7c0dcc214d7982eef6f907
author Jooyung Han <jooyung@google.com> Mon Feb 07 15:23:08 2022 +0900
committer Jooyung Han <jooyung@google.com> Mon Feb 07 07:11:42 2022 +0000
tree efc7ce9ffeb8e9478b3290317f04830db2580d3e
parent eedbc06088db7d9c215d73d6fb425b325b8a91ba

sign_virt_apex: --signing_args for avbtool's extra args

avbtool's --signing_helper/--signing_helper_with_files args can be used
to delegate signing to an external tool. This is used typically when
signing infra can't access private keys.

Now build/tools/releasetools/apex_utils.py passes those extra args for
avbtool via --signing_args argument of a custom APEX signing tool.

And sign_virt_apex forwards it to avbtool for commands like
'add_hashtree_footer'.

Bug: 216971834
Test: tbd
Change-Id: I2b730527e4b95e0e7732492559d2e4c10d80c43c

apex/sign_virt_apex.py

diff --git a/apex/sign_virt_apex.py b/apex/sign_virt_apex.py
index 8fe3403..207c938 100644
--- a/apex/sign_virt_apex.py
+++ b/apex/sign_virt_apex.py
@@ -15,7 +15,8 @@
 # limitations under the License.
 """sign_virt_apex is a command line tool for sign the Virt APEX file.
 
-Typical usage: sign_virt_apex [-v] [--avbtool path_to_avbtool] path_to_key payload_contents_dir
+Typical usage:
+  sign_virt_apex [-v] [--avbtool path_to_avbtool] [--signing_args args] payload_key payload_dir
 
 sign_virt_apex uses external tools which are assumed to be available via PATH.
 - avbtool (--avbtool can override the tool)
@@ -26,6 +27,7 @@
 import hashlib
 import os
 import re
+import shlex
 import shutil
 import subprocess
 import sys
@@ -45,6 +47,10 @@
         default='avbtool',
         help='Optional flag that specifies the AVB tool to use. Defaults to `avbtool`.')
     parser.add_argument(
+        '--signing_args',
+        help='the extra signing arguments passed to avbtool.'
+    )
+    parser.add_argument(
         'key',
         help='path to the private key file.')
     parser.add_argument(
@@ -163,6 +169,8 @@
                '--partition_name', partition_name,
                '--partition_size', partition_size,
                '--image', image_path]
+        if args.signing_args:
+            cmd.extend(shlex.split(args.signing_args))
         RunCommand(args, cmd)
 
 
@@ -182,6 +190,8 @@
                '--partition_size', partition_size,
                '--do_not_generate_fec',
                '--image', image_path]
+        if args.signing_args:
+            cmd.extend(shlex.split(args.signing_args))
         RunCommand(args, cmd)
 
 
@@ -216,6 +226,9 @@
                 cmd.extend(['--chain_partition', '%s:%s:%s' %
                            (part_name, ril, avbpubkey)])
 
+        if args.signing_args:
+            cmd.extend(shlex.split(args.signing_args))
+
         RunCommand(args, cmd)
         # libavb expects to be able to read the maximum vbmeta size, so we must provide a partition
         # which matches this or the read will fail.