Don't generate hashtree when signing bundled APEXes.

Bug: 139957269 Test: Sign a target_files.zip. Extract a re-signed APEX and check the hashtree size (being zero). Test: Use sign_apex to sign an APEX file. Check the hashtree size (not being zero). Test: python -m unittest test_apex_utils Test: python -m unittest test_sign_apex Change-Id: I927b7681d66920d7732b700ec3a8f7a65b4cb351
2019-09-19 07:55:02 -07:00 · 2019-09-19 07:55:02 -07:00 · 448004af9d
parent 7be2b01f3c
commit 448004af9d
4 changed files with 54 additions and 17 deletions
--- a/tools/releasetools/apex_utils.py
+++ b/tools/releasetools/apex_utils.py
@ -42,7 +42,7 @@ class ApexSigningError(Exception):


 def SignApexPayload(avbtool, payload_file, payload_key_path, payload_key_name,
-                    algorithm, salt, signing_args=None):
+                    algorithm, salt, no_hashtree, signing_args=None):
  """Signs a given payload_file with the payload key."""
  # Add the new footer. Old footer, if any, will be replaced by avbtool.
  cmd = [avbtool, 'add_hashtree_footer',
@ -52,6 +52,8 @@ def SignApexPayload(avbtool, payload_file, payload_key_path, payload_key_name,
         '--prop', 'apex.key:{}'.format(payload_key_name),
         '--image', payload_file,
         '--salt', salt]
+  if no_hashtree:
+    cmd.append('--no_hashtree')
  if signing_args:
    cmd.extend(shlex.split(signing_args))

@ -64,13 +66,15 @@ def SignApexPayload(avbtool, payload_file, payload_key_path, payload_key_name,

  # Verify the signed payload image with specified public key.
  logger.info('Verifying %s', payload_file)
-  VerifyApexPayload(avbtool, payload_file, payload_key_path)
+  VerifyApexPayload(avbtool, payload_file, payload_key_path, no_hashtree)


-def VerifyApexPayload(avbtool, payload_file, payload_key):
+def VerifyApexPayload(avbtool, payload_file, payload_key, no_hashtree=False):
  """Verifies the APEX payload signature with the given key."""
  cmd = [avbtool, 'verify_image', '--image', payload_file,
         '--key', payload_key]
+  if no_hashtree:
+    cmd.append('--accept_zeroed_hashtree')
  try:
    common.RunAndCheckOutput(cmd)
  except common.ExternalError as e:
@ -91,7 +95,7 @@ def ParseApexPayloadInfo(avbtool, payload_path):

  Returns:
    A dict that contains payload property-value pairs. The dict should at least
-    contain Algorithm, Salt and apex.key.
+    contain Algorithm, Salt, Tree Size and apex.key.
  """
  if not os.path.exists(payload_path):
    raise ApexInfoError('Failed to find image: {}'.format(payload_path))
@ -104,11 +108,11 @@ def ParseApexPayloadInfo(avbtool, payload_path):
        'Failed to get APEX payload info for {}:\n{}'.format(
            payload_path, e))

-  # Extract the Algorithm / Salt / Prop info from payload (i.e. an image signed
-  # with avbtool). For example,
+  # Extract the Algorithm / Salt / Prop info / Tree size from payload (i.e. an
+  # image signed with avbtool). For example,
  # Algorithm:                SHA256_RSA4096
  PAYLOAD_INFO_PATTERN = (
-      r'^\s*(?P<key>Algorithm|Salt|Prop)\:\s*(?P<value>.*?)$')
+      r'^\s*(?P<key>Algorithm|Salt|Prop|Tree Size)\:\s*(?P<value>.*?)$')
  payload_info_matcher = re.compile(PAYLOAD_INFO_PATTERN)

  payload_info = {}
@ -151,7 +155,7 @@ def ParseApexPayloadInfo(avbtool, payload_path):


 def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
-             codename_to_api_level_map, signing_args=None):
+             codename_to_api_level_map, no_hashtree, signing_args=None):
  """Signs the current APEX with the given payload/container keys.

  Args:
@ -160,6 +164,7 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
    container_key: The path to container signing key (w/o extension).
    container_pw: The matching password of the container_key, or None.
    codename_to_api_level_map: A dict that maps from codename to API level.
+    no_hashtree: Don't include hashtree in the signed APEX.
    signing_args: Additional args to be passed to the payload signer.

  Returns:
@ -187,6 +192,7 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
      payload_info['apex.key'],
      payload_info['Algorithm'],
      payload_info['Salt'],
+      no_hashtree,
      signing_args)

  # 1b. Update the embedded payload public key.
--- a/tools/releasetools/sign_apex.py
+++ b/tools/releasetools/sign_apex.py
@ -56,6 +56,7 @@ def SignApexFile(avbtool, apex_file, payload_key, container_key,
      container_key=container_key,
      container_pw=None,
      codename_to_api_level_map=None,
+      no_hashtree=False,
      signing_args=signing_args)


@ -103,7 +104,8 @@ def main(argv):
      args[0],
      options['payload_key'],
      options['container_key'],
-      options.get('payload_extra_args'))
+      no_hashtree=False,
+      signing_args=options.get('payload_extra_args'))
  shutil.copyfile(signed_apex, args[1])
  logger.info("done.")

--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@ -479,7 +479,8 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
            container_key,
            key_passwords[container_key],
            codename_to_api_level_map,
-            OPTIONS.avb_extra_args.get('apex'))
+            no_hashtree=True,
+            signing_args=OPTIONS.avb_extra_args.get('apex'))
        common.ZipWrite(output_tf_zip, signed_apex, filename)

      else:
--- a/tools/releasetools/test_apex_utils.py
+++ b/tools/releasetools/test_apex_utils.py
@ -44,19 +44,42 @@ class ApexUtilsTest(test_utils.ReleaseToolsTestCase):
    payload_file = self._GetTestPayload()
    apex_utils.SignApexPayload(
        'avbtool', payload_file, self.payload_key, 'testkey', 'SHA256_RSA2048',
-        self.SALT)
+        self.SALT, no_hashtree=True)
    payload_info = apex_utils.ParseApexPayloadInfo('avbtool', payload_file)
    self.assertEqual('SHA256_RSA2048', payload_info['Algorithm'])
    self.assertEqual(self.SALT, payload_info['Salt'])
    self.assertEqual('testkey', payload_info['apex.key'])
+    self.assertEqual('0 bytes', payload_info['Tree Size'])

  @test_utils.SkipIfExternalToolsUnavailable()
  def test_SignApexPayload(self):
    payload_file = self._GetTestPayload()
    apex_utils.SignApexPayload(
        'avbtool', payload_file, self.payload_key, 'testkey', 'SHA256_RSA2048',
-        self.SALT)
+        self.SALT, no_hashtree=True)
+    apex_utils.VerifyApexPayload(
+        'avbtool', payload_file, self.payload_key, True)
+
+  @test_utils.SkipIfExternalToolsUnavailable()
+  def test_SignApexPayload_withHashtree(self):
+    payload_file = self._GetTestPayload()
+    apex_utils.SignApexPayload(
+        'avbtool', payload_file, self.payload_key, 'testkey', 'SHA256_RSA2048',
+        self.SALT, no_hashtree=False)
    apex_utils.VerifyApexPayload('avbtool', payload_file, self.payload_key)
+    payload_info = apex_utils.ParseApexPayloadInfo('avbtool', payload_file)
+    self.assertEqual('4096 bytes', payload_info['Tree Size'])
+
+  @test_utils.SkipIfExternalToolsUnavailable()
+  def test_SignApexPayload_noHashtree(self):
+    payload_file = self._GetTestPayload()
+    apex_utils.SignApexPayload(
+        'avbtool', payload_file, self.payload_key, 'testkey', 'SHA256_RSA2048',
+        self.SALT, no_hashtree=True)
+    apex_utils.VerifyApexPayload('avbtool', payload_file, self.payload_key,
+                                 no_hashtree=True)
+    payload_info = apex_utils.ParseApexPayloadInfo('avbtool', payload_file)
+    self.assertEqual('0 bytes', payload_info['Tree Size'])

  @test_utils.SkipIfExternalToolsUnavailable()
  def test_SignApexPayload_withSignerHelper(self):
@ -70,8 +93,10 @@ class ApexUtilsTest(test_utils.ReleaseToolsTestCase):
        payload_file,
        self.payload_key,
        'testkey', 'SHA256_RSA2048', self.SALT,
+        True,
        payload_signer_args)
-    apex_utils.VerifyApexPayload('avbtool', payload_file, self.payload_key)
+    apex_utils.VerifyApexPayload(
+        'avbtool', payload_file, self.payload_key, True)

  @test_utils.SkipIfExternalToolsUnavailable()
  def test_SignApexPayload_invalidKey(self):
@ -83,18 +108,21 @@ class ApexUtilsTest(test_utils.ReleaseToolsTestCase):
        os.path.join(self.testdata_dir, 'testkey.x509.pem'),
        'testkey',
        'SHA256_RSA2048',
-        self.SALT)
+        self.SALT,
+        no_hashtree=True)

  @test_utils.SkipIfExternalToolsUnavailable()
  def test_VerifyApexPayload_wrongKey(self):
    payload_file = self._GetTestPayload()
    apex_utils.SignApexPayload(
        'avbtool', payload_file, self.payload_key, 'testkey', 'SHA256_RSA2048',
-        self.SALT)
-    apex_utils.VerifyApexPayload('avbtool', payload_file, self.payload_key)
+        self.SALT, True)
+    apex_utils.VerifyApexPayload(
+        'avbtool', payload_file, self.payload_key, True)
    self.assertRaises(
        apex_utils.ApexSigningError,
        apex_utils.VerifyApexPayload,
        'avbtool',
        payload_file,
-        os.path.join(self.testdata_dir, 'testkey_with_passwd.key'))
+        os.path.join(self.testdata_dir, 'testkey_with_passwd.key'),
+        no_hashtree=True)