diff --git a/tools/releasetools/apex_utils.py b/tools/releasetools/apex_utils.py index 18ad8cec0..ee3c46365 100644 --- a/tools/releasetools/apex_utils.py +++ b/tools/releasetools/apex_utils.py @@ -42,7 +42,7 @@ class ApexSigningError(Exception): def SignApexPayload(avbtool, payload_file, payload_key_path, payload_key_name, - algorithm, salt, signing_args=None): + algorithm, salt, no_hashtree, signing_args=None): """Signs a given payload_file with the payload key.""" # Add the new footer. Old footer, if any, will be replaced by avbtool. cmd = [avbtool, 'add_hashtree_footer', @@ -52,6 +52,8 @@ def SignApexPayload(avbtool, payload_file, payload_key_path, payload_key_name, '--prop', 'apex.key:{}'.format(payload_key_name), '--image', payload_file, '--salt', salt] + if no_hashtree: + cmd.append('--no_hashtree') if signing_args: cmd.extend(shlex.split(signing_args)) @@ -64,13 +66,15 @@ def SignApexPayload(avbtool, payload_file, payload_key_path, payload_key_name, # Verify the signed payload image with specified public key. logger.info('Verifying %s', payload_file) - VerifyApexPayload(avbtool, payload_file, payload_key_path) + VerifyApexPayload(avbtool, payload_file, payload_key_path, no_hashtree) -def VerifyApexPayload(avbtool, payload_file, payload_key): +def VerifyApexPayload(avbtool, payload_file, payload_key, no_hashtree=False): """Verifies the APEX payload signature with the given key.""" cmd = [avbtool, 'verify_image', '--image', payload_file, '--key', payload_key] + if no_hashtree: + cmd.append('--accept_zeroed_hashtree') try: common.RunAndCheckOutput(cmd) except common.ExternalError as e: @@ -91,7 +95,7 @@ def ParseApexPayloadInfo(avbtool, payload_path): Returns: A dict that contains payload property-value pairs. The dict should at least - contain Algorithm, Salt and apex.key. + contain Algorithm, Salt, Tree Size and apex.key. """ if not os.path.exists(payload_path): raise ApexInfoError('Failed to find image: {}'.format(payload_path)) @@ -104,11 +108,11 @@ def ParseApexPayloadInfo(avbtool, payload_path): 'Failed to get APEX payload info for {}:\n{}'.format( payload_path, e)) - # Extract the Algorithm / Salt / Prop info from payload (i.e. an image signed - # with avbtool). For example, + # Extract the Algorithm / Salt / Prop info / Tree size from payload (i.e. an + # image signed with avbtool). For example, # Algorithm: SHA256_RSA4096 PAYLOAD_INFO_PATTERN = ( - r'^\s*(?PAlgorithm|Salt|Prop)\:\s*(?P.*?)$') + r'^\s*(?PAlgorithm|Salt|Prop|Tree Size)\:\s*(?P.*?)$') payload_info_matcher = re.compile(PAYLOAD_INFO_PATTERN) payload_info = {} @@ -151,7 +155,7 @@ def ParseApexPayloadInfo(avbtool, payload_path): def SignApex(avbtool, apex_data, payload_key, container_key, container_pw, - codename_to_api_level_map, signing_args=None): + codename_to_api_level_map, no_hashtree, signing_args=None): """Signs the current APEX with the given payload/container keys. Args: @@ -160,6 +164,7 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw, container_key: The path to container signing key (w/o extension). container_pw: The matching password of the container_key, or None. codename_to_api_level_map: A dict that maps from codename to API level. + no_hashtree: Don't include hashtree in the signed APEX. signing_args: Additional args to be passed to the payload signer. Returns: @@ -187,6 +192,7 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw, payload_info['apex.key'], payload_info['Algorithm'], payload_info['Salt'], + no_hashtree, signing_args) # 1b. Update the embedded payload public key. diff --git a/tools/releasetools/sign_apex.py b/tools/releasetools/sign_apex.py index 2516e15ca..f2daa46e9 100755 --- a/tools/releasetools/sign_apex.py +++ b/tools/releasetools/sign_apex.py @@ -56,6 +56,7 @@ def SignApexFile(avbtool, apex_file, payload_key, container_key, container_key=container_key, container_pw=None, codename_to_api_level_map=None, + no_hashtree=False, signing_args=signing_args) @@ -103,7 +104,8 @@ def main(argv): args[0], options['payload_key'], options['container_key'], - options.get('payload_extra_args')) + no_hashtree=False, + signing_args=options.get('payload_extra_args')) shutil.copyfile(signed_apex, args[1]) logger.info("done.") diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py index 1f41431b7..710147bb2 100755 --- a/tools/releasetools/sign_target_files_apks.py +++ b/tools/releasetools/sign_target_files_apks.py @@ -479,7 +479,8 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, container_key, key_passwords[container_key], codename_to_api_level_map, - OPTIONS.avb_extra_args.get('apex')) + no_hashtree=True, + signing_args=OPTIONS.avb_extra_args.get('apex')) common.ZipWrite(output_tf_zip, signed_apex, filename) else: diff --git a/tools/releasetools/test_apex_utils.py b/tools/releasetools/test_apex_utils.py index e9c26f0d9..5d4cc7749 100644 --- a/tools/releasetools/test_apex_utils.py +++ b/tools/releasetools/test_apex_utils.py @@ -44,19 +44,42 @@ class ApexUtilsTest(test_utils.ReleaseToolsTestCase): payload_file = self._GetTestPayload() apex_utils.SignApexPayload( 'avbtool', payload_file, self.payload_key, 'testkey', 'SHA256_RSA2048', - self.SALT) + self.SALT, no_hashtree=True) payload_info = apex_utils.ParseApexPayloadInfo('avbtool', payload_file) self.assertEqual('SHA256_RSA2048', payload_info['Algorithm']) self.assertEqual(self.SALT, payload_info['Salt']) self.assertEqual('testkey', payload_info['apex.key']) + self.assertEqual('0 bytes', payload_info['Tree Size']) @test_utils.SkipIfExternalToolsUnavailable() def test_SignApexPayload(self): payload_file = self._GetTestPayload() apex_utils.SignApexPayload( 'avbtool', payload_file, self.payload_key, 'testkey', 'SHA256_RSA2048', - self.SALT) + self.SALT, no_hashtree=True) + apex_utils.VerifyApexPayload( + 'avbtool', payload_file, self.payload_key, True) + + @test_utils.SkipIfExternalToolsUnavailable() + def test_SignApexPayload_withHashtree(self): + payload_file = self._GetTestPayload() + apex_utils.SignApexPayload( + 'avbtool', payload_file, self.payload_key, 'testkey', 'SHA256_RSA2048', + self.SALT, no_hashtree=False) apex_utils.VerifyApexPayload('avbtool', payload_file, self.payload_key) + payload_info = apex_utils.ParseApexPayloadInfo('avbtool', payload_file) + self.assertEqual('4096 bytes', payload_info['Tree Size']) + + @test_utils.SkipIfExternalToolsUnavailable() + def test_SignApexPayload_noHashtree(self): + payload_file = self._GetTestPayload() + apex_utils.SignApexPayload( + 'avbtool', payload_file, self.payload_key, 'testkey', 'SHA256_RSA2048', + self.SALT, no_hashtree=True) + apex_utils.VerifyApexPayload('avbtool', payload_file, self.payload_key, + no_hashtree=True) + payload_info = apex_utils.ParseApexPayloadInfo('avbtool', payload_file) + self.assertEqual('0 bytes', payload_info['Tree Size']) @test_utils.SkipIfExternalToolsUnavailable() def test_SignApexPayload_withSignerHelper(self): @@ -70,8 +93,10 @@ class ApexUtilsTest(test_utils.ReleaseToolsTestCase): payload_file, self.payload_key, 'testkey', 'SHA256_RSA2048', self.SALT, + True, payload_signer_args) - apex_utils.VerifyApexPayload('avbtool', payload_file, self.payload_key) + apex_utils.VerifyApexPayload( + 'avbtool', payload_file, self.payload_key, True) @test_utils.SkipIfExternalToolsUnavailable() def test_SignApexPayload_invalidKey(self): @@ -83,18 +108,21 @@ class ApexUtilsTest(test_utils.ReleaseToolsTestCase): os.path.join(self.testdata_dir, 'testkey.x509.pem'), 'testkey', 'SHA256_RSA2048', - self.SALT) + self.SALT, + no_hashtree=True) @test_utils.SkipIfExternalToolsUnavailable() def test_VerifyApexPayload_wrongKey(self): payload_file = self._GetTestPayload() apex_utils.SignApexPayload( 'avbtool', payload_file, self.payload_key, 'testkey', 'SHA256_RSA2048', - self.SALT) - apex_utils.VerifyApexPayload('avbtool', payload_file, self.payload_key) + self.SALT, True) + apex_utils.VerifyApexPayload( + 'avbtool', payload_file, self.payload_key, True) self.assertRaises( apex_utils.ApexSigningError, apex_utils.VerifyApexPayload, 'avbtool', payload_file, - os.path.join(self.testdata_dir, 'testkey_with_passwd.key')) + os.path.join(self.testdata_dir, 'testkey_with_passwd.key'), + no_hashtree=True)