From f718f902120b4d1d3019dd51e42d2f55e863377a Mon Sep 17 00:00:00 2001 From: Tao Bao Date: Thu, 9 Nov 2017 10:10:10 -0800 Subject: [PATCH] releasetools: Write back default_system_dev_certificate. When signing a target_files.zip, the OTA certificate specified by default_system_dev_certificate could be replaced with a mapped key. When that happens, we must explicitly specify --package_key when generating OTA packages with ota_from_target_files.py. Otherwise the OTA package will be signed with the wrong key, which leads to verification failures. This CL updates the default_system_dev_certificate value in misc_info.txt accordingly. Test: Sign a target_files.zip and replace the OTA key. Check META/misc_info.txt in the generated target_files.zip. $ ./build/make/tools/releasetools/sign_target_files_apks.py -v \ --replace_ota_keys \ -k build/target/product/security/testkey=build/target/product/security/platform \ out/dist/aosp_marlin-target_files-eng.tbao.zip \ signed-marlin-target_files-test.zip Change-Id: I093234b5add3e27c5b3887cefeffd74e6f0a3e98 --- tools/releasetools/sign_target_files_apks.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py index 58bf4896a..e4ef2c113 100755 --- a/tools/releasetools/sign_target_files_apks.py +++ b/tools/releasetools/sign_target_files_apks.py @@ -402,7 +402,7 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info): except KeyError: raise common.ExternalError("can't read META/otakeys.txt from input") - extra_recovery_keys = misc_info.get("extra_recovery_keys", None) + extra_recovery_keys = misc_info.get("extra_recovery_keys") if extra_recovery_keys: extra_recovery_keys = [OPTIONS.key_map.get(k, k) + ".x509.pem" for k in extra_recovery_keys.split()] @@ -426,8 +426,10 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info): else: devkey = misc_info.get("default_system_dev_certificate", "build/target/product/security/testkey") - mapped_keys.append( - OPTIONS.key_map.get(devkey, devkey) + ".x509.pem") + mapped_devkey = OPTIONS.key_map.get(devkey, devkey) + if mapped_devkey != devkey: + misc_info["default_system_dev_certificate"] = mapped_devkey + mapped_keys.append(mapped_devkey + ".x509.pem") print("META/otakeys.txt has no keys; using %s for OTA package" " verification." % (mapped_keys[0],))