Commit Graph

37 Commits

Author SHA1 Message Date
Alex Klyubin f735851fa9 Use Jan 1 2009 as timestamp in OTA update ZIPs.
This is a follow-up to 6c41036bcf where
I forgot to update a section of OTA update ZIP code.

Bug: 26864066
Change-Id: Idbcde71d6377a16807e41c999120eeddd5b4d8a4
2016-02-09 13:09:57 -08:00
Dan Willemsen 0d85dab09a Merge "Use Jan 1 2009 as timestamp in APKs and OTA update ZIPs." 2016-01-30 02:44:27 +00:00
Lee Campbell 3d8bf2994c brillo: Remove dependency on java for Brillo
Brillo does not require Java. Add a JAVA_NOT_REQUIRED
flag to the build system to make the jdk requirment optional

Also don't build signapk for Brillo

BUG: 25281898
Change-Id: I31e68cc7d076bf6c234699c77c0ea1ea428be4f5
2016-01-29 15:38:53 -08:00
Alex Klyubin 6c41036bcf Use Jan 1 2009 as timestamp in APKs and OTA update ZIPs.
Previously, the timestamp was one hour ahead of NotBefore of the
signer's certificate, adjusted for the current timezone. With this
change the MS-DOS timestamp in output APK/ZIP files is
Jan 1 2009 00:00:00.

Bug: 26864066
Change-Id: Id6263c38ac7042489ab695454f8e0fb2d85a3958
2016-01-29 13:10:03 -08:00
Alex Klyubin dd910c5945 Make signapk sign using APK Signature Scheme v2.
APKs are now signed with the usual JAR signature scheme and then
with the APK Signature Scheme v2.

APK Signature Scheme v2 is a whole-file signature scheme which aims
to protect every single bit of the APK as opposed to the JAR signature
scheme which protects only the names and uncompressed contents of ZIP
entries.

The two main goals of APK Signature Scheme v2 are:
1. Detect any unauthorized modifications to the APK. This is achieved
   by making the signature cover every byte of the APK being signed.
2. Enable much faster signature and integrity verification. This is
   achieved by requiring only a minimal amount of APK parsing before
   the signature is verified, thus completely bypassing ZIP entry
   decompression and by making integrity verification parallelizable
   by employing a hash tree.

Bug: 25794543
Change-Id: I275d2a6d0a98504891985309b9dfff2e0e44b878
2016-01-20 13:35:21 -08:00
Alex Klyubin 9b54a565c9 Command-line flag to disable signing with APK Signature Scheme v2.
This change makes signapk not reject the --disable-v2 command-line
flag which may be used by build scripts in some branches. The flag
is currently ignored.

This change is landed separately from the actual support for APK
Signature Scheme v2 because of unbundled branches which use prebuilt
versions of signapk.

Bug: 25794543
Change-Id: I900966244b8b6296b1f443bf98830cc7f7cc81a8
2016-01-20 12:55:16 -08:00
Alex Klyubin c2c49ed0c1 Unconditionally use SHA-256 when minSdkVersion is 18 or higher.
SHA-1 is deprecated, but the replacement SHA-256 is only supported
for JAR/APK and OTA update package signatures on API Level 18 and
newer. This change thus adds a --min-sdk-version command-line
parameter to signapk. When this parameter is set to 18 or higher,
SHA-256 is used instead of SHA-1. When the parameter is not provided,
SHA-1 is used same as before.

This change also removes any other digests from the MANIFEST.MF.
This is to ignore any MANIFEST.MF digests already there in the APK,
such as when re-signing an already signed APK.

Build scripts will be modified to provide the --min-sdk-version
parameter in a follow-up change. This is not done in this change
because of prebuilts which require a prebuilt version of signapk
to support this parameter before the build scripts can be modified.

Bug: 25643280
Change-Id: I6a2782e465600fe2a3ad0c10bd80db2b80a6fb76
2016-01-12 13:31:59 -08:00
Alex Klyubin 8502937cff List SHA-1 digests of APK entries' contents in .SF files.
Due to a bug introduced in 8562fd478d
SHA-1 digests of APK entries' contents were listed under wrong
attribute name. The effect is equivalent to not listing SHA-1
digests.

This change fix the issue by listing SHA-1 digests under the correct
attribute name. However, these digests are not that useful because:
(1) typically the digest of the MANIFEST.MF verifies and thus the
per-entry digests are ignored, and (2) per-entry digests of entries
with names longer than 64 characters are wrong in any case because the
digest generation code does not take into account that such names are
split over multiple lines.

An alternative to this change would be to completely omit outputting
per-entry sections of .SF files, thus saving space and speeding up APK
verification (.SF files would decompress faster).

Bug: 26513901
Change-Id: If95d58e9baa62b1113639fe70724e1e9c9f4e15c
2016-01-12 12:36:46 -08:00
Alex Klyubin fe7c1e59d1 Move signapk sources to src dir.
This also makes source files follow the standard directory structure
based on Java package names.

Bug: 25794543
Change-Id: Ie0b568057f836e56407f76d29eeacd28ab907ba8
2015-12-15 09:08:45 -08:00
Alex Klyubin 9667b18f23 Make signapk use Conscrypt.
This makes the signapk tool use Conscrypt (where possible) instead of
the platform-default JCA providers and the Bouncy Castle JCA provider.
This speeds up (by 10-30%) APK and OTA update signing because
Conscrypt's crypto primitives are backed by BoringSSL.

Previously, the signapk tool consisted only of the signapk.jar.
Because Conscrypt is backed by native code, signapk now consists of
signapk.jar and crypto_openjdk_jni shared library. This requires that
users of the tool be updated to provide a suitable -Djava.library.path
argument to the Java runtime. This change updates all known users of
the tool inside the Android source tree to do so.

Bug: 26097626
Change-Id: I8411b37d7f771ed99269751a3007dff103083552
2015-12-11 08:36:42 -08:00
Alex Klyubin 924a683760 Make signapk align .so entries to 4096 bytes.
This makes signapk align uncompressed .so entries to memory page
boundary (4096 bytes) to enable such libraries to be loaded at runtime
through memory-mapping the APK.

With this change in place, there should no longer be a need to run
zipalign after (or before) signapk.

Bug: 25794543
Change-Id: I74775af15a683791f57fcbd3497a79951b3f63a1
2015-12-02 19:02:01 -08:00
Alex Klyubin c218d3eca3 Clean up compiler warnings in signapk.
Bug: 25794543
Change-Id: Ia7da4fbaed77af4020e5aa0b14fe5e1bd8521edb
2015-11-24 09:27:55 -08:00
adattatr 50c7c5a722 If a console doesn't exist, read password from stdin.
When signapk.jar is invoked by scripts like
sign_target_files_apks.py, there is no console as signapk is
invoked using popen(). To support signing of APKs using
software keys with passwords, we need to read
the password from stdin if there is no console.

Change-Id: Icf69ba1e58bf1f91979eaf1d3b91cb202782e8fd
Signed-off-by: adattatr <anisha.dattatraya.kulkarni@intel.com>
Signed-off-by: Brad Geltz <brad.geltz@intel.com>
2015-09-28 11:44:27 -07:00
Ying Wang fafe5ac819 Merge "Signapk.java: hide the password" 2015-03-11 16:46:00 +00:00
Kenny Root bda807d3a1 Track bouncycastle upgrade to 1.51
The new API in 1.51 will allow null return values.

Change-Id: I583690bf0740b2d0962f02edea3896e18626e548
2014-08-07 12:11:47 -07:00
zhang jun 22717f9f9e Signapk.java: hide the password
Reads the password through console instead of stdin directly and returns it as a string.

Change-Id: I52e525680b93e9729158f4902b22f985245dbf2f
Signed-off-by: zhang jun <jun.zhang@intel.com>
Signed-off-by: Mingwei Shi <mingwei.shi@intel.com>
2014-07-17 18:13:51 +08:00
Doug Zongker 1d67eec191 make SignApk do zip alignment
When signing an APK, make the SignApk tool align the stored entries to
(by default) 4-byte boundaries.  This obviates the need to run the
separate zipalign tool, which currently does this job.

The alignment byte count can be specified with the -a option.  OTA
package signing (with -w) never does alignment.

The order of files in the output APK is changed so that all stored
files come first in the output, followed by all non-stored files.
This is not expected to have any impact in practice.

Change-Id: Iaeef89b2a7283e25fadb99c0a0f0641f682d76b8
2014-05-15 09:54:26 -07:00
Kenny Root 01ed66d2ba Allow ECDSA signing OTA files
ECDSA works in the recovery verifier, so we can allow OTA updates to be
signed with EC keys.

Change-Id: If8f2be028843fbfd6c8c9c41b492605d9b5cbeb0
2013-10-09 15:00:24 -07:00
Kenny Root 89c961aa11 SignApk: add argument for loading a Provider
For supporting loading a custom key type provider, add a -providerClass
argument that loads the selected JCE at the front of the provider list.

Change-Id: I3df16f7c570d36e08806b614d6f30c41cb117565
2013-09-25 11:37:52 -07:00
Kenny Root 62ea4a5c3c Read algorithm OID directly from PKCS#8 container
The PKCS#8 PrivateKeyInfo structure has the algorithm OID encoded right
before the actual key octet stream is encoded. Use Bouncycastle to read
the OID for creation with the key factory.

This aids in the creation of custom key types that are backed by
hardware devices (e.g., HSMs) and have their own assigned OIDs.

Change-Id: If5d8fe07bc157e9bb5a3fb5f99091e924143105f
2013-09-25 09:59:10 -07:00
Kenny Root 3d2365c068 SignApk: add support for EC keys
Change-Id: I09bc0e52fc84ec321b997016a8f97de1bfd2770d
2013-09-20 15:00:49 -07:00
Doug Zongker 8562fd478d SignApk: update SignApk to support SHA256withRSA signing
(cherry picked from commit c0581a02ed)

Change-Id: I6212e0f3a6aa3265b111f0f7348b667af4a668b0
2013-09-20 13:14:32 -07:00
Koushik Dutta 29706d155a SignApk: perform the whole file signature in a single streaming pass.
Author: Koushik Dutta <koushd@gmail.com>

Change-Id: I58a68fa4bd4c0c3bb0e025d4311186195fb90e5a
2013-01-03 14:00:40 -08:00
Doug Zongker b14c97621b add multiple key support to signapk
Support signing .apks (but not OTA packages) with multiple keys.

Bug: 7350459
Change-Id: I794e1da0555e2bb9247a59c756656d4ca7ee04cf
2013-01-02 13:31:00 -08:00
Doug Zongker 147626e624 change SignApk.java to use bouncy castle for signing
Remove use of the private sun.security.* classes for generating pkcs7
signatures and use bouncy castle instead.

Change-Id: Ie8213575461975085d119e000e764d2a28c26715
2012-09-18 23:29:10 -07:00
Doug Zongker e691373514 make SignApk faster for OTA packages
Change to the default compression level instead of the max compression
level for OTA packages (-w): it's much faster and the difference in
output size is usually negligible.

Bug: 6778962
Change-Id: I82a6acc19be8b3289fd84c8c15f03ebeb7a1ce63
2012-07-03 15:03:04 -07:00
Doug Zongker 7bb042317a add copy of public cert used for signing to OTA packages
When signing a file with -w (ie, an OTA package), add the file
META-INF/com/android/otacert, which is a copy of the public key
certificate.  While this can be extracted from the CERT.RSA file,
having a copy of it more easily accessible makes it easier to write
tools.

Bug: 6477365
Change-Id: I8cdb19536eca9a223c2b954e3f8ea0d9f3f86f02
2012-05-11 09:22:29 -07:00
Ficus Kirkpatrick 7978d50edb Add a workaround for a platform JAR parsing bug.
The java.util.jar implementation through Android 1.6 has a
bug where if the signature file in META-INF is a multiple
of 1024 bytes, it will throw an IOException attempting to
read it.

If signapk would produce a CERT.SF in a multiple of 1024
bytes, add an extra CRLF to the end of the file.

Bug: 3019677
Change-Id: I23d4a36e12e224be600d3ac39379b5b5a022a628
2010-09-24 10:24:53 -07:00
Joe Onorato da12daf15f Add a tapas command.
(Actually there was a tapas command that just called choosecombo).

The new better tapas command is for building unbundled apps.  Run
it with one or more modules to build and optionally a build variant.

tapas [variant] App1 App2 ...

If you don't supply a build variant, it defaults to eng.

Change-Id: I02214abd0b5ad02e364fcb024e10cf6ad17a9e68
2010-06-10 18:38:37 -07:00
Doug Zongker badd2ca451 fix endianness problem with the tail of the signature comment
The two 0xff bytes were intended to easily distinguish files with
whole file signatures from those without, but I got the endianness
backwards.  Go ahead and fix that, as long as I'm making changes to
the verifier anyway.

Check for a signature that includes the sequence 0x50 0x4b 0x05 0x06,
which looks to minzip like the start of the EOCD block.
2009-08-14 17:15:46 -07:00
Doug Zongker c6cf01a117 add whole-file signature mode to SignApk
Make SignApk generate a signature for (nearly) the entire zip file
when run with the -w option.  The signature covers all of the zip file
except for the archive comment (conveniently the last thing in a zip
file); the archive comment field is used to contain the signature
itself.
2009-08-14 12:25:05 -07:00
Doug Zongker a237874ccf fix the modtime of files in the apk when signing
SignApk fixes the timestamp of the signature files it adds.  Use that
same timestamp for all the files, so that the modtime doesn't vary
from build to build.  (Incremental OTAs currently spend significant
time rewriting every .apk to do nothing but patch in timestamp
changes.)
2009-07-15 15:43:39 -07:00
Doug Zongker af482b62e5 make signapk strip other signatures
Change signapk to not propagate other signatures to the output
archive.  Multiple signatures seem to confuse the package manager, as
we saw with Maps, and other partners are checking in prebuilt APKs for
google experience devices signed with random other things.
2009-06-11 19:24:50 -07:00
The Android Open Source Project 88b607994a auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
The Android Open Source Project 05806d7af6 auto import from //depot/cupcake/@135843 2009-03-03 18:28:14 -08:00
The Android Open Source Project dcc08f073b Code drop from //branches/cupcake/...@124589 2008-12-17 18:03:49 -08:00
The Android Open Source Project b6c1cf6de7 Initial Contribution 2008-10-21 07:00:00 -07:00