Makefile: Add the payload public key into system image.

For non-Brillo devices using AB update, add the payload signing public
key to the system image
(system/etc/update_engine/update-payload-key.pub.pem).

We first need to sign the payload with some private key, and pack it
into an Android OTA package. Then the whole zip package will be signed
again with the device key. This is to comply with the two existing OTA
flows (Android and CrOS).

We use the same device key for both signings, but update_engine
expects the key in RSA public key format. This CL extracts the public
key from the x509 certificate and adds it to the system image.

Bug: 25715402
Change-Id: I6f6c1148534250ddb6d9e554175c7a35bceda99e
Tao Bao 2016-01-20 20:58:20 -08:00
parent 3cc3605010
commit 38812d684b
1 changed files with 13 additions and 0 deletions


@ -695,6 +695,19 @@ $(TARGET_OUT_ETC)/security/otacerts.zip: $(addsuffix .x509.pem,$(DEFAULT_KEY_CER
$(hide) zip -qjX $@ $<
$(remove-timestamps-from-package)
# Carry the public key for update_engine if it's a non-Brillo target that
# uses the AB updater. We use the same key as otacerts but in RSA public key
# format.
ifeq ($(AB_OTA_UPDATER),true)
ifeq ($(BRILLO),)
ALL_DEFAULT_INSTALLED_MODULES += $(TARGET_OUT_ETC)/security/update_engine/update-payload-key.pub.pem
$(TARGET_OUT_ETC)/security/update_engine/update-payload-key.pub.pem: $(addsuffix .x509.pem,$(DEFAULT_KEY_CERT_PAIR))
$(hide) rm -f $@
$(hide) mkdir -p $(dir $@)
$(hide) openssl x509 -pubkey -noout -in $< > $@
endif
endif
.PHONY: otacerts
otacerts: $(TARGET_OUT_ETC)/security/otacerts.zip
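Review bot: If `openssl x509` fails in the last recipe line of the new rule, the shell redirect has already created `$@`, so an empty or truncated update-payload-key.pub.pem can be left behind and treated as up to date on the next build (unless the build sets `.DELETE_ON_ERROR` somewhere not visible here). Writing to a temporary name and renaming keeps a bad verification key out of the system image: `$(hide) openssl x509 -pubkey -noout -in $< > $@.tmp && mv -f $@.tmp $@`. The commit message gives the install path as system/etc/update_engine/, while the rule installs under `$(TARGET_OUT_ETC)/security/update_engine/`; it is worth confirming which path update_engine actually reads. The comment could also state that the output is a PEM SubjectPublicKeyInfo block (`-----BEGIN PUBLIC KEY-----`), which is what `openssl x509 -pubkey` emits, rather than only "RSA public key format".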