Merge "Add sign_apex.py that signs a given APEX file."

This commit is contained in:
Tao Bao 2019-05-13 22:47:24 +00:00 committed by Gerrit Code Review
commit bc7e3f98f4
3 changed files with 176 additions and 72 deletions

View File

@ -19,11 +19,14 @@ import os.path
import re
import shlex
import sys
import zipfile
import common
logger = logging.getLogger(__name__)
OPTIONS = common.OPTIONS
class ApexInfoError(Exception):
"""An Exception raised during Apex Information command."""
@ -145,3 +148,72 @@ def ParseApexPayloadInfo(payload_path):
'Failed to find {} prop in {}'.format(key, payload_path))
return payload_info
def SignApex(apex_data, payload_key, container_key, container_pw,
codename_to_api_level_map, signing_args=None):
"""Signs the current APEX with the given payload/container keys.
Args:
apex_data: Raw APEX data.
payload_key: The path to payload signing key (w/ extension).
container_key: The path to container signing key (w/o extension).
container_pw: The matching password of the container_key, or None.
codename_to_api_level_map: A dict that maps from codename to API level.
signing_args: Additional args to be passed to the payload signer.
Returns:
The path to the signed APEX file.
"""
apex_file = common.MakeTempFile(prefix='apex-', suffix='.apex')
with open(apex_file, 'wb') as apex_fp:
apex_fp.write(apex_data)
APEX_PAYLOAD_IMAGE = 'apex_payload.img'
APEX_PUBKEY = 'apex_pubkey'
# 1a. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given
# payload_key.
payload_dir = common.MakeTempDir(prefix='apex-payload-')
with zipfile.ZipFile(apex_file) as apex_fd:
payload_file = apex_fd.extract(APEX_PAYLOAD_IMAGE, payload_dir)
payload_info = ParseApexPayloadInfo(payload_file)
SignApexPayload(
payload_file,
payload_key,
payload_info['apex.key'],
payload_info['Algorithm'],
payload_info['Salt'],
signing_args)
# 1b. Update the embedded payload public key.
payload_public_key = common.ExtractAvbPublicKey(payload_key)
common.ZipDelete(apex_file, APEX_PAYLOAD_IMAGE)
common.ZipDelete(apex_file, APEX_PUBKEY)
apex_zip = zipfile.ZipFile(apex_file, 'a')
common.ZipWrite(apex_zip, payload_file, arcname=APEX_PAYLOAD_IMAGE)
common.ZipWrite(apex_zip, payload_public_key, arcname=APEX_PUBKEY)
common.ZipClose(apex_zip)
# 2. Align the files at page boundary (same as in apexer).
aligned_apex = common.MakeTempFile(prefix='apex-container-', suffix='.apex')
common.RunAndCheckOutput(['zipalign', '-f', '4096', apex_file, aligned_apex])
# 3. Sign the APEX container with container_key.
signed_apex = common.MakeTempFile(prefix='apex-container-', suffix='.apex')
# Specify the 4K alignment when calling SignApk.
extra_signapk_args = OPTIONS.extra_signapk_args[:]
extra_signapk_args.extend(['-a', '4096'])
common.SignFile(
aligned_apex,
signed_apex,
container_key,
container_pw,
codename_to_api_level_map=codename_to_api_level_map,
extra_signapk_args=extra_signapk_args)
return signed_apex

103
tools/releasetools/sign_apex.py Executable file
View File

@ -0,0 +1,103 @@
#!/usr/bin/env python
#
# Copyright (C) 2019 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""
Signs a standalone APEX file.
Usage: sign_apex [flags] input_apex_file output_apex_file
--container_key <key>
Mandatory flag that specifies the container signing key.
--payload_key <key>
Mandatory flag that specifies the payload signing key.
--payload_extra_args <args>
Optional flag that specifies any extra args to be passed to payload signer
(e.g. --payload_extra_args="--signing_helper_with_files /path/to/helper").
"""
import logging
import shutil
import sys
import apex_utils
import common
logger = logging.getLogger(__name__)
def main(argv):
options = {}
def option_handler(o, a):
if o == '--container_key':
# Strip the suffix if any, as common.SignFile expects no suffix.
DEFAULT_CONTAINER_KEY_SUFFIX = '.x509.pem'
if a.endswith(DEFAULT_CONTAINER_KEY_SUFFIX):
a = a[:-len(DEFAULT_CONTAINER_KEY_SUFFIX)]
options['container_key'] = a
elif o == '--payload_key':
options['payload_key'] = a
elif o == '--payload_extra_args':
options['payload_extra_args'] = a
else:
return False
return True
args = common.ParseOptions(
argv, __doc__,
extra_opts='',
extra_long_opts=[
'container_key=',
'payload_extra_args=',
'payload_key=',
],
extra_option_handler=option_handler)
if (len(args) != 2 or 'container_key' not in options or
'payload_key' not in options):
common.Usage(__doc__)
sys.exit(1)
common.InitLogging()
input_zip = args[0]
output_zip = args[1]
with open(input_zip) as input_fp:
apex_data = input_fp.read()
signed_apex = apex_utils.SignApex(
apex_data,
payload_key=options['payload_key'],
container_key=options['container_key'],
container_pw=None,
codename_to_api_level_map=None,
signing_args=options.get('payload_extra_args'))
shutil.copyfile(signed_apex, output_zip)
logger.info("done.")
if __name__ == '__main__':
try:
main(sys.argv[1:])
except common.ExternalError:
logger.exception("\n ERROR:\n")
sys.exit(1)
finally:
common.Cleanup()

View File

@ -403,77 +403,6 @@ def SignApk(data, keyname, pw, platform_api_level, codename_to_api_level_map,
return data
def SignApex(apex_data, payload_key, container_key, container_pw,
codename_to_api_level_map, signing_args=None):
"""Signs the current APEX with the given payload/container keys.
Args:
apex_data: Raw APEX data.
payload_key: The path to payload signing key (w/ extension).
container_key: The path to container signing key (w/o extension).
container_pw: The matching password of the container_key, or None.
codename_to_api_level_map: A dict that maps from codename to API level.
signing_args: Additional args to be passed to the payload signer.
Returns:
The path to the signed APEX file.
"""
apex_file = common.MakeTempFile(prefix='apex-', suffix='.apex')
with open(apex_file, 'wb') as apex_fp:
apex_fp.write(apex_data)
APEX_PAYLOAD_IMAGE = 'apex_payload.img'
APEX_PUBKEY = 'apex_pubkey'
# 1a. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given
# payload_key.
payload_dir = common.MakeTempDir(prefix='apex-payload-')
with zipfile.ZipFile(apex_file) as apex_fd:
payload_file = apex_fd.extract(APEX_PAYLOAD_IMAGE, payload_dir)
payload_info = apex_utils.ParseApexPayloadInfo(payload_file)
apex_utils.SignApexPayload(
payload_file,
payload_key,
payload_info['apex.key'],
payload_info['Algorithm'],
payload_info['Salt'],
signing_args)
# 1b. Update the embedded payload public key.
payload_public_key = common.ExtractAvbPublicKey(payload_key)
common.ZipDelete(apex_file, APEX_PAYLOAD_IMAGE)
common.ZipDelete(apex_file, APEX_PUBKEY)
apex_zip = zipfile.ZipFile(apex_file, 'a')
common.ZipWrite(apex_zip, payload_file, arcname=APEX_PAYLOAD_IMAGE)
common.ZipWrite(apex_zip, payload_public_key, arcname=APEX_PUBKEY)
common.ZipClose(apex_zip)
# 2. Align the files at page boundary (same as in apexer).
aligned_apex = common.MakeTempFile(
prefix='apex-container-', suffix='.apex')
common.RunAndCheckOutput(
['zipalign', '-f', '4096', apex_file, aligned_apex])
# 3. Sign the APEX container with container_key.
signed_apex = common.MakeTempFile(prefix='apex-container-', suffix='.apex')
# Specify the 4K alignment when calling SignApk.
extra_signapk_args = OPTIONS.extra_signapk_args[:]
extra_signapk_args.extend(['-a', '4096'])
common.SignFile(
aligned_apex,
signed_apex,
container_key,
container_pw,
codename_to_api_level_map=codename_to_api_level_map,
extra_signapk_args=extra_signapk_args)
return signed_apex
def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
apk_keys, apex_keys, key_passwords,
platform_api_level, codename_to_api_level_map,
@ -538,7 +467,7 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
print(" : %-*s payload (%s)" % (
maxsize, name, payload_key))
signed_apex = SignApex(
signed_apex = apex_utils.SignApex(
data,
payload_key,
container_key,