image_signing: Support AOSP dev signing keys

Following ag/3536780, aosp_cheets targets have their APKs signed with keys https://android.googlesource.com/platform/build/+/master/target/product/security/ The image signing script now: - detects if it's an aosp_cheets or cheets build - checks the correct signing keys have been used in either case - logs more information about the Android image BUG=b:72947583 TEST=manually test sign_framework_apks against AOSP and cheets builds TEST=aosp_cheets builds prior to ag/3536780 are now failing (expected) TEST=aosp_cheets builds posterior to ag/3536780 are passing TEST=cheets builds (before and after) are passing TEST=check that commenting out ro.product.name in build.prop triggers an error TEST=check that an invalid value in ro.product.name triggers an error BRANCH=None Change-Id: I72abea5182fbfe76820e3f48831be04f39cb334e Reviewed-on: https://chromium-review.googlesource.com/904726 Commit-Ready: Nicolas Norvez <norvez@chromium.org> Tested-by: Nicolas Norvez <norvez@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org>
2025-12-31 11:01:19 +00:00 · 2018-02-05 11:50:52 -08:00
parent a4a8c02ad5
commit 2fbb522949
1 changed files with 57 additions and 10 deletions
--- a/scripts/image_signing/sign_android_image.sh
+++ b/scripts/image_signing/sign_android_image.sh
@@ -31,29 +31,53 @@ EOF
  exit 0
 }

-# Return name according to the current signing debug key.  The name is used to
+# Return name according to the current signing debug key. The name is used to
 # select key files.
 choose_key() {
-  local apk="$1"
+  local sha1="$1"
+  local flavor="$2"

-  local sha1=$(unzip -p "${apk}" META-INF/CERT.RSA | \
-      keytool -printcert | awk '/^\s*SHA1:/ {print $2}')
+  if [[ "${flavor}" != "aosp" && "${flavor}" != "cheets" ]]; then
+    error "Unknown Android build flavor '${flavor}'"
+    return 1
+  fi

  # Fingerprints below are generated by:
+  # 'cheets' flavor:
  # $ keytool -file vendor/google/certs/cheetskeys/$NAME.x509.pem -printcert \
  #     | grep SHA1:
+  # 'aosp' flavor:
+  # $ keytool -file build/target/product/security/$NAME.x509.pem -printcert \
+  #     | grep SHA1:
+  declare -A platform_sha=(
+    ['cheets']='AA:04:E0:5F:82:9C:7E:D1:B9:F8:FC:99:6C:5A:54:43:83:D9:F5:BC'
+    ['aosp']='27:19:6E:38:6B:87:5E:76:AD:F7:00:E7:EA:84:E4:C6:EE:E3:3D:FA'
+  )
+  declare -A media_sha=(
+    ['cheets']='D4:C4:2D:E0:B9:1B:15:72:FA:7D:A7:21:E0:A6:09:94:B4:4C:B5:AE'
+    ['aosp']='B7:9D:F4:A8:2E:90:B5:7E:A7:65:25:AB:70:37:AB:23:8A:42:F5:D3'
+  )
+  declare -A shared_sha=(
+    ['cheets']='38:B6:2C:E1:75:98:E3:E1:1C:CC:F6:6B:83:BB:97:0E:2D:40:6C:AE'
+    ['aosp']='5B:36:8C:FF:2D:A2:68:69:96:BC:95:EA:C1:90:EA:A4:F5:63:0F:E5'
+  )
+  declare -A release_sha=(
+    ['cheets']='EC:63:36:20:23:B7:CB:66:18:70:D3:39:3C:A9:AE:7E:EF:A9:32:42'
+    ['aosp']='61:ED:37:7E:85:D3:86:A8:DF:EE:6B:86:4B:D8:5B:0B:FA:A5:AF:81'
+  )
+
  case "${sha1}" in
-    "AA:04:E0:5F:82:9C:7E:D1:B9:F8:FC:99:6C:5A:54:43:83:D9:F5:BC")
+    "${platform_sha["${flavor}"]}")
      echo "platform"
      ;;
-    "D4:C4:2D:E0:B9:1B:15:72:FA:7D:A7:21:E0:A6:09:94:B4:4C:B5:AE")
+    "${media_sha["${flavor}"]}")
      echo "media"
      ;;
-    "38:B6:2C:E1:75:98:E3:E1:1C:CC:F6:6B:83:BB:97:0E:2D:40:6C:AE")
+    "${shared_sha["${flavor}"]}")
      echo "shared"
      ;;
-    "EC:63:36:20:23:B7:CB:66:18:70:D3:39:3C:A9:AE:7E:EF:A9:32:42")
-      # The above fingerprint is from devkey.  Translate to releasekey.
+    "${release_sha["${flavor}"]}")
+      # The release_sha[] fingerprint is from devkey. Translate to releasekey.
      echo "releasekey"
      ;;
    *)
@@ -61,6 +85,7 @@ choose_key() {
      echo ""
      ;;
  esac
+  return 0
 }

 # Re-sign framework apks with the corresponding release keys.  Only apk with
@@ -69,6 +94,14 @@ choose_key() {
 sign_framework_apks() {
  local system_mnt="$1"
  local key_dir="$2"
+  local product=""
+  local build_flavor=""
+
+  product=$(grep -a "^ro\.product\.name=" "${system_mnt}/system/build.prop" | \
+    cut -d "=" -f2)
+  build_flavor=$(echo "${product}" | cut -d "_" -f1)
+  info "Found product name '${product}'."
+  info "Detected build flavor '${build_flavor}'."

  info "Start signing framework apks"

@@ -81,7 +114,16 @@ sign_framework_apks() {

  local apk
  while read -d $'\0' -r apk; do
-    local keyname=$(choose_key "${apk}")
+    local sha1=""
+    local keyname=""
+
+    sha1=$(unzip -p "${apk}" META-INF/CERT.RSA | \
+      keytool -printcert | awk '/^\s*SHA1:/ {print $2}')
+
+    if  ! keyname=$(choose_key "${sha1}" "${build_flavor}"); then
+      die "Failed to choose signing key for APK '${apk}' (SHA1 '${sha1}') in \
+build flavor '${build_flavor}'."
+    fi
    if [[ -z "${keyname}" ]]; then
      continue
    fi
@@ -109,6 +151,11 @@ sign_framework_apks() {
    : $(( counter_total += 1 ))
  done < <(find "${system_mnt}/system" -type f -name '*.apk' -print0)

+  info "Found ${counter_platform} platform APKs."
+  info "Found ${counter_media} media APKs."
+  info "Found ${counter_shared} shared APKs."
+  info "Found ${counter_releasekey} release APKs."
+  info "Found ${counter_total} total APKs."
  # Sanity check.
  if [[ ${counter_platform} -lt 2 || ${counter_media} -lt 2 ||
        ${counter_shared} -lt 2 || ${counter_releasekey} -lt 2 ||