authorNicolas Norvez <norvez@chromium.org>2018-02-07 17:21:43 -0800
committerChromeOS Commit Bot <chromeos-commit-bot@chromium.org>2018-03-03 00:11:00 +0000
commita03dd79eaa0a97b2c761594929f43e8cb56119db (patch)
tree705a83bdb32de28b3554cda29ca285b46e5ba0bc
parenta5d52043f1feb843f29ed6c91498dff09f2ccc48 (diff)
downloadvboot-a03dd79eaa0a97b2c761594929f43e8cb56119db.tar.gz
image_signing: Fix detection of build flavor
The original "ro.product.name" of the Android image is modified by the Chrome OS build process to change it to the CrOS device name instead, which breaks the detection of the build flavor. Instead, we now rely on the "ro.build.flavor" property which is not modified. If the build flavor is either cheets_* or sdk_google_cheets_*, we expect the keys to be the cheets keys. AOSP keys are used for aosp_cheets_* build flavors. BUG=b:72947583 TEST=run against caroline image, scripts detects 'cheets' build flavor TEST=run against novato-arc64 image (SDK), script detects 'cheets' build flavor TEST=run against newbie image (AOSP), script detects 'aosp' build flavor TEST=run against invalid build property 'paosp_cheets_...', script aborts as expected BRANCH=None Change-Id: I662436b256b59238b00c7374120f315b538fcd75 Reviewed-on: https://chromium-review.googlesource.com/911905 Commit-Ready: Nicolas Norvez <norvez@chromium.org> Tested-by: Nicolas Norvez <norvez@chromium.org> Reviewed-by: Victor Hsieh <victorhsieh@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> (cherry picked from commit 7efa7465b17adc361c00e4e7e92f74a256038d52) Reviewed-on: https://chromium-review.googlesource.com/947389 Reviewed-by: Furquan Shaikh <furquan@chromium.org> Commit-Queue: Furquan Shaikh <furquan@chromium.org> Tested-by: Furquan Shaikh <furquan@chromium.org> Trybot-Ready: Furquan Shaikh <furquan@chromium.org>
-rwxr-xr-xscripts/image_signing/sign_android_image.sh55
1 files changed, 36 insertions, 19 deletions
diff --git a/scripts/image_signing/sign_android_image.sh b/scripts/image_signing/sign_android_image.sh
index 3bd61686..a205b5ae 100755
--- a/scripts/image_signing/sign_android_image.sh
+++ b/scripts/image_signing/sign_android_image.sh
@@ -35,18 +35,18 @@ EOF
# select key files.
choose_key() {
local sha1="$1"
- local flavor="$2"
+ local keyset="$2"
- if [[ "${flavor}" != "aosp" && "${flavor}" != "cheets" ]]; then
- error "Unknown Android build flavor '${flavor}'"
+ if [[ "${keyset}" != "aosp" && "${keyset}" != "cheets" ]]; then
+ error "Unknown Android build keyset '${keyset}'"
return 1
fi
# Fingerprints below are generated by:
- # 'cheets' flavor:
+ # 'cheets' keyset:
# $ keytool -file vendor/google/certs/cheetskeys/$NAME.x509.pem -printcert \
# | grep SHA1:
- # 'aosp' flavor:
+ # 'aosp' keyset:
# $ keytool -file build/target/product/security/$NAME.x509.pem -printcert \
# | grep SHA1:
declare -A platform_sha=(
@@ -67,16 +67,16 @@ choose_key() {
)
case "${sha1}" in
- "${platform_sha["${flavor}"]}")
+ "${platform_sha["${keyset}"]}")
echo "platform"
;;
- "${media_sha["${flavor}"]}")
+ "${media_sha["${keyset}"]}")
echo "media"
;;
- "${shared_sha["${flavor}"]}")
+ "${shared_sha["${keyset}"]}")
echo "shared"
;;
- "${release_sha["${flavor}"]}")
+ "${release_sha["${keyset}"]}")
# The release_sha[] fingerprint is from devkey. Translate to releasekey.
echo "releasekey"
;;
@@ -94,14 +94,31 @@ choose_key() {
sign_framework_apks() {
local system_mnt="$1"
local key_dir="$2"
- local product=""
- local build_flavor=""
-
- product=$(grep -a "^ro\.product\.name=" "${system_mnt}/system/build.prop" | \
- cut -d "=" -f2)
- build_flavor=$(echo "${product}" | cut -d "_" -f1)
- info "Found product name '${product}'."
- info "Detected build flavor '${build_flavor}'."
+ local flavor_prop=""
+ local keyset=""
+
+ # Property ro.build.flavor follows those patterns:
+ # - cheets builds:
+ # ro.build.flavor=cheets_${arch}-user(debug)
+ # - SDK builds:
+ # ro.build.flavor=sdk_google_cheets_${arch}-user(debug)
+ # - AOSP builds:
+ # ro.build.flavor=aosp_cheets_${arch}-user(debug)
+ # "cheets" and "SDK" builds both use the same signing keys, cheetskeys. "AOSP"
+ # builds use the public AOSP signing keys.
+ flavor_prop=$(grep -a "^ro\.build\.flavor=" \
+ "${system_mnt}/system/build.prop" | cut -d "=" -f2)
+
+ info "Found build flavor property '${flavor_prop}'."
+ if [[ "${flavor_prop}" == aosp_cheets_* ]]; then
+ keyset="aosp"
+ elif [[ "${flavor_prop}" == cheets_* ||
+ "${flavor_prop}" == sdk_google_cheets_* ]]; then
+ keyset="cheets"
+ else
+ die "Unknown build flavor property '${flavor_prop}'."
+ fi
+ info "Expecting signing keyset '${keyset}'."
info "Start signing framework apks"
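Review bot: The `flavor_prop` assignment in sign_framework_apks keeps every line matching `^ro\.build\.flavor=`, so a build.prop that carries the property more than once yields a multi-line value, and the `aosp_cheets_*` / `cheets_*` / `sdk_google_cheets_*` tests that follow still pass on the first line alone because `*` in `[[ == ]]` also matches newlines. Since this value decides which keyset's fingerprints the APKs are compared against, it is worth failing closed on anything but a single value, e.g. `[[ "${flavor_prop}" != *$'\n'* ]] || die "Multiple ro.build.flavor entries in build.prop."` right after the assignment. `cut -d "=" -f2` also drops anything after a second `=`; that is harmless for the patterns documented in the comment, but `-f2-` would keep the logged value faithful to the file. The body of sign_framework_apks continues outside this hunk.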
@@ -120,9 +137,9 @@ sign_framework_apks() {
sha1=$(unzip -p "${apk}" META-INF/CERT.RSA | \
keytool -printcert | awk '/^\s*SHA1:/ {print $2}')
- if ! keyname=$(choose_key "${sha1}" "${build_flavor}"); then
+ if ! keyname=$(choose_key "${sha1}" "${keyset}"); then
die "Failed to choose signing key for APK '${apk}' (SHA1 '${sha1}') in \
-build flavor '${build_flavor}'."
+build flavor '${flavor_prop}'."
fi
if [[ -z "${keyname}" ]]; then
continue