authorVictor Hsieh <victorhsieh@chromium.org>2019-06-04 09:18:41 -0700
committerCommit Bot <commit-bot@chromium.org>2019-06-05 20:00:19 +0000
commit79ecc414b64e1d2b0ebc1be255f497ed1886a0ef (patch)
treefd4ca85184b9e889d79f495bc7440eb700619a1c
parentb00d3fd7adab63fb6372fb4c9e363615eda994d1 (diff)
downloadvboot-79ecc414b64e1d2b0ebc1be255f497ed1886a0ef.tar.gz
Support signing Android APKs with apksigner
* To enable, use --use_apksigner. * Drop signature schemes that we don't really need. * Supports key rotation. In this case, the signing lineage will be honored if the file exists next to the keys. * Update key generation script to auto generate the signing lineage. TEST=the script runs successfully with and without the flag TEST=`apksigner lineage --print-certs -v -in foo.apk` shows correct rotation info TEST=keygeneration/create_new_android_keys.sh --rotate-from old new BUG=None BRANCH=None Change-Id: Ic7b7b0ed4ea707a748dc42a1f39d6eb79d53cf1b Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1643411 Tested-by: Victor Hsieh <victorhsieh@chromium.org> Reviewed-by: LaMont Jones <lamontjones@chromium.org> Commit-Queue: Victor Hsieh <victorhsieh@chromium.org>
-rwxr-xr-xscripts/image_signing/sign_android_image.sh61
-rwxr-xr-xscripts/keygeneration/create_new_android_keys.sh23
2 files changed, 60 insertions, 24 deletions
diff --git a/scripts/image_signing/sign_android_image.sh b/scripts/image_signing/sign_android_image.sh
index 4bd31056..22347317 100755
--- a/scripts/image_signing/sign_android_image.sh
+++ b/scripts/image_signing/sign_android_image.sh
@@ -6,31 +6,30 @@
. "$(dirname "$0")/common.sh"
. "$(dirname "$0")/lib/sign_android_lib.sh"
+load_shflags || exit 1
-set -e
+DEFINE_boolean use_apksigner "${FLAGS_FALSE}" \
+ "Use apksigner instead of signapk for APK signing"
-# Print usage string
-usage() {
- cat <<EOF
+FLAGS_HELP="
Usage: $PROG /path/to/cros_root_fs/dir /path/to/keys/dir
Re-sign framework apks in an Android system image. The image itself does not
need to be signed since it is shipped with Chrome OS image, which is already
signed.
-Android has many "framework apks" that are signed with 4 different framework
+Android has many ``framework apks'' that are signed with 4 different framework
keys, depends on the purpose of the apk. During development, apks are signed
with the debug one. This script is to re-sign those apks with corresponding
release key. It also handles some of the consequences of the key changes, such
as sepolicy update.
+"
-EOF
- if [[ $# -gt 0 ]]; then
- error "$*"
- exit 1
- fi
- exit 0
-}
+# Parse command line.
+FLAGS "$@" || exit 1
+eval set -- "${FLAGS_ARGV}"
+
+set -e
# Re-sign framework apks with the corresponding release keys. Only apk with
# known key fingerprint are re-signed. We should not re-sign non-framework
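Review bot: The new `FLAGS_HELP` string is double-quoted, so the two backticks in ``` ``framework apks'' ``` are parsed as an empty command substitution rather than printed. The help text will therefore read `framework apks''` with the opening quotes missing. Escaping the original quotes keeps the text intact: `Android has many \"framework apks\" that are signed with 4 different framework`.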
@@ -89,11 +88,33 @@ build flavor '${flavor_prop}'."
# Explicitly remove existing signature.
zip -q "${temp_apk}" -d "META-INF/*"
- # Signapk now creates signature of APK Signature Scheme v2. No further APK
- # changes should happen afterward. Also note that signapk now takes care of
- # zipalign.
- signapk "${key_dir}/$keyname.x509.pem" "${key_dir}/$keyname.pk8" \
- "${temp_apk}" "${signed_apk}" > /dev/null
+ if [ "${FLAGS_use_apksigner}" = "$FLAGS_FALSE" ]; then
+ # Signapk now creates signature of APK Signature Scheme v2. No further APK
+ # changes should happen afterward. Also note that signapk now takes care
+ # of zipalign.
+ signapk "${key_dir}/$keyname.x509.pem" "${key_dir}/$keyname.pk8" \
+ "${temp_apk}" "${signed_apk}" > /dev/null
+ else
+ # Key rotation: old key can sign a new key and generate a lineage file.
+ # Provided the lineage file, Android P can honor the new key. Lineage file
+ # can be generated similar to the following command:
+ #
+ # apksigner rotate --out media.lineage --old-signer --key old-media.pk8
+ # --cert old-media.x509.pem --new-signer --key new-media.pk8 --cert
+ # new-media.x509.pem
+ #
+ # TODO(b/132818552): disable v1 signing once a check is removed.
+
+ local extra_flags
+ local lineage_file="${key_dir}/$keyname.lineage}"
+ if [ -f ${lineage_file} ]; then
+ extra_flags="--lineage ${lineage_file}"
+ fi
+ apksigner sign --v1-signing-enabled true --v2-signing-enabled false \
+ --key "${key_dir}/$keyname.pk8" --cert "${key_dir}/$keyname.x509.pem" \
+ --in "${temp_apk}" --out "${signed_apk}" \
+ ${extra_flags}
+ fi
# Copy the content instead of mv to avoid owner/mode changes.
sudo cp "${signed_apk}" "${apk}" && rm -f "${signed_apk}"
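Review bot: The `lineage_file` assignment ends in a stray `}` (`"${key_dir}/$keyname.lineage}"`), so the `-f` test looks for a file literally named `<key>.lineage}` and `--lineage` is never passed. The APK is then signed with the new key without any rotation proof, and nothing reports that the lineage was skipped. `${lineage_file}` and `${extra_flags}` are also expanded unquoted, so a key directory containing whitespace would split into several arguments; an array avoids that. Separately, the rotation lineage is, as far as I know, carried in the v3 signature block, so it is worth confirming that v3 signing is actually produced with `--v2-signing-enabled false`. The enclosing function starts and ends outside this hunk.

```shell
    local extra_flags=()
    local lineage_file="${key_dir}/${keyname}.lineage"
    if [[ -f "${lineage_file}" ]]; then
      extra_flags=(--lineage "${lineage_file}")
    fi
    # … unchanged: apksigner sign with --v1/--v2 switches and --key/--cert …
      --in "${temp_apk}" --out "${signed_apk}" \
      "${extra_flags[@]}"
```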
@@ -206,14 +227,16 @@ main() {
local mksquashfs=$(which mksquashfs)
if [[ $# -ne 2 ]]; then
- usage "command takes exactly 2 args"
+ flags_help
+ die "command takes exactly 2 args"
fi
if [[ ! -f "${system_img}" ]]; then
die "System image does not exist: ${system_img}"
fi
- if ! type -P zipalign &>/dev/null || ! type -P signapk &>/dev/null; then
+ if ! type -P zipalign &>/dev/null || ! type -P signapk &>/dev/null \
+ || ! type -P apksigner &>/dev/null; then
# TODO(victorhsieh): Make this an error. This is not treating as error
# just to make an unrelated test pass by skipping this signing.
warn "Skip signing Android apks (some of executables are not found)."
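Review bot: The tool check now requires `zipalign`, `signapk` and `apksigner` all at once, regardless of `--use_apksigner`. A host that lacks `apksigner` will therefore skip signing on the default signapk path, and because this branch only warns, the image keeps its development-key APKs with no failure. Checking only the signer that was selected avoids that: `local signer=signapk`, `[ "${FLAGS_use_apksigner}" = "${FLAGS_TRUE}" ] && signer=apksigner`, then `if ! type -P zipalign &>/dev/null || ! type -P "${signer}" &>/dev/null; then`. The body of this `if` continues outside the hunk.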
diff --git a/scripts/keygeneration/create_new_android_keys.sh b/scripts/keygeneration/create_new_android_keys.sh
index 32fa3c77..5e865c8a 100755
--- a/scripts/keygeneration/create_new_android_keys.sh
+++ b/scripts/keygeneration/create_new_android_keys.sh
@@ -9,12 +9,14 @@
usage() {
cat <<EOF
-Usage: ${PROG} DIR
+Usage: ${PROG} [FLAGS] DIR
Generate Android's 4 framework key pairs at DIR. For detail, please refer to
"Certificates and private keys" and "Manually generating keys" in
https://source.android.com/devices/tech/ota/sign_builds.html.
+FLAGS:
+ --rotate-from Directory containing a set of old key pairs to rotate from
EOF
if [[ $# -ne 0 ]]; then
@@ -51,12 +53,17 @@ main() {
set -e
local dir
+ local old_dir
while [[ $# -gt 0 ]]; do
case $1 in
-h|--help)
usage
;;
+ --rotate-from)
+ old_dir="$2"
+ shift
+ ;;
-*)
usage "Unknown option: $1"
;;
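Review bot: The `--rotate-from)` arm reads `$2` without checking that a value was supplied. If the flag is the last argument, or is followed by another option, `old_dir` ends up empty or wrong and the script generates new keys with no lineage and no error. A guard before the assignment would catch this: `[[ $# -ge 2 ]] || usage "--rotate-from requires a directory"`. The `while`/`case` loop continues outside the hunk.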
@@ -71,10 +78,16 @@ main() {
fi
dir=$1
- make_pair "${dir}" platform
- make_pair "${dir}" shared
- make_pair "${dir}" media
- make_pair "${dir}" releasekey
+ for name in platform shared media releasekey; do
+ make_pair "${dir}" "${name}"
+
+ if [ -d "${old_dir}" ]; then
+ apksigner rotate --out "${dir}/${name}.lineage" \
+ --old-signer --key "${old_dir}/${name}.pk8" \
+ --cert "${old_dir}/${name}.x509.pem" \
+ --new-signer --key "${dir}/${name}.pk8" --cert "${dir}/${name}.x509.pem"
+ fi
+ done
}
main "$@"
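Review bot: The `[ -d "${old_dir}" ]` test inside the loop treats a mistyped or missing `--rotate-from` path the same as no rotation request. An operator who intended a rotation gets a fresh key set without `.lineage` files and no diagnostic. Validating once before the loop makes that failure visible, using whatever error helper the script already has: `if [[ -n "${old_dir}" && ! -d "${old_dir}" ]]; then usage "Not a directory: ${old_dir}"; fi`, after which the loop can test `[[ -n "${old_dir}" ]]`. The loop variable should also be declared with `local name`, as `dir` and `old_dir` are, so it does not leak out of `main`.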