authorVictor Hsieh <victorhsieh@chromium.org>2020-10-05 15:40:32 -0700
committerCommit Bot <commit-bot@chromium.org>2020-10-08 00:00:31 +0000
commit6f5af922dfcc7b7c196537900b9229004ad1d025 (patch)
tree76833b44fc84cabff981cf940c10020277d65584
parentd8367f0d08a1af4655bfd4c5cef54dc5c79cca07 (diff)
Deal with Android's new networkstack key
BUG=b:170156734 TEST=run signing script locally BRANCH=None Signed-off-by: Victor HSieh <victorhsieh@chromium.org> Change-Id: I4f045729241b479b56fef5687b721b5b59c2eed8 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2450551 Reviewed-by: George Engelbrecht <engeg@google.com>
-rw-r--r--scripts/image_signing/lib/sign_android_lib.sh11
-rwxr-xr-xscripts/image_signing/sign_android_image.sh4
-rwxr-xr-xscripts/keygeneration/create_new_android_keys.sh6
3 files changed, 15 insertions, 6 deletions
diff --git a/scripts/image_signing/lib/sign_android_lib.sh b/scripts/image_signing/lib/sign_android_lib.sh
index 985e709d..4c1d25fa 100644
--- a/scripts/image_signing/lib/sign_android_lib.sh
+++ b/scripts/image_signing/lib/sign_android_lib.sh
@@ -30,8 +30,8 @@ android_choose_key() {
# Fingerprints below are generated by:
# 'cheets' keyset:
- # $ keytool -file vendor/google/certs/cheetskeys/$NAME.x509.pem -printcert \
- # | grep SHA1:
+ # $ keytool -file vendor/google_arc/certs/cheetskeys/$NAME.x509.pem \
+ # -printcert | grep SHA1:
# 'aosp' keyset:
# $ keytool -file build/target/product/security/$NAME.x509.pem -printcert \
# | grep SHA1:
@@ -51,6 +51,10 @@ android_choose_key() {
['cheets']='EC:63:36:20:23:B7:CB:66:18:70:D3:39:3C:A9:AE:7E:EF:A9:32:42'
['aosp']='61:ED:37:7E:85:D3:86:A8:DF:EE:6B:86:4B:D8:5B:0B:FA:A5:AF:81'
)
+ declare -A networkstack_sha=(
+ ['cheets']='7C:AD:D6:52:41:69:E7:A4:47:6F:DA:74:D0:8E:F0:48:3A:6F:00:ED'
+ ['aosp']='7C:8B:DA:BD:21:F9:53:A1:B1:8C:CB:E7:B9:13:93:D9:FD:F9:48:30'
+ )
case "${sha1}" in
"${platform_sha["${keyset}"]}")
@@ -66,6 +70,9 @@ android_choose_key() {
# The release_sha[] fingerprint is from devkey. Translate to releasekey.
echo "releasekey"
;;
+ "${networkstack_sha["${keyset}"]}")
+ echo "networkstack"
+ ;;
*)
# Not a framework apk. Do not re-sign.
echo ""
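Review bot: The new `networkstack` arm names a key that key directories generated before this commit do not contain, since create_new_android_keys.sh only gains `networkstack` in its loop in this same change. How the caller reacts to a missing key file is not visible here (android_choose_key and its callers extend beyond the hunk); it should abort the run rather than leave the APK carrying its development signature. A comment above the arm would record the requirement, for example `# Needs a networkstack key pair in the key dir; key sets created earlier must be extended first.`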
diff --git a/scripts/image_signing/sign_android_image.sh b/scripts/image_signing/sign_android_image.sh
index f9253789..5b1758c4 100755
--- a/scripts/image_signing/sign_android_image.sh
+++ b/scripts/image_signing/sign_android_image.sh
@@ -18,7 +18,7 @@ Re-sign framework apks in an Android system image. The image itself does not
need to be signed since it is shipped with Chrome OS image, which is already
signed.
-Android has many ``framework apks'' that are signed with 4 different framework
+Android has many ``framework apks'' that are signed with different framework
keys, depends on the purpose of the apk. During development, apks are signed
with the debug one. This script is to re-sign those apks with corresponding
release key. It also handles some of the consequences of the key changes, such
@@ -58,6 +58,7 @@ sign_framework_apks() {
local counter_media=0
local counter_shared=0
local counter_releasekey=0
+ local counter_networkstack=0
local counter_total=0
local apk
@@ -132,6 +133,7 @@ build flavor '${flavor_prop}'."
info "Found ${counter_media} media APKs."
info "Found ${counter_shared} shared APKs."
info "Found ${counter_releasekey} release APKs."
+ info "Found ${counter_networkstack} networkstack APKs."
info "Found ${counter_total} total APKs."
# Validity check.
if [[ ${counter_platform} -lt 2 || ${counter_media} -lt 2 ||
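Review bot: `counter_networkstack` is only logged; the validity check that starts on the last line of this hunk tests `counter_platform` and `counter_media`, and nothing visible adds the new counter to it (the condition continues outside the hunk). If the networkstack fingerprint in sign_android_lib.sh ever stops matching, android_choose_key falls through to its `*)` arm and the APK would presumably ship with its development signature while the run still passes. If every supported image contains this APK, consider adding `|| ${counter_networkstack} -lt 1` to the condition; otherwise a comment stating why zero is acceptable would help. The increment of the new counter is also not part of this diff, so confirm that it is actually updated.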
diff --git a/scripts/keygeneration/create_new_android_keys.sh b/scripts/keygeneration/create_new_android_keys.sh
index ce8253d1..9701d417 100755
--- a/scripts/keygeneration/create_new_android_keys.sh
+++ b/scripts/keygeneration/create_new_android_keys.sh
@@ -11,8 +11,8 @@ usage() {
cat <<EOF
Usage: ${PROG} [FLAGS] DIR
-Generate Android's 4 framework key pairs at DIR. For detail, please refer to
-"Certificates and private keys" and "Manually generating keys" in
+Generate Android's set of framework key pairs at DIR. For detail, please refer
+to "Certificates and private keys" and "Manually generating keys" in
https://source.android.com/devices/tech/ota/sign_builds.html.
FLAGS:
@@ -78,7 +78,7 @@ main() {
fi
dir=$1
- for name in platform shared media releasekey; do
+ for name in platform shared media releasekey networkstack; do
make_pair "${dir}" "${name}"
if [ -d "${old_dir}" ]; then
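Review bot: The list of key names in this `for` loop now has to match the names android_choose_key can echo in scripts/image_signing/lib/sign_android_lib.sh and the `counter_*` locals in sign_android_image.sh, and nothing ties the three together. A comment on the loop would make the coupling visible, for example `# Keep in sync with the key names echoed by android_choose_key (image_signing/lib/sign_android_lib.sh).` main's body continues outside the hunk.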