authorVictor Hsieh <victorhsieh@chromium.org>2016-08-18 14:07:51 -0700
committerVictor Hsieh <victorhsieh@chromium.org>2016-08-18 23:51:30 +0000
commit928f2405b8374a07a8dd0b1364ffac077f1e9b1f (patch)
treeae5bd72212c30a18cdbd20e62d567881cb6f59ed
parent7be7de45063136004a9ea27726c75a995cdd1570 (diff)
Fix file ownership during Android apk signing
Several files in the squashfs image ended up owned by root instead of their original owner, which caused problems booting Android. TEST=./sign_official_image with local keys, extract system.raw.img and override device copy. Able to launch ARC. BUG=b:29915721,b:30919855 Change-Id: Ic2595c99cbb7f7c2a2c543612a368681220cb3d9 Reviewed-on: https://chromium-review.googlesource.com/372312 Reviewed-by: Mike Frysinger <vapier@chromium.org> Tested-by: Victor Hsieh <victorhsieh@chromium.org>
-rwxr-xr-xscripts/image_signing/sign_android_image.sh47
1 files changed, 30 insertions, 17 deletions
diff --git a/scripts/image_signing/sign_android_image.sh b/scripts/image_signing/sign_android_image.sh
index 6f999793..90b92484 100755
--- a/scripts/image_signing/sign_android_image.sh
+++ b/scripts/image_signing/sign_android_image.sh
@@ -97,14 +97,15 @@ sign_framework_apks() {
# Follow the standard manual signing process. See
# https://developer.android.com/studio/publish/app-signing.html.
- cp "${apk}" "${temp_apk}"
+ cp -a "${apk}" "${temp_apk}"
# Explicitly remove existing signature.
zip -q "${temp_apk}" -d "META-INF/*"
signapk "${key_dir}/$keyname.x509.pem" "${key_dir}/$keyname.pk8" \
"${temp_apk}" "${signed_apk}" > /dev/null
zipalign 4 "${signed_apk}" "${aligned_apk}"
- sudo mv -f "${aligned_apk}" "${apk}"
+ # Copy the content instead of mv to avoid owner/mode changes.
+ sudo cp "${aligned_apk}" "${apk}" && rm -f "${aligned_apk}"
: $(( counter_${keyname} += 1 ))
: $(( counter_total += 1 ))
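Review bot: On the new `sudo cp "${aligned_apk}" "${apk}" && rm -f "${aligned_apk}"` line a failed copy goes unreported, because the non-final command of an `&&` list never triggers errexit (whether the script sets it is not visible here). The counters below would still be incremented while the image keeps the APK carrying its previous signature. I would split the line into `sudo cp "${aligned_apk}" "${apk}" || die "Failed to install signed ${apk}"` followed by `rm -f "${aligned_apk}"`. The enclosing loop of sign_framework_apks starts and ends outside the hunk.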
@@ -137,17 +138,16 @@ update_sepolicy() {
die "Unable to get the public platform key"
fi
- local output=$(make_temp_file)
+ local orig=$(make_temp_file)
local xml="${system_mnt}/system/etc/security/mac_permissions.xml"
local pattern='(<signer signature=")\w+("><seinfo value="platform)'
- sed -E "s/${pattern}/\1${new_cert}"'\2/g' "${xml}" > "${output}"
+ cp "${xml}" "${orig}"
+ sudo sed -i -E "s/${pattern}/\1${new_cert}"'\2/g' "${xml}"
# Sanity check.
- if cmp "${xml}" "${output}"; then
+ if cmp "${xml}" "${orig}"; then
die "Failed to replace SELinux policy cert"
fi
-
- sudo mv -f "${output}" "${xml}"
}
# Replace the debug key in OTA cert with release key.
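Review bot: The sanity check after the in-place `sed -i` passes on any difference between `${xml}` and `${orig}`, not only on a successful substitution. If the unprivileged `cp "${xml}" "${orig}"` fails and leaves the temp file empty (and the script does not abort on it; errexit is not visible here), or `cmp` itself exits with an error, `if cmp` is false and the function returns as if the platform signer had been replaced. A positive check is stronger, for example `sudo grep -q -- "${new_cert}" "${xml}" || die "Failed to replace SELinux policy cert"`, and `cmp -s` would keep the expected "differ" message out of the signing log. `local orig=$(make_temp_file)` also hides the helper's exit status; update_sepolicy begins outside the hunk.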
@@ -161,8 +161,10 @@ replace_ota_cert() {
local temp_dir=$(make_temp_dir)
pushd "${temp_dir}" > /dev/null
cp "${release_cert}" .
- sudo rm "${ota_zip}"
- sudo zip -q -r "${ota_zip}" .
+ local temp_zip=$(make_temp_file)
+ zip -q -r "${temp_zip}.zip" .
+ # Copy the content instead of mv to avoid owner/mode changes.
+ sudo cp "${temp_zip}.zip" "${ota_zip}"
popd > /dev/null
}
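Review bot: `"${temp_zip}.zip"` is a second path that make_temp_file never created, so whatever cleanup that helper arranges (not visible here) probably does not cover it, and the empty `${temp_zip}` file itself is never used. Writing the archive into a directory from the helper already used in this function avoids both, e.g. `local zip_dir=$(make_temp_dir)` and `zip -q -r "${zip_dir}/otacerts.zip" .`, then `sudo cp "${zip_dir}/otacerts.zip" "${ota_zip}"`. Since the old `sudo rm "${ota_zip}"` is gone, a failed `zip` or `sudo cp` now leaves the previous certificate archive in place, so both deserve an explicit `|| die "..."`. replace_ota_cert begins outside the hunk.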
@@ -179,6 +181,12 @@ reapply_file_security_context() {
"${system_mnt}"
}
+# Snapshot file properties in a directory recursively.
+snapshot_file_properties() {
+ local dir=$1
+ sudo find "${dir}" -exec stat -c '%n:%u:%g:%a:%C' {} + | sort
+}
+
main() {
local root_fs_dir=$1
local key_dir=$2
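Review bot: In snapshot_file_properties the pipeline's status is that of `sort`, so a failing `sudo find` or `stat` is hidden unless pipefail is set (not visible here). Two snapshots that are both empty or truncated would then compare equal, and the ownership check in main would pass without having checked anything. I would add `[[ ${PIPESTATUS[0]} -eq 0 ]] || die "Failed to snapshot ${dir}"` directly after the pipeline and use `LC_ALL=C sort` so the ordering does not depend on the caller's locale. The header comment could also state the output format, `# Prints one "path:uid:gid:mode:selinux-context" line per entry, sorted.`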
@@ -197,23 +205,28 @@ main() {
local system_mnt="${working_dir}/mnt"
info "Unpacking sqaushfs image to ${system_img}"
- sudo unsquashfs -f -d "${system_mnt}" "${system_img}"
+ sudo unsquashfs -f -no-progress -d "${system_mnt}" "${system_img}"
+
+ snapshot_file_properties "${system_mnt}" > "${working_dir}/properties.orig"
sign_framework_apks "${system_mnt}" "${key_dir}"
update_sepolicy "${system_mnt}" "${key_dir}"
replace_ota_cert "${system_mnt}" "${key_dir}/releasekey.x509.pem"
reapply_file_security_context "${system_mnt}" "${root_fs_dir}"
- info "Repacking sqaushfs image"
-
- local new_system_img="${working_dir}/system.raw.img"
- sudo mksquashfs "${system_mnt}" "${new_system_img}" -comp lzo
+ # Sanity check.
+ snapshot_file_properties "${system_mnt}" > "${working_dir}/properties.new"
+ local d
+ if ! d=$(diff "${working_dir}"/properties.{orig,new}); then
+ die "Unexpected change of file property, diff\n${d}"
+ fi
+ info "Repacking sqaushfs image"
local old_size=$(stat -c '%s' "${system_img}")
- local new_size=$(stat -c '%s' "${new_system_img}")
+ # Overwrite the original image.
+ sudo mksquashfs "${system_mnt}" "${system_img}" -no-progress -comp lzo -noappend
+ local new_size=$(stat -c '%s' "${system_img}")
info "Android system image size change: ${old_size} -> ${new_size}"
-
- sudo mv -f "${new_system_img}" "${system_img}"
}
main "$@"
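Review bot: `sudo mksquashfs "${system_mnt}" "${system_img}" ... -noappend` now writes straight over the only copy of the system image, whereas the removed code built `system.raw.img` in the working directory and replaced the original only afterwards. If mksquashfs fails part-way, the original is already gone and the lines that follow just report a size, so I would at least add `|| die "Failed to repack ${system_img}"` to that command (errexit may already cover it, but that is not visible here). Separately, the `\n` in `die "Unexpected change of file property, diff\n${d}"` is only a line break if die interprets escapes, which cannot be seen from this hunk. main's body starts before this hunk.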