author | Victor Hsieh <victorhsieh@chromium.org> | 2016-08-02 16:47:01 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2016-08-15 15:19:52 -0700 |
commit | 7573ff7efb99d93274305f69ea07b505f3921a57 (patch) | |
tree | 0cdc533af348a746ffc609f6526b0868ca00c27d /scripts/image_signing/sign_official_build.sh | |
parent | 8e917140b7ffafebb82d32998e9f56ad215a53c6 (diff) | |
download | vboot-7573ff7efb99d93274305f69ea07b505f3921a57.tar.gz |
Add script to sign Android image
sign_android_image.sh is the main script that signs the image. It makes
similar changes to an image like the Android official signing tool
(sign_target_files_apks.py) does, but more Chrome OS specific.
TEST=./sign_official_build.sh recovery recovery_image.bin \
../../tests/devkeys/ out_img
TEST=Same as above but with a recovery image without Android image.
Android signing was skipped.
TEST=Same as above but with a M53 image. Android signing was skipped.
TEST=Unpack the image and diff the before and after. Looks correct.
BUG=b:29915721
Change-Id: I0ae5f0ad8d2b05e485d60262558517ea563bf527
Reviewed-on: https://chromium-review.googlesource.com/366794
Commit-Ready: Victor Hsieh <victorhsieh@chromium.org>
Tested-by: Victor Hsieh <victorhsieh@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Diffstat (limited to 'scripts/image_signing/sign_official_build.sh')
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 4f3407ef..badfaa92 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -590,6 +590,35 @@ resign_firmware_payload() {
 echo "Re-signed firmware AU payload in $image"
 }
 
+# Re-sign Android image if exists.
+resign_android_image_if_exists() {
+ local image=$1
+
+ local rootfs_dir=$(make_temp_dir)
+ mount_image_partition "${image}" 3 "${rootfs_dir}"
+
+ local system_img="${rootfs_dir}/opt/google/containers/android/system.raw.img"
+
+ if [[ ! -e "${system_img}" ]]; then
+ info "Android image not found. Not signing Android APKs."
+ sudo umount "${rootfs_dir}"
+ return
+ fi
+
+ # Sign only 54+ images to make sure it works on dev channel first.
+ local milestone=$(grep CHROMEOS_RELEASE_CHROME_MILESTONE= \
+ "${rootfs_dir}/etc/lsb-release" | cut -d= -f2)
+ if [[ "${milestone}" -le 53 ]]; then
+ info "Not signing Android apks before 53 (incl.). Current: ${milestone}."
+ return
+ fi
+
+ "${SCRIPT_DIR}/sign_android_image.sh" "${rootfs_dir}" "${KEY_DIR}/android"
+
+ sudo umount "${rootfs_dir}"
+ echo "Re-signed Android image"
+}
+
 # Verify an image including rootfs hash using the specified keys.
 verify_image() {
 local rootfs_image=$(make_temp_file)
@@ -772,6 +801,7 @@ sign_image_file() {
 echo "Preparing ${image_type} image..."
 cp --sparse=always "${input}" "${output}"
 resign_firmware_payload "${output}"
+ resign_android_image_if_exists "${output}"
 # We do NOT strip /boot for factory installer, since some devices need it to
 # boot EFI. crbug.com/260512 would obsolete this requirement.
 # |
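Review bot: The milestone early return in resign_android_image_if_exists leaves the rootfs mounted: the "Android image not found" branch runs `sudo umount "${rootfs_dir}"` before returning, but the `-le 53` branch returns without it, so the rest of sign_image_file would presumably keep working on an image whose partition 3 is still mounted. Add `sudo umount "${rootfs_dir}"` before that second `return`. Separately, if the grep finds no CHROMEOS_RELEASE_CHROME_MILESTONE line, `milestone` is empty and `[[ "" -le 53 ]]` evaluates true, so Android signing is skipped with only an info message; for a signing step it is safer to treat a missing or non-numeric milestone as an error than as an old image. The exit status of sign_android_image.sh is also not checked here, so unless the script runs under `set -e` (not visible in this hunk), "Re-signed Android image" would be printed even after a failed signing run.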