authorVictor Hsieh <victorhsieh@chromium.org>2016-08-02 16:47:01 -0700
committerchrome-bot <chrome-bot@chromium.org>2016-08-15 15:19:52 -0700
commit7573ff7efb99d93274305f69ea07b505f3921a57 (patch)
tree0cdc533af348a746ffc609f6526b0868ca00c27d /scripts/image_signing/sign_official_build.sh
parent8e917140b7ffafebb82d32998e9f56ad215a53c6 (diff)
Add script to sign Android image
sign_android_image.sh is the main script that signs the image. It makes changes to an image similar to those the official Android signing tool (sign_target_files_apks.py) makes, but more specific to Chrome OS. TEST=./sign_official_build.sh recovery recovery_image.bin \ ../../tests/devkeys/ out_img TEST=Same as above but with a recovery image without an Android image. Android signing was skipped. TEST=Same as above but with an M53 image. Android signing was skipped. TEST=Unpack the image and diff the before and after. Looks correct. BUG=b:29915721 Change-Id: I0ae5f0ad8d2b05e485d60262558517ea563bf527 Reviewed-on: https://chromium-review.googlesource.com/366794 Commit-Ready: Victor Hsieh <victorhsieh@chromium.org> Tested-by: Victor Hsieh <victorhsieh@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org>
Diffstat (limited to 'scripts/image_signing/sign_official_build.sh')
-rwxr-xr-xscripts/image_signing/sign_official_build.sh30
1 files changed, 30 insertions, 0 deletions
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index 4f3407ef..badfaa92 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -590,6 +590,35 @@ resign_firmware_payload() {
echo "Re-signed firmware AU payload in $image"
}
+# Re-sign Android image if exists.
+resign_android_image_if_exists() {
+ local image=$1
+
+ local rootfs_dir=$(make_temp_dir)
+ mount_image_partition "${image}" 3 "${rootfs_dir}"
+
+ local system_img="${rootfs_dir}/opt/google/containers/android/system.raw.img"
+
+ if [[ ! -e "${system_img}" ]]; then
+ info "Android image not found. Not signing Android APKs."
+ sudo umount "${rootfs_dir}"
+ return
+ fi
+
+ # Sign only 54+ images to make sure it works on dev channel first.
+ local milestone=$(grep CHROMEOS_RELEASE_CHROME_MILESTONE= \
+ "${rootfs_dir}/etc/lsb-release" | cut -d= -f2)
+ if [[ "${milestone}" -le 53 ]]; then
+ info "Not signing Android apks before 53 (incl.). Current: ${milestone}."
+ return
+ fi
+
+ "${SCRIPT_DIR}/sign_android_image.sh" "${rootfs_dir}" "${KEY_DIR}/android"
+
+ sudo umount "${rootfs_dir}"
+ echo "Re-signed Android image"
+}
+
# Verify an image including rootfs hash using the specified keys.
verify_image() {
local rootfs_image=$(make_temp_file)
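Review bot: The milestone early return in `resign_android_image_if_exists` (`if [[ "${milestone}" -le 53 ]]`) leaves `${rootfs_dir}` mounted, unlike the not-found path above it and the normal exit; add `sudo umount "${rootfs_dir}"` before that `return`. The same check fails open: `local milestone=$(grep … | cut …)` hides a grep failure, and an empty value compares as 0 under `-le`, so an image whose lsb-release lacks the key is passed on with its Android APKs not re-signed and only an info line to show for it. Because the value is read from the image and `[[ … -le … ]]` evaluates its operands arithmetically, validate it as digits first and return non-zero otherwise, e.g. `[[ "${milestone}" =~ ^[0-9]+$ ]] || { sudo umount "${rootfs_dir}"; return 1; }`. Whether a failing `sign_android_image.sh` stops the run before "Re-signed Android image" is printed depends on shell options set outside this hunk, so an explicit status check on that call would make the intent visible.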
@@ -772,6 +801,7 @@ sign_image_file() {
echo "Preparing ${image_type} image..."
cp --sparse=always "${input}" "${output}"
resign_firmware_payload "${output}"
+ resign_android_image_if_exists "${output}"
# We do NOT strip /boot for factory installer, since some devices need it to
# boot EFI. crbug.com/260512 would obsolete this requirement.
#