author | Victor Hsieh <victorhsieh@chromium.org> | 2019-06-04 09:18:41 -0700 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2019-06-05 20:00:19 +0000 |
commit | 79ecc414b64e1d2b0ebc1be255f497ed1886a0ef (patch) | |
tree | fd4ca85184b9e889d79f495bc7440eb700619a1c /scripts/keygeneration | |
parent | b00d3fd7adab63fb6372fb4c9e363615eda994d1 (diff) | |
download | vboot-79ecc414b64e1d2b0ebc1be255f497ed1886a0ef.tar.gz |
Support signing Android APKs with apksigner
* To enable, use --use_apksigner.
* Drop signature schemes that we don't really need.
* Supports key rotation. In this case, the signing lineage
will be honored if the file exists next to the keys.
* Update key generation script to auto generate the signing lineage.
TEST=the script runs successfully with and without the flag
TEST=`apksigner lineage --print-certs -v -in foo.apk` shows
correct rotation info
TEST=keygeneration/create_new_android_keys.sh --rotate-from old new
BUG=None
BRANCH=None
Change-Id: Ic7b7b0ed4ea707a748dc42a1f39d6eb79d53cf1b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1643411
Tested-by: Victor Hsieh <victorhsieh@chromium.org>
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
Commit-Queue: Victor Hsieh <victorhsieh@chromium.org>
Diffstat (limited to 'scripts/keygeneration')
-rwxr-xr-x | scripts/keygeneration/create_new_android_keys.sh | 23 |
1 files changed, 18 insertions, 5 deletions
diff --git a/scripts/keygeneration/create_new_android_keys.sh b/scripts/keygeneration/create_new_android_keys.sh index 32fa3c77..5e865c8a 100755 --- a/scripts/keygeneration/create_new_android_keys.sh +++ b/scripts/keygeneration/create_new_android_keys.sh @@ -9,12 +9,14 @@ usage() { cat <<EOF -Usage: ${PROG} DIR +Usage: ${PROG} [FLAGS] DIR Generate Android's 4 framework key pairs at DIR. For detail, please refer to "Certificates and private keys" and "Manually generating keys" in https://source.android.com/devices/tech/ota/sign_builds.html. +FLAGS: + --rotate-from Directory containing a set of old key pairs to rotate from EOF if [[ $# -ne 0 ]]; then @@ -51,12 +53,17 @@ main() { set -e local dir + local old_dir while [[ $# -gt 0 ]]; do case $1 in -h|--help) usage ;; + --rotate-from) + old_dir="$2" + shift + ;; -*) usage "Unknown option: $1" ;; @@ -71,10 +78,16 @@ main() { fi dir=$1 - make_pair "${dir}" platform - make_pair "${dir}" shared - make_pair "${dir}" media - make_pair "${dir}" releasekey + for name in platform shared media releasekey; do + make_pair "${dir}" "${name}" + + if [ -d "${old_dir}" ]; then + apksigner rotate --out "${dir}/${name}.lineage" \ + --old-signer --key "${old_dir}/${name}.pk8" \ + --cert "${old_dir}/${name}.x509.pem" \ + --new-signer --key "${dir}/${name}.pk8" --cert "${dir}/${name}.x509.pem" + fi + done } main "$@" |
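Review bot: in the usage() hunk, the new FLAGS entry lists `--rotate-from` with no placeholder for its argument, although the option parser consumes the following word as a directory. Suggest `--rotate-from OLD_DIR` in the help text, and a sentence saying that a `<name>.lineage` file is written into DIR for each key pair when the flag is given, since the summary line still only mentions generating the 4 key pairs.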
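Review bot: in the `--rotate-from)` case of the option loop, `old_dir="$2"` is assigned without checking that a value follows the flag. When `--rotate-from` is the last word on the command line, `$2` is unset and `old_dir` is left empty, which the later `-d` test reads as "no rotation requested". Suggest checking `[[ $# -ge 2 ]]` before the assignment and calling `usage "--rotate-from requires a directory"` otherwise.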
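Review bot: in the new `for name in platform shared media releasekey` loop, `[ -d "${old_dir}" ]` treats a mistyped or missing `--rotate-from` directory the same as the flag not being given: `make_pair` still generates the new keys, `apksigner rotate` is skipped, and nothing is reported. For a key rotation that silent skip matters, because the new keys are produced without the `.lineage` file that links them to the old signer. Suggest validating once before the loop (fail if `old_dir` is non-empty and not a directory) and testing `[[ -n "${old_dir}" ]]` inside the loop. Minor: `name` is not declared `local` the way `dir` and `old_dir` are, and the test uses `[ ]` where the rest of the visible script uses `[[ ]]`.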