author | Victor Hsieh <victorhsieh@chromium.org> | 2019-06-04 09:18:41 -0700 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2019-06-05 20:00:19 +0000 |
commit | 79ecc414b64e1d2b0ebc1be255f497ed1886a0ef (patch) | |
tree | fd4ca85184b9e889d79f495bc7440eb700619a1c /scripts | |
parent | b00d3fd7adab63fb6372fb4c9e363615eda994d1 (diff) | |
download | vboot-79ecc414b64e1d2b0ebc1be255f497ed1886a0ef.tar.gz |
Support signing Android APKs with apksigner
* To enable, use --use_apksigner.
* Drop signature schemes that we don't really need.
* Supports key rotation. In this case, the signing lineage
will be honored if the file exists next to the keys.
* Update key generation script to auto generate the signing lineage.
TEST=the script runs successfully with and without the flag
TEST=`apksigner lineage --print-certs -v -in foo.apk` shows
correct rotation info
TEST=keygeneration/create_new_android_keys.sh --rotate-from old new
BUG=None
BRANCH=None
Change-Id: Ic7b7b0ed4ea707a748dc42a1f39d6eb79d53cf1b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1643411
Tested-by: Victor Hsieh <victorhsieh@chromium.org>
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
Commit-Queue: Victor Hsieh <victorhsieh@chromium.org>
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/image_signing/sign_android_image.sh | 61 | ||||
-rwxr-xr-x | scripts/keygeneration/create_new_android_keys.sh | 23 |
2 files changed, 60 insertions, 24 deletions
diff --git a/scripts/image_signing/sign_android_image.sh b/scripts/image_signing/sign_android_image.sh index 4bd31056..22347317 100755 --- a/scripts/image_signing/sign_android_image.sh +++ b/scripts/image_signing/sign_android_image.sh @@ -6,31 +6,30 @@ . "$(dirname "$0")/common.sh" . "$(dirname "$0")/lib/sign_android_lib.sh" +load_shflags || exit 1 -set -e +DEFINE_boolean use_apksigner "${FLAGS_FALSE}" \ + "Use apksigner instead of signapk for APK signing" -# Print usage string -usage() { - cat <<EOF +FLAGS_HELP=" Usage: $PROG /path/to/cros_root_fs/dir /path/to/keys/dir Re-sign framework apks in an Android system image. The image itself does not need to be signed since it is shipped with Chrome OS image, which is already signed. -Android has many "framework apks" that are signed with 4 different framework +Android has many ``framework apks'' that are signed with 4 different framework keys, depends on the purpose of the apk. During development, apks are signed with the debug one. This script is to re-sign those apks with corresponding release key. It also handles some of the consequences of the key changes, such as sepolicy update. +" -EOF - if [[ $# -gt 0 ]]; then - error "$*" - exit 1 - fi - exit 0 -} +# Parse command line. +FLAGS "$@" || exit 1 +eval set -- "${FLAGS_ARGV}" + +set -e # Re-sign framework apks with the corresponding release keys. Only apk with # known key fingerprint are re-signed. We should not re-sign non-framework 
@@ -89,11 +88,33 @@ build flavor '${flavor_prop}'." # Explicitly remove existing signature. zip -q "${temp_apk}" -d "META-INF/*" - # Signapk now creates signature of APK Signature Scheme v2. No further APK - # changes should happen afterward. Also note that signapk now takes care of - # zipalign. - signapk "${key_dir}/$keyname.x509.pem" "${key_dir}/$keyname.pk8" \ - "${temp_apk}" "${signed_apk}" > /dev/null + if [ "${FLAGS_use_apksigner}" = "$FLAGS_FALSE" ]; then + # Signapk now creates signature of APK Signature Scheme v2. No further APK + # changes should happen afterward. Also note that signapk now takes care + # of zipalign. + signapk "${key_dir}/$keyname.x509.pem" "${key_dir}/$keyname.pk8" \ + "${temp_apk}" "${signed_apk}" > /dev/null + else + # Key rotation: old key can sign a new key and generate a lineage file. + # Provided the lineage file, Android P can honor the new key. Lineage file + # can be generated similar to the following command: + # + # apksigner rotate --out media.lineage --old-signer --key old-media.pk8 + # --cert old-media.x509.pem --new-signer --key new-media.pk8 --cert + # new-media.x509.pem + # + # TODO(b/132818552): disable v1 signing once a check is removed. + + local extra_flags + local lineage_file="${key_dir}/$keyname.lineage}" + if [ -f ${lineage_file} ]; then + extra_flags="--lineage ${lineage_file}" + fi + apksigner sign --v1-signing-enabled true --v2-signing-enabled false \ + --key "${key_dir}/$keyname.pk8" --cert "${key_dir}/$keyname.x509.pem" \ + --in "${temp_apk}" --out "${signed_apk}" \ + ${extra_flags} + fi # Copy the content instead of mv to avoid owner/mode changes. sudo cp "${signed_apk}" "${apk}" && rm -f "${signed_apk}" 
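Review bot: The `lineage_file` assignment in the new apksigner branch ends in a stray `}` (`"${key_dir}/$keyname.lineage}"`), so the path tested is `<keyname>.lineage}` and the `-f` check can never match a real lineage file. `--lineage` is then silently omitted, and the APK is signed with the new key but without its rotation proof. The line should read `local lineage_file="${key_dir}/${keyname}.lineage"`. The `-f` test and `${extra_flags}` are also unquoted, so a key directory containing spaces would be word-split; an array avoids that: `local extra_flags=()`, `extra_flags=(--lineage "${lineage_file}")`, and `"${extra_flags[@]}"` on the `apksigner sign` line. The enclosing function starts and ends outside the hunk.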
@@ -206,14 +227,16 @@ main() { local mksquashfs=$(which mksquashfs) if [[ $# -ne 2 ]]; then - usage "command takes exactly 2 args" + flags_help + die "command takes exactly 2 args" fi if [[ ! -f "${system_img}" ]]; then die "System image does not exist: ${system_img}" fi - if ! type -P zipalign &>/dev/null || ! type -P signapk &>/dev/null; then + if ! type -P zipalign &>/dev/null || ! type -P signapk &>/dev/null \ + || ! type -P apksigner &>/dev/null; then # TODO(victorhsieh): Make this an error. This is not treating as error # just to make an unrelated test pass by skipping this signing. warn "Skip signing Android apks (some of executables are not found)." diff --git a/scripts/keygeneration/create_new_android_keys.sh b/scripts/keygeneration/create_new_android_keys.sh index 32fa3c77..5e865c8a 100755 --- a/scripts/keygeneration/create_new_android_keys.sh +++ b/scripts/keygeneration/create_new_android_keys.sh @@ -9,12 +9,14 @@ usage() { cat <<EOF -Usage: ${PROG} DIR +Usage: ${PROG} [FLAGS] DIR Generate Android's 4 framework key pairs at DIR. For detail, please refer to "Certificates and private keys" and "Manually generating keys" in https://source.android.com/devices/tech/ota/sign_builds.html. +FLAGS: + --rotate-from Directory containing a set of old key pairs to rotate from EOF if [[ $# -ne 0 ]]; then @@ -51,12 +53,17 @@ main() { set -e local dir + local old_dir while [[ $# -gt 0 ]]; do case $1 in -h|--help) usage ;; + --rotate-from) + old_dir="$2" + shift + ;; -*) usage "Unknown option: $1" ;; 
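Review bot: The tool check in `main` now requires `apksigner` unconditionally, so a host that has `signapk` but not `apksigner` takes the warn-and-skip path even when `--use_apksigner` is off. The framework APKs would then keep whatever keys they were built with. Checking only the signer that will actually run avoids this: set `signer=apksigner` when `"${FLAGS_use_apksigner}" = "${FLAGS_TRUE}"` and `signer=signapk` otherwise, then test `type -P "${signer}"`. Because a skip leaves the APKs without release signatures, the existing TODO to make this an error looks worth resolving in the same change. What follows the `warn` is outside the hunk, so the skip behaviour is inferred from the message text.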
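Review bot: The `--rotate-from` case in create_new_android_keys.sh takes `old_dir="$2"` without checking that an argument follows or that it names a directory. The loop in the last hunk (`if [ -d "${old_dir}" ]`) then treats a missing or mistyped directory the same as no rotation at all. A typo therefore yields a fresh key set with no `.lineage` files and no error. Validating at parse time makes the failure visible: `[[ -d "${2:-}" ]] || usage "--rotate-from needs an existing directory"` before the assignment. The `case` statement and `main` continue outside the hunk.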
@@ -71,10 +78,16 @@ main() { fi dir=$1 - make_pair "${dir}" platform - make_pair "${dir}" shared - make_pair "${dir}" media - make_pair "${dir}" releasekey + for name in platform shared media releasekey; do + make_pair "${dir}" "${name}" + + if [ -d "${old_dir}" ]; then + apksigner rotate --out "${dir}/${name}.lineage" \ + --old-signer --key "${old_dir}/${name}.pk8" \ + --cert "${old_dir}/${name}.x509.pem" \ + --new-signer --key "${dir}/${name}.pk8" --cert "${dir}/${name}.x509.pem" + fi + done } main "$@" |