diff options
Diffstat (limited to 'scripts/image_signing/lib/sign_android_lib.sh')
-rw-r--r-- | scripts/image_signing/lib/sign_android_lib.sh | 133 |
1 files changed, 133 insertions, 0 deletions
diff --git a/scripts/image_signing/lib/sign_android_lib.sh b/scripts/image_signing/lib/sign_android_lib.sh new file mode 100644 index 00000000..eae2a360 --- /dev/null +++ b/scripts/image_signing/lib/sign_android_lib.sh @@ -0,0 +1,133 @@ +#!/bin/bash + +# Copyright 2018 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +. "$(dirname "$0")/common.sh" + +####################################### +# Return name according to the current signing debug key. The name is used to +# select key files. +# Globals: +# None +# Arguments: +# sha1: signature of the APK. +# keyset: "cheets" or "aosp" build? +# Outputs: +# Writes the name of the key to stdout. +# Returns: +# 0 on success, non-zero on error. +####################################### +android_choose_key() { + local sha1="$1" + local keyset="$2" + + if [[ "${keyset}" != "aosp" && "${keyset}" != "cheets" ]]; then + error "Unknown Android build keyset '${keyset}'." + return 1 + fi + + # Fingerprints below are generated by: + # 'cheets' keyset: + # $ keytool -file vendor/google/certs/cheetskeys/$NAME.x509.pem -printcert \ + # | grep SHA1: + # 'aosp' keyset: + # $ keytool -file build/target/product/security/$NAME.x509.pem -printcert \ + # | grep SHA1: + declare -A platform_sha=( + ['cheets']='AA:04:E0:5F:82:9C:7E:D1:B9:F8:FC:99:6C:5A:54:43:83:D9:F5:BC' + ['aosp']='27:19:6E:38:6B:87:5E:76:AD:F7:00:E7:EA:84:E4:C6:EE:E3:3D:FA' + ) + declare -A media_sha=( + ['cheets']='D4:C4:2D:E0:B9:1B:15:72:FA:7D:A7:21:E0:A6:09:94:B4:4C:B5:AE' + ['aosp']='B7:9D:F4:A8:2E:90:B5:7E:A7:65:25:AB:70:37:AB:23:8A:42:F5:D3' + ) + declare -A shared_sha=( + ['cheets']='38:B6:2C:E1:75:98:E3:E1:1C:CC:F6:6B:83:BB:97:0E:2D:40:6C:AE' + ['aosp']='5B:36:8C:FF:2D:A2:68:69:96:BC:95:EA:C1:90:EA:A4:F5:63:0F:E5' + ) + declare -A release_sha=( + ['cheets']='EC:63:36:20:23:B7:CB:66:18:70:D3:39:3C:A9:AE:7E:EF:A9:32:42' + ['aosp']='61:ED:37:7E:85:D3:86:A8:DF:EE:6B:86:4B:D8:5B:0B:FA:A5:AF:81' + ) + + case "${sha1}" in + "${platform_sha["${keyset}"]}") + echo "platform" + ;; + "${media_sha["${keyset}"]}") + echo "media" + ;; + "${shared_sha["${keyset}"]}") + echo "shared" + ;; + "${release_sha["${keyset}"]}") + # The release_sha[] fingerprint is from devkey. Translate to releasekey. + echo "releasekey" + ;; + *) + # Not a framework apk. Do not re-sign. + echo "" + ;; + esac + return 0 +} + +####################################### +# Extract 'ro.build.flavor' property from build property file. +# Globals: +# None +# Arguments: +# build_prop_file: path to build property file. +# Outputs: +# Writes the value of the property to stdout. +# Returns: +# 0 on success, non-zero on error. +####################################### +android_get_build_flavor_prop() { + local build_prop_file="$1" + local flavor_prop="" + + if ! flavor_prop=$(grep -a "^ro\.build\.flavor=" "${build_prop_file}"); then + return 1 + fi + flavor_prop=$(echo "${flavor_prop}" | cut -d "=" -f2) + echo "${flavor_prop}" + return 0 +} + +####################################### +# Pick the expected keyset ('cheets', 'aosp') depending on the build flavor. +# Globals: +# None +# Arguments: +# flavor_prop: the value of the build flavor property. +# Outputs: +# Writes the name of the keyset to stdout. +# Returns: +# 0 on success, non-zero on error. +####################################### +android_choose_signing_keyset() { + local flavor_prop="$1" + + # Property ro.build.flavor follows those patterns: + # - cheets builds: + # ro.build.flavor=cheets_${arch}-user(debug) + # - SDK builds: + # ro.build.flavor=sdk_google_cheets_${arch}-user(debug) + # - AOSP builds: + # ro.build.flavor=aosp_cheets_${arch}-user(debug) + # "cheets" and "SDK" builds both use the same signing keys, cheetskeys. "AOSP" + # builds use the public AOSP signing keys. + if [[ "${flavor_prop}" == aosp_cheets_* ]]; then + keyset="aosp" + elif [[ "${flavor_prop}" == cheets_* || + "${flavor_prop}" == sdk_google_cheets_* ]]; then + keyset="cheets" + else + return 1 + fi + echo "${keyset}" + return 0 +} |