From 2fbb522949cd5c7a4f203a90da1bcdbf6057b5ae Mon Sep 17 00:00:00 2001
From: Nicolas Norvez <norvez@chromium.org>
Date: Mon, 5 Feb 2018 11:50:52 -0800
Subject: image_signing: Support AOSP dev signing keys

Following ag/3536780, aosp_cheets targets have their APKs signed with
keys https://android.googlesource.com/platform/build/+/master/target/product/security/
The image signing script now:
- detects if it's an aosp_cheets or cheets build
- checks the correct signing keys have been used in either case
- logs more information about the Android image

BUG=b:72947583
TEST=manually test sign_framework_apks against AOSP and cheets builds
TEST=aosp_cheets builds prior to ag/3536780 are now failing (expected)
TEST=aosp_cheets builds posterior to ag/3536780 are passing
TEST=cheets builds (before and after) are passing

TEST=check that commenting out ro.product.name in build.prop triggers an
error
TEST=check that an invalid value in ro.product.name triggers an error
BRANCH=None

Change-Id: I72abea5182fbfe76820e3f48831be04f39cb334e
Reviewed-on: https://chromium-review.googlesource.com/904726
Commit-Ready: Nicolas Norvez <norvez@chromium.org>
Tested-by: Nicolas Norvez <norvez@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
---
 scripts/image_signing/sign_android_image.sh | 67 ++++++++++++++++++++++++-----
 1 file changed, 57 insertions(+), 10 deletions(-)

diff --git a/scripts/image_signing/sign_android_image.sh b/scripts/image_signing/sign_android_image.sh
index bf5098d0..3bd61686 100755
--- a/scripts/image_signing/sign_android_image.sh
+++ b/scripts/image_signing/sign_android_image.sh
@@ -31,29 +31,53 @@ EOF
   exit 0
 }
 
-# Return name according to the current signing debug key.  The name is used to
+# Return name according to the current signing debug key. The name is used to
 # select key files.
 choose_key() {
-  local apk="$1"
+  local sha1="$1"
+  local flavor="$2"
 
-  local sha1=$(unzip -p "${apk}" META-INF/CERT.RSA | \
-      keytool -printcert | awk '/^\s*SHA1:/ {print $2}')
+  if [[ "${flavor}" != "aosp" && "${flavor}" != "cheets" ]]; then
+    error "Unknown Android build flavor '${flavor}'"
+    return 1
+  fi
 
   # Fingerprints below are generated by:
+  # 'cheets' flavor:
   # $ keytool -file vendor/google/certs/cheetskeys/$NAME.x509.pem -printcert \
   #     | grep SHA1:
+  # 'aosp' flavor:
+  # $ keytool -file build/target/product/security/$NAME.x509.pem -printcert \
+  #     | grep SHA1:
+  declare -A platform_sha=(
+    ['cheets']='AA:04:E0:5F:82:9C:7E:D1:B9:F8:FC:99:6C:5A:54:43:83:D9:F5:BC'
+    ['aosp']='27:19:6E:38:6B:87:5E:76:AD:F7:00:E7:EA:84:E4:C6:EE:E3:3D:FA'
+  )
+  declare -A media_sha=(
+    ['cheets']='D4:C4:2D:E0:B9:1B:15:72:FA:7D:A7:21:E0:A6:09:94:B4:4C:B5:AE'
+    ['aosp']='B7:9D:F4:A8:2E:90:B5:7E:A7:65:25:AB:70:37:AB:23:8A:42:F5:D3'
+  )
+  declare -A shared_sha=(
+    ['cheets']='38:B6:2C:E1:75:98:E3:E1:1C:CC:F6:6B:83:BB:97:0E:2D:40:6C:AE'
+    ['aosp']='5B:36:8C:FF:2D:A2:68:69:96:BC:95:EA:C1:90:EA:A4:F5:63:0F:E5'
+  )
+  declare -A release_sha=(
+    ['cheets']='EC:63:36:20:23:B7:CB:66:18:70:D3:39:3C:A9:AE:7E:EF:A9:32:42'
+    ['aosp']='61:ED:37:7E:85:D3:86:A8:DF:EE:6B:86:4B:D8:5B:0B:FA:A5:AF:81'
+  )
+
   case "${sha1}" in
-    "AA:04:E0:5F:82:9C:7E:D1:B9:F8:FC:99:6C:5A:54:43:83:D9:F5:BC")
+    "${platform_sha["${flavor}"]}")
       echo "platform"
       ;;
-    "D4:C4:2D:E0:B9:1B:15:72:FA:7D:A7:21:E0:A6:09:94:B4:4C:B5:AE")
+    "${media_sha["${flavor}"]}")
       echo "media"
       ;;
-    "38:B6:2C:E1:75:98:E3:E1:1C:CC:F6:6B:83:BB:97:0E:2D:40:6C:AE")
+    "${shared_sha["${flavor}"]}")
       echo "shared"
       ;;
-    "EC:63:36:20:23:B7:CB:66:18:70:D3:39:3C:A9:AE:7E:EF:A9:32:42")
-      # The above fingerprint is from devkey.  Translate to releasekey.
+    "${release_sha["${flavor}"]}")
+      # The release_sha[] fingerprint is from devkey. Translate to releasekey.
       echo "releasekey"
       ;;
     *)
@@ -61,6 +85,7 @@ choose_key() {
       echo ""
       ;;
   esac
+  return 0
 }
 
 # Re-sign framework apks with the corresponding release keys.  Only apk with
@@ -69,6 +94,14 @@ choose_key() {
 sign_framework_apks() {
   local system_mnt="$1"
   local key_dir="$2"
+  local product=""
+  local build_flavor=""
+
+  product=$(grep -a "^ro\.product\.name=" "${system_mnt}/system/build.prop" | \
+    cut -d "=" -f2)
+  build_flavor=$(echo "${product}" | cut -d "_" -f1)
+  info "Found product name '${product}'."
+  info "Detected build flavor '${build_flavor}'."
 
   info "Start signing framework apks"
 
@@ -81,7 +114,16 @@ sign_framework_apks() {
 
   local apk
   while read -d $'\0' -r apk; do
-    local keyname=$(choose_key "${apk}")
+    local sha1=""
+    local keyname=""
+
+    sha1=$(unzip -p "${apk}" META-INF/CERT.RSA | \
+      keytool -printcert | awk '/^\s*SHA1:/ {print $2}')
+
+    if  ! keyname=$(choose_key "${sha1}" "${build_flavor}"); then
+      die "Failed to choose signing key for APK '${apk}' (SHA1 '${sha1}') in \
+build flavor '${build_flavor}'."
+    fi
     if [[ -z "${keyname}" ]]; then
       continue
     fi
@@ -109,6 +151,11 @@ sign_framework_apks() {
     : $(( counter_total += 1 ))
   done < <(find "${system_mnt}/system" -type f -name '*.apk' -print0)
 
+  info "Found ${counter_platform} platform APKs."
+  info "Found ${counter_media} media APKs."
+  info "Found ${counter_shared} shared APKs."
+  info "Found ${counter_releasekey} release APKs."
+  info "Found ${counter_total} total APKs."
   # Sanity check.
   if [[ ${counter_platform} -lt 2 || ${counter_media} -lt 2 ||
         ${counter_shared} -lt 2 || ${counter_releasekey} -lt 2 ||
-- 
cgit v1.2.1