From 7efa7465b17adc361c00e4e7e92f74a256038d52 Mon Sep 17 00:00:00 2001
From: Nicolas Norvez
Date: Wed, 7 Feb 2018 17:21:43 -0800
Subject: image_signing: Fix detection of build flavor
The original "ro.product.name" of the Android image is modified by the Chrome OS build process to change it to the CrOS device name instead, which breaks the detection of the build flavor. Instead, we now rely on the "ro.build.flavor" property which is not modified. If the build flavor is either cheets_* or sdk_google_cheets_*, we expect the keys to be the cheets keys. AOSP keys are used for aosp_cheets_* build flavors.
BUG=b:72947583
TEST=run against caroline image, scripts detects 'cheets' build flavor
TEST=run against novato-arc64 image (SDK), script detects 'cheets' build flavor
TEST=run against newbie image (AOSP), script detects 'aosp' build flavor
TEST=run against invalid build property 'paosp_cheets_...', script aborts as expected
BRANCH=None
Change-Id: I662436b256b59238b00c7374120f315b538fcd75
Reviewed-on: https://chromium-review.googlesource.com/911905
Commit-Ready: Nicolas Norvez
Tested-by: Nicolas Norvez
Reviewed-by: Victor Hsieh
Reviewed-by: Mike Frysinger
---
scripts/image_signing/sign_android_image.sh | 55 +++++++++++++++++++----------
1 file changed, 36 insertions(+), 19 deletions(-)
diff --git a/scripts/image_signing/sign_android_image.sh b/scripts/image_signing/sign_android_image.sh
index 3bd61686..a205b5ae 100755
--- a/scripts/image_signing/sign_android_image.sh
+++ b/scripts/image_signing/sign_android_image.sh
@@ -35,18 +35,18 @@ EOF
 # select key files.
 choose_key() {
 local sha1="$1"
- local flavor="$2"
+ local keyset="$2"
- if [[ "${flavor}" != "aosp" && "${flavor}" != "cheets" ]]; then
- error "Unknown Android build flavor '${flavor}'"
+ if [[ "${keyset}" != "aosp" && "${keyset}" != "cheets" ]]; then
+ error "Unknown Android build keyset '${keyset}'"
 return 1
 fi
 # Fingerprints below are generated by:
- # 'cheets' flavor:
+ # 'cheets' keyset:
 # $ keytool -file vendor/google/certs/cheetskeys/$NAME.x509.pem -printcert \
 # | grep SHA1:
- # 'aosp' flavor:
+ # 'aosp' keyset:
 # $ keytool -file build/target/product/security/$NAME.x509.pem -printcert \
 # | grep SHA1:
 declare -A platform_sha=(
@@ -67,16 +67,16 @@ choose_key() {
 )
 case "${sha1}" in
- "${platform_sha["${flavor}"]}")
+ "${platform_sha["${keyset}"]}")
 echo "platform"
 ;;
- "${media_sha["${flavor}"]}")
+ "${media_sha["${keyset}"]}")
 echo "media"
 ;;
- "${shared_sha["${flavor}"]}")
+ "${shared_sha["${keyset}"]}")
 echo "shared"
 ;;
- "${release_sha["${flavor}"]}")
+ "${release_sha["${keyset}"]}")
 # The release_sha[] fingerprint is from devkey. Translate to releasekey.
 echo "releasekey"
 ;;
@@ -94,14 +94,31 @@ choose_key() {
 sign_framework_apks() {
 local system_mnt="$1"
 local key_dir="$2"
- local product=""
- local build_flavor=""
-
- product=$(grep -a "^ro\.product\.name=" "${system_mnt}/system/build.prop" | \
- cut -d "=" -f2)
- build_flavor=$(echo "${product}" | cut -d "_" -f1)
- info "Found product name '${product}'."
- info "Detected build flavor '${build_flavor}'."
+ local flavor_prop=""
+ local keyset=""
+
+ # Property ro.build.flavor follows those patterns:
+ # - cheets builds:
+ # ro.build.flavor=cheets_${arch}-user(debug)
+ # - SDK builds:
+ # ro.build.flavor=sdk_google_cheets_${arch}-user(debug)
+ # - AOSP builds:
+ # ro.build.flavor=aosp_cheets_${arch}-user(debug)
+ # "cheets" and "SDK" builds both use the same signing keys, cheetskeys. "AOSP"
+ # builds use the public AOSP signing keys.
+ flavor_prop=$(grep -a "^ro\.build\.flavor=" \
+ "${system_mnt}/system/build.prop" | cut -d "=" -f2)
+
+ info "Found build flavor property '${flavor_prop}'."
+ if [[ "${flavor_prop}" == aosp_cheets_* ]]; then
+ keyset="aosp"
+ elif [[ "${flavor_prop}" == cheets_* ||
+ "${flavor_prop}" == sdk_google_cheets_* ]]; then
+ keyset="cheets"
+ else
+ die "Unknown build flavor property '${flavor_prop}'."
+ fi
+ info "Expecting signing keyset '${keyset}'."
 info "Start signing framework apks"
@@ -120,9 +137,9 @@ sign_framework_apks() {
 sha1=$(unzip -p "${apk}" META-INF/CERT.RSA | \
 keytool -printcert | awk '/^\s*SHA1:/ {print $2}')
- if ! keyname=$(choose_key "${sha1}" "${build_flavor}"); then
+ if ! keyname=$(choose_key "${sha1}" "${keyset}"); then
 die "Failed to choose signing key for APK '${apk}' (SHA1 '${sha1}') in \
-build flavor '${build_flavor}'."
+build flavor '${flavor_prop}'."
 fi
 if [[ -z "${keyname}" ]]; then
 continue
--
cgit v1.2.1
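Review bot: The value assigned to `flavor_prop` in the `@@ -94,14 +94,31 @@` hunk is never checked to be a single line, so a build.prop carrying more than one `ro.build.flavor=` entry produces a multi-line string and the `aosp_cheets_*` / `cheets_*` globs pick the keyset from the first entry only, since `*` in `[[ == ]]` also matches newlines. Because that keyset decides which certificate fingerprints `choose_key` maps to signing keys, I would fail closed right after the assignment with `[[ "${flavor_prop}" != *$'\n'* ]] || die "Multiple ro.build.flavor entries in build.prop."`. The patterns also accept any suffix after the prefix, whereas the comment documents `${arch}-user(debug)`; tightening them to that shape is worth considering. The body of `sign_framework_apks` continues past the end of this hunk, so a later check may exist that is not visible here.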