sign_target_files_apks.py revision ae877013ab8d87b9f0da111adcb7621f477451c6
1#!/usr/bin/env python 2# 3# Copyright (C) 2008 The Android Open Source Project 4# 5# Licensed under the Apache License, Version 2.0 (the "License"); 6# you may not use this file except in compliance with the License. 7# You may obtain a copy of the License at 8# 9# http://www.apache.org/licenses/LICENSE-2.0 10# 11# Unless required by applicable law or agreed to in writing, software 12# distributed under the License is distributed on an "AS IS" BASIS, 13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14# See the License for the specific language governing permissions and 15# limitations under the License. 16 17""" 18Signs all the APK files in a target-files zipfile, producing a new 19target-files zip. 20 21Usage: sign_target_files_apks [flags] input_target_files output_target_files 22 23 -s (--signapk_jar) <path> 24 Path of the signapks.jar file used to sign an individual APK 25 file. 26 27 -e (--extra_apks) <name,name,...=key> 28 Add extra APK name/key pairs as though they appeared in 29 apkcerts.txt (so mappings specified by -k and -d are applied). 30 Keys specified in -e override any value for that app contained 31 in the apkcerts.txt file. Option may be repeated to give 32 multiple extra packages. 33 34 -k (--key_mapping) <src_key=dest_key> 35 Add a mapping from the key name as specified in apkcerts.txt (the 36 src_key) to the real key you wish to sign the package with 37 (dest_key). Option may be repeated to give multiple key 38 mappings. 39 40 -d (--default_key_mappings) <dir> 41 Set up the following key mappings: 42 43 build/target/product/security/testkey ==> $dir/releasekey 44 build/target/product/security/media ==> $dir/media 45 build/target/product/security/shared ==> $dir/shared 46 build/target/product/security/platform ==> $dir/platform 47 48 -d and -k options are added to the set of mappings in the order 49 in which they appear on the command line. 50 51 -o (--replace_ota_keys) 52 Replace the certificate (public key) used by OTA package 53 verification with the one specified in the input target_files 54 zip (in the META/otakeys.txt file). Key remapping (-k and -d) 55 is performed on this key. 56 57 -t (--tag_changes) <+tag>,<-tag>,... 58 Comma-separated list of changes to make to the set of tags (in 59 the last component of the build fingerprint). Prefix each with 60 '+' or '-' to indicate whether that tag should be added or 61 removed. Changes are processed in the order they appear. 62 Default value is "-test-keys,+ota-rel-keys,+release-keys". 63 64""" 65 66import sys 67 68if sys.hexversion < 0x02040000: 69 print >> sys.stderr, "Python 2.4 or newer is required." 70 sys.exit(1) 71 72import cStringIO 73import copy 74import os 75import re 76import subprocess 77import tempfile 78import zipfile 79 80import common 81 82OPTIONS = common.OPTIONS 83 84OPTIONS.extra_apks = {} 85OPTIONS.key_map = {} 86OPTIONS.replace_ota_keys = False 87OPTIONS.tag_changes = ("-test-keys", "+ota-rel-keys", "+release-keys") 88 89def GetApkCerts(tf_zip): 90 certmap = {} 91 for line in tf_zip.read("META/apkcerts.txt").split("\n"): 92 line = line.strip() 93 if not line: continue 94 m = re.match(r'^name="(.*)"\s+certificate="(.*)\.x509\.pem"\s+' 95 r'private_key="\2\.pk8"$', line) 96 if not m: 97 raise SigningError("failed to parse line from apkcerts.txt:\n" + line) 98 certmap[m.group(1)] = OPTIONS.key_map.get(m.group(2), m.group(2)) 99 for apk, cert in OPTIONS.extra_apks.iteritems(): 100 certmap[apk] = OPTIONS.key_map.get(cert, cert) 101 return certmap 102 103 104def SignApk(data, keyname, pw): 105 unsigned = tempfile.NamedTemporaryFile() 106 unsigned.write(data) 107 unsigned.flush() 108 109 signed = tempfile.NamedTemporaryFile() 110 111 common.SignFile(unsigned.name, signed.name, keyname, pw, align=4) 112 113 data = signed.read() 114 unsigned.close() 115 signed.close() 116 117 return data 118 119 120def SignApks(input_tf_zip, output_tf_zip): 121 apk_key_map = GetApkCerts(input_tf_zip) 122 123 maxsize = max([len(os.path.basename(i.filename)) 124 for i in input_tf_zip.infolist() 125 if i.filename.endswith('.apk')]) 126 127 # Check that all the APKs we want to sign have keys specified, and 128 # error out if they don't. Do this before prompting for key 129 # passwords in case we're going to fail anyway. 130 unknown_apks = [] 131 for info in input_tf_zip.infolist(): 132 if info.filename.endswith(".apk"): 133 name = os.path.basename(info.filename) 134 if name not in apk_key_map: 135 unknown_apks.append(name) 136 if unknown_apks: 137 print "ERROR: no key specified for:\n\n ", 138 print "\n ".join(unknown_apks) 139 print "\nUse '-e <apkname>=' to specify a key (which may be an" 140 print "empty string to not sign this apk)." 141 sys.exit(1) 142 143 key_passwords = common.GetKeyPasswords(set(apk_key_map.values())) 144 145 for info in input_tf_zip.infolist(): 146 data = input_tf_zip.read(info.filename) 147 out_info = copy.copy(info) 148 if info.filename.endswith(".apk"): 149 name = os.path.basename(info.filename) 150 key = apk_key_map[name] 151 if key: 152 print " signing: %-*s (%s)" % (maxsize, name, key) 153 signed_data = SignApk(data, key, key_passwords[key]) 154 output_tf_zip.writestr(out_info, signed_data) 155 else: 156 # an APK we're not supposed to sign. 157 print "NOT signing: %s" % (name,) 158 output_tf_zip.writestr(out_info, data) 159 elif info.filename in ("SYSTEM/build.prop", 160 "RECOVERY/RAMDISK/default.prop"): 161 print "rewriting %s:" % (info.filename,) 162 new_data = RewriteProps(data) 163 output_tf_zip.writestr(out_info, new_data) 164 else: 165 # a non-APK file; copy it verbatim 166 output_tf_zip.writestr(out_info, data) 167 168 169def RewriteProps(data): 170 output = [] 171 for line in data.split("\n"): 172 line = line.strip() 173 original_line = line 174 if line and line[0] != '#': 175 key, value = line.split("=", 1) 176 if key == "ro.build.fingerprint": 177 pieces = line.split("/") 178 tags = set(pieces[-1].split(",")) 179 for ch in OPTIONS.tag_changes: 180 if ch[0] == "-": 181 tags.discard(ch[1:]) 182 elif ch[0] == "+": 183 tags.add(ch[1:]) 184 line = "/".join(pieces[:-1] + [",".join(sorted(tags))]) 185 elif key == "ro.build.description": 186 pieces = line.split(" ") 187 assert len(pieces) == 5 188 tags = set(pieces[-1].split(",")) 189 for ch in OPTIONS.tag_changes: 190 if ch[0] == "-": 191 tags.discard(ch[1:]) 192 elif ch[0] == "+": 193 tags.add(ch[1:]) 194 line = " ".join(pieces[:-1] + [",".join(sorted(tags))]) 195 if line != original_line: 196 print " replace: ", original_line 197 print " with: ", line 198 output.append(line) 199 return "\n".join(output) + "\n" 200 201 202def ReplaceOtaKeys(input_tf_zip, output_tf_zip): 203 try: 204 keylist = input_tf_zip.read("META/otakeys.txt").split() 205 except KeyError: 206 raise ExternalError("can't read META/otakeys.txt from input") 207 208 mapped_keys = [] 209 for k in keylist: 210 m = re.match(r"^(.*)\.x509\.pem$", k) 211 if not m: 212 raise ExternalError("can't parse \"%s\" from META/otakeys.txt" % (k,)) 213 k = m.group(1) 214 mapped_keys.append(OPTIONS.key_map.get(k, k) + ".x509.pem") 215 216 print "using:\n ", "\n ".join(mapped_keys) 217 print "for OTA package verification" 218 219 # recovery uses a version of the key that has been slightly 220 # predigested (by DumpPublicKey.java) and put in res/keys. 221 222 p = common.Run(["java", "-jar", OPTIONS.dumpkey_jar] + mapped_keys, 223 stdout=subprocess.PIPE) 224 data, _ = p.communicate() 225 if p.returncode != 0: 226 raise ExternalError("failed to run dumpkeys") 227 output_tf_zip.writestr("RECOVERY/RAMDISK/res/keys", data) 228 229 # SystemUpdateActivity uses the x509.pem version of the keys, but 230 # put into a zipfile system/etc/security/otacerts.zip. 231 232 tempfile = cStringIO.StringIO() 233 certs_zip = zipfile.ZipFile(tempfile, "w") 234 for k in mapped_keys: 235 certs_zip.write(k) 236 certs_zip.close() 237 output_tf_zip.writestr("SYSTEM/etc/security/otacerts.zip", 238 tempfile.getvalue()) 239 240 241def main(argv): 242 243 def option_handler(o, a): 244 if o in ("-s", "--signapk_jar"): 245 OPTIONS.signapk_jar = a 246 elif o in ("-e", "--extra_apks"): 247 names, key = a.split("=") 248 names = names.split(",") 249 for n in names: 250 OPTIONS.extra_apks[n] = key 251 elif o in ("-d", "--default_key_mappings"): 252 OPTIONS.key_map.update({ 253 "build/target/product/security/testkey": "%s/releasekey" % (a,), 254 "build/target/product/security/media": "%s/media" % (a,), 255 "build/target/product/security/shared": "%s/shared" % (a,), 256 "build/target/product/security/platform": "%s/platform" % (a,), 257 }) 258 elif o in ("-k", "--key_mapping"): 259 s, d = a.split("=") 260 OPTIONS.key_map[s] = d 261 elif o in ("-o", "--replace_ota_keys"): 262 OPTIONS.replace_ota_keys = True 263 elif o in ("-t", "--tag_changes"): 264 new = [] 265 for i in a.split(","): 266 i = i.strip() 267 if not i or i[0] not in "-+": 268 raise ValueError("Bad tag change '%s'" % (i,)) 269 new.append(i[0] + i[1:].strip()) 270 OPTIONS.tag_changes = tuple(new) 271 else: 272 return False 273 return True 274 275 args = common.ParseOptions(argv, __doc__, 276 extra_opts="s:e:d:k:ot:", 277 extra_long_opts=["signapk_jar=", 278 "extra_apks=", 279 "default_key_mappings=", 280 "key_mapping=", 281 "replace_ota_keys", 282 "tag_changes="], 283 extra_option_handler=option_handler) 284 285 if len(args) != 2: 286 common.Usage(__doc__) 287 sys.exit(1) 288 289 input_zip = zipfile.ZipFile(args[0], "r") 290 output_zip = zipfile.ZipFile(args[1], "w") 291 292 SignApks(input_zip, output_zip) 293 294 if OPTIONS.replace_ota_keys: 295 ReplaceOtaKeys(input_zip, output_zip) 296 297 input_zip.close() 298 output_zip.close() 299 300 print "done." 301 302 303if __name__ == '__main__': 304 try: 305 main(sys.argv[1:]) 306 except common.ExternalError, e: 307 print 308 print " ERROR: %s" % (e,) 309 print 310 sys.exit(1) 311