sign_target_files_apks.py revision e121d6acf47c3056e079ff62c82171e889cec3e0
1#!/usr/bin/env python 2# 3# Copyright (C) 2008 The Android Open Source Project 4# 5# Licensed under the Apache License, Version 2.0 (the "License"); 6# you may not use this file except in compliance with the License. 7# You may obtain a copy of the License at 8# 9# http://www.apache.org/licenses/LICENSE-2.0 10# 11# Unless required by applicable law or agreed to in writing, software 12# distributed under the License is distributed on an "AS IS" BASIS, 13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14# See the License for the specific language governing permissions and 15# limitations under the License. 16 17""" 18Signs all the APK files in a target-files zipfile, producing a new 19target-files zip. 20 21Usage: sign_target_files_apks [flags] input_target_files output_target_files 22 23 -e (--extra_apks) <name,name,...=key> 24 Add extra APK name/key pairs as though they appeared in 25 apkcerts.txt (so mappings specified by -k and -d are applied). 26 Keys specified in -e override any value for that app contained 27 in the apkcerts.txt file. Option may be repeated to give 28 multiple extra packages. 29 30 -k (--key_mapping) <src_key=dest_key> 31 Add a mapping from the key name as specified in apkcerts.txt (the 32 src_key) to the real key you wish to sign the package with 33 (dest_key). Option may be repeated to give multiple key 34 mappings. 35 36 -d (--default_key_mappings) <dir> 37 Set up the following key mappings: 38 39 build/target/product/security/testkey ==> $dir/releasekey 40 build/target/product/security/media ==> $dir/media 41 build/target/product/security/shared ==> $dir/shared 42 build/target/product/security/platform ==> $dir/platform 43 44 -d and -k options are added to the set of mappings in the order 45 in which they appear on the command line. 46 47 -o (--replace_ota_keys) 48 Replace the certificate (public key) used by OTA package 49 verification with the one specified in the input target_files 50 zip (in the META/otakeys.txt file). Key remapping (-k and -d) 51 is performed on this key. 52 53 -t (--tag_changes) <+tag>,<-tag>,... 54 Comma-separated list of changes to make to the set of tags (in 55 the last component of the build fingerprint). Prefix each with 56 '+' or '-' to indicate whether that tag should be added or 57 removed. Changes are processed in the order they appear. 58 Default value is "-test-keys,+release-keys". 59 60""" 61 62import sys 63 64if sys.hexversion < 0x02040000: 65 print >> sys.stderr, "Python 2.4 or newer is required." 66 sys.exit(1) 67 68import cStringIO 69import copy 70import os 71import re 72import subprocess 73import tempfile 74import zipfile 75 76import common 77 78OPTIONS = common.OPTIONS 79 80OPTIONS.extra_apks = {} 81OPTIONS.key_map = {} 82OPTIONS.replace_ota_keys = False 83OPTIONS.tag_changes = ("-test-keys", "+release-keys") 84 85def GetApkCerts(tf_zip): 86 certmap = common.ReadApkCerts(tf_zip) 87 88 # apply the key remapping to the contents of the file 89 for apk, cert in certmap.iteritems(): 90 certmap[apk] = OPTIONS.key_map.get(cert, cert) 91 92 # apply all the -e options, overriding anything in the file 93 for apk, cert in OPTIONS.extra_apks.iteritems(): 94 if not cert: 95 cert = "PRESIGNED" 96 certmap[apk] = OPTIONS.key_map.get(cert, cert) 97 98 return certmap 99 100 101def CheckAllApksSigned(input_tf_zip, apk_key_map): 102 """Check that all the APKs we want to sign have keys specified, and 103 error out if they don't.""" 104 unknown_apks = [] 105 for info in input_tf_zip.infolist(): 106 if info.filename.endswith(".apk"): 107 name = os.path.basename(info.filename) 108 if name not in apk_key_map: 109 unknown_apks.append(name) 110 if unknown_apks: 111 print "ERROR: no key specified for:\n\n ", 112 print "\n ".join(unknown_apks) 113 print "\nUse '-e <apkname>=' to specify a key (which may be an" 114 print "empty string to not sign this apk)." 115 sys.exit(1) 116 117 118def SignApk(data, keyname, pw): 119 unsigned = tempfile.NamedTemporaryFile() 120 unsigned.write(data) 121 unsigned.flush() 122 123 signed = tempfile.NamedTemporaryFile() 124 125 common.SignFile(unsigned.name, signed.name, keyname, pw, align=4) 126 127 data = signed.read() 128 unsigned.close() 129 signed.close() 130 131 return data 132 133 134def SignApks(input_tf_zip, output_tf_zip, apk_key_map, key_passwords): 135 maxsize = max([len(os.path.basename(i.filename)) 136 for i in input_tf_zip.infolist() 137 if i.filename.endswith('.apk')]) 138 139 for info in input_tf_zip.infolist(): 140 data = input_tf_zip.read(info.filename) 141 out_info = copy.copy(info) 142 if info.filename.endswith(".apk"): 143 name = os.path.basename(info.filename) 144 key = apk_key_map[name] 145 if key not in common.SPECIAL_CERT_STRINGS: 146 print " signing: %-*s (%s)" % (maxsize, name, key) 147 signed_data = SignApk(data, key, key_passwords[key]) 148 output_tf_zip.writestr(out_info, signed_data) 149 else: 150 # an APK we're not supposed to sign. 151 print "NOT signing: %s" % (name,) 152 output_tf_zip.writestr(out_info, data) 153 elif info.filename in ("SYSTEM/build.prop", 154 "RECOVERY/RAMDISK/default.prop"): 155 print "rewriting %s:" % (info.filename,) 156 new_data = RewriteProps(data) 157 output_tf_zip.writestr(out_info, new_data) 158 else: 159 # a non-APK file; copy it verbatim 160 output_tf_zip.writestr(out_info, data) 161 162 163def EditTags(tags): 164 """Given a string containing comma-separated tags, apply the edits 165 specified in OPTIONS.tag_changes and return the updated string.""" 166 tags = set(tags.split(",")) 167 for ch in OPTIONS.tag_changes: 168 if ch[0] == "-": 169 tags.discard(ch[1:]) 170 elif ch[0] == "+": 171 tags.add(ch[1:]) 172 return ",".join(sorted(tags)) 173 174 175def RewriteProps(data): 176 output = [] 177 for line in data.split("\n"): 178 line = line.strip() 179 original_line = line 180 if line and line[0] != '#': 181 key, value = line.split("=", 1) 182 if key == "ro.build.fingerprint": 183 pieces = value.split("/") 184 pieces[-1] = EditTags(pieces[-1]) 185 value = "/".join(pieces) 186 elif key == "ro.build.description": 187 pieces = value.split(" ") 188 assert len(pieces) == 5 189 pieces[-1] = EditTags(pieces[-1]) 190 value = " ".join(pieces) 191 elif key == "ro.build.tags": 192 value = EditTags(value) 193 line = key + "=" + value 194 if line != original_line: 195 print " replace: ", original_line 196 print " with: ", line 197 output.append(line) 198 return "\n".join(output) + "\n" 199 200 201def ReplaceOtaKeys(input_tf_zip, output_tf_zip): 202 try: 203 keylist = input_tf_zip.read("META/otakeys.txt").split() 204 except KeyError: 205 raise ExternalError("can't read META/otakeys.txt from input") 206 207 misc_info = common.LoadInfoDict(input_tf_zip) 208 209 extra_recovery_keys = misc_info.get("extra_recovery_keys", None) 210 if extra_recovery_keys: 211 extra_recovery_keys = [OPTIONS.key_map.get(k, k) + ".x509.pem" 212 for k in extra_recovery_keys.split()] 213 if extra_recovery_keys: 214 print "extra recovery-only key(s): " + ", ".join(extra_recovery_keys) 215 else: 216 extra_recovery_keys = [] 217 218 mapped_keys = [] 219 for k in keylist: 220 m = re.match(r"^(.*)\.x509\.pem$", k) 221 if not m: 222 raise ExternalError("can't parse \"%s\" from META/otakeys.txt" % (k,)) 223 k = m.group(1) 224 mapped_keys.append(OPTIONS.key_map.get(k, k) + ".x509.pem") 225 226 if mapped_keys: 227 print "using:\n ", "\n ".join(mapped_keys) 228 print "for OTA package verification" 229 else: 230 mapped_keys.append( 231 OPTIONS.key_map.get("build/target/product/security/testkey", 232 "build/target/product/security/testkey") 233 + ".x509.pem") 234 print "META/otakeys.txt has no keys; using", mapped_keys[0] 235 236 # recovery uses a version of the key that has been slightly 237 # predigested (by DumpPublicKey.java) and put in res/keys. 238 # extra_recovery_keys are used only in recovery. 239 240 p = common.Run(["java", "-jar", 241 os.path.join(OPTIONS.search_path, "framework", "dumpkey.jar")] 242 + mapped_keys + extra_recovery_keys, 243 stdout=subprocess.PIPE) 244 data, _ = p.communicate() 245 if p.returncode != 0: 246 raise ExternalError("failed to run dumpkeys") 247 common.ZipWriteStr(output_tf_zip, "RECOVERY/RAMDISK/res/keys", data) 248 249 # SystemUpdateActivity uses the x509.pem version of the keys, but 250 # put into a zipfile system/etc/security/otacerts.zip. 251 # We DO NOT include the extra_recovery_keys (if any) here. 252 253 tempfile = cStringIO.StringIO() 254 certs_zip = zipfile.ZipFile(tempfile, "w") 255 for k in mapped_keys: 256 certs_zip.write(k) 257 certs_zip.close() 258 common.ZipWriteStr(output_tf_zip, "SYSTEM/etc/security/otacerts.zip", 259 tempfile.getvalue()) 260 261 262def main(argv): 263 264 def option_handler(o, a): 265 if o in ("-e", "--extra_apks"): 266 names, key = a.split("=") 267 names = names.split(",") 268 for n in names: 269 OPTIONS.extra_apks[n] = key 270 elif o in ("-d", "--default_key_mappings"): 271 OPTIONS.key_map.update({ 272 "build/target/product/security/testkey": "%s/releasekey" % (a,), 273 "build/target/product/security/media": "%s/media" % (a,), 274 "build/target/product/security/shared": "%s/shared" % (a,), 275 "build/target/product/security/platform": "%s/platform" % (a,), 276 }) 277 elif o in ("-k", "--key_mapping"): 278 s, d = a.split("=") 279 OPTIONS.key_map[s] = d 280 elif o in ("-o", "--replace_ota_keys"): 281 OPTIONS.replace_ota_keys = True 282 elif o in ("-t", "--tag_changes"): 283 new = [] 284 for i in a.split(","): 285 i = i.strip() 286 if not i or i[0] not in "-+": 287 raise ValueError("Bad tag change '%s'" % (i,)) 288 new.append(i[0] + i[1:].strip()) 289 OPTIONS.tag_changes = tuple(new) 290 else: 291 return False 292 return True 293 294 args = common.ParseOptions(argv, __doc__, 295 extra_opts="e:d:k:ot:", 296 extra_long_opts=["extra_apks=", 297 "default_key_mappings=", 298 "key_mapping=", 299 "replace_ota_keys", 300 "tag_changes="], 301 extra_option_handler=option_handler) 302 303 if len(args) != 2: 304 common.Usage(__doc__) 305 sys.exit(1) 306 307 input_zip = zipfile.ZipFile(args[0], "r") 308 output_zip = zipfile.ZipFile(args[1], "w") 309 310 apk_key_map = GetApkCerts(input_zip) 311 CheckAllApksSigned(input_zip, apk_key_map) 312 313 key_passwords = common.GetKeyPasswords(set(apk_key_map.values())) 314 SignApks(input_zip, output_zip, apk_key_map, key_passwords) 315 316 if OPTIONS.replace_ota_keys: 317 ReplaceOtaKeys(input_zip, output_zip) 318 319 input_zip.close() 320 output_zip.close() 321 322 print "done." 323 324 325if __name__ == '__main__': 326 try: 327 main(sys.argv[1:]) 328 except common.ExternalError, e: 329 print 330 print " ERROR: %s" % (e,) 331 print 332 sys.exit(1) 333