From 3548eba76a04254a32fb16c3a39192aba8e4d187 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Thu, 8 Mar 2018 22:03:43 -0500
Subject: [PATCH] Add optional automated signing
Change-Id: If38730428255a0de3939dfe1a0526b03ac948113
---
 core/Makefile | 41 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 38 insertions(+), 3 deletions(-)
diff --git a/core/Makefile b/core/Makefile
index b3f719a4f..b48328394 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -520,6 +520,10 @@ $(call dist-for-goals,droidcore,$(SOONG_TO_CONVERT))
 # exist with the suffixes ".x509.pem" and ".pk8".
 DEFAULT_KEY_CERT_PAIR := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
+ifneq ($(SIGNING_KEY_DIR),)
+ KEY_CERT_DIR := $(SIGNING_KEY_DIR)
+ DEFAULT_KEY_CERT_PAIR := $(SIGNING_KEY_DIR)/releasekey
+endif
 # Rules that need to be present for the all targets, even
 # if they don't do anything.
@@ -1220,6 +1224,16 @@ endif
 # substitute other keys for this one.
 OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+ifneq ($(SIGNING_KEY_DIR),)
+ OTA_PUBLIC_KEYS := $(SIGNING_KEY_DIR)/releasekey.x509.pem
+ PRODUCT_EXTRA_RECOVERY_KEYS += $(SIGNING_KEY_DIR)/extra
+else
+ ifneq ($(OTA_PACKAGE_SIGNING_KEY),)
+ OTA_PUBLIC_KEYS := $(OTA_PACKAGE_SIGNING_KEY).x509.pem
+ PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
+ endif
+endif
+
 # Generate a file containing the keys that will be read by the
 # recovery binary.
 RECOVERY_INSTALL_OTA_KEYS := \
@@ -2316,6 +2330,13 @@ $(BUILT_TARGET_FILES_PACKAGE): intermediates := $(intermediates)
 $(BUILT_TARGET_FILES_PACKAGE): \
 zip_root := $(intermediates)/$(name)
+SIGNED_TARGET_FILES_PACKAGE := $(intermediates)/signed-$(name).zip
+MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(BUILT_TARGET_FILES_PACKAGE)
+
+ifneq ($(SIGNING_KEY_DIR),)
+ MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(SIGNED_TARGET_FILES_PACKAGE)
+endif
+
 # $(1): Directory to copy
 # $(2): Location to copy it to
 # The "ls -A" is to prevent "acp s/* d" from failing if s is empty.
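Review bot: The `ifneq ($(SIGNING_KEY_DIR),)` test in the hunk at `@@ -520,6 +520,10 @@` switches `DEFAULT_KEY_CERT_PAIR` to `$(SIGNING_KEY_DIR)/releasekey` without checking that the key pair exists, so a mistyped or stale directory would presumably surface only when a later signing step fails. A whitespace-only value also counts as set. I would test `$(strip $(SIGNING_KEY_DIR))` and stop at parse time when `$(wildcard $(SIGNING_KEY_DIR)/releasekey.x509.pem)` is empty, for example with `$(error SIGNING_KEY_DIR has no releasekey.x509.pem)`. The same unstripped test is repeated in the hunks at `@@ -1220,6 +1224,16 @@` and `@@ -2316,6 +2330,13 @@`.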
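Review bot: In the hunk at `@@ -1220,6 +1224,16 @@`, the `OTA_PACKAGE_SIGNING_KEY` branch sets `PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)`, which keeps the default dev certificate trusted by recovery alongside the custom OTA key and, because it uses `:=`, discards any extra recovery keys the product already listed. If that dev certificate is a publicly available test key (its value is not visible in this hunk), update packages signed with it would still verify in recovery on builds meant to accept only the custom key. I would drop the line, or if the fallback is intentional use `+=` and add a comment such as `# recovery also accepts dev-key-signed packages; remove for release builds`. The `SIGNING_KEY_DIR` branch also assumes an `extra` key exists in the directory, which deserves a one-line comment.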
@@ -2774,6 +2795,12 @@ else
 OTA_SCRIPT_OVERRIDE_DEVICE := $(TARGET_OTA_ASSERT_DEVICE)
 endif
+ifeq ($(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT),)
+ SIGN_TARGET_SCRIPT := ./build/tools/releasetools/sign_target_files_apks
+else
+ SIGN_TARGET_SCRIPT := $(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT)
+endif
+
 ifeq ($(WITH_GMS),true)
 $(INTERNAL_OTA_PACKAGE_TARGET): backuptool := false
 else
@@ -2784,8 +2811,16 @@ else
 endif
 endif
-$(INTERNAL_OTA_PACKAGE_TARGET): $(BUILT_TARGET_FILES_PACKAGE) \
- build/tools/releasetools/ota_from_target_files
+$(SIGNED_TARGET_FILES_PACKAGE): $(BUILT_TARGET_FILES_PACKAGE) build/tools/releasetools/ota_from_target_files
+ @echo "$(SIGN_TARGET_SCRIPT)" > $(PRODUCT_OUT)/sign_script_path
+ @echo -e ${CL_YLW}"Sign target files:"${CL_RST}" $@"
+ $(hide) $(SIGN_TARGET_SCRIPT) \
+ -d $(KEY_CERT_DIR) \
+ -o \
+ $(BUILT_TARGET_FILES_PACKAGE) \
+ $(SIGNED_TARGET_FILES_PACKAGE)
+
+$(INTERNAL_OTA_PACKAGE_TARGET): $(MAYBE_SIGNED_TARGET_FILES_PACKAGE) build/tools/releasetools/ota_from_target_files
 @echo "Package OTA: $@"
 $(hide) PATH=$(foreach p,$(INTERNAL_USERIMAGES_BINARY_PATHS),$(p):)$$PATH MKBOOTIMG=$(MKBOOTIMG) \
 ./build/tools/releasetools/ota_from_target_files -v \
@@ -2795,7 +2830,7 @@ $(INTERNAL_OTA_PACKAGE_TARGET): $(BUILT_TARGET_FILES_PACKAGE) \
 -k $(KEY_CERT_PAIR) \
 --backup=$(backuptool) \
 $(if $(OEM_OTA_CONFIG), -o $(OEM_OTA_CONFIG)) \
- $(BUILT_TARGET_FILES_PACKAGE) $@
+ $(MAYBE_SIGNED_TARGET_FILES_PACKAGE) $@
 .PHONY: otapackage
 otapackage: $(INTERNAL_OTA_PACKAGE_TARGET)
--
2.16.2
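Review bot: The override in the hunk at `@@ -2774,6 +2795,12 @@` lets `TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT` replace the program that a later rule runs with `-d $(KEY_CERT_DIR)`, that is, with access to the release keys, and nothing in the hunk documents this. The variable is presumably set from device or product configuration, so a comment above the `ifeq` would make the trust boundary visible to whoever edits that configuration: `# Runs with access to the release keys in KEY_CERT_DIR; only point this at a reviewed, in-tree script.`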
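Review bot: The new `$(SIGNED_TARGET_FILES_PACKAGE)` rule in the hunk at `@@ -2784,8 +2811,16 @@` is defined even when `SIGNING_KEY_DIR` is unset, and this patch assigns `KEY_CERT_DIR` only inside that conditional, so `-d $(KEY_CERT_DIR) \` can expand to a bare `-d` that would likely take the following `-o` as its argument. Its prerequisite list also names `ota_from_target_files` while the recipe runs `$(SIGN_TARGET_SCRIPT)`, so a change to the signing script does not trigger re-signing. I would wrap the rule in `ifneq ($(strip $(SIGNING_KEY_DIR)),)` and `endif`, list `$(SIGN_TARGET_SCRIPT)` as the prerequisite, and quote the directory as `-d "$(KEY_CERT_DIR)" \`. The recipe also writes `$(PRODUCT_OUT)/sign_script_path`, a file that is not `$@`, and the reason for recording it deserves a comment. The `$(INTERNAL_OTA_PACKAGE_TARGET)` recipe continues past the end of this hunk.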