From 6b6a130924ba6d881d2db44d6382ab96fcb061d9 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Tue, 3 Apr 2018 12:32:43 -0400
Subject: [PATCH] Add optional automated signing

Change-Id: I2a7efac25b3e48d3edcadcb9a57e9a7dbc7dfac0
---
 core/Makefile | 43 +++++++++++++++++++++++++++++++++++++------
 1 file changed, 37 insertions(+), 6 deletions(-)

diff --git a/core/Makefile b/core/Makefile
index 3fb424733..207088b93 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -416,6 +416,11 @@ ifneq ($(OTA_PACKAGE_SIGNING_KEY),)
     DEFAULT_KEY_CERT_PAIR := $(OTA_PACKAGE_SIGNING_KEY)
 endif
 
+ifneq ($(SIGNING_KEY_DIR),)
+    KEY_CERT_DIR := $(SIGNING_KEY_DIR)
+    DEFAULT_KEY_CERT_PAIR := $(SIGNING_KEY_DIR)/releasekey
+endif
+
 # Rules that need to be present for the all targets, even
 # if they don't do anything.
 .PHONY: systemimage
@@ -1033,11 +1038,15 @@ endif
 # substitute other keys for this one.
 OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
 
-ifneq ($(OTA_PACKAGE_SIGNING_KEY),)
-    OTA_PUBLIC_KEYS := $(OTA_PACKAGE_SIGNING_KEY).x509.pem
-    PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
+ifneq ($(SIGNING_KEY_DIR),)
+    OTA_PUBLIC_KEYS := $(SIGNING_KEY_DIR)/releasekey.x509.pem
+    PRODUCT_EXTRA_RECOVERY_KEYS += $(SIGNING_KEY_DIR)/extra
+else
+    ifneq ($(OTA_PACKAGE_SIGNING_KEY),)
+	OTA_PUBLIC_KEYS := $(OTA_PACKAGE_SIGNING_KEY).x509.pem
+	PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
+    endif
 endif
-
 # Generate a file containing the keys that will be read by the
 # recovery binary.
 RECOVERY_INSTALL_OTA_KEYS := \
@@ -1823,6 +1832,13 @@ $(BUILT_TARGET_FILES_PACKAGE): intermediates := $(intermediates)
 $(BUILT_TARGET_FILES_PACKAGE): \
 		zip_root := $(intermediates)/$(name)
 
+SIGNED_TARGET_FILES_PACKAGE := $(intermediates)/signed-$(name).zip
+MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(BUILT_TARGET_FILES_PACKAGE)
+
+ifneq ($(SIGNING_KEY_DIR),)
+  MAYBE_SIGNED_TARGET_FILES_PACKAGE := $(SIGNED_TARGET_FILES_PACKAGE)
+endif
+
 # $(1): Directory to copy
 # $(2): Location to copy it to
 # The "ls -A" is to prevent "acp s/* d" from failing if s is empty.
@@ -2190,6 +2206,12 @@ else
     OTA_FROM_TARGET_SCRIPT := $(TARGET_RELEASETOOL_OTA_FROM_TARGET_SCRIPT)
 endif
 
+ifeq ($(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT),)
+    SIGN_TARGET_SCRIPT := ./build/tools/releasetools/sign_target_files_apks
+else
+    SIGN_TARGET_SCRIPT := $(TARGET_RELEASETOOL_SIGN_TARGET_SCRIPT)
+endif
+
 ifeq ($(WITH_GMS),true)
     $(INTERNAL_OTA_PACKAGE_TARGET): backuptool := false
 else
@@ -2210,7 +2232,16 @@ ifneq ($(BLOCK_BASED_OTA),false)
     $(INTERNAL_OTA_PACKAGE_TARGET): block_based := --block
 endif
 
-$(INTERNAL_OTA_PACKAGE_TARGET): $(BUILT_TARGET_FILES_PACKAGE)
+$(SIGNED_TARGET_FILES_PACKAGE): $(BUILT_TARGET_FILES_PACKAGE)
+	@echo "$(SIGN_TARGET_SCRIPT)" > $(PRODUCT_OUT)/sign_script_path
+	@echo -e ${CL_YLW}"Sign target files:"${CL_RST}" $@"
+	$(hide) $(SIGN_TARGET_SCRIPT) \
+	   -d $(KEY_CERT_DIR) \
+	   -o \
+	   $(BUILT_TARGET_FILES_PACKAGE) \
+	   $(SIGNED_TARGET_FILES_PACKAGE)
+
+$(INTERNAL_OTA_PACKAGE_TARGET): $(MAYBE_SIGNED_TARGET_FILES_PACKAGE)
 	@echo "$(OTA_FROM_TARGET_SCRIPT)" > $(PRODUCT_OUT)/ota_script_path
 	@echo "Package OTA: $@"
 	$(hide) PATH=$(foreach p,$(INTERNAL_USERIMAGES_BINARY_PATHS),$(p):)$$PATH MKBOOTIMG=$(MKBOOTIMG) \
@@ -2220,7 +2251,7 @@ $(INTERNAL_OTA_PACKAGE_TARGET): $(BUILT_TARGET_FILES_PACKAGE)
 	   -k $(KEY_CERT_PAIR) \
 	   --backup=$(backuptool) \
 	   $(if $(OEM_OTA_CONFIG), -o $(OEM_OTA_CONFIG)) \
-	   $(BUILT_TARGET_FILES_PACKAGE) $@
+	   $(MAYBE_SIGNED_TARGET_FILES_PACKAGE) $@
 
 CM_TARGET_PACKAGE := $(PRODUCT_OUT)/lineage-$(LINEAGE_VERSION).zip
 
-- 
2.16.3