scripts/image_signing/lib/sign_android_lib.sh - mirrors/cros/chromiumos/platform/vboot_reference - Git at Google

 #!/bin/bash

 # Copyright 2018 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 . "$(dirname "$0")/common.sh"

 #######################################
 # Return name according to the current signing debug key. The name is used to
 # select key files.
 # Globals:
 #   None
 # Arguments:
 #   sha1: signature of the APK.
 #   keyset: "cheets" or "aosp" build?
 # Outputs:
 #   Writes the name of the key to stdout.
 # Returns:
 #   0 on success, non-zero on error.
 #######################################
 android_choose_key() {
   local sha1="$1"
   local keyset="$2"

   if [[ "${keyset}" != "aosp" && "${keyset}" != "cheets" ]]; then
     error "Unknown Android build keyset '${keyset}'."
     return 1
   fi

   # Fingerprints below are generated by:
   # 'cheets' keyset:
   # $ keytool -file vendor/google/certs/cheetskeys/$NAME.x509.pem -printcert \
   #     | grep SHA1:
   # 'aosp' keyset:
   # $ keytool -file build/target/product/security/$NAME.x509.pem -printcert \
   #     | grep SHA1:
   declare -A platform_sha=(
     ['cheets']='AA:04:E0:5F:82:9C:7E:D1:B9:F8:FC:99:6C:5A:54:43:83:D9:F5:BC'
     ['aosp']='27:19:6E:38:6B:87:5E:76:AD:F7:00:E7:EA:84:E4:C6:EE:E3:3D:FA'
   )
   declare -A media_sha=(
     ['cheets']='D4:C4:2D:E0:B9:1B:15:72:FA:7D:A7:21:E0:A6:09:94:B4:4C:B5:AE'
     ['aosp']='B7:9D:F4:A8:2E:90:B5:7E:A7:65:25:AB:70:37:AB:23:8A:42:F5:D3'
   )
   declare -A shared_sha=(
     ['cheets']='38:B6:2C:E1:75:98:E3:E1:1C:CC:F6:6B:83:BB:97:0E:2D:40:6C:AE'
     ['aosp']='5B:36:8C:FF:2D:A2:68:69:96:BC:95:EA:C1:90:EA:A4:F5:63:0F:E5'
   )
   declare -A release_sha=(
     ['cheets']='EC:63:36:20:23:B7:CB:66:18:70:D3:39:3C:A9:AE:7E:EF:A9:32:42'
     ['aosp']='61:ED:37:7E:85:D3:86:A8:DF:EE:6B:86:4B:D8:5B:0B:FA:A5:AF:81'
   )

   case "${sha1}" in
     "${platform_sha["${keyset}"]}")
       echo "platform"
       ;;
     "${media_sha["${keyset}"]}")
       echo "media"
       ;;
     "${shared_sha["${keyset}"]}")
       echo "shared"
       ;;
     "${release_sha["${keyset}"]}")
       # The release_sha[] fingerprint is from devkey. Translate to releasekey.
       echo "releasekey"
       ;;
     *)
       # Not a framework apk.  Do not re-sign.
       echo ""
       ;;
   esac
   return 0
 }

 #######################################
 # Extract 'ro.build.flavor' property from build property file.
 # Globals:
 #   None
 # Arguments:
 #   build_prop_file: path to build property file.
 # Outputs:
 #   Writes the value of the property to stdout.
 # Returns:
 #   0 on success, non-zero on error.
 #######################################
 android_get_build_flavor_prop() {
   local build_prop_file="$1"
   local flavor_prop=""

   if ! flavor_prop=$(grep -a "^ro\.build\.flavor=" "${build_prop_file}"); then
     return 1
   fi
   flavor_prop=$(echo "${flavor_prop}" | cut -d "=" -f2)
   echo "${flavor_prop}"
   return 0
 }

 #######################################
 # Pick the expected keyset ('cheets', 'aosp') depending on the build flavor.
 # Globals:
 #   None
 # Arguments:
 #   flavor_prop: the value of the build flavor property.
 # Outputs:
 #   Writes the name of the keyset to stdout.
 # Returns:
 #   0 on success, non-zero on error.
 #######################################
 android_choose_signing_keyset() {
   local flavor_prop="$1"

   # Property ro.build.flavor follows those patterns:
   # - cheets builds:
   #   ro.build.flavor=cheets_${arch}-user(debug)
   # - SDK builds:
   #   ro.build.flavor=sdk_google_cheets_${arch}-user(debug) # For N
   #   ro.build.flavor=sdk_cheets_${arch}-user(debug) # For P
   # - AOSP builds:
   #   ro.build.flavor=aosp_cheets_${arch}-user(debug)
   # "cheets" and "SDK" builds both use the same signing keys, cheetskeys. "AOSP"
   # builds use the public AOSP signing keys.
   if [[ "${flavor_prop}" == aosp_cheets_* ]]; then
     keyset="aosp"
   elif [[ "${flavor_prop}" == cheets_* ||
     "${flavor_prop}" == sdk_cheets_* ||
     "${flavor_prop}" == sdk_google_cheets_* ]]; then
     keyset="cheets"
   else
     return 1
   fi
   echo "${keyset}"
   return 0
 }
	#!/bin/bash

	# Copyright 2018 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	. "$(dirname "$0")/common.sh"

	#######################################
	# Return name according to the current signing debug key. The name is used to
	# select key files.
	# Globals:
	# None
	# Arguments:
	# sha1: signature of the APK.
	# keyset: "cheets" or "aosp" build?
	# Outputs:
	# Writes the name of the key to stdout.
	# Returns:
	# 0 on success, non-zero on error.
	#######################################
	android_choose_key() {
	local sha1="$1"
	local keyset="$2"

	if [[ "${keyset}" != "aosp" && "${keyset}" != "cheets" ]]; then
	error "Unknown Android build keyset '${keyset}'."
	return 1
	fi

	# Fingerprints below are generated by:
	# 'cheets' keyset:
	# $ keytool -file vendor/google/certs/cheetskeys/$NAME.x509.pem -printcert \
	# \| grep SHA1:
	# 'aosp' keyset:
	# $ keytool -file build/target/product/security/$NAME.x509.pem -printcert \
	# \| grep SHA1:
	declare -A platform_sha=(
	['cheets']='AA:04:E0:5F:82:9C:7E:D1:B9:F8:FC:99:6C:5A:54:43:83:D9:F5:BC'
	['aosp']='27:19:6E:38:6B:87:5E:76:AD:F7:00:E7:EA:84:E4:C6:EE:E3:3D:FA'
	)
	declare -A media_sha=(
	['cheets']='D4:C4:2D:E0:B9:1B:15:72:FA:7D:A7:21:E0:A6:09:94:B4:4C:B5:AE'
	['aosp']='B7:9D:F4:A8:2E:90:B5:7E:A7:65:25:AB:70:37:AB:23:8A:42:F5:D3'
	)
	declare -A shared_sha=(
	['cheets']='38:B6:2C:E1:75:98:E3:E1:1C:CC:F6:6B:83:BB:97:0E:2D:40:6C:AE'
	['aosp']='5B:36:8C:FF:2D:A2:68:69:96:BC:95:EA:C1:90:EA:A4:F5:63:0F:E5'
	)
	declare -A release_sha=(
	['cheets']='EC:63:36:20:23:B7:CB:66:18:70:D3:39:3C:A9:AE:7E:EF:A9:32:42'
	['aosp']='61:ED:37:7E:85:D3:86:A8:DF:EE:6B:86:4B:D8:5B:0B:FA:A5:AF:81'
	)

	case "${sha1}" in
	"${platform_sha["${keyset}"]}")
	echo "platform"
	;;
	"${media_sha["${keyset}"]}")
	echo "media"
	;;
	"${shared_sha["${keyset}"]}")
	echo "shared"
	;;
	"${release_sha["${keyset}"]}")
	# The release_sha[] fingerprint is from devkey. Translate to releasekey.
	echo "releasekey"
	;;
	*)
	# Not a framework apk. Do not re-sign.
	echo ""
	;;
	esac
	return 0
	}

	#######################################
	# Extract 'ro.build.flavor' property from build property file.
	# Globals:
	# None
	# Arguments:
	# build_prop_file: path to build property file.
	# Outputs:
	# Writes the value of the property to stdout.
	# Returns:
	# 0 on success, non-zero on error.
	#######################################
	android_get_build_flavor_prop() {
	local build_prop_file="$1"
	local flavor_prop=""

	if ! flavor_prop=$(grep -a "^ro\.build\.flavor=" "${build_prop_file}"); then
	return 1
	fi
	flavor_prop=$(echo "${flavor_prop}" \| cut -d "=" -f2)
	echo "${flavor_prop}"
	return 0
	}

	#######################################
	# Pick the expected keyset ('cheets', 'aosp') depending on the build flavor.
	# Globals:
	# None
	# Arguments:
	# flavor_prop: the value of the build flavor property.
	# Outputs:
	# Writes the name of the keyset to stdout.
	# Returns:
	# 0 on success, non-zero on error.
	#######################################
	android_choose_signing_keyset() {
	local flavor_prop="$1"

	# Property ro.build.flavor follows those patterns:
	# - cheets builds:
	# ro.build.flavor=cheets_${arch}-user(debug)
	# - SDK builds:
	# ro.build.flavor=sdk_google_cheets_${arch}-user(debug) # For N
	# ro.build.flavor=sdk_cheets_${arch}-user(debug) # For P
	# - AOSP builds:
	# ro.build.flavor=aosp_cheets_${arch}-user(debug)
	# "cheets" and "SDK" builds both use the same signing keys, cheetskeys. "AOSP"
	# builds use the public AOSP signing keys.
	if [[ "${flavor_prop}" == aosp_cheets_* ]]; then
	keyset="aosp"
	elif [[ "${flavor_prop}" == cheets_* \|\|
	"${flavor_prop}" == sdk_cheets_* \|\|
	"${flavor_prop}" == sdk_google_cheets_* ]]; then
	keyset="cheets"
	else
	return 1
	fi
	echo "${keyset}"
	return 0
	}