image_signing: Fix detection of build flavor
The original "ro.product.name" of the Android image is modified by the
Chrome OS build process to change it to the CrOS device name instead,
which breaks the detection of the build flavor.
Instead, we now rely on the "ro.build.flavor" property which is not
modified.
If the build flavor is either cheets_* or sdk_google_cheets_*, we expect
the keys to be the cheets keys. AOSP keys are used for aosp_cheets_*
build flavors.
BUG=b:72947583
TEST=run against caroline image, scripts detects 'cheets' build flavor
TEST=run against novato-arc64 image (SDK), script detects 'cheets' build
flavor
TEST=run against newbie image (AOSP), script detects 'aosp' build flavor
TEST=run against invalid build property 'paosp_cheets_...', script
aborts as expected
BRANCH=None
Change-Id: I662436b256b59238b00c7374120f315b538fcd75
Reviewed-on: https://chromium-review.googlesource.com/911905
Commit-Ready: Nicolas Norvez <norvez@chromium.org>
Tested-by: Nicolas Norvez <norvez@chromium.org>
Reviewed-by: Victor Hsieh <victorhsieh@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
diff --git a/scripts/image_signing/sign_android_image.sh b/scripts/image_signing/sign_android_image.sh
index 3bd6168..a205b5a 100755
--- a/scripts/image_signing/sign_android_image.sh
+++ b/scripts/image_signing/sign_android_image.sh
@@ -35,18 +35,18 @@
# select key files.
choose_key() {
local sha1="$1"
- local flavor="$2"
+ local keyset="$2"
- if [[ "${flavor}" != "aosp" && "${flavor}" != "cheets" ]]; then
- error "Unknown Android build flavor '${flavor}'"
+ if [[ "${keyset}" != "aosp" && "${keyset}" != "cheets" ]]; then
+ error "Unknown Android build keyset '${keyset}'"
return 1
fi
# Fingerprints below are generated by:
- # 'cheets' flavor:
+ # 'cheets' keyset:
# $ keytool -file vendor/google/certs/cheetskeys/$NAME.x509.pem -printcert \
# | grep SHA1:
- # 'aosp' flavor:
+ # 'aosp' keyset:
# $ keytool -file build/target/product/security/$NAME.x509.pem -printcert \
# | grep SHA1:
declare -A platform_sha=(
@@ -67,16 +67,16 @@
)
case "${sha1}" in
- "${platform_sha["${flavor}"]}")
+ "${platform_sha["${keyset}"]}")
echo "platform"
;;
- "${media_sha["${flavor}"]}")
+ "${media_sha["${keyset}"]}")
echo "media"
;;
- "${shared_sha["${flavor}"]}")
+ "${shared_sha["${keyset}"]}")
echo "shared"
;;
- "${release_sha["${flavor}"]}")
+ "${release_sha["${keyset}"]}")
# The release_sha[] fingerprint is from devkey. Translate to releasekey.
echo "releasekey"
;;
@@ -94,14 +94,31 @@
sign_framework_apks() {
local system_mnt="$1"
local key_dir="$2"
- local product=""
- local build_flavor=""
+ local flavor_prop=""
+ local keyset=""
- product=$(grep -a "^ro\.product\.name=" "${system_mnt}/system/build.prop" | \
- cut -d "=" -f2)
- build_flavor=$(echo "${product}" | cut -d "_" -f1)
- info "Found product name '${product}'."
- info "Detected build flavor '${build_flavor}'."
+ # Property ro.build.flavor follows those patterns:
+ # - cheets builds:
+ # ro.build.flavor=cheets_${arch}-user(debug)
+ # - SDK builds:
+ # ro.build.flavor=sdk_google_cheets_${arch}-user(debug)
+ # - AOSP builds:
+ # ro.build.flavor=aosp_cheets_${arch}-user(debug)
+ # "cheets" and "SDK" builds both use the same signing keys, cheetskeys. "AOSP"
+ # builds use the public AOSP signing keys.
+ flavor_prop=$(grep -a "^ro\.build\.flavor=" \
+ "${system_mnt}/system/build.prop" | cut -d "=" -f2)
+
+ info "Found build flavor property '${flavor_prop}'."
+ if [[ "${flavor_prop}" == aosp_cheets_* ]]; then
+ keyset="aosp"
+ elif [[ "${flavor_prop}" == cheets_* ||
+ "${flavor_prop}" == sdk_google_cheets_* ]]; then
+ keyset="cheets"
+ else
+ die "Unknown build flavor property '${flavor_prop}'."
+ fi
+ info "Expecting signing keyset '${keyset}'."
info "Start signing framework apks"
@@ -120,9 +137,9 @@
sha1=$(unzip -p "${apk}" META-INF/CERT.RSA | \
keytool -printcert | awk '/^\s*SHA1:/ {print $2}')
- if ! keyname=$(choose_key "${sha1}" "${build_flavor}"); then
+ if ! keyname=$(choose_key "${sha1}" "${keyset}"); then
die "Failed to choose signing key for APK '${apk}' (SHA1 '${sha1}') in \
-build flavor '${build_flavor}'."
+build flavor '${flavor_prop}'."
fi
if [[ -z "${keyname}" ]]; then
continue
