| author | 2019-09-23 14:22:59 +0000 | |
|---|---|---|
| committer | 2019-09-23 14:22:59 +0000 | |
| commit | 08f9da189803ce9844c5dc7f8bbfb1d4b87e8a1e (patch) | |
| tree | 48a8d796c73db3bb4409f898aaa7984d1b618bf3 /tools/releasetools/apex_utils.py | |
| parent | f129ffa04419a94eb4640f2229e0438c4b7503e8 (diff) | |
| parent | 448004af9d1b85f25e175e2097f14f89c904d4da (diff) | |
Merge "Don't generate hashtree when signing bundled APEXes."
Diffstat (limited to 'tools/releasetools/apex_utils.py')
| -rw-r--r-- | tools/releasetools/apex_utils.py | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/tools/releasetools/apex_utils.py b/tools/releasetools/apex_utils.py index 18ad8cec0d..ee3c463650 100644 --- a/tools/releasetools/apex_utils.py +++ b/tools/releasetools/apex_utils.py @@ -42,7 +42,7 @@ class ApexSigningError(Exception): def SignApexPayload(avbtool, payload_file, payload_key_path, payload_key_name, - algorithm, salt, signing_args=None): + algorithm, salt, no_hashtree, signing_args=None): """Signs a given payload_file with the payload key.""" # Add the new footer. Old footer, if any, will be replaced by avbtool. cmd = [avbtool, 'add_hashtree_footer', @@ -52,6 +52,8 @@ def SignApexPayload(avbtool, payload_file, payload_key_path, payload_key_name, '--prop', 'apex.key:{}'.format(payload_key_name), '--image', payload_file, '--salt', salt] + if no_hashtree: + cmd.append('--no_hashtree') if signing_args: cmd.extend(shlex.split(signing_args)) @@ -64,13 +66,15 @@ def SignApexPayload(avbtool, payload_file, payload_key_path, payload_key_name, # Verify the signed payload image with specified public key. logger.info('Verifying %s', payload_file) - VerifyApexPayload(avbtool, payload_file, payload_key_path) + VerifyApexPayload(avbtool, payload_file, payload_key_path, no_hashtree) -def VerifyApexPayload(avbtool, payload_file, payload_key): +def VerifyApexPayload(avbtool, payload_file, payload_key, no_hashtree=False): """Verifies the APEX payload signature with the given key.""" cmd = [avbtool, 'verify_image', '--image', payload_file, '--key', payload_key] + if no_hashtree: + cmd.append('--accept_zeroed_hashtree') try: common.RunAndCheckOutput(cmd) except common.ExternalError as e: @@ -91,7 +95,7 @@ def ParseApexPayloadInfo(avbtool, payload_path): Returns: A dict that contains payload property-value pairs. The dict should at least - contain Algorithm, Salt and apex.key. + contain Algorithm, Salt, Tree Size and apex.key. """ if not os.path.exists(payload_path): raise ApexInfoError('Failed to find image: {}'.format(payload_path)) 
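Review bot: Placing `no_hashtree` as a required positional parameter ahead of `signing_args=None` in `SignApexPayload` (and again in `SignApex`, in the @@ -151 hunk) changes the meaning of any existing call that passes `signing_args` positionally. That string would bind to `no_hashtree`, and because a non-empty string is truthy the payload would be signed with `--no_hashtree` while the extra signer arguments are silently dropped, with no error raised. `VerifyApexPayload` in this same diff takes `no_hashtree=False`, so for consistency and backward compatibility I would declare `algorithm, salt, signing_args=None, no_hashtree=False):` and pass it by keyword in the @@ -187 call, e.g. `no_hashtree=no_hashtree, signing_args=signing_args)`. The body of `SignApexPayload` starts and ends outside this hunk.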
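Review bot: The one-line docstring of `VerifyApexPayload` in the @@ -64 hunk does not say that `no_hashtree=True` weakens the check by adding `--accept_zeroed_hashtree`. A maintainer reusing this helper to validate an APEX from elsewhere could pass the flag without realising the stored hashtree is then allowed to be zeroed. I would add an Args entry such as `no_hashtree: If True, pass --accept_zeroed_hashtree so a payload signed without a hashtree still verifies; leave False when the payload is expected to carry one.` As far as I understand avbtool, the flag tolerates a zeroed tree rather than requiring one, so the post-signing call does not confirm that the hashtree was actually omitted; worth stating in a comment next to that call if that matters to callers. The `try`/`except` body continues outside the hunk.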
@@ -104,11 +108,11 @@ def ParseApexPayloadInfo(avbtool, payload_path): 'Failed to get APEX payload info for {}:\n{}'.format( payload_path, e)) - # Extract the Algorithm / Salt / Prop info from payload (i.e. an image signed - # with avbtool). For example, + # Extract the Algorithm / Salt / Prop info / Tree size from payload (i.e. an + # image signed with avbtool). For example, # Algorithm: SHA256_RSA4096 PAYLOAD_INFO_PATTERN = ( - r'^\s*(?P<key>Algorithm|Salt|Prop)\:\s*(?P<value>.*?)$') + r'^\s*(?P<key>Algorithm|Salt|Prop|Tree Size)\:\s*(?P<value>.*?)$') payload_info_matcher = re.compile(PAYLOAD_INFO_PATTERN) payload_info = {} @@ -151,7 +155,7 @@ def ParseApexPayloadInfo(avbtool, payload_path): def SignApex(avbtool, apex_data, payload_key, container_key, container_pw, - codename_to_api_level_map, signing_args=None): + codename_to_api_level_map, no_hashtree, signing_args=None): """Signs the current APEX with the given payload/container keys. Args: @@ -160,6 +164,7 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw, container_key: The path to container signing key (w/o extension). container_pw: The matching password of the container_key, or None. codename_to_api_level_map: A dict that maps from codename to API level. + no_hashtree: Don't include hashtree in the signed APEX. signing_args: Additional args to be passed to the payload signer. Returns: @@ -187,6 +192,7 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw, payload_info['apex.key'], payload_info['Algorithm'], payload_info['Salt'], + no_hashtree, signing_args) # 1b. Update the embedded payload public key. |
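Review bot: The docstring changed in the @@ -91 hunk now promises that the returned dict contains `Tree Size`, but this diff only widens `PAYLOAD_INFO_PATTERN`, and no hunk touches a required-key check after the parsing loop (that part of `ParseApexPayloadInfo` is outside the hunk). If such a check exists and still lists only Algorithm, Salt and apex.key, an image whose info output lacks the line would parse cleanly, and the first consumer of `payload_info['Tree Size']` would fail with a bare `KeyError` instead of `ApexInfoError`. I would add `'Tree Size'` to that check. I would also extend the example comment with a line like `#   Tree Size: 4096 bytes` (constructed sample, assuming avbtool prints the unit) so readers know the value is kept as the raw string and must be parsed before any numeric comparison.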