Support container password for apex signing

Some partners need the ability to sign apexes with passwords enabled. Test: th Bug: 206007131 Change-Id: I6abb0775031a4c6bf8aaae679f5c7ad8f4cffe46
OctopusROM · Jun 21, 2023 · 6f8e878 · 6f8e878
1 parent e1df7f3
commit 6f8e878
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 5 deletions.
diff --git a/tools/releasetools/apex_utils.py b/tools/releasetools/apex_utils.py
@@ -498,7 +498,7 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
           apex_file,
           payload_key=payload_key,
           container_key=container_key,
-          container_pw=None,
+          container_pw=container_pw,
           codename_to_api_level_map=codename_to_api_level_map,
           no_hashtree=no_hashtree,
           apk_keys=apk_keys,
@@ -510,7 +510,7 @@ def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
           apex_file,
           payload_key=payload_key,
           container_key=container_key,
-          container_pw=None,
+          container_pw=container_pw,
           codename_to_api_level_map=codename_to_api_level_map,
           no_hashtree=no_hashtree,
           apk_keys=apk_keys,

diff --git a/tools/releasetools/sign_apex.py b/tools/releasetools/sign_apex.py
@@ -42,10 +42,14 @@
 
   --sign_tool <sign_tool>
       Optional flag that specifies a custom signing tool for the contents of the apex.
+
+  --container_pw <name1=passwd,name2=passwd>
+      A mapping of key_name to password
 """
 
 import logging
 import shutil
+import re
 import sys
 
 import apex_utils
@@ -55,7 +59,7 @@
 
 
 def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
-                 apk_keys=None, signing_args=None, codename_to_api_level_map=None, sign_tool=None):
+                 apk_keys=None, signing_args=None, codename_to_api_level_map=None, sign_tool=None, container_pw=None):
   """Signs the given apex file."""
   with open(apex_file, 'rb') as input_fp:
     apex_data = input_fp.read()
@@ -65,7 +69,7 @@ def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
       apex_data,
       payload_key=payload_key,
       container_key=container_key,
-      container_pw=None,
+      container_pw=container_pw,
       codename_to_api_level_map=codename_to_api_level_map,
       no_hashtree=no_hashtree,
       apk_keys=apk_keys,
@@ -106,6 +110,15 @@ def option_handler(o, a):
         options['extra_apks'].update({n: key})
     elif o == '--sign_tool':
       options['sign_tool'] = a
+    elif o == '--container_pw':
+      passwords = {}
+      pairs = a.split()
+      for pair in pairs:
+        if "=" not in pair:
+          continue
+        tokens = pair.split("=", maxsplit=1)
+        passwords[tokens[0].strip()] = tokens[1].strip()
+      options['container_pw'] = passwords
     else:
       return False
     return True
@@ -121,6 +134,7 @@ def option_handler(o, a):
           'payload_key=',
           'extra_apks=',
           'sign_tool=',
+          'container_pw=',
       ],
       extra_option_handler=option_handler)
 
@@ -141,7 +155,9 @@ def option_handler(o, a):
       signing_args=options.get('payload_extra_args'),
       codename_to_api_level_map=options.get(
           'codename_to_api_level_map', {}),
-      sign_tool=options.get('sign_tool', None))
+      sign_tool=options.get('sign_tool', None),
+      container_pw=options.get('container_pw'),
+  )
   shutil.copyfile(signed_apex, args[1])
   logger.info("done.")