aboutsummaryrefslogtreecommitdiffstats
path: root/sign-build
blob: 3c5dfd7ff50cf2751d201b4432f198ab94c0373d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
#!/bin/sh
#
# Copyright (C) 2016 Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# resigns your images with your keys and also generates keys for you
# puts everything in out/dist
# most information taken from here:
# https://source.android.com/devices/tech/ota/sign_builds.html

# final check if recovery has the right key:
# java -jar out/host/linux-x86/framework/dumpkey.jar vendor/replicant-security/releasekey.x509.pem
# in recovery: adb shell cat /res/keys
# both outputs should match
# also /system/etc/security/otacerts.zip should only contain your release key

set -e

DEVICE=$1
BASEDIR=$(pwd)
KEY_DIR=$BASEDIR/vendor/replicant-security

if [ -z ${OUT_DIR_COMMON_BASE+x} ]
then
    OUT_DIR=$BASEDIR/"out"
else
    OUT_DIR=$OUT_DIR_COMMON_BASE/${PWD##*/}
fi

TARGET_DIR=$OUT_DIR/target/product/$DEVICE
TARGET_FILES=$TARGET_DIR/obj/PACKAGING/target_files_intermediates/replicant_${DEVICE}-target_files-${BUILD_NUMBER}.zip

DIST_OUT_DIR=$OUT_DIR/"dist"/$DEVICE
RELEASE=replicant-6.0

read_var() {
    local prompt="$1"
    local var="$2"
    # Store current value of variable as default.
    eval "local default=\"\$$var\""

    read -p "$prompt: [$default] " "$var"
    # Set default value if empty.
    eval "test -n \"\$$var\"" ||
    eval "$var='$default'"
}

generate_keys () {
    local KEY_C="NA"
    local KEY_ST="unknown"
    local KEY_L="unknown"
    local KEY_O="unknown"
    local KEY_OU="unknown"
    local KEY_CN="unknown"
    local KEY_EA="unknown"
    local SUBJECT

    echo "No keys present. Generating them now."
    echo
    echo "You are about to be asked to enter information that will be incorporated"
    echo "into your certificate requests."
    echo "What you are about to enter is what is called a Distinguished Name or a DN."
    echo "There are quite a few fields but you can leave some blank."
    echo "For some fields there will be a default value."

    read_var "Country Name (2 letter code)" KEY_C
    read_var "State or Province Name (full name)" KEY_ST
    read_var "Locality Name (e.g. city)" KEY_L
    read_var "Organization Name (e.g. company)" KEY_O
    read_var "Organizational Unit Name (e.g. section)" KEY_OU
    read_var "Common Name (e.g. your name)" KEY_CN
    read_var "Email Address" KEY_EA
    SUBJECT="/C=$KEY_C/ST=$KEY_ST/L=$KEY_L/O=$KEY_O/OU=$KEY_OU/CN=$KEY_CN/emailAddress=$KEY_EA"

    # Ensure that all keys and certificates are deleted in case of an error during creation,
    # i.e. either all certificates are in place or none.
    trap 'rm -rf "$KEY_DIR"' EXIT INT
    mkdir "$KEY_DIR"
    for x in releasekey platform shared media; do
        ./development/tools/make_key "$KEY_DIR/$x" "$SUBJECT" || true
        # The return value of 'make_key' cannot be trusted.  Check on our own
        # if key and certificate has been created successfully.
        test -r "$KEY_DIR/$x.x509.pem"
    done
    trap - EXIT INT
}

if [ "$DEVICE" = "" ]
then
    echo "Usage: $0 [DEVICE]"
    exit 1
fi

if ! [ -d "$TARGET_DIR" ]
then
    echo "The build directory for $DEVICE does not exist."
    exit 1
fi

if ! [ -f $TARGET_FILES ]
then
    echo "No files to sign. Make sure the build for $DEVICE completed successfully."
    exit 1
fi

if ! [ -d "$KEY_DIR" ]
then
    generate_keys
fi

mkdir -p $DIST_OUT_DIR

# -o option replaces the test keys with the created ones
# -p makes sure the script finds signapk.jar
if [ "$DEVICE" = "i9100" ] || [ "$DEVICE" = "n7000" ]
then
    echo "Signing target APKs files ..."
    python $BASEDIR/device/samsung/galaxys2-common/releasetools/galaxys2_sign_target_files_apks \
	   -s device/samsung/galaxys2-common/releasetools/extensions/releasetools.py \
	   -o \
	   -p $OUT_DIR/host/linux-x86 \
	   -d $KEY_DIR \
	   $TARGET_FILES \
	   $DIST_OUT_DIR/signed-target_files-$DEVICE.zip

    echo "Signing target OTAs files ..."
    python $BASEDIR/build/tools/releasetools/ota_from_target_files \
	   -s device/samsung/galaxys2-common/releasetools/extensions/releasetools.py \
	   -k $KEY_DIR/releasekey \
	   -p $OUT_DIR/host/linux-x86 \
	   $DIST_OUT_DIR/signed-target_files-$DEVICE.zip \
	   $DIST_OUT_DIR/$RELEASE-$DEVICE.zip

else
    echo "Signing target APKs files ..."
    python $BASEDIR/build/tools/releasetools/sign_target_files_apks \
	   -o \
	   -p $OUT_DIR/host/linux-x86 \
	   -d $KEY_DIR \
	   $TARGET_FILES \
	   $DIST_OUT_DIR/signed-target_files-$DEVICE.zip

    echo "Signing target OTAs files ..."
    python $BASEDIR/build/tools/releasetools/ota_from_target_files \
	   -k $KEY_DIR/releasekey \
	   -p $OUT_DIR/host/linux-x86 \
	   $DIST_OUT_DIR/signed-target_files-$DEVICE.zip \
	   $DIST_OUT_DIR/$RELEASE-$DEVICE.zip
fi

echo "Signing target image files ..."
python $BASEDIR/build/tools/releasetools/img_from_target_files \
       -z \
       $DIST_OUT_DIR/signed-target_files-$DEVICE.zip \
       $DIST_OUT_DIR/signed-img-$DEVICE.zip

# get the recovery from the signed-img.zip
unzip -o -j $DIST_OUT_DIR/signed-img-$DEVICE.zip  recovery.img -d $DIST_OUT_DIR
mv $DIST_OUT_DIR/recovery.img $DIST_OUT_DIR/recovery-$DEVICE.img

echo
echo "Finished successfully. Install zip and recovery:"
echo "$DIST_OUT_DIR/$RELEASE-$DEVICE.zip"
echo "$DIST_OUT_DIR/recovery-$DEVICE.img"