check_keys.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# SPDX-FileCopyrightText: 2024 The LineageOS Project
# SPDX-License-Identifier: Apache-2.0

import glob
import subprocess
import sys
from multiprocessing import Pool

from cryptography import x509

KNOWN_KEYS = [
    x509.load_pem_x509_certificate(open(f, "rb").read()).public_key()
    for f in glob.glob("*.x509.pem")
]


def check_public_key(path: str) -> None:
    certs = []
    stdout = subprocess.run(
        [
            "java",
            "-jar",
            "../../../prebuilts/sdk/tools/linux/lib/apksigner.jar",
            "verify",
            "--print-certs-pem",
            path,
        ],
        capture_output=True,
    ).stdout

    while begin := stdout.find(b"-----BEGIN CERTIFICATE-----"):
        end = stdout.find(b"-----END CERTIFICATE-----", begin)

        if end == -1:
            break

        certs.append(x509.load_pem_x509_certificate(stdout[begin : end + 25]))
        stdout = stdout[end + 25 :]

    if not any(x.public_key() in KNOWN_KEYS for x in certs):
        print(path, "is signed with an unknown key!")


def main():
    out = sys.argv[1]

    with Pool(8) as pool:
        pool.map(
            check_public_key,
            (
                glob.glob(f"{out}/obj/**/*.apk", recursive=True)
                + glob.glob(f"{out}/obj/**/*.apex", recursive=True)
                + glob.glob(f"{out}/obj/**/*.capex", recursive=True)
            ),
        )


if __name__ == "__main__":
    main()
evolution-priv_keys-template: Initial commit Change-Id: I74b9d102a0424652b674b118b25419d6d9280d9c Signed-off-by: AnierinB <anierin@evolution-x.org> 2024-06-27 14:47:13 +02:00			`#!/usr/bin/env python3`
			`# -- coding: utf-8 --`

			`# SPDX-FileCopyrightText: 2024 The LineageOS Project`
			`# SPDX-License-Identifier: Apache-2.0`

			`import glob`
			`import subprocess`
			`import sys`
			`from multiprocessing import Pool`

			`from cryptography import x509`

			`KNOWN_KEYS = [`
			`x509.load_pem_x509_certificate(open(f, "rb").read()).public_key()`
			`for f in glob.glob("*.x509.pem")`
			`]`


			`def check_public_key(path: str) -> None:`
			`certs = []`
			`stdout = subprocess.run(`
			`[`
			`"java",`
			`"-jar",`
			`"../../../prebuilts/sdk/tools/linux/lib/apksigner.jar",`
			`"verify",`
			`"--print-certs-pem",`
			`path,`
			`],`
			`capture_output=True,`
			`).stdout`

			`while begin := stdout.find(b"-----BEGIN CERTIFICATE-----"):`
			`end = stdout.find(b"-----END CERTIFICATE-----", begin)`

			`if end == -1:`
			`break`

			`certs.append(x509.load_pem_x509_certificate(stdout[begin : end + 25]))`
			`stdout = stdout[end + 25 :]`

			`if not any(x.public_key() in KNOWN_KEYS for x in certs):`
			`print(path, "is signed with an unknown key!")`


			`def main():`
			`out = sys.argv[1]`

			`with Pool(8) as pool:`
			`pool.map(`
			`check_public_key,`
			`(`
			`glob.glob(f"{out}/obj/*/.apk", recursive=True)`
			`+ glob.glob(f"{out}/obj/*/.apex", recursive=True)`
			`+ glob.glob(f"{out}/obj/*/.capex", recursive=True)`
			`),`
			`)`


			`if __name__ == "__main__":`
			`main()`