evolution-priv_keys-template: Initial commit
Change-Id: I74b9d102a0424652b674b118b25419d6d9280d9c Signed-off-by: AnierinB <anierin@evolution-x.org>
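--- a/BUILD.bazel
+++ b/BUILD.bazel
@@ -0,0 +1 @@
+../../../build/make/target/product/security/BUILD.bazel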
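--- a/README.md
+++ b/README.md
@@ -0,0 +1,24 @@
+# evolution-priv_keys-template
+
+# Usage
+
+```bash
+croot && git clone https://github.com/Evolution-X/vendor_evolution-priv_keys-template vendor/evolution-priv/keys
+```
+
+```bash
+cd vendor/evolution-priv/keys
+```
+
+```
+./keys.sh
+```
+
+# Testing
+
+Included `check_keys.py` script checks whether all apk/apex/capex files in the build out are signed with keys within its directory. Be aware that some targets are **expected** to be signed with vendor key, for example `com.android.apex.cts.shim.v1_prebuilt`.
+
+```
+$ ./check_keys.py ~/evolution/out/target/product/lynx
+/home/ab/evolution/out/target/product/lynx/obj/ETC/com.android.apex.cts.shim.v1_prebuilt_intermediates/com.android.apex.cts.shim.apex is signed with an unknown key!
+```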
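--- a/check_keys.py
+++ b/check_keys.py
@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+# SPDX-FileCopyrightText: 2024 The LineageOS Project
+# SPDX-License-Identifier: Apache-2.0
+
+import glob
+import subprocess
+import sys
+from multiprocessing import Pool
+
+from cryptography import x509
+
+KNOWN_KEYS = [
+    x509.load_pem_x509_certificate(open(f, "rb").read()).public_key()
+    for f in glob.glob("*.x509.pem")
+]
+
+
+def check_public_key(path: str) -> None:
+    certs = []
+    stdout = subprocess.run(
+        [
+            "java",
+            "-jar",
+            "../../../prebuilts/sdk/tools/linux/lib/apksigner.jar",
+            "verify",
+            "--print-certs-pem",
+            path,
+        ],
+        capture_output=True,
+    ).stdout
+
+    while begin := stdout.find(b"-----BEGIN CERTIFICATE-----"):
+        end = stdout.find(b"-----END CERTIFICATE-----", begin)
+
+        if end == -1:
+            break
+
+        certs.append(x509.load_pem_x509_certificate(stdout[begin : end + 25]))
+        stdout = stdout[end + 25 :]
+
+    if not any(x.public_key() in KNOWN_KEYS for x in certs):
+        print(path, "is signed with an unknown key!")
+
+
+def main():
+    out = sys.argv[1]
+
+    with Pool(8) as pool:
+        pool.map(
+            check_public_key,
+            (
+                glob.glob(f"{out}/obj/**/*.apk", recursive=True)
+                + glob.glob(f"{out}/obj/**/*.apex", recursive=True)
+                + glob.glob(f"{out}/obj/**/*.capex", recursive=True)
+            ),
+        )
+
+
+if __name__ == "__main__":
+    main()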
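Review bot: The loop condition `while begin := stdout.find(b"-----BEGIN CERTIFICATE-----"):` in check_public_key tests the index for truthiness, so a marker at offset 0 ends the loop early and a missing marker (-1) enters it and only escapes through the later `end == -1` check; it should read `while (begin := stdout.find(b"-----BEGIN CERTIFICATE-----")) != -1:`. The apksigner exit status is discarded as well: a JVM start-up problem, a missing apksigner.jar or a genuine verification failure all leave stdout empty, and the file is then reported as "signed with an unknown key" rather than as a tool or verification failure, which hides broken tooling behind a key-mismatch message. KNOWN_KEYS is built from `*.x509.pem` in the current directory, so running the script from anywhere else yields an empty list and flags every file; a guard in main such as `if not KNOWN_KEYS: sys.exit("no *.x509.pem found in the current directory")` would make that visible. The membership test `x.public_key() in KNOWN_KEYS` also relies on the cryptography package implementing equality for public-key objects, which older releases do not — worth a comment on KNOWN_KEYS or a version bound in requirements.txt.
```python
def check_public_key(path: str) -> None:
    result = subprocess.run(
        [
            # … unchanged: java -jar apksigner.jar verify --print-certs-pem path …
        ],
        capture_output=True,
    )
    if result.returncode != 0:
        # A tooling or verification failure must not be reported as a key mismatch.
        print(path, "apksigner verify failed:", result.stderr.decode(errors="replace").strip())
        return
    stdout = result.stdout

    certs = []
    # find() returns -1 when absent; testing the index for truthiness would
    # treat offset 0 as "not found" and -1 as "found".
    while (begin := stdout.find(b"-----BEGIN CERTIFICATE-----")) != -1:
        end = stdout.find(b"-----END CERTIFICATE-----", begin)
        if end == -1:
            break
        certs.append(x509.load_pem_x509_certificate(stdout[begin : end + 25]))
        stdout = stdout[end + 25 :]
    # … unchanged: KNOWN_KEYS membership test and report …
```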
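--- a/keys.mk
+++ b/keys.mk
@@ -0,0 +1,71 @@
+# SPDX-FileCopyrightText: 2024 The LineageOS Project
+# SPDX-License-Identifier: Apache-2.0
+
+PRODUCT_CERTIFICATE_OVERRIDES := \
+    com.android.adbd:com.android.adbd.certificate.override \
+    com.android.adservices:com.android.adservices.certificate.override \
+    com.android.adservices.api:com.android.adservices.api.certificate.override \
+    com.android.appsearch:com.android.appsearch.certificate.override \
+    com.android.art:com.android.art.certificate.override \
+    com.android.bluetooth:com.android.bluetooth.certificate.override \
+    com.android.btservices:com.android.btservices.certificate.override \
+    com.android.cellbroadcast:com.android.cellbroadcast.certificate.override \
+    com.android.compos:com.android.compos.certificate.override \
+    com.android.configinfrastructure:com.android.configinfrastructure.certificate.override \
+    com.android.connectivity.resources:com.android.connectivity.resources.certificate.override \
+    com.android.conscrypt:com.android.conscrypt.certificate.override \
+    com.android.devicelock:com.android.devicelock.certificate.override \
+    com.android.extservices:com.android.extservices.certificate.override \
+    com.android.hardware.biometrics.face.virtual:com.android.hardware.biometrics.face.virtual.override \
+    com.android.hardware.biometrics.fingerprint.virtual:com.android.hardware.biometrics.fingerprint.virtual.override \
+    com.android.hardware.boot:com.android.hardware.boot.certificate.override \
+    com.android.hardware.cas:com.android.hardware.cas.override \
+    com.android.hardware.wifi:com.android.hardware.wifi.certificate.override \
+    com.android.healthfitness:com.android.healthfitness.certificate.override \
+    com.android.hotspot2.osulogin:com.android.hotspot2.osulogin.certificate.override \
+    com.android.i18n:com.android.i18n.certificate.override \
+    com.android.ipsec:com.android.ipsec.certificate.override \
+    com.android.media:com.android.media.certificate.override \
+    com.android.media.swcodec:com.android.media.swcodec.certificate.override \
+    com.android.mediaprovider:com.android.mediaprovider.certificate.override \
+    com.android.nearby.halfsheet:com.android.nearby.halfsheet.certificate.override \
+    com.android.networkstack.tethering:com.android.networkstack.tethering.certificate.override \
+    com.android.neuralnetworks:com.android.neuralnetworks.certificate.override \
+    com.android.ondevicepersonalization:com.android.ondevicepersonalization.certificate.override \
+    com.android.os.statsd:com.android.os.statsd.certificate.override \
+    com.android.permission:com.android.permission.certificate.override \
+    com.android.resolv:com.android.resolv.certificate.override \
+    com.android.rkpd:com.android.rkpd.certificate.override \
+    com.android.runtime:com.android.runtime.certificate.override \
+    com.android.safetycenter.resources:com.android.safetycenter.resources.certificate.override \
+    com.android.scheduling:com.android.scheduling.certificate.override \
+    com.android.sdkext:com.android.sdkext.certificate.override \
+    com.android.support.apexer:com.android.support.apexer.certificate.override \
+    com.android.telephony:com.android.telephony.certificate.override \
+    com.android.telephonymodules:com.android.telephonymodules.certificate.override \
+    com.android.tethering:com.android.tethering.certificate.override \
+    com.android.tzdata:com.android.tzdata.certificate.override \
+    com.android.uwb:com.android.uwb.certificate.override \
+    com.android.uwb.resources:com.android.uwb.resources.certificate.override \
+    com.android.virt:com.android.virt.certificate.override \
+    com.android.vndk.current:com.android.vndk.current.certificate.override \
+    com.android.wifi:com.android.wifi.certificate.override \
+    com.android.wifi.dialog:com.android.wifi.dialog.certificate.override \
+    com.android.wifi.resources:com.android.wifi.resources.certificate.override \
+    com.google.pixel.vibrator.hal:com.google.pixel.vibrator.hal.certificate.override \
+    com.qorvo.uwb:com.qorvo.uwb.certificate.override
+
+PRODUCT_CERTIFICATE_OVERRIDES += \
+    AdServicesApk:com.android.adservices.api.certificate.override \
+    FederatedCompute:com.android.federatedcompute.certificate.override \
+    HealthConnectBackupRestore:com.android.health.connect.backuprestore.certificate.override \
+    HealthConnectController:com.android.healthconnect.controller.certificate.override \
+    OsuLogin:com.android.hotspot2.osulogin.certificate.override \
+    SafetyCenterResources:com.android.safetycenter.resources.certificate.override \
+    ServiceConnectivityResources:com.android.connectivity.resources.certificate.override \
+    ServiceUwbResources:com.android.uwb.resources.certificate.override \
+    ServiceWifiResources:com.android.wifi.resources.certificate.override \
+    WifiDialog:com.android.wifi.dialog.certificate.override
+
+PRODUCT_DEFAULT_DEV_CERTIFICATE := vendor/evolution-priv/keys/testkey
+PRODUCT_EXTRA_RECOVERY_KEYS :=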
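Review bot: Three entries in PRODUCT_CERTIFICATE_OVERRIDES drop the `.certificate` segment (`com.android.hardware.biometrics.face.virtual.override`, `com.android.hardware.biometrics.fingerprint.virtual.override`, `com.android.hardware.cas.override`) while every other entry follows `<module>.certificate.override`. keys.sh derives both the android_app_certificate module name and the key filename from the `:…override` suffix, so the mismatch still builds, but the generated Android.bp and the key directory end up with two naming schemes and the odd ones look like typos. If those names are dictated by the upstream module definitions, as seems likely, a one-line comment above the list saying so — `# names must match the certificate module each APEX/app references; a few upstream modules omit ".certificate"` — would stop a later cleanup from silently breaking the override.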
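--- a/keys.sh
+++ b/keys.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# SPDX-FileCopyrightText: 2024 The LineageOS Project
+# SPDX-License-Identifier: Apache-2.0
+
+# Generate Android.bp
+echo "// DO NOT EDIT THIS FILE MANUALLY" > Android.bp
+
+for key in $(grep -o :\.\*override keys.mk | sort -u); do
+    echo "" >> Android.bp
+    echo "android_app_certificate {" >> Android.bp
+    echo " name: \"${key:1}\"," >> Android.bp
+    echo " certificate: \"${key:1}\"," >> Android.bp
+    echo "}" >> Android.bp
+done
+
+# Generate keys
+for key in ../../../build/make/target/product/security/*.pk8; do
+    ./make_key.sh $(basename $key .pk8)
+done
+
+for key in $(grep -o :\.\*override keys.mk | sort -u); do
+    ./make_key.sh ${key:1} 4096
+done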
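Review bot: keys.sh runs without `set -e`/`pipefail`, so when one `./make_key.sh` invocation in the two key-generation loops fails (an openssl error, a missing `../../../development/tools/make_key`, or an existing key the upstream script declines to overwrite) the loop continues and the script exits 0 with an incomplete key set, which only surfaces later as a build error about a missing certificate. Adding `set -euo pipefail` after the shebang, and quoting the pattern as `grep -o ':.*override' keys.mk` so the shell escaping is not needed, makes a partial run fail loudly. Since make_key.sh strips the password prompt from the upstream script, every key produced here — platform, shared, media and all the APEX overrides — appears to be written without a passphrase, so the checkout that contains them is itself the secret; a comment at the top of the script, `# Generated .pk8 files are unencrypted: keep this directory private and out of any public mirror`, would state that where the keys are created.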
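--- a/make_key.sh
+++ b/make_key.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# SPDX-FileCopyrightText: 2024 The LineageOS Project
+# SPDX-License-Identifier: Apache-2.0
+
+set -u
+bash <(sed "s/2048/${2:-2048}/;/Enter password/,+1d" ../../../development/tools/make_key) \
+    $1 \
+    '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'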
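Review bot: The `sed` on the `bash <(…)` line patches the upstream make_key by literal text — `s/2048/${2:-2048}/` for the key size and `/Enter password/,+1d` to drop the prompt and the line after it — and neither edit reports when it matches nothing, so an upstream change to the literal or the prompt wording silently yields a 2048-bit key where keys.sh asked for 4096, or brings back an interactive prompt that stalls the key-generation loops. A guard before the process substitution, e.g. `grep -q 'Enter password' ../../../development/tools/make_key || { echo "upstream make_key layout changed" >&2; exit 1; }` (and likewise for the `2048` literal), turns that into a hard failure. The unquoted `$1` should be `"$1"`, and because the subject DN is identical to AOSP's public test keys the generated certificates differ from the public ones only in key material and fingerprint — a comment saying so would keep anyone from using the DN to tell them apart.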
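--- a/releasekey.pk8
+++ b/releasekey.pk8
@@ -0,0 +1 @@
+testkey.pk8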
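Review bot: `releasekey.pk8` (and `releasekey.x509.pem` in the next section) is a symlink to `testkey`, the same key that `PRODUCT_DEFAULT_DEV_CERTIFICATE` in keys.mk signs every build with, so re-signing a target-files package with `releasekey` gives no separation between developer and release builds, and compromise of the build checkout is compromise of the release key. If that aliasing is intended for a template, a line in the README stating it — and that replacing the two symlinks with a separately generated, offline-held release key is the expected step for production — would keep the name from suggesting a separation that does not exist.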
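--- a/releasekey.x509.pem
+++ b/releasekey.x509.pem
@@ -0,0 +1 @@
+testkey.x509.pem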
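--- a/requirements.txt
+++ b/requirements.txt
@@ -0,0 +1 @@
+cryptography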
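Review bot: `cryptography` is listed without any version constraint, so `pip install -r requirements.txt` takes whatever the index serves at install time, and check_keys.py depends on public-key equality for `x.public_key() in KNOWN_KEYS`, which only newer releases of the package implement — an older cached version makes every file report as unknown. Pin at least a lower bound, `cryptography>=<MIN_VERSION_WITH_PUBLIC_KEY_EQUALITY>`, or pin an exact version with `--hash` entries so the signing-check tooling is reproducible.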