evolution-priv_keys-template: Initial commit
Change-Id: I74b9d102a0424652b674b118b25419d6d9280d9c Signed-off-by: AnierinB <anierin@evolution-x.org>
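--- a/BUILD.bazel
+++ b/BUILD.bazel
@@ -0,0 +1 @@
+../../../build/make/target/product/security/BUILD.bazel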
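--- a/README.md
+++ b/README.md
@@ -0,0 +1,24 @@
+# evolution-priv_keys-template
+
+# Usage
+
+```bash
+croot && git clone https://github.com/Evolution-X/vendor_evolution-priv_keys-template vendor/evolution-priv/keys
+```
+
+```bash
+cd vendor/evolution-priv/keys
+```
+
+```
+./keys.sh
+```
+
+# Testing
+
+Included `check_keys.py` script checks whether all apk/apex/capex files in the build out are signed with keys within its directory. Be aware that some targets are **expected** to be signed with vendor key, for example `com.android.apex.cts.shim.v1_prebuilt`.
+
+```
+$ ./check_keys.py ~/evolution/out/target/product/lynx
+/home/ab/evolution/out/target/product/lynx/obj/ETC/com.android.apex.cts.shim.v1_prebuilt_intermediates/com.android.apex.cts.shim.apex is signed with an unknown key!
+```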
62
check_keys.py
Executable file
62
check_keys.py
Executable file
@@ -0,0 +1,62 @@
|
|||||||
|
#!/usr/bin/env python3
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
|
||||||
|
# SPDX-FileCopyrightText: 2024 The LineageOS Project
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
|
import glob
|
||||||
|
import subprocess
|
||||||
|
import sys
|
||||||
|
from multiprocessing import Pool
|
||||||
|
|
||||||
|
from cryptography import x509
|
||||||
|
|
||||||
|
KNOWN_KEYS = [
|
||||||
|
x509.load_pem_x509_certificate(open(f, "rb").read()).public_key()
|
||||||
|
for f in glob.glob("*.x509.pem")
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def check_public_key(path: str) -> None:
|
||||||
|
certs = []
|
||||||
|
stdout = subprocess.run(
|
||||||
|
[
|
||||||
|
"java",
|
||||||
|
"-jar",
|
||||||
|
"../../../prebuilts/sdk/tools/linux/lib/apksigner.jar",
|
||||||
|
"verify",
|
||||||
|
"--print-certs-pem",
|
||||||
|
path,
|
||||||
|
],
|
||||||
|
capture_output=True,
|
||||||
|
).stdout
|
||||||
|
|
||||||
|
while begin := stdout.find(b"-----BEGIN CERTIFICATE-----"):
|
||||||
|
end = stdout.find(b"-----END CERTIFICATE-----", begin)
|
||||||
|
|
||||||
|
if end == -1:
|
||||||
|
break
|
||||||
|
|
||||||
|
certs.append(x509.load_pem_x509_certificate(stdout[begin : end + 25]))
|
||||||
|
stdout = stdout[end + 25 :]
|
||||||
|
|
||||||
|
if not any(x.public_key() in KNOWN_KEYS for x in certs):
|
||||||
|
print(path, "is signed with an unknown key!")
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
out = sys.argv[1]
|
||||||
|
|
||||||
|
with Pool(8) as pool:
|
||||||
|
pool.map(
|
||||||
|
check_public_key,
|
||||||
|
(
|
||||||
|
glob.glob(f"{out}/obj/**/*.apk", recursive=True)
|
||||||
|
+ glob.glob(f"{out}/obj/**/*.apex", recursive=True)
|
||||||
|
+ glob.glob(f"{out}/obj/**/*.capex", recursive=True)
|
||||||
|
),
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
main()
|
||||||
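Review bot: The apksigner exit status is discarded at the `subprocess.run(...).stdout` call in check_public_key, so a file apksigner refuses to verify, or a missing `../../../prebuilts/sdk/tools/linux/lib/apksigner.jar`, produces an empty certificate list and is reported with exactly the same "is signed with an unknown key!" line as a genuinely foreign signature, while stderr is thrown away. The loop condition `while begin := stdout.find(b"-----BEGIN CERTIFICATE-----"):` also treats the not-found value -1 as true and only terminates through the `end == -1` break; `while (begin := stdout.find(b"-----BEGIN CERTIFICATE-----")) != -1:` states the intent directly. Checking the return code and reporting stderr on its own line, as below, keeps the unknown-key message unchanged but lets a tooling failure be told apart from an unknown signer. The `x.public_key() in KNOWN_KEYS` test depends on the `cryptography` key classes implementing `__eq__`, which as far as I recall older releases did not; the unpinned `cryptography` line in requirements.txt should carry a minimum version (I cannot tell the exact one from this page).
```python
    result = subprocess.run(
        # … unchanged: apksigner argument list …
        capture_output=True,
    )
    if result.returncode != 0:
        # apksigner could not verify the file or did not run at all; report
        # this separately so it is not mistaken for an unknown signer.
        print(path, "could not be verified:", result.stderr.decode(errors="replace").strip())
        return
    stdout = result.stdout

    while (begin := stdout.find(b"-----BEGIN CERTIFICATE-----")) != -1:
        # … unchanged: certificate extraction and KNOWN_KEYS check …
```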
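--- a/keys.mk
+++ b/keys.mk
@@ -0,0 +1,71 @@
+# SPDX-FileCopyrightText: 2024 The LineageOS Project
+# SPDX-License-Identifier: Apache-2.0
+
+PRODUCT_CERTIFICATE_OVERRIDES := \
+com.android.adbd:com.android.adbd.certificate.override \
+com.android.adservices:com.android.adservices.certificate.override \
+com.android.adservices.api:com.android.adservices.api.certificate.override \
+com.android.appsearch:com.android.appsearch.certificate.override \
+com.android.art:com.android.art.certificate.override \
+com.android.bluetooth:com.android.bluetooth.certificate.override \
+com.android.btservices:com.android.btservices.certificate.override \
+com.android.cellbroadcast:com.android.cellbroadcast.certificate.override \
+com.android.compos:com.android.compos.certificate.override \
+com.android.configinfrastructure:com.android.configinfrastructure.certificate.override \
+com.android.connectivity.resources:com.android.connectivity.resources.certificate.override \
+com.android.conscrypt:com.android.conscrypt.certificate.override \
+com.android.devicelock:com.android.devicelock.certificate.override \
+com.android.extservices:com.android.extservices.certificate.override \
+com.android.hardware.biometrics.face.virtual:com.android.hardware.biometrics.face.virtual.override \
+com.android.hardware.biometrics.fingerprint.virtual:com.android.hardware.biometrics.fingerprint.virtual.override \
+com.android.hardware.boot:com.android.hardware.boot.certificate.override \
+com.android.hardware.cas:com.android.hardware.cas.override \
+com.android.hardware.wifi:com.android.hardware.wifi.certificate.override \
+com.android.healthfitness:com.android.healthfitness.certificate.override \
+com.android.hotspot2.osulogin:com.android.hotspot2.osulogin.certificate.override \
+com.android.i18n:com.android.i18n.certificate.override \
+com.android.ipsec:com.android.ipsec.certificate.override \
+com.android.media:com.android.media.certificate.override \
+com.android.media.swcodec:com.android.media.swcodec.certificate.override \
+com.android.mediaprovider:com.android.mediaprovider.certificate.override \
+com.android.nearby.halfsheet:com.android.nearby.halfsheet.certificate.override \
+com.android.networkstack.tethering:com.android.networkstack.tethering.certificate.override \
+com.android.neuralnetworks:com.android.neuralnetworks.certificate.override \
+com.android.ondevicepersonalization:com.android.ondevicepersonalization.certificate.override \
+com.android.os.statsd:com.android.os.statsd.certificate.override \
+com.android.permission:com.android.permission.certificate.override \
+com.android.resolv:com.android.resolv.certificate.override \
+com.android.rkpd:com.android.rkpd.certificate.override \
+com.android.runtime:com.android.runtime.certificate.override \
+com.android.safetycenter.resources:com.android.safetycenter.resources.certificate.override \
+com.android.scheduling:com.android.scheduling.certificate.override \
+com.android.sdkext:com.android.sdkext.certificate.override \
+com.android.support.apexer:com.android.support.apexer.certificate.override \
+com.android.telephony:com.android.telephony.certificate.override \
+com.android.telephonymodules:com.android.telephonymodules.certificate.override \
+com.android.tethering:com.android.tethering.certificate.override \
+com.android.tzdata:com.android.tzdata.certificate.override \
+com.android.uwb:com.android.uwb.certificate.override \
+com.android.uwb.resources:com.android.uwb.resources.certificate.override \
+com.android.virt:com.android.virt.certificate.override \
+com.android.vndk.current:com.android.vndk.current.certificate.override \
+com.android.wifi:com.android.wifi.certificate.override \
+com.android.wifi.dialog:com.android.wifi.dialog.certificate.override \
+com.android.wifi.resources:com.android.wifi.resources.certificate.override \
+com.google.pixel.vibrator.hal:com.google.pixel.vibrator.hal.certificate.override \
+com.qorvo.uwb:com.qorvo.uwb.certificate.override
+
+PRODUCT_CERTIFICATE_OVERRIDES += \
+AdServicesApk:com.android.adservices.api.certificate.override \
+FederatedCompute:com.android.federatedcompute.certificate.override \
+HealthConnectBackupRestore:com.android.health.connect.backuprestore.certificate.override \
+HealthConnectController:com.android.healthconnect.controller.certificate.override \
+OsuLogin:com.android.hotspot2.osulogin.certificate.override \
+SafetyCenterResources:com.android.safetycenter.resources.certificate.override \
+ServiceConnectivityResources:com.android.connectivity.resources.certificate.override \
+ServiceUwbResources:com.android.uwb.resources.certificate.override \
+ServiceWifiResources:com.android.wifi.resources.certificate.override \
+WifiDialog:com.android.wifi.dialog.certificate.override
+
+PRODUCT_DEFAULT_DEV_CERTIFICATE := vendor/evolution-priv/keys/testkey
+PRODUCT_EXTRA_RECOVERY_KEYS :=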
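Review bot: Three entries in the first PRODUCT_CERTIFICATE_OVERRIDES block — `com.android.hardware.biometrics.face.virtual`, `com.android.hardware.biometrics.fingerprint.virtual` and `com.android.hardware.cas` — name their certificate module `<module>.override`, while every other entry uses `<module>.certificate.override`. keys.sh derives both the Android.bp entries and the generated key names from `grep -o :.*override`, so the mixed naming still works, but it reads like a typo and anyone adding entries later will not know which pattern to copy; either align the three with `.certificate.override` or put a comment on those lines saying why they differ. `PRODUCT_EXTRA_RECOVERY_KEYS :=` being deliberately emptied also deserves a one-line comment, e.g. `# No additional OTA/recovery keys: only the default certificate is trusted.`, since it is presumably what restricts which keys recovery will accept (confirm against the build system).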
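--- a/keys.sh
+++ b/keys.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# SPDX-FileCopyrightText: 2024 The LineageOS Project
+# SPDX-License-Identifier: Apache-2.0
+
+# Generate Android.bp
+echo "// DO NOT EDIT THIS FILE MANUALLY" > Android.bp
+
+for key in $(grep -o :\.\*override keys.mk | sort -u); do
+echo "" >> Android.bp
+echo "android_app_certificate {" >> Android.bp
+echo " name: \"${key:1}\"," >> Android.bp
+echo " certificate: \"${key:1}\"," >> Android.bp
+echo "}" >> Android.bp
+done
+
+# Generate keys
+for key in ../../../build/make/target/product/security/*.pk8; do
+./make_key.sh $(basename $key .pk8)
+done
+
+for key in $(grep -o :\.\*override keys.mk | sort -u); do
+./make_key.sh ${key:1} 4096
+done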
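Review bot: keys.sh sets no `set -e`, so when `./make_key.sh` fails inside either `for key in …` loop — for instance because `../../../development/tools/make_key` is not at the expected relative path, or because a key with that name already exists and the upstream tool declines to overwrite it — the loop carries on and the script exits 0 with an incomplete key set, which is easy to miss until a build signs something with a key you did not intend. `set -euo pipefail` placed directly after the `#!/bin/bash` line makes the first failure abort the run. The first generation loop also leaves the `security/*.pk8` key names at make_key's default size while the second loop passes `4096`; if that split is intentional, a comment on the `# Generate keys` line should record it, e.g. `# AOSP platform key names keep make_key's default size; certificate-override keys are generated at 4096 bits.`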
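--- a/make_key.sh
+++ b/make_key.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# SPDX-FileCopyrightText: 2024 The LineageOS Project
+# SPDX-License-Identifier: Apache-2.0
+
+set -u
+bash <(sed "s/2048/${2:-2048}/;/Enter password/,+1d" ../../../development/tools/make_key) \
+$1 \
+'/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'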
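Review bot: The `sed` expression on the `bash <(…)` line rewrites the first `2048` on every line of the upstream make_key script rather than its key-size argument specifically, and `/Enter password/,+1d` removes the interactive password prompt, which — judging from this wrapper alone, the upstream script is not part of the commit — means the generated `.pk8` files are written without a passphrase. Neither consequence is recorded anywhere, and they are exactly what a future maintainer needs to know before reusing this for real signing keys; a header comment above `set -u` along the lines of `# Wraps AOSP's make_key: replaces the default 2048-bit size with $2 and strips the password prompt, so keys are produced unencrypted and this directory must be protected accordingly.` would make the trade-off explicit. The subject string is also the stock AOSP test-key DN, so certificates from this template are distinguishable from the public test keys only by key material, not by name; worth a note if that is accepted. `$1` is unquoted on its continuation line; `"$1"` costs nothing and avoids a surprise should a key name ever contain whitespace.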
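--- a/releasekey.pk8
+++ b/releasekey.pk8
@@ -0,0 +1 @@
+testkey.pk8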
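Review bot: `releasekey.pk8` is a symlink onto `testkey.pk8` (and `releasekey.x509.pem` onto `testkey.x509.pem` in the next section), so the release and test signing identities collapse into a single key pair: anything signed as `releasekey` verifies under `testkey`, and keys.mk's `PRODUCT_DEFAULT_DEV_CERTIFICATE` points at that same `testkey`. If one key for both roles is the intended shape of this template, README.md should say so, since the names suggest two keys with different trust levels; if not, `releasekey` should be generated as its own key by keys.sh instead of aliased here.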
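--- a/releasekey.x509.pem
+++ b/releasekey.x509.pem
@@ -0,0 +1 @@
+testkey.x509.pem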
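--- a/requirements.txt
+++ b/requirements.txt
@@ -0,0 +1 @@
+cryptography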