1*6777b538SAndroid Build Coastguard Worker# Copyright 2013 The Chromium Authors 2*6777b538SAndroid Build Coastguard Worker# Use of this source code is governed by a BSD-style license that can be 3*6777b538SAndroid Build Coastguard Worker# found in the LICENSE file. 4*6777b538SAndroid Build Coastguard Worker"""Signs and aligns an APK.""" 5*6777b538SAndroid Build Coastguard Worker 6*6777b538SAndroid Build Coastguard Workerimport argparse 7*6777b538SAndroid Build Coastguard Workerimport logging 8*6777b538SAndroid Build Coastguard Workerimport shutil 9*6777b538SAndroid Build Coastguard Workerimport subprocess 10*6777b538SAndroid Build Coastguard Workerimport sys 11*6777b538SAndroid Build Coastguard Workerimport tempfile 12*6777b538SAndroid Build Coastguard Worker 13*6777b538SAndroid Build Coastguard Workerfrom util import build_utils 14*6777b538SAndroid Build Coastguard Worker 15*6777b538SAndroid Build Coastguard Worker 16*6777b538SAndroid Build Coastguard Workerdef FinalizeApk(apksigner_path, 17*6777b538SAndroid Build Coastguard Worker zipalign_path, 18*6777b538SAndroid Build Coastguard Worker unsigned_apk_path, 19*6777b538SAndroid Build Coastguard Worker final_apk_path, 20*6777b538SAndroid Build Coastguard Worker key_path, 21*6777b538SAndroid Build Coastguard Worker key_passwd, 22*6777b538SAndroid Build Coastguard Worker key_name, 23*6777b538SAndroid Build Coastguard Worker min_sdk_version, 24*6777b538SAndroid Build Coastguard Worker warnings_as_errors=False): 25*6777b538SAndroid Build Coastguard Worker # Use a tempfile so that Ctrl-C does not leave the file with a fresh mtime 26*6777b538SAndroid Build Coastguard Worker # and a corrupted state. 27*6777b538SAndroid Build Coastguard Worker with tempfile.NamedTemporaryFile() as staging_file: 28*6777b538SAndroid Build Coastguard Worker if zipalign_path: 29*6777b538SAndroid Build Coastguard Worker # v2 signing requires that zipalign happen first. 30*6777b538SAndroid Build Coastguard Worker logging.debug('Running zipalign') 31*6777b538SAndroid Build Coastguard Worker zipalign_cmd = [ 32*6777b538SAndroid Build Coastguard Worker zipalign_path, '-p', '-f', '4', unsigned_apk_path, staging_file.name 33*6777b538SAndroid Build Coastguard Worker ] 34*6777b538SAndroid Build Coastguard Worker build_utils.CheckOutput(zipalign_cmd, 35*6777b538SAndroid Build Coastguard Worker print_stdout=True, 36*6777b538SAndroid Build Coastguard Worker fail_on_output=warnings_as_errors) 37*6777b538SAndroid Build Coastguard Worker signer_input_path = staging_file.name 38*6777b538SAndroid Build Coastguard Worker else: 39*6777b538SAndroid Build Coastguard Worker signer_input_path = unsigned_apk_path 40*6777b538SAndroid Build Coastguard Worker 41*6777b538SAndroid Build Coastguard Worker sign_cmd = build_utils.JavaCmd() + [ 42*6777b538SAndroid Build Coastguard Worker '-jar', 43*6777b538SAndroid Build Coastguard Worker apksigner_path, 44*6777b538SAndroid Build Coastguard Worker 'sign', 45*6777b538SAndroid Build Coastguard Worker '--in', 46*6777b538SAndroid Build Coastguard Worker signer_input_path, 47*6777b538SAndroid Build Coastguard Worker '--out', 48*6777b538SAndroid Build Coastguard Worker staging_file.name, 49*6777b538SAndroid Build Coastguard Worker '--ks', 50*6777b538SAndroid Build Coastguard Worker key_path, 51*6777b538SAndroid Build Coastguard Worker '--ks-key-alias', 52*6777b538SAndroid Build Coastguard Worker key_name, 53*6777b538SAndroid Build Coastguard Worker '--ks-pass', 54*6777b538SAndroid Build Coastguard Worker 'pass:' + key_passwd, 55*6777b538SAndroid Build Coastguard Worker ] 56*6777b538SAndroid Build Coastguard Worker # V3 signing adds security niceties, which are irrelevant for local builds. 57*6777b538SAndroid Build Coastguard Worker sign_cmd += ['--v3-signing-enabled', 'false'] 58*6777b538SAndroid Build Coastguard Worker 59*6777b538SAndroid Build Coastguard Worker if min_sdk_version >= 24: 60*6777b538SAndroid Build Coastguard Worker # Disable v1 signatures when v2 signing can be used (it's much faster). 61*6777b538SAndroid Build Coastguard Worker # By default, both v1 and v2 signing happen. 62*6777b538SAndroid Build Coastguard Worker sign_cmd += ['--v1-signing-enabled', 'false'] 63*6777b538SAndroid Build Coastguard Worker else: 64*6777b538SAndroid Build Coastguard Worker # Force SHA-1 (makes signing faster; insecure is fine for local builds). 65*6777b538SAndroid Build Coastguard Worker # Leave v2 signing enabled since it verifies faster on device when 66*6777b538SAndroid Build Coastguard Worker # supported. 67*6777b538SAndroid Build Coastguard Worker sign_cmd += ['--min-sdk-version', '1'] 68*6777b538SAndroid Build Coastguard Worker 69*6777b538SAndroid Build Coastguard Worker logging.debug('Signing apk') 70*6777b538SAndroid Build Coastguard Worker build_utils.CheckOutput(sign_cmd, 71*6777b538SAndroid Build Coastguard Worker print_stdout=True, 72*6777b538SAndroid Build Coastguard Worker fail_on_output=warnings_as_errors) 73*6777b538SAndroid Build Coastguard Worker shutil.move(staging_file.name, final_apk_path) 74*6777b538SAndroid Build Coastguard Worker # TODO(crbug.com/1174969): Remove this once Python2 is obsoleted. 75*6777b538SAndroid Build Coastguard Worker if sys.version_info.major == 2: 76*6777b538SAndroid Build Coastguard Worker staging_file.delete = False 77*6777b538SAndroid Build Coastguard Worker else: 78*6777b538SAndroid Build Coastguard Worker staging_file._closer.delete = False 79