Support replacing AVB signing keys.
sign_target_files_apks.py now supports signing targets using verified
boot 2.0 (aka AVB). It allows replacing AVB signing keys for both of
chained and non-chained partitions.
An example command line looks as follows.
$ ./build/tools/releasetools/sign_target_files_apks.py \
--avb_vbmeta_key external/avb/test/data/testkey_rsa2048.pem \
--avb_vbmeta_algorithm SHA256_RSA2048 \
--avb_vbmeta_extra_args \
"--signing_helper_with_files ./signing-helper.sh" \
--avb_system_key external/avb/test/data/testkey_rsa4096.pem \
--avb_system_algorithm SHA256_RSA4096 \
--avb_system_extra_args \
"--signing_helper_with_files ./signing-helper.sh" \
product-target_files.eng.zip signed-product-target_files.zip
To verify the signed images:
$ unzip signed-product-target_files.zip IMAGES/\*
$ avbtool verify_image --image IMAGES/vbmeta.img \
--expected_chain_partition system:1:testkey_rsa4096_pub.pem \
--key external/avb/test/data/testkey_rsa2048.pem
Bug: 38315721
Test: sign_target_files_apks.py on AVB-enabled target w/ and w/o chained
partitions respectively. Check the signing command lines; validate
the signed images with 'avbtool verify_image'.
Change-Id: Ia009555b16ddb6d8ba6a0858d5ca7d983bbab887
1 file changed