From 23c38114e52535818c8b4dcfe6c21d945fff29ca Mon Sep 17 00:00:00 2001 From: "Randall E. Barker" Date: Thu, 7 Nov 2019 11:33:28 -0800 Subject: [PATCH] Support v1 signing for Oculus Go APK --- .taskcluster.yml | 3 +- tools/taskcluster/sign_apk.py | 56 ++++++++++++++++++++++++++++------- 2 files changed, 47 insertions(+), 12 deletions(-) diff --git a/.taskcluster.yml b/.taskcluster.yml index a98744c11f..635d01715a 100644 --- a/.taskcluster.yml +++ b/.taskcluster.yml @@ -143,7 +143,8 @@ tasks: && cp tools/gradle/taskcluster.properties ./user.properties && ./gradlew --no-daemon --console=plain clean `python tools/taskcluster/build_targets.py ${event.release.tag_name}` && python tools/taskcluster/fetch_secret.py -s project/firefoxreality/fr/release-signing-token -o token -n token - && python tools/taskcluster/sign_apk.py -t token -r + && python tools/taskcluster/fetch_secret.py -s project/firefoxreality/fr/staging-signing-token -o v1token -n v1 + && python tools/taskcluster/sign_apk.py -t token -c v1token -r && python tools/taskcluster/archive_debug_apk.py && . tools/taskcluster/upload_symbols.sh artifacts: diff --git a/tools/taskcluster/sign_apk.py b/tools/taskcluster/sign_apk.py index 4af2747416..902dfd6f1f 100644 --- a/tools/taskcluster/sign_apk.py +++ b/tools/taskcluster/sign_apk.py @@ -11,20 +11,28 @@ import subprocess import sys +v1_platforms = { + 'oculusvr3dofstore', +} + def main(name, argv): token = '' + v1_token = '' sign_url = 'https://edge.stage.autograph.services.mozaws.net/sign' release = False - feature_name = "" + feature_name = '' try: - opts, args = getopt.getopt(argv,"hrt:f:") + opts, args = getopt.getopt(argv,"hrt:c:f:") except getopt.GetoptError: - print name + ' -t -r -f ' + print name + ' -t -c -r -f ' sys.exit(2) for opt, arg in opts: if opt == '-h': - print name + ' -t -r -f ' + print name + ' -t -c -r -f ' sys.exit() + elif opt in ("-c"): + with open(arg, 'r') as tokenfile: + v1_token = tokenfile.read().rstrip() elif opt in ("-t"): with open(arg, 'r') as tokenfile: token = tokenfile.read().rstrip() @@ -34,8 +42,11 @@ def main(name, argv): elif opt in ('-f'): feature_name = arg.replace('/','-') + '-' + if not release and v1_token != '': + print "Warning, v1 signing is only supported in production" build_output_path = './app/build/outputs/apk' + # Create folder for saving build artifacts artifacts_path = './builds' if not os.path.exists(artifacts_path): @@ -43,21 +54,44 @@ def main(name, argv): # Sign APKs for apk in glob.glob(build_output_path + "/*/*/*-unsigned.apk"): + print "=" * 80 + cred = token target = apk.replace('-unsigned', '-signed') + align = False + if not release: target = target.replace('-release-', '-staging-' + feature_name) + else: + for platform in v1_platforms: + if platform in target.lower(): + print "Using v1 signing on target:", target + cred = v1_token + align = True + print "Signing", apk print "Target ", target - print subprocess.check_output([ - "curl", - "-F", "input=@" + apk, - "-o", target, - "-H", "Authorization: " + token, - sign_url]) + cmd = ["curl", "-F", "input=@" + apk, "-o", target, "-H", "Authorization: " + cred, sign_url] + + try: + print subprocess.check_output(cmd) + except subprocess.CalledProcessError as err: + cmd = ' '.join(err.cmd).replace(cred, "XXX") + print "Signing apk failed:", cmd + print "Output:", err.output + sys.exit(err.returncode) + + if align: + split = os.path.splitext(target) + orig = target; + target = split[0] + "-aligned" + split[1] + print subprocess.check_output(["zipalign", "-f", "-v", "-p", "4", orig, target]) + print "Verifying", target - print subprocess.check_output(['apksigner', 'verify', target]) + print subprocess.check_output(['apksigner', 'verify', '--verbose', target]) print "Archiving", target os.rename(target, artifacts_path + "/" + os.path.basename(target)) + print "=" * 80 + print "Done Signing" if __name__ == "__main__": main(sys.argv[0], sys.argv[1:])