#!/usr/bin/env python3
#
# publish.py - part of the FDroid server tools
# Copyright (C) 2010-13, Ciaran Gultnieks, ciaran@ciarang.com
# Copyright (C) 2013-2014 Daniel Martí <mvdan@mvdan.cc>
# Copyright (C) 2021 Felix C. Stegerman <flx@obfusk.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys
import os
import re
import shutil
import glob
import hashlib
from argparse import ArgumentParser
from collections import OrderedDict
import logging
from gettext import ngettext
import json
import time
import zipfile
from . import _
from . import common
from . import metadata
from .common import FDroidPopen
from .exception import BuildException, FDroidException
# Module-level state: both names are assigned in main(), `config` from
# common.read_config() and `options` from the parsed command line.
config = options = None
# Taken once when the module is loaded; handed to common.setup_status_output()
# when the status JSON is written.
start_timestamp = time.gmtime()
def publish_source_tarball(apkfilename, unsigned_dir, output_dir):
    """Move the matching source tarball, if there is one, into the output directory.

    The tarball name is built by cutting the last four characters (the
    file extension) off *apkfilename* and appending ``_src.tar.gz``.  If
    no such file exists in *unsigned_dir*, nothing is moved and only a
    debug message is logged.
    """
    src_name = apkfilename[:-4] + '_src.tar.gz'
    src_path = os.path.join(unsigned_dir, src_name)
    if not os.path.exists(src_path):
        logging.debug('...no source tarball for %s', apkfilename)
        return
    shutil.move(src_path, os.path.join(output_dir, src_name))
    logging.debug('...published %s', src_name)
def key_alias(appid):
    """Return the keystore alias of the signing key F-Droid uses for *appid*.

    By default the alias is the first 8 hex characters of the MD5 digest
    of the application ID.  An entry for *appid* in
    ``config['keyaliases']`` overrides that: a value starting with ``@``
    is hashed the same way (with the ``@`` stripped), any other value is
    returned unchanged as the alias.

    MD5 is only used to derive a short, stable name.  Because the alias
    is truncated to 8 hex characters, distinct app IDs can in principle
    map to the same alias; check_for_key_collisions() guards against that
    for the default aliases.
    """
    if config and 'keyaliases' in config and appid in config['keyaliases']:
        # For this particular app, the key alias is overridden...
        alias = config['keyaliases'][appid]
        if not alias.startswith('@'):
            return alias
        hash_input = alias[1:]
    else:
        hash_input = appid
    digest = hashlib.md5(hash_input.encode('utf-8'))  # nosec just used to generate a keyalias
    return digest.hexdigest()[:8]
def read_fingerprints_from_keystore():
    """Return the SHA-256 fingerprints of the keys in the keystore, keyed by alias.

    Runs ``keytool -list -v`` against ``config['keystore']`` and parses
    its output.  Each fingerprint is returned as lower-case hex with the
    colons removed.  Entries for which no alias or no SHA256 line is
    found are left out.

    Raises
    ------
    FDroidException
        if keytool exits with a non-zero return code
    """
    # The keystore password is handed over through the child's environment and
    # referenced with -storepass:env, so it is not part of the argument list.
    # LC_ALL is pinned, presumably so the labels matched below are not localized.
    keytool_env = {'LC_ALL': 'C.UTF-8', 'FDROID_KEY_STORE_PASS': config['keystorepass']}
    keytool_cmd = [
        config['keytool'],
        '-list',
        '-v',
        '-keystore',
        config['keystore'],
        '-storepass:env',
        'FDROID_KEY_STORE_PASS',
    ]
    if config['keystore'] == 'NONE':
        keytool_cmd += config['smartcardoptions']
    p = FDroidPopen(keytool_cmd, envs=keytool_env, output=False)
    if p.returncode != 0:
        raise FDroidException('could not read keystore {}'.format(config['keystore']))

    alias_re = re.compile('Alias name: (?P<alias>.+)' + os.linesep)
    # 95 characters = 64 hex digits of a SHA-256 value plus 31 separating colons.
    sha256_re = re.compile(r'\s+SHA256: (?P<sha256>[:0-9A-F]{95})' + os.linesep)
    # keytool output is split on two consecutive lines of 43 asterisks.
    entry_separator = ('*' * 43) + os.linesep + '*' * 43

    fps = {}
    for entry in p.output.split(entry_separator):
        alias_match = alias_re.search(entry)
        sha256_match = sha256_re.search(entry)
        if not (alias_match and sha256_match):
            continue
        fingerprint = sha256_match.group('sha256').replace(':', '').lower()
        fps[alias_match.group('alias')] = fingerprint
    return fps
def sign_sig_key_fingerprint_list(jar_file):
    """Sign the JAR that holds the list of app-signing key fingerprints.

    *jar_file* is signed in place by jarsigner with the key stored under
    ``config['repo_keyalias']``.  The signed list is used primarily by
    fdroid update to determine which APKs were built and signed by
    F-Droid and which ones were manually added by users.

    Raises
    ------
    FDroidException
        if jarsigner exits with a non-zero return code
    """
    # NOTE(review): both the digest and the signature algorithm are SHA-1
    # based.  SHA-1 is no longer considered collision resistant; presumably
    # it is kept for compatibility with existing verifiers - confirm before
    # changing, since whatever checks this JAR must accept the new algorithm.
    cmd = [
        config['jarsigner'],
        '-keystore', config['keystore'],
        '-storepass:env', 'FDROID_KEY_STORE_PASS',
        '-digestalg', 'SHA1',
        '-sigalg', 'SHA1withRSA',
        jar_file, config['repo_keyalias'],
    ]
    if config['keystore'] == 'NONE':
        cmd.extend(config['smartcardoptions'])
    else:  # smartcards never use -keypass
        cmd.extend(['-keypass:env', 'FDROID_KEY_PASS'])
    # Passwords are passed through the environment and referenced with the
    # ':env' option variants, keeping them out of the argument list.
    signer_env = {
        'FDROID_KEY_STORE_PASS': config['keystorepass'],
        'FDROID_KEY_PASS': config.get('keypass', ""),
    }
    p = common.FDroidPopen(cmd, envs=signer_env)
    if p.returncode != 0:
        raise FDroidException("Failed to sign '{}'!".format(jar_file))
def store_stats_fdroid_signing_key_fingerprints(appids, indent=None):
    """Write the signing-key fingerprints for the given appids to disk.

    For every app ID whose key alias is present in the keystore, the
    fingerprint is recorded as ``{'signer': <fingerprint>}``.  The mapping
    is serialized to ``publishsigkeys.json`` inside
    ``stats/publishsigkeys.jar`` (relative to the current directory), and
    that JAR is then signed.  *indent* is passed on to json.dumps().

    This list will later on be needed by fdroid update.
    """
    stats_dir = 'stats'
    if not os.path.exists(stats_dir):
        os.makedirs(stats_dir)

    keystore_fps = read_fingerprints_from_keystore()
    data = OrderedDict()
    # Sorted so that the JSON is written in a stable order.
    for appid in sorted(appids):
        alias = key_alias(appid)
        if alias in keystore_fps:
            data[appid] = {'signer': keystore_fps[alias]}

    jar_file = os.path.join(stats_dir, 'publishsigkeys.jar')
    payload = json.dumps(data, indent=indent)
    with zipfile.ZipFile(jar_file, 'w', zipfile.ZIP_DEFLATED) as jar:
        jar.writestr('publishsigkeys.json', payload)
    sign_sig_key_fingerprint_list(jar_file)
def status_update_json(generatedKeys, signedApks):
    """Write the status JSON with metadata about this publish run.

    Records the resolved paths of the configured signing tools, plus
    *generatedKeys* and *signedApks* when they are non-empty.
    """
    logging.debug(_('Outputting JSON'))
    output = common.setup_status_output(start_timestamp)
    # shutil.which() yields None for a tool that cannot be resolved.
    for tool in ('apksigner', 'jarsigner', 'keytool'):
        output[tool] = shutil.which(config.get(tool, ''))
    optional_entries = (('generatedKeys', generatedKeys), ('signedApks', signedApks))
    for key, value in optional_entries:
        if value:
            output[key] = value
    common.write_status_json(output)
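def check_for_key_collisions(allapps):
    """Make sure there's no collision in keyaliases from apps.

    It was suggested at
    https://dev.guardianproject.info/projects/bazaar/wiki/FDroid_Audit
    that a package could be crafted, such that it would use the same signing
    key as an existing app. While it may be theoretically possible for such a
    colliding package ID to be generated, it seems virtually impossible that
    the colliding ID would be something that would be a) a valid package ID,
    and b) a sane-looking ID that would make its way into the repo.
    Nonetheless, to be sure, before publishing we check that there are no
    collisions, and refuse to do any publishing if that's the case.

    Only the default alias (the first 8 hex characters of the MD5 digest of
    the app ID) is compared here; aliases overridden through
    ``config['keyaliases']`` are not consulted by this check.

    Parameters
    ----------
    allapps
        a dict of all apps to process

    Returns
    -------
    a list of all aliases corresponding to allapps
    """
    allaliases = []
    # Membership is tested against a set so the check stays linear in the
    # number of apps; the list keeps the order callers receive.
    seen = set()
    for appid in allapps:
        m = hashlib.md5()  # nosec just used to generate a keyalias
        m.update(appid.encode('utf-8'))
        keyalias = m.hexdigest()[:8]
        if keyalias in seen:
            # Fail closed: two app IDs must never end up sharing a signing key.
            logging.error(_("There is a keyalias collision - publishing halted"))
            sys.exit(1)
        seen.add(keyalias)
        allaliases.append(keyalias)
    return allaliases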
def create_key_if_not_existing(keyalias):
    """Ensure a signing key with the given keyalias exists.

    The keystore is first queried for *keyalias* with ``keytool -list``.
    If that fails, a new 2048-bit RSA key with a validity of 10000 days
    is generated under that alias.

    Returns
    -------
    boolean
        True if a new key was created, False otherwise

    Raises
    ------
    BuildException
        if keytool fails to generate the key
    """
    # Passwords go through the environment and are referenced with the
    # ':env' option variants, keeping them out of the argument list.
    env_vars = {
        'LC_ALL': 'C.UTF-8',
        'FDROID_KEY_STORE_PASS': config['keystorepass'],
        'FDROID_KEY_PASS': config.get('keypass', ""),
    }

    # See if we already have a key for this application...
    probe_cmd = [
        config['keytool'],
        '-list',
        '-alias', keyalias,
        '-keystore', config['keystore'],
        '-storepass:env', 'FDROID_KEY_STORE_PASS',
    ]
    if config['keystore'] == 'NONE':
        probe_cmd += config['smartcardoptions']
    if FDroidPopen(probe_cmd, envs=env_vars).returncode == 0:
        return False

    # ...and if not generate one.
    # NOTE(review): every non-zero exit of the query above is taken to mean
    # "alias missing"; other keytool failures are not told apart here and
    # also lead to the generation attempt below.
    logging.info("Key does not exist - generating...")
    gen_cmd = [
        config['keytool'],
        '-genkey',
        '-keystore', config['keystore'],
        '-alias', keyalias,
        '-keyalg', 'RSA',
        '-keysize', '2048',
        '-validity', '10000',
        '-storepass:env', 'FDROID_KEY_STORE_PASS',
        '-dname', config['keydname'],
    ]
    if config['keystore'] == 'NONE':
        gen_cmd += config['smartcardoptions']
    else:
        gen_cmd += ['-keypass:env', 'FDROID_KEY_PASS']
    p = FDroidPopen(gen_cmd, envs=env_vars)
    if p.returncode != 0:
        raise BuildException("Failed to generate key", p.output)
    return True
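def main():
    """Sign and publish the APKs and ZIPs waiting in the ``unsigned`` directory.

    Each file is handled in one of three ways:

    * apps with ``Binaries`` set: the locally built APK is compared against
      the developer's reference binary, and the reference binary is
      published only if the comparison reports no difference;
    * ``.zip`` files: moved into the repo without signing;
    * everything else: if developer signature files are present in the
      metadata, an APK carrying those signatures is prepared and verified;
      unless that verification fails, the APK is then signed with the
      F-Droid key for the app (generated on demand) and published.

    Afterwards the signed list of signing-key fingerprints and the status
    JSON are written.  The process exits with status 1 on configuration
    errors, on a key alias collision, or when a file without metadata is
    found in the unsigned directory.
    """
    global config, options

    # Parse command line...
    parser = ArgumentParser(
        usage="%(prog)s [options] " "[APPID[:VERCODE] [APPID[:VERCODE] ...]]"
    )
    common.setup_global_opts(parser)
    parser.add_argument(
        "appid",
        nargs='*',
        help=_("application ID with optional versionCode in the form APPID[:VERCODE]"),
    )
    metadata.add_metadata_arguments(parser)
    options = parser.parse_args()
    metadata.warnings_action = options.W

    config = common.read_config(options)

    if not ('jarsigner' in config and 'keytool' in config):
        logging.critical(
            _('Java JDK not found! Install in standard location or set java_paths!')
        )
        sys.exit(1)

    common.assert_config_keystore(config)

    log_dir = 'logs'
    if not os.path.isdir(log_dir):
        logging.info(_("Creating log directory"))
        os.makedirs(log_dir)

    tmp_dir = 'tmp'
    if not os.path.isdir(tmp_dir):
        logging.info(_("Creating temporary directory"))
        os.makedirs(tmp_dir)

    output_dir = 'repo'
    if not os.path.isdir(output_dir):
        logging.info(_("Creating output directory"))
        os.makedirs(output_dir)

    unsigned_dir = 'unsigned'
    if not os.path.isdir(unsigned_dir):
        logging.warning(_("No unsigned directory - nothing to do"))
        sys.exit(1)
    binaries_dir = os.path.join(unsigned_dir, 'binaries')

    # 'NONE' selects the smartcard options instead of a keystore file.
    if config['keystore'] != "NONE" and not os.path.exists(config['keystore']):
        logging.error("Config error - missing '{0}'".format(config['keystore']))
        sys.exit(1)

    allapps = metadata.read_metadata()
    vercodes = common.read_pkg_args(options.appid, True)
    common.get_metadata_files(vercodes)  # only check appids
    signed_apks = dict()
    generated_keys = dict()
    # Exits before anything is signed if two app IDs map to the same alias.
    allaliases = check_for_key_collisions(allapps)
    logging.info(
        ngettext(
            '{0} app, {1} key aliases', '{0} apps, {1} key aliases', len(allapps)
        ).format(len(allapps), len(allaliases))
    )

    # Process any APKs or ZIPs that are waiting to be signed...
    for apkfile in sorted(
        glob.glob(os.path.join(unsigned_dir, '*.apk'))
        + glob.glob(os.path.join(unsigned_dir, '*.zip'))
    ):

        appid, vercode = common.publishednameinfo(apkfile)
        apkfilename = os.path.basename(apkfile)
        if vercodes and appid not in vercodes:
            continue
        if appid in vercodes and vercodes[appid]:
            if vercode not in vercodes[appid]:
                continue
        logging.info(_("Processing {apkfilename}").format(apkfilename=apkfile))

        # There ought to be valid metadata for this app, otherwise why are we
        # trying to publish it?
        if appid not in allapps:
            logging.error(
                "Unexpected {0} found in unsigned directory".format(apkfilename)
            )
            sys.exit(1)
        app = allapps[appid]

        if app.Binaries:

            # It's an app where we build from source, and verify the apk
            # contents against a developer's binary, and then publish their
            # version if everything checks out.
            # The binary should already have been retrieved during the build
            # process.

            # Build the reference path from the base name.  Substituting the
            # directory with str.replace() on the whole path would also
            # rewrite any occurrence of the directory name inside the file
            # name itself and point at a path that does not exist.
            srcapk = os.path.join(
                binaries_dir, re.sub(r'\.apk$', '.binary.apk', apkfilename)
            )

            if not os.path.isfile(srcapk):
                logging.error("...reference binary missing - publish skipped: "
                              "'{refpath}'".format(refpath=srcapk))
            else:
                # Compare our unsigned one with the downloaded one...
                compare_result = common.verify_apks(srcapk, apkfile, tmp_dir)
                if compare_result:
                    logging.error("...verification failed - publish skipped : "
                                  "{result}".format(result=compare_result))
                else:
                    # Success! So move the downloaded file to the repo, and remove
                    # our built version.
                    shutil.move(srcapk, os.path.join(output_dir, apkfilename))
                    os.remove(apkfile)

                    publish_source_tarball(apkfilename, unsigned_dir, output_dir)
                    logging.info('Published ' + apkfilename)

        elif apkfile.endswith('.zip'):

            # OTA ZIPs built by fdroid do not need to be signed by jarsigner,
            # just to be moved into place in the repo
            shutil.move(apkfile, os.path.join(output_dir, apkfilename))
            publish_source_tarball(apkfilename, unsigned_dir, output_dir)
            logging.info('Published ' + apkfilename)

        else:

            # It's a 'normal' app, i.e. we sign and publish it...
            skipsigning = False

            # First we handle signatures for this app from local metadata
            signingfiles = common.metadata_find_developer_signing_files(appid, vercode)
            if signingfiles:
                # There's a signature of the app developer present in our
                # metadata. This means we're going to prepare both a locally
                # signed APK and a version signed with the developers key.

                signature_file, _ignored, manifest, v2_files = signingfiles

                with open(signature_file, 'rb') as f:
                    devfp = common.signer_fingerprint_short(
                        common.get_certificate(f.read())
                    )
                devsigned = '{}_{}_{}.apk'.format(appid, vercode, devfp)
                devsignedtmp = os.path.join(tmp_dir, devsigned)

                common.apk_implant_signatures(apkfile, devsignedtmp, manifest=manifest)
                # Only an APK whose implanted signature verifies reaches the
                # repo; otherwise it is discarded and local signing is skipped.
                if common.verify_apk_signature(devsignedtmp):
                    shutil.move(devsignedtmp, os.path.join(output_dir, devsigned))
                else:
                    os.remove(devsignedtmp)
                    logging.error('...verification failed - skipping: %s', devsigned)
                    skipsigning = True

            # Now we sign with the F-Droid key.
            if not skipsigning:
                keyalias = key_alias(appid)
                logging.info("Key alias: " + keyalias)

                if create_key_if_not_existing(keyalias):
                    generated_keys[appid] = keyalias

                # Never overwrite a file that is already published.
                signed_apk_path = os.path.join(output_dir, apkfilename)
                if os.path.exists(signed_apk_path):
                    raise BuildException("Refusing to sign '{0}' file exists in both "
                                         "{1} and {2} folder.".format(apkfilename,
                                                                      unsigned_dir,
                                                                      output_dir))

                # Sign and zipalign the application...
                common.sign_apk(apkfile, signed_apk_path, keyalias)
                if appid not in signed_apks:
                    signed_apks[appid] = []
                signed_apks[appid].append({"keyalias": keyalias, "filename": apkfile})

                publish_source_tarball(apkfilename, unsigned_dir, output_dir)
                logging.info('Published ' + apkfilename)

    store_stats_fdroid_signing_key_fingerprints(allapps.keys())
    status_update_json(generated_keys, signed_apks)
    logging.info('published list signing-key fingerprints')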
# Run the publish step when this module is executed as a script.
if __name__ == "__main__":
    main()