third_party/libwebrtc/build/android/gyp/finalize_apk.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78

# Copyright 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Signs and aligns an APK."""

import argparse
import logging
import shutil
import subprocess
import sys
import tempfile

from util import build_utils


def FinalizeApk(apksigner_path,
                zipalign_path,
                unsigned_apk_path,
                final_apk_path,
                key_path,
                key_passwd,
                key_name,
                min_sdk_version,
                warnings_as_errors=False):
  # Use a tempfile so that Ctrl-C does not leave the file with a fresh mtime
  # and a corrupted state.
  with tempfile.NamedTemporaryFile() as staging_file:
    if zipalign_path:
      # v2 signing requires that zipalign happen first.
      logging.debug('Running zipalign')
      zipalign_cmd = [
          zipalign_path, '-p', '-f', '4', unsigned_apk_path, staging_file.name
      ]
      build_utils.CheckOutput(zipalign_cmd,
                              print_stdout=True,
                              fail_on_output=warnings_as_errors)
      signer_input_path = staging_file.name
    else:
      signer_input_path = unsigned_apk_path

    sign_cmd = build_utils.JavaCmd(warnings_as_errors) + [
        '-jar',
        apksigner_path,
        'sign',
        '--in',
        signer_input_path,
        '--out',
        staging_file.name,
        '--ks',
        key_path,
        '--ks-key-alias',
        key_name,
        '--ks-pass',
        'pass:' + key_passwd,
    ]
    # V3 signing adds security niceties, which are irrelevant for local builds.
    sign_cmd += ['--v3-signing-enabled', 'false']

    if min_sdk_version >= 24:
      # Disable v1 signatures when v2 signing can be used (it's much faster).
      # By default, both v1 and v2 signing happen.
      sign_cmd += ['--v1-signing-enabled', 'false']
    else:
      # Force SHA-1 (makes signing faster; insecure is fine for local builds).
      # Leave v2 signing enabled since it verifies faster on device when
      # supported.
      sign_cmd += ['--min-sdk-version', '1']

    logging.debug('Signing apk')
    build_utils.CheckOutput(sign_cmd,
                            print_stdout=True,
                            fail_on_output=warnings_as_errors)
    shutil.move(staging_file.name, final_apk_path)
    # TODO(crbug.com/1174969): Remove this once Python2 is obsoleted.
    if sys.version_info.major == 2:
      staging_file.delete = False
    else:
      staging_file._closer.delete = False