[Replicant] [build] [PATCH v4] Recovery: Remove check for matching application signatures with their data

Denis 'GNUtoo' Carikli GNUtoo at cyberdimension.org
Thu Oct 8 15:19:41 UTC 2020


The applications built from Replicant are signed with a key that is
generated during the build procedure. The issue is that the data of an
application becomes inaccessible to it if the application signature changes.
This affects all the applications built and signed during the build
of Replicant images, which includes all system applications.

This is why, during the installation of a new Replicant version, the
otasigcheck.sh script is run: it verifies whether the application signatures
expected by the applications' data match the signatures of the new
applications that are part of the new Replicant image being installed.

Without this check, users installing a new Replicant minor version (like
Replicant 6.0 0004) and keeping the data from the previous minor version
(like Replicant 6.0 0003) with a key that changed will see at least some
system applications, like the launcher, crash as they will not be able to
access their data.

If the check detects an incompatibility, on a Galaxy SIII (GT-I9300), the
installation aborts and the following message is displayed on the screen:
  detected filesystem ext4 for /dev/block/mmcblk0p12
  Can't install this package on top of incompatible data. Ples
  se try another package or run a factory test
  E:Failed to install /sideload/package.zip
  E:Please take note of all the above lines for reports.

This design has several issues:
- You cannot upgrade between Replicant minor versions if the keys signing
  the applications shipped in the new version changed. This is really
  problematic as, to upgrade, users need to delete all their application
  data and recreate it from scratch, which is very time consuming.
  With frequent updates that would become far too time consuming.
- It is also very fragile: if the data partition is encrypted,
  otasigcheck.sh cannot do the check, and the check is skipped completely,
  with the consequences explained before (the system applications end up
  not being able to access their data).

To fix that:
- This patch removes the call to otasigcheck.sh during the installation
  of new Replicant versions.
- otasigcheck.sh will be removed in the vendor_replicant repository.
- A new script (key-migration.sh) will be added to the vendor_replicant
  repository. It will take care of migrating the applications' data to
  the new keys during the first boot (that is, after the data partition
  has been mounted).
- A Python script generating this key-migration.sh script will be added
  to the vendor_replicant-scripts repository to enable users and developers
  to generate a key-migration.sh script with the keys they want. This
  should make downgrades easier, as key-migration.sh could also be run
  manually in the recovery, and also make the migration to self-built images
  much easier.

Also, the otasigcheck.sh script has already been removed in LineageOS 17.1
by the following commit in vendor/lineage:
  commit 95621f3c73b94a87ca4528748535bb114ae1613f
  Author: Michael Bestas <mkbestas at lineageos.org>
  Date:   Sat Aug 4 17:46:35 2018 +0300

      Revert "ota: Validate any installed data's signature against our own"

      * otasigcheck doesn't work on encrypted devices and makes
        the zip installation fail since oreo.
      * The build part of this was never ported to oreo.

      This reverts commit aff5e54c4ef5fec7e67e830f83ee64424005d07c.

      Change-Id: I411f33c1db64844091c1692ef4706ae541925d4f

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo at cyberdimension.org>
---
 tools/releasetools/edify_generator.py       | 5 -----
 tools/releasetools/ota_from_target_files.py | 9 ---------
 2 files changed, 14 deletions(-)

diff --git a/tools/releasetools/edify_generator.py b/tools/releasetools/edify_generator.py
index 8ecc55127..b5a0cb085 100644
--- a/tools/releasetools/edify_generator.py
+++ b/tools/releasetools/edify_generator.py
@@ -150,11 +150,6 @@ class EdifyGenerator(object):
   def RunBackup(self, command):
     self.script.append(('run_program("/tmp/install/bin/backuptool.sh", "%s");' % command))
 
-  def ValidateSignatures(self, command):
-    self.script.append('package_extract_file("META-INF/org/replicant/releasekey", "/tmp/releasekey");')
-    # Exit code 124 == abort. run_program returns raw, so left-shift 8bit
-    self.script.append('run_program("/tmp/install/bin/otasigcheck.sh") != "31744" || abort("Can\'t install this package on top of incompatible data. Please try another package or run a factory reset");')
-
   def ShowProgress(self, frac, dur):
     """Update the progress bar, advancing it over 'frac' over the next
     'dur' seconds.  'dur' may be zero to advance it via SetProgress
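Review bot: deleting ValidateSignatures() here assumes the call in ota_from_target_files.py is its only caller; any device tree or other releasetools script that still calls script.ValidateSignatures() will now fail with an AttributeError at OTA generation time, so grep the build and device repositories for other callers before merging. The removed lines were also the only place the edify script extracted META-INF/org/replicant/releasekey to /tmp/releasekey; since the removal of /tmp/install/bin/otasigcheck.sh from vendor_replicant is listed as future work, the script stays in the zip as dead weight until that follow-up lands.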
diff --git a/tools/releasetools/ota_from_target_files.py b/tools/releasetools/ota_from_target_files.py
index dbc416648..925fe878f 100755
--- a/tools/releasetools/ota_from_target_files.py
+++ b/tools/releasetools/ota_from_target_files.py
@@ -637,15 +637,6 @@ else if get_stage("%(bcb_dev)s") == "3/3" then
   if HasVendorPartition(input_zip):
     system_progress -= 0.1
 
-  if not OPTIONS.wipe_user_data:
-    script.AppendExtra("if is_mounted(\"/data\") then")
-    script.ValidateSignatures("data")
-    script.AppendExtra("else")
-    script.Mount("/data")
-    script.ValidateSignatures("data")
-    script.Unmount("/data")
-    script.AppendExtra("endif;")
-
   if "selinux_fc" in OPTIONS.info_dict:
     WritePolicyConfig(OPTIONS.info_dict["selinux_fc"], output_zip)
 
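Review bot: with this block gone, nothing in the generated script guards against installing over data written under a different release key, and the commit message says the replacement (key-migration.sh on first boot) is still to be added in vendor_replicant. Until it lands, OTAs built from this tree install silently and hit the launcher crash the message describes, so either merge the vendor_replicant change first or state the ordering dependency in the commit message. The wipe_user_data path is unaffected since the check was already skipped under `if not OPTIONS.wipe_user_data:`, and dropping the Mount("/data")/Unmount("/data") pair means the install script no longer touches /data at all, which is what makes the encrypted-data case consistent.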
-- 
2.28.0
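The check the commit message describes, rebuilt as an added example in Python. This is not otasigcheck.sh, not the planned key-migration.sh, and not code from Replicant or LineageOS: it walks a constructed packages.xml, resolves certificate index references, and lists the image packages whose recorded signer no longer signs anything in the new image, while leaving third-party apps under /data/app alone. The packages.xml layout, the code-path prefixes and the certificate values are assumptions for illustration; the status helper only restates the 124 << 8 == 31744 relation from the removed edify_generator.py lines.

```python
"""Which image packages would lose access to their data after a key change?

Added example for this thread; it is not Replicant's otasigcheck.sh nor the
planned key-migration.sh. It assumes the /data/system/packages.xml layout
sketched below (PackageManager's <package>/<sigs>/<cert> serialisation, with
the certificate hex given on a cert's first occurrence and referenced by index
afterwards) and uses constructed placeholder certificates, not real keys.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample packages.xml. Certificates are short placeholders, not
# real DER: "...aa" stands for the old release key, "...bb" for the platform
# key, "...dd" for a third-party developer key.
SAMPLE_PACKAGES_XML = """<packages>
  <package name="org.example.launcher" codePath="/system/priv-app/Launcher">
    <sigs count="1"><cert index="0" key="30820100aa"/></sigs>
  </package>
  <package name="org.example.settings" codePath="/system/priv-app/Settings">
    <sigs count="1"><cert index="1" key="30820100bb"/></sigs>
  </package>
  <package name="org.example.browser" codePath="/system/app/Browser">
    <sigs count="1"><cert index="0"/></sigs>
  </package>
  <package name="com.example.thirdparty" codePath="/data/app/com.example.thirdparty-1">
    <sigs count="1"><cert index="2" key="30820100dd"/></sigs>
  </package>
</packages>"""

# Partitions whose packages are re-signed by an OTA (assumption). Apps under
# /data/app keep their own signer and are not affected by a release-key change.
IMAGE_CODE_PATH_PREFIXES = ("/system/", "/vendor/", "/product/")


def fingerprint(cert_hex):
    """SHA-256 hex digest of the DER certificate bytes stored in packages.xml."""
    return hashlib.sha256(bytes.fromhex(cert_hex)).hexdigest()


def parse_package_signers(xml_text):
    """Map package name -> (codePath, [signer fingerprints]).

    Resolves <cert index="N"/> references to the earlier <cert index="N" key=...>
    definition, which is how the file avoids repeating certificates.
    """
    certs_by_index = {}
    packages = {}
    for pkg in ET.fromstring(xml_text).iter("package"):
        signers = []
        for cert in pkg.iter("cert"):
            idx, key = cert.get("index"), cert.get("key")
            if key is not None:
                certs_by_index[idx] = fingerprint(key)
            if idx not in certs_by_index:
                raise ValueError(f"cert index {idx} referenced before it was defined")
            signers.append(certs_by_index[idx])
        packages[pkg.get("name")] = (pkg.get("codePath", ""), signers)
    return packages


def incompatible_packages(xml_text, new_image_signers):
    """Sorted names of image packages whose recorded signers all vanish in the new image.

    new_image_signers: set of fingerprints of every key that signs apps in the
    OTA being installed (release key, platform key, ...). A package installed
    from the image whose data was created under a certificate that signs
    nothing in the new image would no longer be able to read that data.
    """
    broken = []
    for name, (code_path, signers) in parse_package_signers(xml_text).items():
        if not code_path.startswith(IMAGE_CODE_PATH_PREFIXES):
            continue  # not re-signed by the OTA, leave it alone
        if signers and not any(s in new_image_signers for s in signers):
            broken.append(name)
    return sorted(broken)


def edify_run_program_status(exit_code):
    """Value edify's run_program() yields for a script exit code.

    run_program returns the raw wait status, i.e. the exit code shifted left
    by 8 bits, which is why the removed generator compared against "31744"
    for otasigcheck.sh's abort code 124.
    """
    return exit_code << 8


if __name__ == "__main__":
    old_release, platform, new_release = (
        fingerprint(h) for h in ("30820100aa", "30820100bb", "30820100cc")
    )
    print("same keys:   ", incompatible_packages(SAMPLE_PACKAGES_XML, {old_release, platform}))
    print("rotated key: ", incompatible_packages(SAMPLE_PACKAGES_XML, {new_release, platform}))
    print("abort status:", edify_run_program_status(124))
```

Run against a real /data/system/packages.xml pulled from a device, with the fingerprints of the new image's signing certificates, it reports the set of packages a first-boot key migration would have to handle; the third-party package in the sample is deliberately left out of the result.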