add signed data for files inside of build_tools.zip

Signed-off-by: lidanyang <lidanyang12@huawei.com>

create_signed_data.py

@@ -0,0 +1,57 @@
+import hashlib
+from build_pkcs7 import BLCOK_SIZE, sign_digest
+from log_exception import UPDATE_LOGGER
+from base64 import b64encode
+
+MAX_SIGN_FILE_NUM = 32
+
+def sign_func(sign_file, private_key_file):
+    """
+    sign one file with private key
+    :param sign_file: path of file ready to be signed
+    :param private_key_file: private key path, ex. rsa_private_key2048.pem
+    :return: base64 code of the signature
+    """
+    hash_sha256 = hashlib.sha256()
+    with open(sign_file, 'rb') as file:
+        while chunk := file.read(BLCOK_SIZE):
+            hash_sha256.update(chunk)
+    signature = sign_digest(hash_sha256.digest(), private_key_file)
+    return str(b64encode(signature).decode("ascii"))
+
+#
+# hash signed data format:
+#
+# name: build_tools/updater_binary
+# signed-data: xxxxxxx
+#
+# name: build_tools/updater_binary
+# signed-data: xxxxxxx
+#
+# ....
+#
+def generate_signed_data(file_lists, sign_func, private_key_file):
+    """
+    get hash signed data of file lists, hash signed data format:
+    name: build_tools/updater_binary
+    signed-data: xxxxxxx
+    
+    name: build_tools/updater_binary
+    signed-data: xxxxxxx
+    
+    ....
+    :param file_lists: path list of file ready to be signed, list item contains file_path and name_in_signed_data
+    :param sign_func: signature function, ex. sign_func
+    :param private_key_file: private key path, ex. rsa_private_key2048.pem
+    :return: hash signed data of the file_lists
+    """
+    if not sign_func:
+        UPDATE_LOGGER.print_log("please provide a sign function", log_type=UPDATE_LOGGER.ERROR_LOG)
+        return None
+
+    if len(file_lists) > MAX_SIGN_FILE_NUM:
+        UPDATE_LOGGER.print_log("signed file can't be more than %d" % MAX_SIGN_FILE_NUM,
+            log_type=UPDATE_LOGGER.ERROR_LOG)
+        return None
+    return "\n".join([ "name: {}\nsigned-data: {}\n".format(
+        name, sign_func(file, private_key_file)) for (file, name) in file_lists ])

update_package.py

@@ -43,6 +43,8 @@ from utils import SIGN_PACKAGE_EVENT
 from create_update_package import CreatePackage
 from create_update_package import SIGN_ALGO_RSA
 from create_update_package import SIGN_ALGO_PSS
+from create_signed_data import sign_func
+from create_signed_data import generate_signed_data
 
 IS_DEL = 0
 SIGNING_LENGTH_256 = 256
@@ -357,21 +359,26 @@ def create_build_tools_zip():
 
     file_obj = tempfile.NamedTemporaryFile(
         dir=OPTIONS_MANAGER.update_package, prefix="build_tools-")
+    files_to_sign = []
     zip_file = zipfile.ZipFile(file_obj.name, 'w', zipfile.ZIP_DEFLATED)
     # add opera_script to build_tools.zip
     for key, value in opera_script_dict.items():
         zip_file.write(key, value)
+        files_to_sign += [(key, "build_tools/" + value)]
 
     # add update_binary to build_tools.zip
     zip_file.write(update_exe_path, UPDATE_EXE_FILE_NAME)
+    files_to_sign += [(update_exe_path, "build_tools/" + UPDATE_EXE_FILE_NAME)]
 
     # add loadScript to build_tools.zip
     zip_file.write(total_script_file_obj.name, TOTAL_SCRIPT_FILE_NAME)
-
+    files_to_sign += [(total_script_file_obj.name, "build_tools/" + TOTAL_SCRIPT_FILE_NAME)]
     if OPTIONS_MANAGER.register_script_file_obj is not None:
         zip_file.write(register_script_file_obj.name, REGISTER_SCRIPT_FILE_NAME)
+        files_to_sign += [(register_script_file_obj.name, "build_tools/" + REGISTER_SCRIPT_FILE_NAME)]
+    signed_data = generate_signed_data(files_to_sign, sign_func, OPTIONS_MANAGER.private_key)
+    zip_file.writestr("hash_signed_data", signed_data)
     zip_file.close()
-
     return file_obj