#!/usr/bin/env python
#
# Copyright (C) 2008 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

"""
Signs all the APK files in a target-files zipfile, producing a new
target-files zip.

Usage:  sign_target_files_apks [flags] input_target_files output_target_files

  -s  (--signapk_jar)  <path>
      Path of the signapks.jar file used to sign an individual APK
      file.

  -e  (--extra_apks)  <name,name,...=key>
      Add extra APK name/key pairs as though they appeared in
      apkcerts.txt (so mappings specified by -k and -d are applied).
      Keys specified in -e override any value for that app contained
      in the apkcerts.txt file.  Option may be repeated to give
      multiple extra packages.

  -k  (--key_mapping)  <src_key=dest_key>
      Add a mapping from the key name as specified in apkcerts.txt (the
      src_key) to the real key you wish to sign the package with
      (dest_key).  Option may be repeated to give multiple key
      mappings.

  -d  (--default_key_mappings)  <dir>
      Set up the following key mappings:

        build/target/product/security/testkey   ==>  $dir/releasekey
        build/target/product/security/media     ==>  $dir/media
        build/target/product/security/shared    ==>  $dir/shared
        build/target/product/security/platform  ==>  $dir/platform

      -d and -k options are added to the set of mappings in the order
      in which they appear on the command line.
"""

import sys

if sys.hexversion < 0x02040000:
  print >> sys.stderr, "Python 2.4 or newer is required."
  sys.exit(1)

import os
import re
import subprocess
import tempfile
import zipfile

import common

OPTIONS = common.OPTIONS

OPTIONS.extra_apks = {}
OPTIONS.key_map = {}


def GetApkCerts(tf_zip):
  certmap = {}
  for line in tf_zip.read("META/apkcerts.txt").split("\n"):
    line = line.strip()
    if not line: continue
    m = re.match(r'^name="(.*)"\s+certificate="(.*)\.x509\.pem"\s+'
                 r'private_key="\2\.pk8"$', line)
    if not m:
      raise SigningError("failed to parse line from apkcerts.txt:\n" + line)
    certmap[m.group(1)] = OPTIONS.key_map.get(m.group(2), m.group(2))
  for apk, cert in OPTIONS.extra_apks.iteritems():
    certmap[apk] = OPTIONS.key_map.get(cert, cert)
  return certmap


def SignApk(data, keyname, pw):
  unsigned = tempfile.NamedTemporaryFile()
  unsigned.write(data)
  unsigned.flush()

  signed = tempfile.NamedTemporaryFile()

  common.SignFile(unsigned.name, signed.name, keyname, pw, align=4)

  data = signed.read()
  unsigned.close()
  signed.close()

  return data


def SignApks(input_tf_zip, output_tf_zip):
  apk_key_map = GetApkCerts(input_tf_zip)

  key_passwords = common.GetKeyPasswords(set(apk_key_map.values()))

  maxsize = max([len(os.path.basename(i.filename))
                 for i in input_tf_zip.infolist()
                 if i.filename.endswith('.apk')])

  for info in input_tf_zip.infolist():
    data = input_tf_zip.read(info.filename)
    if info.filename.endswith(".apk"):
      name = os.path.basename(info.filename)
      key = apk_key_map.get(name, None)
      if key is not None:
        print "signing: %-*s (%s)" % (maxsize, name, key)
        signed_data = SignApk(data, key, key_passwords[key])
        output_tf_zip.writestr(info, signed_data)
      else:
        # an APK we're not supposed to sign.
        print "skipping: %s" % (name,)
        output_tf_zip.writestr(info, data)
    elif info.filename == "SYSTEM/build.prop":
      # Change build fingerprint to reflect the fact that apps are signed.
      m = re.search(r"ro\.build\.fingerprint=.*\b(test-keys)\b.*", data)
      if not m:
        print 'WARNING: ro.build.fingerprint does not contain "test-keys"'
      else:
        data = data[:m.start(1)] + "release-keys" + data[m.end(1):]
      m = re.search(r"ro\.build\.description=.*\b(test-keys)\b.*", data)
      if not m:
        print 'WARNING: ro.build.description does not contain "test-keys"'
      else:
        data = data[:m.start(1)] + "release-keys" + data[m.end(1):]
      output_tf_zip.writestr(info, data)
    else:
      # a non-APK file; copy it verbatim
      output_tf_zip.writestr(info, data)


def main(argv):

  def option_handler(o, a):
    if o in ("-s", "--signapk_jar"):
      OPTIONS.signapk_jar = a
    elif o in ("-e", "--extra_apks"):
      names, key = a.split("=")
      names = names.split(",")
      for n in names:
        OPTIONS.extra_apks[n] = key
    elif o in ("-d", "--default_key_mappings"):
      OPTIONS.key_map.update({
          "build/target/product/security/testkey": "%s/releasekey" % (a,),
          "build/target/product/security/media": "%s/media" % (a,),
          "build/target/product/security/shared": "%s/shared" % (a,),
          "build/target/product/security/platform": "%s/platform" % (a,),
          })
    elif o in ("-k", "--key_mapping"):
      s, d = a.split("=")
      OPTIONS.key_map[s] = d
    else:
      return False
    return True

  args = common.ParseOptions(argv, __doc__,
                             extra_opts="s:e:d:k:",
                             extra_long_opts=["signapk_jar=",
                                              "extra_apks=",
                                              "default_key_mappings=",
                                              "key_mapping="],
                             extra_option_handler=option_handler)

  if len(args) != 2:
    common.Usage(__doc__)
    sys.exit(1)

  input_zip = zipfile.ZipFile(args[0], "r")
  output_zip = zipfile.ZipFile(args[1], "w")

  SignApks(input_zip, output_zip)

  input_zip.close()
  output_zip.close()

  print "done."


if __name__ == '__main__':
  try:
    main(sys.argv[1:])
  except common.ExternalError, e:
    print
    print "   ERROR: %s" % (e,)
    print
    sys.exit(1)
