Generate new signing keys when missing

Dockerfile

@@ -79,9 +79,12 @@ ENV ANDROID_JACK_VM_ARGS "-Dfile.encoding=UTF-8 -XX:+TieredCompilation -Xmx4G"
 # Custom packages to be installed
 ENV CUSTOM_PACKAGES ''
 
-# Key path (from the root of the android source)
+# Sign the builds with the keys in $KEYS_DIR
 ENV SIGN_BUILDS false
 
+# When SIGN_BUILDS = true but no keys have been provided, generate a new set with this subject
+ENV KEYS_SUBJECT '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
+
 # Move the resulting zips to $ZIP_DIR/$codename instead of $ZIP_DIR/
 ENV ZIP_SUBDIR true
 

src/init.sh

@@ -32,6 +32,31 @@ fi
 git config --global user.name $USER_NAME
 git config --global user.email $USER_MAIL
 
+if [ "$SIGN_BUILDS" = true ]; then
+  if [ -z "$(ls -A "$KEYS_DIR")" ]; then
+    echo ">> [$(date)] SIGN_BUILDS = true but empty \$KEYS_DIR, generating new keys"
+    for c in releasekey platform shared media; do
+      echo ">> [$(date)]  Generating $c..."
+      /root/make_key "$KEYS_DIR/$c" "$KEYS_SUBJECT" <<< '' &> /dev/null
+    done
+  else
+    for c in releasekey platform shared media; do
+      for e in pk8 x509.pem; do
+        if [ ! -f "$KEYS_DIR/$c.$e" ]; then
+          echo ">> [$(date)] SIGN_BUILDS = true and not empty \$KEYS_DIR, but \"\$KEYS_DIR/$c.$e\" is missing"
+          exit 1
+        fi
+      done
+    done
+  fi
+
+  for c in cyngn{-priv,}-app testkey; do
+    for e in pk8 x509.pem; do
+      ln -s releasekey.$e "$KEYS_DIR/$c.$e" 2> /dev/null
+    done
+  done
+fi
+
 if [ "$CRONTAB_TIME" = "now" ]; then
   /root/build.sh
 else

src/make_key

@@ -0,0 +1,78 @@
+#!/bin/bash
+#
+# Copyright (C) 2009 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Generates a public/private key pair suitable for use in signing
+# android .apks and OTA update packages.
+
+if [ "$#" -lt 2 -o "$#" -gt 3 ]; then
+  cat <<EOF
+Usage: $0 <name> <subject> [<keytype>]
+
+Creates <name>.pk8 key and <name>.x509.pem cert.  Cert contains the
+given <subject>. A keytype of "rsa" or "ec" is accepted.
+EOF
+  exit 2
+fi
+
+if [[ -e $1.pk8 || -e $1.x509.pem ]]; then
+  echo "$1.pk8 and/or $1.x509.pem already exist; please delete them first"
+  echo "if you want to replace them."
+  exit 1
+fi
+
+# Use named pipes to connect get the raw RSA private key to the cert-
+# and .pk8-creating programs, to avoid having the private key ever
+# touch the disk.
+
+tmpdir=$(mktemp -d)
+trap 'rm -rf ${tmpdir}; echo; exit 1' EXIT INT QUIT
+
+one=${tmpdir}/one
+two=${tmpdir}/two
+mknod ${one} p
+mknod ${two} p
+chmod 0600 ${one} ${two}
+
+read -p "Enter password for '$1' (blank for none; password will be visible): " \
+  password
+
+if [ "${3}" = "rsa" -o "$#" -eq 2 ]; then
+  ( openssl genrsa -f4 2048 | tee ${one} > ${two} ) &
+  hash="-sha256"
+elif [ "${3}" = "ec" ]; then
+  ( openssl ecparam -name prime256v1 -genkey -noout | tee ${one} > ${two} ) &
+  hash="-sha256"
+else
+  echo "Only accepts RSA or EC keytypes."
+  exit 1
+fi
+
+openssl req -new -x509 ${hash} -key ${two} -out $1.x509.pem \
+  -days 10000 -subj "$2" &
+
+if [ "${password}" == "" ]; then
+  echo "creating ${1}.pk8 with no password"
+  openssl pkcs8 -in ${one} -topk8 -outform DER -out $1.pk8 -nocrypt
+else
+  echo "creating ${1}.pk8 with password [${password}]"
+  export password
+  openssl pkcs8 -in ${one} -topk8 -outform DER -out $1.pk8 \
+    -passout env:password
+  unset password
+fi
+
+wait
+wait