Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / development / 4c95917590d1a992b7fe8f6e703353fdf5a0bf3c^! / . / tools / make_key
commit4c95917590d1a992b7fe8f6e703353fdf5a0bf3c[log] [tgz]
authorDoug Zongker <dougz@android.com>Tue Dec 01 12:26:51 2009 -0800
committerDoug Zongker <dougz@android.com>Tue Dec 01 12:32:00 2009 -0800
tree06f7e37af6b717718202ed2dba99915b73fb205f
parent51cce58c45591fdf3d0cd59a92aeb18182eaeded [diff] [blame]
add one script to make release keys

This script can replace the copies of mkkey.sh sprinkled all over the
tree.  It prompts nicely for passwords, avoids writing the raw private
key to disk, and always generates certs that use sha1WithRSAEncryption.

diff --git a/tools/make_key b/tools/make_key
new file mode 100755
index 0000000..ac02d17
--- /dev/null
+++ b/tools/make_key

@@ -0,0 +1,67 @@
+#!/bin/bash
+#
+# Copyright (C) 2009 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Generates a public/private key pair suitable for use in signing
+# android .apks and OTA update packages.
+
+if [ "$#" -ne 2 ]; then
+  cat <<EOF
+Usage: $0 <name> <subject>
+
+Creates <name>.pk8 key and <name>.x509.pem cert.  Cert contains the
+given <subject>.
+EOF
+  exit 2
+fi
+
+if [[ -e $1.pk8 || -e $1.x509.pem ]]; then
+  echo "$1.pk8 and/or $1.x509.pem already exist; please delete them first"
+  echo "if you want to replace them."
+  exit 1
+fi
+
+# Use named pipes to connect get the raw RSA private key to the cert-
+# and .pk8-creating programs, to avoid having the private key ever
+# touch the disk.
+
+tmpdir=$(mktemp -d)
+trap 'rm -rf ${tmpdir}; echo; exit 1' EXIT INT QUIT
+
+one=${tmpdir}/one
+two=${tmpdir}/two
+mknod ${one} p
+mknod ${two} p
+chmod 0600 ${one} ${two}
+
+read -p "Enter password for '$1' (blank for none; password will be visible): " \
+  password
+
+( openssl genrsa -3 2048 | tee ${one} > ${two} ) &
+
+openssl req -new -x509 -sha1 -key ${two} -out $1.x509.pem \
+  -days 10000 -subj "$2" &
+
+if [ "${password}" == "" ]; then
+  echo "creating ${1}.pk8 with no password"
+  openssl pkcs8 -in ${one} -topk8 -outform DER -out $1.pk8 -nocrypt
+else
+  echo "creating ${1}.pk8 with password [${password}]"
+  echo $password | openssl pkcs8 -in ${one} -topk8 -outform DER -out $1.pk8 \
+    -passout stdin
+fi
+
+wait
+wait