From 1eca3f0ac1ac04fde7f99cfeae2301b8a25af718 Mon Sep 17 00:00:00 2001 From: Miikka Heikkinen Date: Thu, 25 Nov 2010 10:36:33 +0200 Subject: Only patch package content that is necessary for self-signing Automatic patching was modifying all package files in ways that only made sense for very limited set of projects. Some things were also no longer necessary due other developments, so dropped the dependency, embedded sis, and manufacturer check modifications. Also provided an option to do a self-signed compatibility check for the package instead of patching it automatically by specifying "-d" parameter in QT_SIS_OPTIONS env variable or createpackage command line, depending on how package is made. Task-number: QTBUG-15561 Reviewed-by: axis --- bin/createpackage.pl | 14 +- bin/patch_capabilities.pl | 215 +++++++++++++++------------- doc/src/platforms/symbian-introduction.qdoc | 1 + 3 files changed, 125 insertions(+), 105 deletions(-) diff --git a/bin/createpackage.pl b/bin/createpackage.pl index 522d1fb..6b83585 100755 --- a/bin/createpackage.pl +++ b/bin/createpackage.pl @@ -82,6 +82,8 @@ Where supported options are as follows: [-s|stub] = Generates stub sis for ROM. [-n|sisname ] = Specifies the final sis name. [-g|gcce-is-armv5] = Convert gcce platform to armv5. + [-d|dont-patch] = Skip automatic patching of capabilities and pkg file if default certificate + is used. Instead non-self-signable capabilities just cause warnings. Where parameters are as follows: templatepkg = Name of .pkg file template target = Either debug or release @@ -127,6 +129,7 @@ my $stub = ""; my $signed_sis_name = ""; my $onlyUnsigned = ""; my $convertGcce = ""; +my $dontPatchCaps = ""; unless (GetOptions('i|install' => \$install, 'p|preprocess' => \$preprocessonly, @@ -135,7 +138,8 @@ unless (GetOptions('i|install' => \$install, 'o|only-unsigned' => \$onlyUnsigned, 's|stub' => \$stub, 'n|sisname=s' => \$signed_sis_name, - 'g|gcce-is-armv5' => \$convertGcce,)) { + 'g|gcce-is-armv5' => \$convertGcce, + 'd|dont-patch' => \$dontPatchCaps,)) { Usage(); } @@ -343,9 +347,13 @@ if($stub) { && !@certificates && $templatepkg !~ m/_installer\.pkg$/i && !$onlyUnsigned) { - print("Auto-patching capabilities for self signed package.\n"); my $patch_capabilities = File::Spec->catfile(dirname($0), "patch_capabilities"); - system ("$patch_capabilities $pkgoutput") and die ("ERROR: Automatic patching failed"); + if ($dontPatchCaps) { + system ("$patch_capabilities -c $pkgoutput") and print ("Warning: Package check for self-signing viability failed. Installing the package on a device will most likely fail!\n\n"); + } else { + print("Auto-patching self-signed package.\n"); + system ("$patch_capabilities $pkgoutput") and die ("ERROR: Automatic patching failed"); + } } # Create SIS. diff --git a/bin/patch_capabilities.pl b/bin/patch_capabilities.pl index 994d493..df71339 100755 --- a/bin/patch_capabilities.pl +++ b/bin/patch_capabilities.pl @@ -63,8 +63,11 @@ sub Usage() { print(" symbian-sbsv2 platform, 'target-platform' is REQUIRED. ***\n\n"); print(" *** NOTE2: When patching gcce binaries built with symbian-sbsv2 toolchain,\n"); print(" armv5 must be specified as platform.\n"); - print("\nUsage: patch_capabilities.pl pkg_filename [target-platform [capability list]]\n"); + print("\nUsage: patch_capabilities.pl [-c] pkg_filename [target-platform [capability list]]\n"); print("\nE.g. patch_capabilities.pl myapp_template.pkg release-armv5 \"All -TCB\"\n"); + print("\nThe parameter -c can be used to just check if package is compatible with self-signing\n"); + print("without actually doing any patching.\n"); + print("Explicit capability list cannot be used with -c parameter.\n"); exit(); } @@ -86,6 +89,14 @@ if (@ARGV) { # Parse the first given script argument as a ".pkg" file name. my $pkgFileName = shift(@ARGV); + my $justCheck = ""; + my $msgPrefix = "Patching:"; + + if ($pkgFileName eq "-c") { + $pkgFileName = shift(@ARGV); + $justCheck = true; + $msgPrefix = "Warning:"; + } # These variables will only be set for template .pkg files. my $target; @@ -123,15 +134,22 @@ if (@ARGV) if (($pkgFileName =~ m|\.pkg$|i) && -r($pkgFileName)) { print ("\n"); - print ("Patching package file and relevant binaries...\n"); + if ($justCheck) { + print ("Checking"); + } else { + print ("Patching"); + } + print (" package file and relevant binaries...\n"); - # If there are more arguments given, parse them as capabilities. - if (@ARGV) - { - @capabilitiesSpecified = (); - while (@ARGV) + if (!$justCheck) { + # If there are more arguments given, parse them as capabilities. + if (@ARGV) { - push (@capabilitiesSpecified, pop(@ARGV)); + @capabilitiesSpecified = (); + while (@ARGV) + { + push (@capabilitiesSpecified, pop(@ARGV)); + } } } @@ -139,11 +157,15 @@ if (@ARGV) my @binaries = (); my $tempPkgFileName = $pkgFileName."_@@TEMP@@"; - unlink($tempPkgFileName); - open (NEW_PKG, ">>".$tempPkgFileName); + + if (!$justCheck) { + unlink($tempPkgFileName); + open (NEW_PKG, ">>".$tempPkgFileName); + } open (PKG, "<".$pkgFileName); - my $manufacturerElseBlock = 0; + my $checkFailed = ""; + my $somethingPatched = ""; # Parse each line. while () @@ -155,66 +177,19 @@ if (@ARGV) if ($line =~ m/^\#.*\((0x[0-7][0-9a-fA-F]*)\).*$/) { my $oldUID = $1; - my $newUID = $oldUID; - $newUID =~ s/0x./0xE/i; - $newLine =~ s/$oldUID/$newUID/; - print ("Patching: UID $oldUID is not compatible with self-signing! Changed to: $newUID.\n"); - } - - # Patch embedded sis name and UID if UID is in protected range - if ($line =~ m/^@\"*(.*\.sis).*\((0x[0-7][0-9a-fA-F]*)\).*$/) - { - my $oldSisName = $1; - my $oldUID = $2; - my $newUID = $oldUID; - $newUID =~ s/0x./0xE/i; - $newLine =~ s/$oldUID/$newUID/; - print ("Patching: Embedded sis $oldSisName UID $oldUID changed to: $newUID.\n"); - - if ($oldSisName !~ m/^.*_selfsigned.sis$/i) - { - my $newSisName = $oldSisName; - $newSisName =~ s/\.sis$/_selfsigned\.sis/i; - $newLine =~ s/$oldSisName/$newSisName/i; - print ("Patching: Embedded sis $oldSisName name changed to: $newSisName.\n"); + print ("$msgPrefix UID $oldUID is not compatible with self-signing!\n"); + + if ($justCheck) { + $checkFailed = true; + } else { + my $newUID = $oldUID; + $newUID =~ s/0x./0xE/i; + $newLine =~ s/$oldUID/$newUID/; + print ("$msgPrefix Package UID changed to: $newUID.\n"); + $somethingPatched = true; } } - # Remove dependencies to known problem packages (i.e. packages that are likely to be patched, too) - # to reduce unnecessary error messages. - if ($line =~ m/^\((0x2002af5f)\).*\{.*\}$/) - { - $newLine = "\n"; - print ("Patching: Removed dependency to sqlite3.sis ($1) to avoid installation issues in case sqlite3.sis is also patched.\n"); - } - if ($line =~ m/^\((0x2001E61C)\).*\{.*\}$/) - { - $newLine = "\n"; - print ("Patching: Removed dependency to qt.sis ($1) to avoid installation issues in case qt.sis is also patched.\n"); - } - - # Remove manufacturer ifdef - if ($line =~ m/^.*\(MANUFACTURER\)\=\(.*\).*$/) - { - $newLine = "\n"; - print ("Patching: Removed manufacturer check as it is usually not desirable in self-signed packages.\n"); - } - - if ($line =~ m/^ELSEIF.*MANUFACTURER$/) - { - $manufacturerElseBlock = 1; - } - - if ($manufacturerElseBlock eq 1) - { - $newLine = "\n"; - } - - if ($line =~ m/^ENDIF.*MANUFACTURER$/) - { - $manufacturerElseBlock = 0; - } - # If the line specifies a file, parse the source and destination locations. if ($line =~ m|^ *\"([^\"]+)\"\s*\-\s*\"([^\"]+)\"|) { @@ -231,16 +206,20 @@ if (@ARGV) $sourcePath =~ s/\$\(TARGET\)/$target/gm; } - # Change the source file name (but only if not already patched) - my $patchedSourcePath = $sourcePath; - if ($patchedSourcePath !~ m/_patched_caps/) - { - $newLine =~ s/(^.*)(\.dll|\.exe)(.*)(\.dll|\.exe)/$1_patched_caps$2$3$4/i; - $patchedSourcePath =~ s/(^.*)(\.dll|\.exe)/$1_patched_caps$2/i; - - copy($sourcePath, $patchedSourcePath) or die "$sourcePath cannot be copied for patching."; + if ($justCheck) { + push (@binaries, $sourcePath); + } else { + # Change the source file name (but only if not already patched) + my $patchedSourcePath = $sourcePath; + if ($patchedSourcePath !~ m/_patched_caps/) + { + $newLine =~ s/(^.*)(\.dll|\.exe)(.*)(\.dll|\.exe)/$1_patched_caps$2$3$4/i; + $patchedSourcePath =~ s/(^.*)(\.dll|\.exe)/$1_patched_caps$2/i; + + copy($sourcePath, $patchedSourcePath) or die "$sourcePath cannot be copied for patching."; + } + push (@binaries, $patchedSourcePath); } - push (@binaries, $patchedSourcePath); } } @@ -250,11 +229,12 @@ if (@ARGV) } close (PKG); - close (NEW_PKG); - - unlink($pkgFileName); - rename($tempPkgFileName, $pkgFileName); + if (!$justCheck) { + close (NEW_PKG); + unlink($pkgFileName); + rename($tempPkgFileName, $pkgFileName); + } print ("\n"); my $baseCommandToExecute = "elftran -vid 0x0 -capability \"%s\" "; @@ -265,18 +245,18 @@ if (@ARGV) # Create the command line for setting the capabilities. my ($binaryVolume, $binaryDirs, $binaryBaseName) = File::Spec->splitpath($binaryPath); my $commandToExecute = $baseCommandToExecute; - my $executeNeeded = 0; + my $executeNeeded = ""; if (@capabilitiesSpecified) { $commandToExecute = sprintf($baseCommandToExecute, join(" ", @capabilitiesSpecified)); - $executeNeeded = 1; + $executeNeeded = true; my $capString = join(" ", @capabilitiesSpecified); - print ("Patching: Patching the the Vendor ID to 0 and the capabilities used to: \"$capString\" in \"$binaryBaseName\".\n"); + print ("$msgPrefix Patching the the Vendor ID to 0 and the capabilities used to: \"$capString\" in \"$binaryBaseName\".\n"); } else { # Test which capabilities are present and then restrict them to the allowed set. # This avoid raising the capabilities of apps that already have none. my $dllCaps; - open($dllCaps, "elftran -dump s $binaryPath |") or die ("Could not execute elftran"); + open($dllCaps, "elftran -dump s $binaryPath |") or die ("ERROR: Could not execute elftran"); my $capsFound = 0; my $originalVid; my @capabilitiesToSet; @@ -288,8 +268,8 @@ if (@ARGV) if ($binaryBaseName =~ /\.exe$/) { # Installer refuses to install protected executables in a self signed package, so abort if one is detected. # We can't simply just patch the executable SID, as any registration resources executable uses will be linked to it via SID. - print ("Patching: Executable with SID in the protected range (0x$exeSid) detected: \"$binaryBaseName\". A self-signed sis with protected executables is not supported.\n"); - exit(1); + print ("$msgPrefix Executable with SID in the protected range (0x$exeSid) detected: \"$binaryBaseName\". A self-signed sis with protected executables is not supported.\n\n"); + $checkFailed = true; } } if (/^Vendor ID: ([0-9a-fA-F]*)$/) { @@ -302,7 +282,7 @@ if (@ARGV) if ($capabilitiesToAllow =~ /$_/) { push(@capabilitiesToSet, $_); if (Location =~ /$_/i) { - print ("Patching: Warning - \"Location\" capability detected for binary: \"$binaryBaseName\". This capability is not self-signable for S60 3rd edition feature pack 1 devices, so installing this package on those devices will most likely not work.\n"); + print ("$msgPrefix \"Location\" capability detected for binary: \"$binaryBaseName\". This capability is not self-signable for S60 3rd edition feature pack 1 devices, so installing this package on those devices will most likely not work.\n\n"); } } else { push(@capabilitiesToDrop, $_); @@ -311,22 +291,32 @@ if (@ARGV) } close($dllCaps); if ($originalVid !~ "00000000") { - print ("Patching: Vendor ID (0x$originalVid) incompatible with self-signed packages, setting it to zero for \"$binaryBaseName\".\n"); - $executeNeeded = 1; + print ("$msgPrefix Non-zero vendor ID (0x$originalVid) is incompatible with self-signed packages in \"$binaryBaseName\""); + if ($justCheck) { + print (".\n\n"); + $checkFailed = true; + } else { + print (", setting it to zero.\n\n"); + $executeNeeded = true; + } } if ($#capabilitiesToDrop) { my $capsToDropStr = join("\", \"", @capabilitiesToDrop); $capsToDropStr =~ s/\", \"$//; - if ($binaryBaseName =~ /\.exe$/) { - # While libraries often have capabilities they do not themselves need just to enable them to be loaded by wider variety of processes, - # executables are more likely to need every capability they have been assigned or they won't function correctly. - print ("Patching: Executable with capabilities incompatible with self-signing detected: \"$binaryBaseName\". (Incompatible capabilities: \"$capsToDropStr\".) Reducing capabilities is only supported for libraries.\n"); - print ("Patching: Please use a proper developer certificate for signing this package.\n"); - exit(1); + if ($justCheck) { + print ("$msgPrefix The following capabilities used in \"$binaryBaseName\" are not compatible with a self-signed package: \"$capsToDropStr\".\n\n"); + $checkFailed = true; } else { - print ("Patching: The following capabilities used in \"$binaryBaseName\" are not compatible with a self-signed package and will be removed: \"$capsToDropStr\".\n"); - $executeNeeded = 1; + if ($binaryBaseName =~ /\.exe$/) { + # While libraries often have capabilities they do not themselves need just to enable them to be loaded by wider variety of processes, + # executables are more likely to need every capability they have been assigned or they won't function correctly. + print ("$msgPrefix Executable with capabilities incompatible with self-signing detected: \"$binaryBaseName\". (Incompatible capabilities: \"$capsToDropStr\".) Reducing capabilities is only supported for libraries.\n"); + $checkFailed = true; + } else { + print ("$msgPrefix The following capabilities used in \"$binaryBaseName\" are not compatible with a self-signed package and will be removed: \"$capsToDropStr\".\n"); + $executeNeeded = true; + } } } $commandToExecute = sprintf($baseCommandToExecute, join(" ", @capabilitiesToSet)); @@ -337,16 +327,37 @@ if (@ARGV) # Actually execute the elftran command to set the capabilities. print ("\n"); system ("$commandToExecute > $nullDevice"); + $somethingPatched = true; } ## Create another command line to check that the set capabilities are correct. #$commandToExecute = "elftran -dump s ".$binaryPath; } + if ($checkFailed) { + print ("\n"); + if ($justCheck) { + print ("$msgPrefix The package is not compatible with self-signing.\n"); + } else { + print ("$msgPrefix Unable to patch the package for self-singing.\n"); + } + print ("Use a proper developer certificate for signing this package.\n\n"); + exit(1); + } + + if ($justCheck) { + print ("Package is compatible with self-signing.\n"); + } else { + if ($somethingPatched) { + print ("NOTE: A patched package may not work as expected due to reduced capabilities and other modifications,\n"); + print (" so it should not be used for any kind of Symbian signing or distribution!\n"); + print (" Use a proper certificate to avoid the need to patch the package.\n"); + } else { + print ("No patching was required!\n"); + } + } print ("\n"); - print ("NOTE: A patched package may not work as expected due to reduced capabilities and other modifications,\n"); - print (" so it should not be used for any kind of Symbian signing or distribution!\n"); - print (" Use a proper certificate to avoid the need to patch the package.\n"); - print ("\n"); + } else { + Usage(); } } else diff --git a/doc/src/platforms/symbian-introduction.qdoc b/doc/src/platforms/symbian-introduction.qdoc index 7bc5303..9da94c4 100644 --- a/doc/src/platforms/symbian-introduction.qdoc +++ b/doc/src/platforms/symbian-introduction.qdoc @@ -222,6 +222,7 @@ \row \o -s \o Generates stub sis for ROM. \row \o -n \o Specifies the final sis name. \row \o -g \o Treat gcce platform as armv5. + \row \o -d \o Skip automatic patching of the package when default certificate is used. \endtable Execute the \c{createpackage.pl} script without any -- cgit v0.12