Re: I can't verify signature in selinux_bundle.zip.

Mon, 23 Jun 2014 03:46:35 -0700

Your buildsebundle invocation doesn't specify a version argument (-v) but the intent being broadcast specifies a version of 2. The version number will default to 1 if not specified when using buildsebundle and thus a mismatch is created and the signature could be failing because of this. The calculated signature includes both the version number and previous hash. I would try to either include "-v 2" with the buildsebundle invocation or use -e "VERSION" "1" with your intent.
In addition, which branch are you using? Just to be clear, our seandroid, seandroid-4.4.4 and seandroid-4.4.3 branches all require the mac_permissions.xml, selinux_version and service_contexts files to also be included with the builsebundle command. Our seandroid-4.4.2 requires the addition of just the mac_permissions.xml and selinux_version files. Given that your buildsebundle invocation didn't die with a missing file error I suppose you're probably using our seandroid-4.4 or earlier... 


On 06/23/2014 02:59 AM, 심현용 wrote:

Dear All.

Hi, I'm developer in Korea.
I have some question about policy update.

I make selinux_bundle bellow method.

./buildsebundle -k testkey.pk8 -- file_contexts \ property_contexts 
sepolicy seapp_contexts


--> selinux_bundle.zip

and I unzip this file (update_bundle, update_bundle_metadata),
adb push update_bundle /data/

And then, I send intent through Linux-shell.
am broadcast -a android.intent.action.UPDATE_SEPOLICY -e "CONTENT_PA

TH" "/data/update_bundle" -e "VERSION" "2" -e "REQUIRED_HASH" "NONE" 
-e "SIGNATU
RE" 
"bDirLKLzf3GTppBnwiYxqyN4QS6+RrlxGJz1hi+TRsbT0RORsVo4nvSmVkPkvyPpPjr3kPSQ02T

W5wsPCW9ORQ8HQBm2AGzGMRTG4rRprjPeuDQTQUnTuRlOrvwTWwmMzxvj6/x4h1mKQklsXQceFl3UP8V
Ply5QCSuXnoxDkxkHWi+NLRz8P25wmWwzSVQLLSiT3O7yUnkW0VC5GUqUQlvxdekkN2u7VISdC+rRaDL
Vahib050IT0wtJuG+30WD9fZSj9627PDc+syFd6HDBd9WToFyAqQ6pnapjpWdzGUd2eLRT8CLrtUADt1
z//RG2Z/HrtJZe9kfz9EPbTuU7w=="

(signature is written in update_bundle_metadata)


But I can't verify signature at engineVerify(..) in 
ConfigUpdateInstallReciver.java

  *else*  *if*  (!verifySignature  
<http://opengrok.lge.com:8080/source/xref/msm8974_kk_release_la20/android/frameworks/base/services/java/com/android/server/updates/ConfigUpdateInstallReceiver.java#verifySignature>(altContent
  <http://opengrok.lge.com:8080/source/s?defs=altContent&project=msm8974_kk_release_la20>,altVersion  
<http://opengrok.lge.com:8080/source/s?defs=altVersion&project=msm8974_kk_release_la20>,altRequiredHash  
<http://opengrok.lge.com:8080/source/s?defs=altRequiredHash&project=msm8974_kk_release_la20>,altSig  
<http://opengrok.lge.com:8080/source/s?defs=altSig&project=msm8974_kk_release_la20>,
97  
<http://opengrok.lge.com:8080/source/xref/msm8974_kk_release_la20/android/frameworks/base/services/java/com/android/server/updates/ConfigUpdateInstallReceiver.java#97>
                                cert  
<http://opengrok.lge.com:8080/source/xref/msm8974_kk_release_la20/android/frameworks/base/services/java/com/android/server/updates/ConfigUpdateInstallReceiver.java#cert>))
 {
98  
<http://opengrok.lge.com:8080/source/xref/msm8974_kk_release_la20/android/frameworks/base/services/java/com/android/server/updates/ConfigUpdateInstallReceiver.java#98>
                         EventLog  
<http://opengrok.lge.com:8080/source/s?defs=EventLog&project=msm8974_kk_release_la20>.writeEvent  
<http://opengrok.lge.com:8080/source/s?defs=writeEvent&project=msm8974_kk_release_la20>(EventLogTags  
<http://opengrok.lge.com:8080/source/s?defs=EventLogTags&project=msm8974_kk_release_la20>.CONFIG_INSTALL_FAILED  
<http://opengrok.lge.com:8080/source/s?defs=CONFIG_INSTALL_FAILED&project=msm8974_kk_release_la20>,
99  
<http://opengrok.lge.com:8080/source/xref/msm8974_kk_release_la20/android/frameworks/base/services/java/com/android/server/updates/ConfigUpdateInstallReceiver.java#99>
                                             "Signature did not verify");
in detail, NativeCrypto.java EVP_VerifyFinal will return 0,
this means that
|EVP_VerifyFinal()|  returns 1 for a correct signature, 0 for failure and -1 if 
some other error occurred.


Why selinux_bundle.zip's signature isn't correct?

Please help me.

Thanks.


_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to 
[email protected].



_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to 
[email protected].





















					Reply via email to