Fix Makefile targets for keystore management
Closed this issue · 0 comments
Error 1
After building a keystore and compressing and encrypting it, it is suggested to clean up the uncompressed files with make org=orgname keyclean. The developer may still be working on the creation of the keystore, realize that something was misconfigured, and try to recreate it. In that case, they will execute the same command, e.g. make org=test keygen, but because a keystore already exists, the Java keytool command fails with the following error, which gives no clue about the real issue:
Verifing the following executables are in the $PATH: java keytool openssl ...
keytool -genkey -storepass 2b236d7be00e2a0a -v -keystore test.keystore -alias medicmobile -keyalg RSA -keysize 2048 -validity 9125
keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2117)
at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
at java.base/java.security.KeyStore.load(KeyStore.java:1479)
at java.base/java.security.KeyStore.getInstance(KeyStore.java:1807)
at java.base/java.security.KeyStore.getInstance(KeyStore.java:1687)
at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:924)
at java.base/sun.security.tools.keytool.Main.run(Main.java:409)
at java.base/sun.security.tools.keytool.Main.main(Main.java:402)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
... 8 more
make: *** [Makefile:170: test.keystore] Error 1
So for this case we need to execute the clean-up first, or fail the execution and let the user know that they need to delete the previously created keystore first, which can be done with make org=test keyclean. The latter is better in case the user does not realize that they are going to overwrite an existing keystore, although the compressed and encrypted version is not deleted in the process.
Error 2 (related)
If the user does first drop the keystore with make org=xxx keyclean, another error happens after trying to create the same keystore:
Error: Unable to export or encrypt the private key
java.nio.file.FileAlreadyExistsException: test2_private_key.pepk
at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:94)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116)
at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:219)
at java.base/java.nio.file.Files.newByteChannel(Files.java:371)
at java.base/java.nio.file.Files.createFile(Files.java:648)
at com.google.wireless.android.vending.developer.signing.tools.extern.export.ExportEncryptedPrivateKeyTool.writeToZipFile(ExportEncryptedPrivateKeyTool.java:225)
at com.google.wireless.android.vending.developer.signing.tools.extern.export.ExportEncryptedPrivateKeyTool.run(ExportEncryptedPrivateKeyTool.java:176)
at com.google.wireless.android.vending.developer.signing.tools.extern.export.ExportEncryptedPrivateKeyTool.main(ExportEncryptedPrivateKeyTool.java:130)
make: *** [Makefile:178: test2_private_key.pepk] Error 1
This happens because the keyclean target does not delete the ORGNAME_private_key.pepk file, so the fix is to include this file in the keyclean target.
Nice to Have
This is a good opportunity to also add some "shell" tests in CI, so we don't have to test this workflow step by step each time a change is made. Ideally the tests could be executed in a Linux VM and a macOS VM as well.
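
The two fixes and the CI check described above, sketched as an added example (not the project's Makefile or test suite). The function names are hypothetical, and `fake_keygen` is a stand-in that assumes the real recipe creates the keystore first and then the .pepk file, refusing to overwrite the latter as the second stack trace shows.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not the project's Makefile recipes.
# File names follow the issue: <org>.keystore and <org>_private_key.pepk.

# Error 1: refuse to generate over an existing keystore and say how to recover.
keygen_guard() {
    org=$1
    if [ -e "${org}.keystore" ]; then
        echo "Error: ${org}.keystore already exists." >&2
        echo "Delete it first with: make org=${org} keyclean" >&2
        return 1
    fi
}

# Error 2: keyclean also removes the exported private key file.
keyclean() {
    org=$1
    rm -f -- "${org}.keystore" "${org}_private_key.pepk"
}

# Stand-in for keygen so CI needs no java/keytool (assumption: the real recipe
# creates the keystore first, then the .pepk, and will not overwrite the .pepk).
fake_keygen() {
    org=$1
    keygen_guard "$org" || return 1
    : > "${org}.keystore"
    # noclobber makes the redirect fail if the .pepk is still there
    ( set -C; : > "${org}_private_key.pepk" ) 2>/dev/null
}

# The manual step-by-step check from the issue, run in a throwaway directory.
workflow_check() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        fake_keygen test || exit 1                # first creation succeeds
        fake_keygen test 2>/dev/null && exit 1    # rerun is refused clearly
        keyclean test
        [ ! -e test.keystore ] || exit 1
        [ ! -e test_private_key.pepk ] || exit 1  # .pepk removed as well
        fake_keygen test || exit 1                # recreation now works
    )
    rc=$?
    rm -rf -- "$dir"
    return "$rc"
}

workflow_check && echo "keystore workflow: ok"
```

Because the helpers use only POSIX sh and mktemp, the same script can run on both the Linux and macOS runners mentioned above.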