Store the base64 release key in the OTA zips

This can be directly grepped in pre-existing package.xml tables
to make sure we're not trying to update to a differently signed
build

Change-Id: I7528a8e7c484ea9209cd665b9263328ae834586a

2 files changed, 10 insertions, 1 deletions

diff --git a/tools/releasetools/ota_from_target_files b/tools/releasetools/ota_from_target_files
index 1662a1a..3201587 100755
--- a/tools/releasetools/ota_from_target_files
+++ b/tools/releasetools/ota_from_target_files
@@ -696,6 +696,8 @@ endif;
   script.AddToZip(input_zip, output_zip, input_path=OPTIONS.updater_binary)
   WriteMetadata(metadata, output_zip)
 
+  common.ZipWriteStr(output_zip, "META-INF/org/cyanogenmod/releasekey",
+                     ""+input_zip.read("META/releasekey.txt"))
 
 def WritePolicyConfig(file_name, output_zip):
   common.ZipWrite(output_zip, file_name, os.path.basename(file_name))
@@ -1506,7 +1508,6 @@ endif;
 
   WriteMetadata(metadata, output_zip)
 
-
 def main(argv):
 
   def option_handler(o, a):
diff --git a/tools/releasetools/sign_target_files_apks b/tools/releasetools/sign_target_files_apks
index af16761..479a282 100755
--- a/tools/releasetools/sign_target_files_apks
+++ b/tools/releasetools/sign_target_files_apks
@@ -379,6 +379,14 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
   common.ZipWriteStr(output_tf_zip, "RECOVERY/RAMDISK/res/keys",
                      new_recovery_keys)
 
+  # Save the base64 key representation in the update for key-change
+  # validations
+  p = common.Run(["python", "build/tools/getb64key.py", mapped_keys[0]],
+                 stdout=subprocess.PIPE)
+  data, _ = p.communicate()
+  if p.returncode == 0:
+    common.ZipWriteStr(output_tf_zip, "META/releasekey.txt", data)
+
   # SystemUpdateActivity uses the x509.pem version of the keys, but
   # put into a zipfile system/etc/security/otacerts.zip.
   # We DO NOT include the extra_recovery_keys (if any) here.