Harden release scripts: fix metadata parsing, passphrase scoping, and path safety by thomasbuilds · Pull Request #110 · GrapheneOS/script

thomasbuilds · 2026-05-09T06:26:40Z

Fix generate-metadata OTA metadata parsing
- Replace unbounded split("=") with partition("="), which handles build fingerprints and other values that contain =.
- Use post-build-incremental directly instead of indexing into post-build; add required-field validation for post-build-incremental, post-timestamp, and pre-device.
Add strict shell failure handling to generate-keys
- Enables errexit, nounset, and pipefail.
- Quotes path and array expansions in the key generation loop.
Avoid exporting key passphrases broadly
- decrypt-keys and encrypt-keys scope passphrase variables to the specific openssl invocations that need them via env "password=..." openssl ...; also fix cd $1 → cd "$1" and array/filename quoting in the key loops.
- generate-release.sh and generate-delta.sh strip inherited passphrase export state, pass it only to decrypt-keys, then unset it.
- generate-releases.sh and generate-deltas.sh no longer export the passphrase for their whole shell process.
Quote release output paths in generate-release.sh
- Quotes $RELEASE_OUT in rm -rf, mkdir, unzip -d, and cd.
- Quotes $TARGET_FILES_INPUT when extracting OTA/android-info.txt.
Remove unused AVB_PKMD assignment from generate-release.sh

thomasbuilds added 5 commits May 9, 2026 08:18

generate-metadata: parse metadata robustly

af8e5e0

generate-keys: enable strict shell error handling

c348d1e

scripts: avoid exporting key passphrases broadly

3aa36ec

generate-release: quote release output paths

ed0a32b

generate-release: remove unused AVB_PKMD variable

9144f91

thomasbuilds force-pushed the 16-qpr2 branch from 709ca6a to 9144f91 Compare May 9, 2026 14:09

Provide feedback