Support is added to inject a public key (from config.xml) into TWRP
against which the flashable ZIP is verified. The public key is provided
through /cache and thus deemed secure from non-system/root app
manipulation. In contrast to the flashable ZIPs themselves which are
located on the internal storage, where every app can manipulate the
files. Even though the MD5 of the files is provided by the delta JSON
and verified before rebooting to recovery, there is a tiny exploitable
window there for a malicious app to manipulate or switch out ZIP files
and have its own content flashed.
If (reconstructed) ZIP signing is enabled, and injecting the public key
is enabled, "secure mode" becomes available (with user override). In
addition to verifying the update's cryptographic signature in recovery,
this mode disables the flashing of additional ZIPs from the
FlashAfterUpdate subfolder (as their origin cannot be verified in
recovery and any app can manipulate these files), and also fully
disables what little CWM compatibility there was (as we cannot do the
verification check through CWM)
Various warnings and popups have also been added to inform the user of
each situation as it occurs.
Apparently I forgot to do this with the initial commit. All files now
have the correct newlines, have been run through the AOSP code formatter
(making several things a uglier in the process) and have the correct
import order. This is very painful commit patch-wise, but it needs to be
done.
Jorrit Jongma