Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b2c4bb7e authored Dec 17, 2018 by Jeongik Cha

Dump and enforce certificate for apks

Dump the list of APKs that aren't located at system partition and signed
with system certificate.
And when enforcement option is enabled, it makes build error if there is
the apk that satisfies the condition above.

Bug: 74699609

Test: m -j
Test: m out/target/product/$(get_build_var TARGET_DEVICE)/certificate_violation_modules.txt

Change-Id: I23c41f2665dd97abac3e77d1c82d81ff91b894eb

parent 8d95a144

core/app_certificate_validate.mk

0 → 100644

+12 −0

Original line number	Diff line number	Diff line

		ifeq (true,$(filter true, \
		$(LOCAL_PRODUCT_MODULE) $(LOCAL_PRODUCT_SERVICES_MODULE) \
		$(LOCAL_VENDOR_MODULE) $(LOCAL_PROPRIETARY_MODULE)))
		ifneq (,$(filter $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))%,$(LOCAL_CERTIFICATE)))
		CERTIFICATE_VIOLATION_MODULES += $(LOCAL_MODULE)
		ifeq (true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT))
		$(if $(filter $(LOCAL_MODULE),$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST)),,\
		$(call pretty-error,The module in product partition cannot be signed with certificate in system.))
		endif
		endif
		endif
		No newline at end of file

core/definitions.mk

+3 −0

Original line number	Diff line number	Diff line
		@@ -77,6 +77,9 @@ ALL_FINDBUGS_FILES:=
		# GPL module license files
		ALL_GPL_MODULE_LICENSE_FILES:=

		# Packages with certificate violation
		CERTIFICATE_VIOLATION_MODULES :=

		# Target and host installed module's dependencies on shared libraries.
		# They are list of "<module_name>:<installed_file>:lib1,lib2...".
		TARGET_DEPENDENCIES_ON_SHARED_LIBRARIES :=

core/main.mk

+7 −0

Original line number	Diff line number	Diff line
		@@ -1096,6 +1096,13 @@ ifdef FULL_BUILD
		$(TARGET_OUT_SYSTEM_OTHER)/%.vdex \
		$(TARGET_OUT_SYSTEM_OTHER)/%.art
		endif

		CERTIFICATE_VIOLATION_MODULES_FILENAME := $(PRODUCT_OUT)/certificate_violation_modules.txt
		$(CERTIFICATE_VIOLATION_MODULES_FILENAME):
		rm -f $@
		$(foreach m,$(sort $(CERTIFICATE_VIOLATION_MODULES)), echo $(m) >> $@;)
		$(call dist-for-goals,droidcore,$(CERTIFICATE_VIOLATION_MODULES_FILENAME))

		all_offending_files :=
		$(foreach makefile,$(ARTIFACT_PATH_REQUIREMENT_PRODUCTS),\
		$(eval requirements := $(PRODUCTS.$(makefile).ARTIFACT_PATH_REQUIREMENTS)) \

core/package_internal.mk

+1 −0

Original line number	Diff line number	Diff line
		@@ -535,6 +535,7 @@ endif
		ifeq ($(dir $(strip $(LOCAL_CERTIFICATE))),./)
		LOCAL_CERTIFICATE := $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))$(LOCAL_CERTIFICATE)
		endif
		include $(BUILD_SYSTEM)/app_certificate_validate.mk
		private_key := $(LOCAL_CERTIFICATE).pk8
		certificate := $(LOCAL_CERTIFICATE).x509.pem
		additional_certificates := $(foreach c,$(LOCAL_ADDITIONAL_CERTIFICATES), $(c).x509.pem $(c).pk8)

core/prebuilt_internal.mk

+2 −0

Original line number	Diff line number	Diff line
		@@ -306,6 +306,8 @@ else
		$(built_module) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem
		endif

		include $(BUILD_SYSTEM)/app_certificate_validate.mk

		# Disable dex-preopt of prebuilts to save space, if requested.
		ifndef LOCAL_DEX_PREOPT
		ifeq ($(DONT_DEXPREOPT_PREBUILTS),true)