
Commit e2348338 authored by Jaewoong Jung's avatar Jaewoong Jung

Add signing certificate lineage file support.

Also add multi-cert support to prebuilt apps so that they can benefit
from the new lineage feature.

Test: m GoogleServicesFramework w/ modified build rules
Test: m PrebuiltGmsCore w/ modified build rules
Test: apksigner lineage -v --print-certs -in <built_module_path>
Fixes: 152897457
Change-Id: If7d5d4bd308629c8340231520214c76c8a568a65
parent 96c9e6ed
+7 −0
@@ -163,6 +163,13 @@ else
  $(built_module) : $(LOCAL_CERTIFICATE).pk8 $(LOCAL_CERTIFICATE).x509.pem
  $(built_module) : $(LOCAL_CERTIFICATE).pk8 $(LOCAL_CERTIFICATE).x509.pem
  $(built_module) : PRIVATE_PRIVATE_KEY := $(LOCAL_CERTIFICATE).pk8
  $(built_module) : PRIVATE_PRIVATE_KEY := $(LOCAL_CERTIFICATE).pk8
  $(built_module) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem
  $(built_module) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem

  additional_certificates := $(foreach c,$(LOCAL_ADDITIONAL_CERTIFICATES), $(c).x509.pem $(c).pk8)
  $(built_module): $(additional_certificates)
  $(built_module): PRIVATE_ADDITIONAL_CERTIFICATES := $(additional_certificates)

  $(built_module): $(LOCAL_CERTIFICATE_LINEAGE)
  $(built_module): PRIVATE_CERTIFICATE_LINEAGE := $(LOCAL_CERTIFICATE_LINEAGE)
endif
endif


include $(BUILD_SYSTEM)/app_certificate_validate.mk
include $(BUILD_SYSTEM)/app_certificate_validate.mk
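Review bot: `LOCAL_CERTIFICATE_LINEAGE` is wired in here, and again in the `$(LOCAL_BUILT_MODULE)` section further down, with no comment saying what the variable must contain. It is both a prerequisite and the value that ends up after `--lineage`, so a line such as `# Optional: path to one signing certificate lineage file; handed to signapk as --lineage.` above the prerequisite would tell module authors that it is a file path and not a certificate base name like `LOCAL_CERTIFICATE`, which gets `.pk8` and `.x509.pem` appended. These lines also sit inside an `else` branch whose condition is outside the hunk, so a module that sets the variable but takes the other branch would presumably have it ignored without any warning. That is worth stating in the comment or checking explicitly.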
+1 −0
@@ -152,6 +152,7 @@ LOCAL_JAVA_RESOURCE_FILES:=
LOCAL_JETIFIER_ENABLED:=
LOCAL_JETIFIER_ENABLED:=
LOCAL_JNI_SHARED_LIBRARIES:=
LOCAL_JNI_SHARED_LIBRARIES:=
LOCAL_JNI_SHARED_LIBRARIES_ABI:=
LOCAL_JNI_SHARED_LIBRARIES_ABI:=
LOCAL_CERTIFICATE_LINEAGE:=
LOCAL_LDFLAGS:=
LOCAL_LDFLAGS:=
LOCAL_LDLIBS:=
LOCAL_LDLIBS:=
LOCAL_LOGTAGS_FILES:=
LOCAL_LOGTAGS_FILES:=
+1 −0
@@ -2285,6 +2285,7 @@ endef
define sign-package-arg
define sign-package-arg
$(hide) mv $(1) $(1).unsigned
$(hide) mv $(1) $(1).unsigned
$(hide) $(JAVA) -Djava.library.path=$$(dirname $(SIGNAPK_JNI_LIBRARY_PATH)) -jar $(SIGNAPK_JAR) \
$(hide) $(JAVA) -Djava.library.path=$$(dirname $(SIGNAPK_JNI_LIBRARY_PATH)) -jar $(SIGNAPK_JAR) \
    $(if $(strip $(PRIVATE_CERTIFICATE_LINEAGE)), --lineage $(PRIVATE_CERTIFICATE_LINEAGE)) \
    $(PRIVATE_CERTIFICATE) $(PRIVATE_PRIVATE_KEY) \
    $(PRIVATE_CERTIFICATE) $(PRIVATE_PRIVATE_KEY) \
    $(PRIVATE_ADDITIONAL_CERTIFICATES) $(1).unsigned $(1).signed
    $(PRIVATE_ADDITIONAL_CERTIFICATES) $(1).unsigned $(1).signed
$(hide) mv $(1).signed $(1)
$(hide) mv $(1).signed $(1)
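Review bot: `--lineage $(PRIVATE_CERTIFICATE_LINEAGE)` in `sign-package-arg` passes every word of the variable, so a value holding two paths would leave the second word where signapk expects the certificate and shift the certificate/key pairs that follow. Nothing in the visible hunks restricts the variable to a single word, and `$(strip ...)` only tests for emptiness. A guard at the point where the variable is assigned would fail early with a clear message: `ifneq (,$(word 2,$(LOCAL_CERTIFICATE_LINEAGE)))`, `$(error LOCAL_CERTIFICATE_LINEAGE must name exactly one file)`, `endif`. The `define` body ends outside the hunk.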
+3 −0
@@ -465,6 +465,9 @@ PACKAGES.$(LOCAL_PACKAGE_NAME).CERTIFICATE := $(certificate)
$(LOCAL_BUILT_MODULE): $(additional_certificates)
$(LOCAL_BUILT_MODULE): $(additional_certificates)
$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CERTIFICATES := $(additional_certificates)
$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CERTIFICATES := $(additional_certificates)


$(LOCAL_BUILT_MODULE): $(LOCAL_CERTIFICATE_LINEAGE)
$(LOCAL_BUILT_MODULE): PRIVATE_CERTIFICATE_LINEAGE := $(LOCAL_CERTIFICATE_LINEAGE)

# Set a actual_partition_tag (calculated in base_rules.mk) for the package.
# Set a actual_partition_tag (calculated in base_rules.mk) for the package.
PACKAGES.$(LOCAL_PACKAGE_NAME).PARTITION := $(actual_partition_tag)
PACKAGES.$(LOCAL_PACKAGE_NAME).PARTITION := $(actual_partition_tag)


+12 −0
@@ -36,6 +36,7 @@ import org.conscrypt.OpenSSLProvider;


import com.android.apksig.ApkSignerEngine;
import com.android.apksig.ApkSignerEngine;
import com.android.apksig.DefaultApkSignerEngine;
import com.android.apksig.DefaultApkSignerEngine;
import com.android.apksig.SigningCertificateLineage;
import com.android.apksig.Hints;
import com.android.apksig.Hints;
import com.android.apksig.apk.ApkUtils;
import com.android.apksig.apk.ApkUtils;
import com.android.apksig.apk.MinSdkVersionException;
import com.android.apksig.apk.MinSdkVersionException;
@@ -1046,6 +1047,7 @@ class SignApk {
        Integer minSdkVersionOverride = null;
        Integer minSdkVersionOverride = null;
        boolean signUsingApkSignatureSchemeV2 = true;
        boolean signUsingApkSignatureSchemeV2 = true;
        boolean signUsingApkSignatureSchemeV4 = false;
        boolean signUsingApkSignatureSchemeV4 = false;
        SigningCertificateLineage certLineage = null;


        int argstart = 0;
        int argstart = 0;
        while (argstart < args.length && args[argstart].startsWith("-")) {
        while (argstart < args.length && args[argstart].startsWith("-")) {
@@ -1076,6 +1078,15 @@ class SignApk {
            } else if ("--enable-v4".equals(args[argstart])) {
            } else if ("--enable-v4".equals(args[argstart])) {
                signUsingApkSignatureSchemeV4 = true;
                signUsingApkSignatureSchemeV4 = true;
                ++argstart;
                ++argstart;
            } else if ("--lineage".equals(args[argstart])) {
                File lineageFile = new File(args[++argstart]);
                try {
                    certLineage = SigningCertificateLineage.readFromFile(lineageFile);
                } catch (Exception e) {
                    throw new IllegalArgumentException(
                            "Error reading lineage file: " + e.getMessage());
                }
                ++argstart;
            } else {
            } else {
                usage();
                usage();
            }
            }
@@ -1166,6 +1177,7 @@ class SignApk {
                                .setV2SigningEnabled(signUsingApkSignatureSchemeV2)
                                .setV2SigningEnabled(signUsingApkSignatureSchemeV2)
                                .setOtherSignersSignaturesPreserved(false)
                                .setOtherSignersSignaturesPreserved(false)
                                .setCreatedBy("1.0 (Android SignApk)")
                                .setCreatedBy("1.0 (Android SignApk)")
                                .setSigningCertificateLineage(certLineage)
                                .build()) {
                                .build()) {
                    // We don't preserve the input APK's APK Signing Block (which contains v2
                    // We don't preserve the input APK's APK Signing Block (which contains v2
                    // signatures)
                    // signatures)
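Review bot: In the new `--lineage` branch, `new File(args[++argstart])` reads the next argument without checking that one exists, so a command line ending in `--lineage` throws `ArrayIndexOutOfBoundsException` instead of reaching `usage()`. A check before the read, `if (argstart + 1 >= args.length) { usage(); }`, would keep the failure mode the same as for an unknown option, assuming `usage()` does not return. The `catch (Exception e)` also rethrows with only `e.getMessage()`, which discards the stack trace and can be `null`; passing the cause keeps it: `throw new IllegalArgumentException("Error reading lineage file: " + lineageFile, e);`. No hunk shown here touches the usage text, so `--lineage` may still be undocumented there. The enclosing method starts and ends outside these hunks.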