
Commit e57fb1a3 authored by Jaewoong Jung's avatar Jaewoong Jung Committed by Gerrit Code Review

Merge "Add signing certificate lineage file support."

parents 385c9ae9 95445e69
+7 −0
@@ -163,6 +163,13 @@ else
  $(built_module) : $(LOCAL_CERTIFICATE).pk8 $(LOCAL_CERTIFICATE).x509.pem
  $(built_module) : PRIVATE_PRIVATE_KEY := $(LOCAL_CERTIFICATE).pk8
  $(built_module) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem

  additional_certificates := $(foreach c,$(LOCAL_ADDITIONAL_CERTIFICATES), $(c).x509.pem $(c).pk8)
  $(built_module): $(additional_certificates)
  $(built_module): PRIVATE_ADDITIONAL_CERTIFICATES := $(additional_certificates)

  $(built_module): $(LOCAL_CERTIFICATE_LINEAGE)
  $(built_module): PRIVATE_CERTIFICATE_LINEAGE := $(LOCAL_CERTIFICATE_LINEAGE)
endif

include $(BUILD_SYSTEM)/app_certificate_validate.mk
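Review bot: LOCAL_CERTIFICATE_LINEAGE is used as-is in the two added lineage lines, with no check that it names exactly one file. sign-package-arg expands it unquoted after `--lineage`, and the SignApk option loop reads only the next argument, so a second word would fall through into the positional certificate/key arguments and change what the signer is given. A parse-time guard before these lines would fail early: `$(if $(filter-out 0 1,$(words $(LOCAL_CERTIFICATE_LINEAGE))),$(error LOCAL_CERTIFICATE_LINEAGE must name a single file))`. The same pair of lines is added in the `$(LOCAL_BUILT_MODULE)` hunk of the package makefile and would want the same guard. The enclosing `else` branch starts outside this hunk.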
+1 −0
@@ -152,6 +152,7 @@ LOCAL_JAVA_RESOURCE_FILES:=
LOCAL_JETIFIER_ENABLED:=
LOCAL_JNI_SHARED_LIBRARIES:=
LOCAL_JNI_SHARED_LIBRARIES_ABI:=
LOCAL_CERTIFICATE_LINEAGE:=
LOCAL_LDFLAGS:=
LOCAL_LDLIBS:=
LOCAL_LOGTAGS_FILES:=
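Review bot: `LOCAL_CERTIFICATE_LINEAGE:=` is inserted between `LOCAL_JNI_SHARED_LIBRARIES_ABI` and `LOCAL_LDFLAGS`, although the visible entries of this list are in alphabetical order. Placing it next to the other `LOCAL_CERTIFICATE*` entries (outside this hunk, if the list has them) makes it easier to audit that every signing-related variable is cleared between modules. Clearing it is the important part, since a stale value would apply one module's lineage to the next.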
+1 −0
@@ -2285,6 +2285,7 @@ endef
define sign-package-arg
$(hide) mv $(1) $(1).unsigned
$(hide) $(JAVA) -Djava.library.path=$$(dirname $(SIGNAPK_JNI_LIBRARY_PATH)) -jar $(SIGNAPK_JAR) \
    $(if $(strip $(PRIVATE_CERTIFICATE_LINEAGE)), --lineage $(PRIVATE_CERTIFICATE_LINEAGE)) \
    $(PRIVATE_CERTIFICATE) $(PRIVATE_PRIVATE_KEY) \
    $(PRIVATE_ADDITIONAL_CERTIFICATES) $(1).unsigned $(1).signed
$(hide) mv $(1).signed $(1)
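Review bot: The new `--lineage` line in `sign-package-arg` is undocumented, and its position matters. SignApk parses options only while arguments begin with `-`, so the flag must stay ahead of `$(PRIVATE_CERTIFICATE)`. A comment above the `define` (which starts at the hunk's first line; its `endef` is outside the hunk) would record this, e.g. `# --lineage is passed only when the module sets LOCAL_CERTIFICATE_LINEAGE; it must precede the positional cert/key arguments.`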
+3 −0
@@ -471,6 +471,9 @@ PACKAGES.$(LOCAL_PACKAGE_NAME).CERTIFICATE := $(certificate)
$(LOCAL_BUILT_MODULE): $(additional_certificates)
$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CERTIFICATES := $(additional_certificates)

$(LOCAL_BUILT_MODULE): $(LOCAL_CERTIFICATE_LINEAGE)
$(LOCAL_BUILT_MODULE): PRIVATE_CERTIFICATE_LINEAGE := $(LOCAL_CERTIFICATE_LINEAGE)

# Set a actual_partition_tag (calculated in base_rules.mk) for the package.
PACKAGES.$(LOCAL_PACKAGE_NAME).PARTITION := $(actual_partition_tag)

+12 −0
@@ -36,6 +36,7 @@ import org.conscrypt.OpenSSLProvider;

import com.android.apksig.ApkSignerEngine;
import com.android.apksig.DefaultApkSignerEngine;
import com.android.apksig.SigningCertificateLineage;
import com.android.apksig.Hints;
import com.android.apksig.apk.ApkUtils;
import com.android.apksig.apk.MinSdkVersionException;
@@ -1042,6 +1043,7 @@ class SignApk {
        int alignment = 4;
        Integer minSdkVersionOverride = null;
        boolean signUsingApkSignatureSchemeV2 = true;
        SigningCertificateLineage certLineage = null;

        int argstart = 0;
        while (argstart < args.length && args[argstart].startsWith("-")) {
@@ -1069,6 +1071,15 @@ class SignApk {
            } else if ("--disable-v2".equals(args[argstart])) {
                signUsingApkSignatureSchemeV2 = false;
                ++argstart;
            } else if ("--lineage".equals(args[argstart])) {
                File lineageFile = new File(args[++argstart]);
                try {
                    certLineage = SigningCertificateLineage.readFromFile(lineageFile);
                } catch (Exception e) {
                    throw new IllegalArgumentException(
                            "Error reading lineage file: " + e.getMessage());
                }
                ++argstart;
            } else {
                usage();
            }
@@ -1149,6 +1160,7 @@ class SignApk {
                                .setV2SigningEnabled(signUsingApkSignatureSchemeV2)
                                .setOtherSignersSignaturesPreserved(false)
                                .setCreatedBy("1.0 (Android SignApk)")
                                .setSigningCertificateLineage(certLineage)
                                .build()) {
                    // We don't preserve the input APK's APK Signing Block (which contains v2
                    // signatures)
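Review bot: The `--lineage` branch reads `args[++argstart]` without checking that a value follows. When `--lineage` is the last argument this throws `ArrayIndexOutOfBoundsException` instead of reaching `usage()`; a guard such as `if (argstart + 1 >= args.length) usage();` before the read would avoid that, assuming `usage()` does not return. The catch block also keeps only `e.getMessage()`, so the reason a lineage file was rejected is lost from the stack trace; passing the cause, `new IllegalArgumentException("Error reading lineage file: " + e.getMessage(), e)`, preserves it. The option loop and the builder chain both continue outside the hunks shown. Nothing visible confirms that the signature scheme which carries the lineage is enabled on this builder, so that is worth checking.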