
Commit c9464144 authored by Jeongik Cha's avatar Jeongik Cha

Check system certificate violation for product apks

Only if the enforcement option is enabled, this causes a build error when an APK is located on the system partition but signed with the system certificate.

Bug: 74699609

Test: m -j

Change-Id: I23c41f2665dd97abac3e77d1c82d81ff91b894eb
parent 10ed054a
+8 −0
@@ -950,6 +950,14 @@ func (c *config) FlattenApex() bool {
	return Bool(c.productVariables.FlattenApex)
}

func (c *config) EnforceSystemCertificate() bool {
	return Bool(c.productVariables.EnforceSystemCertificate)
}

func (c *config) EnforceSystemCertificateWhitelist() []string {
	return c.productVariables.EnforceSystemCertificateWhitelist
}

func stringSlice(s *[]string) []string {
	if s != nil {
		return *s
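Review bot: Neither new accessor has a doc comment, and for a setting that gates a signing-policy check the default is worth stating: `EnforceSystemCertificate` goes through `Bool(...)` on a `*bool`, which presumably yields false when the product variable is unset, so the check is opt-in. I would add `// EnforceSystemCertificate reports whether a non-platform app signed with a certificate from the default certificate directory is a build error; unset means not enforced.` above the first accessor. On `EnforceSystemCertificateWhitelist`, a line such as `// EnforceSystemCertificateWhitelist returns the module names exempt from that check.` would match how the app-side hunk uses it with `inList(a.Module.Name(), whitelist)`.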
+3 −0
@@ -263,6 +263,9 @@ type productVariables struct {
	DexpreoptGlobalConfig *string `json:",omitempty"`

	ManifestPackageNameOverrides []string `json:",omitempty"`

	EnforceSystemCertificate          *bool    `json:",omitempty"`
	EnforceSystemCertificateWhitelist []string `json:",omitempty"`
}

func boolPtr(v bool) *bool {
+14 −0
@@ -263,6 +263,20 @@ func (a *AndroidApp) generateAndroidBuildActions(ctx android.ModuleContext) {

	packageFile := android.PathForModuleOut(ctx, "package.apk")
	CreateAppPackage(ctx, packageFile, a.exportPackage, jniJarFile, dexJarFile, certificates)

	if !a.Module.Platform() {
		certPath := a.certificate.Pem.String()
		systemCertPath := ctx.Config().DefaultAppCertificateDir(ctx).String()
		if strings.HasPrefix(certPath, systemCertPath) {
			enforceSystemCert := ctx.Config().EnforceSystemCertificate()
			whitelist := ctx.Config().EnforceSystemCertificateWhitelist()

			if enforceSystemCert && !inList(a.Module.Name(), whitelist) {
				ctx.PropertyErrorf("certificate", "The module in product partition cannot be signed with certificate in system.")
			}
		}
	}

	a.outputFile = packageFile

	bundleFile := android.PathForModuleOut(ctx, "base.zip")
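Review bot: The new check reads only `a.certificate.Pem`, while the APK just above it is signed with the `certificates` slice passed to `CreateAppPackage`; if that slice can hold additional signing certificates, one taken from the default certificate directory would not raise the property error. Consider checking the same slice that is signed with, e.g. `for _, cert := range certificates { if strings.HasPrefix(cert.Pem.String(), systemCertPath) { ... } }` (the element type is not visible in this hunk, so adjust to it). Separately, `strings.HasPrefix(certPath, systemCertPath)` is a raw string prefix with no separator boundary, so a sibling directory whose name merely starts with the same text also matches; comparing against `systemCertPath + "/"` or against the certificate's directory would make the match exact. `generateAndroidBuildActions` starts and ends outside this hunk.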