Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b71e3989 authored by Michael Groover's avatar Michael Groover
Browse files

Relax minimum signature scheme version for apps on system partition 

Android 11 requires a minimum V2 APK signature for apps targeting SDK
version 30+; however some apps on a system partition can only be signed
with the V1 signature scheme. This commit relaxes the minimum signature
scheme version to allow for these apps on a system partition.

Bug: 158728035
Test: atest PackageManagerTest
Test: atest PackageManagerTests
Test: atest PkgInstallSignatureVerificationTest
Change-Id: I1a95fd6894cc937e00ad1ac54d1846b51b48e9cd
parent a2746525

core/java/android/content/pm/PackageParser.java

+4 −2
Original line number Diff line number Diff line
@@ -1374,9 +1374,11 @@ public class PackageParser { 
        }

        SigningDetails verified;

        if (skipVerify) {

            // systemDir APKs are already trusted, save time by not verifying

            // systemDir APKs are already trusted, save time by not verifying; since the signature

            // is not verified and some system apps can have their V2+ signatures stripped allow

            // pulling the certs from the jar signature.

            verified = ApkSignatureVerifier.unsafeGetCertsWithoutVerification(

                        apkPath, minSignatureScheme);

                        apkPath, SigningDetails.SignatureSchemeVersion.JAR);

        } else {

            verified = ApkSignatureVerifier.verify(apkPath, minSignatureScheme);

        }

core/java/android/content/pm/parsing/ParsingPackageUtils.java

+4 −2
Original line number Diff line number Diff line
@@ -2748,9 +2748,11 @@ public class ParsingPackageUtils { 
        SigningDetails verified;

        try {

            if (skipVerify) {

                // systemDir APKs are already trusted, save time by not verifying

                // systemDir APKs are already trusted, save time by not verifying; since the

                // signature is not verified and some system apps can have their V2+ signatures

                // stripped allow pulling the certs from the jar signature.

                verified = ApkSignatureVerifier.unsafeGetCertsWithoutVerification(

                        baseCodePath, minSignatureScheme);

                        baseCodePath, SigningDetails.SignatureSchemeVersion.JAR);

            } else {

                verified = ApkSignatureVerifier.verify(baseCodePath, minSignatureScheme);

            }

services/core/java/com/android/server/pm/PackageManagerService.java

+11 −9
Original line number Diff line number Diff line
@@ -12144,8 +12144,9 @@ public class PackageManagerService extends IPackageManager.Stub 
                }

            }













            // Ensure the package is signed with at least the minimum signature scheme version













            // required for its target SDK.













            // If the package is not on a system partition ensure it is signed with at least the













            // minimum signature scheme version required for its target SDK.













            if ((parseFlags & PackageParser.PARSE_IS_SYSTEM_DIR) == 0) {















                int minSignatureSchemeVersion =















                        ApkSignatureVerifier.getMinimumSignatureSchemeVersionForTargetSdk(















                                pkg.getTargetSdkVersion());









@@ -12156,6 +12157,7 @@ public class PackageManagerService extends IPackageManager.Stub













                }















            }















        }













    }





























    @GuardedBy("mLock")















    private boolean addBuiltInSharedLibraryLocked(String path, String name) {