Remove changing uids/timestamps from zip/jar files
Pass -X to zip so that Unix UID/GID and extra timestamps aren't
saved into the zip files.
Add a new option to zipalign, -t, to replace all timestamps with static
timestamps (2008 Jan 1 00:00:00). Use this for all non-APK zip files.
APK zip timestamps are set based on the certificate date in SignApk.
Bug: 24201956
Change-Id: Ifb619fc499ba9d99fc624f2acd5f8de36d78ef8e
diff --git a/core/Makefile b/core/Makefile
index d94318d..4f219be 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -666,12 +666,18 @@
#
# This rule adds to ALL_DEFAULT_INSTALLED_MODULES, so it needs to come
# before the rules that use that variable to build the image.
-ALL_DEFAULT_INSTALLED_MODULES += $(TARGET_OUT_ETC)/security/otacerts.zip
-$(TARGET_OUT_ETC)/security/otacerts.zip: KEY_CERT_PAIR := $(DEFAULT_KEY_CERT_PAIR)
-$(TARGET_OUT_ETC)/security/otacerts.zip: $(addsuffix .x509.pem,$(DEFAULT_KEY_CERT_PAIR))
+OTACERTS_ZIP_BUILT := $(call intermediates-dir-for,PACKAGING,otacerts)/otacerts.zip
+OTACERTS_ZIP := $(TARGET_OUT_ETC)/security/otacerts.zip
+ALL_DEFAULT_INSTALLED_MODULES += $(OTACERTS_ZIP)
+
+$(OTACERTS_ZIP_BUILT): KEY_CERT_PAIR := $(DEFAULT_KEY_CERT_PAIR)
+$(OTACERTS_ZIP_BUILT): $(addsuffix .x509.pem,$(DEFAULT_KEY_CERT_PAIR)) | $(ZIPALIGN)
$(hide) rm -f $@
$(hide) mkdir -p $(dir $@)
- $(hide) zip -qj $@ $<
+ $(hide) zip -qjX $@ $<
+ $(remove-timestamps-from-package)
+
+$(eval $(call copy-one-file,$(OTACERTS_ZIP_BUILT),$(OTACERTS_ZIP)))
.PHONY: otacerts
otacerts: $(TARGET_OUT_ETC)/security/otacerts.zip
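Review bot: `$(ZIPALIGN)` is added after `|` as an order-only prerequisite on the `$(OTACERTS_ZIP_BUILT)` rule, so a rebuilt zipalign does not cause otacerts.zip to be regenerated, even though the archive's bytes now depend on what `-t` writes. In an incremental tree this could leave archives stamped by an older tool next to freshly built ones, which works against the reproducibility this change is after. If order-only is the tree's convention for host tools, a comment such as `# zipalign is order-only: a tool change alone does not restamp this zip` would record the trade-off. Otherwise list it as a normal prerequisite, placed after the certificate because the recipe uses `$<`. The same applies to the `$(RECOVERY_RESOURCE_ZIP_BUILT)` rule and to `$(common_javalib.jar)` in core/java_library.mk.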
@@ -928,9 +934,13 @@
$(call build-recoveryimage-target, $@)
ifneq ($(BOARD_USES_FULL_RECOVERY_IMAGE),true)
-$(RECOVERY_RESOURCE_ZIP): $(INSTALLED_RECOVERYIMAGE_TARGET)
+RECOVERY_RESOURCE_ZIP_BUILT := $(call intermediates-dir-for,PACKAGING,recovery_resource)/recovery_resource.zip
+$(RECOVERY_RESOURCE_ZIP_BUILT): $(INSTALLED_RECOVERYIMAGE_TARGET) | $(ZIPALIGN)
$(hide) mkdir -p $(dir $@)
- $(hide) find $(TARGET_RECOVERY_ROOT_OUT)/res -type f | sort | zip -0qrj $@ -@
+ $(hide) find $(TARGET_RECOVERY_ROOT_OUT)/res -type f | sort | zip -0qrjX $@ -@
+ $(remove-timestamps-from-package)
+
+$(eval $(call copy-one-file,$(RECOVERY_RESOURCE_ZIP_BUILT),$(RECOVERY_RESOURCE_ZIP)))
endif
.PHONY: recoveryimage-nodeps
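Review bot: The new `$(RECOVERY_RESOURCE_ZIP_BUILT)` recipe runs `zip` without first deleting `$@`, unlike the otacerts rule in this file, which starts with `$(hide) rm -f $@`. zip updates an existing archive in place, so entries for files since removed from `$(TARGET_RECOVERY_ROOT_OUT)/res` would survive in the intermediates copy and be carried into the installed zip by `copy-one-file`. Adding `$(hide) rm -f $@` as the first recipe line makes the archive depend only on the current inputs. The `sort` in the pipeline is also locale-dependent, so `LC_ALL=C sort` would pin the entry order across build hosts.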
@@ -1121,19 +1131,19 @@
$(INSTALLED_PLATFORM_ZIP) : $(INTERNAL_SYSTEMIMAGE_FILES)
$(call pretty,"Platform zip package: $(INSTALLED_PLATFORM_ZIP)")
$(hide) rm -f $@
- $(hide) cd $(dir $@) && zip -qry $(notdir $@) \
+ $(hide) cd $(dir $@) && zip -qryX $(notdir $@) \
$(TARGET_COPY_OUT_SYSTEM) \
$(patsubst $(PRODUCT_OUT)/%, %, $(TARGET_OUT_NOTICE_FILES)) \
$(addprefix symbols/,$(PDK_SYMBOL_FILES_LIST))
ifdef BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE
- $(hide) cd $(dir $@) && zip -qry $(notdir $@) \
+ $(hide) cd $(dir $@) && zip -qryX $(notdir $@) \
$(TARGET_COPY_OUT_VENDOR)
endif
ifneq ($(PDK_PLATFORM_JAVA_ZIP_CONTENTS),)
- $(hide) cd $(OUT_DIR) && zip -qry $(patsubst $(OUT_DIR)/%,%,$@) $(PDK_PLATFORM_JAVA_ZIP_CONTENTS)
+ $(hide) cd $(OUT_DIR) && zip -qryX $(patsubst $(OUT_DIR)/%,%,$@) $(PDK_PLATFORM_JAVA_ZIP_CONTENTS)
endif
ifneq ($(PDK_PLATFORM_ZIP_PRODUCT_BINARIES),)
- $(hide) zip -qry $@ $(PDK_PLATFORM_ZIP_PRODUCT_BINARIES)
+ $(hide) zip -qryX $@ $(PDK_PLATFORM_ZIP_PRODUCT_BINARIES)
endif
.PHONY: platform
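Review bot: The platform zip recipe only gains `-X`, which drops the UID/GID and extended-timestamp extra fields but leaves each entry's regular modification time in the archive. The description says the new `-t` option is used for all non-APK zip files, yet within this diff `$(remove-timestamps-from-package)` is called only for otacerts.zip, recovery_resource.zip and the javalib jar. The platform, otatools, target-files, symbols, docs, CTS and SDK add-on archives touched by the other hunks would therefore still differ between two builds of the same source whenever file mtimes differ. If that is intentional, a comment here such as `# entry mtimes are not normalised for this package` would make the scope explicit. Otherwise the call, together with a `$(ZIPALIGN)` prerequisite, belongs after the last `zip` of each of these recipes, assuming zipalign copies symlink entries stored with `-y` unchanged.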
@@ -1402,9 +1412,9 @@
$(hide) $(ACP) -p system/extras/verity/build_verity_metadata.py $(zip_root)/system/extras/verity/
$(hide) $(ACP) -r -d -p build/tools/releasetools/* $(zip_root)/releasetools
$(hide) rm -rf $@ $(zip_root)/releasetools/*.pyc
- $(hide) (cd $(zip_root) && zip -qry $(abspath $@) *)
- $(hide) zip -qry $(abspath $@) build/target/product/security/
- $(hide) find device vendor -name \*.pk8 -o -name \*.x509.pem -o -name oem.prop | xargs zip -qry $(abspath $@)>/dev/null || true
+ $(hide) (cd $(zip_root) && zip -qryX $(abspath $@) *)
+ $(hide) zip -qryX $(abspath $@) build/target/product/security/
+ $(hide) find device vendor -name \*.pk8 -o -name \*.x509.pem -o -name oem.prop | xargs zip -qryX $(abspath $@)>/dev/null || true
.PHONY: otatools-package
otatools-package: $(BUILT_OTATOOLS_PACKAGE)
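Review bot: The trailing `|| true` on the `find device vendor … | xargs zip -qryX` line swallows every zip failure, not only the case where nothing matches, and `>/dev/null` hides the output, so an archive missing some of the matched files is still reported as a successful build. Judging by the extensions, this line collects private keys (`*.pk8`) and certificates (`*.x509.pem`) into the otatools package. It therefore deserves a comment stating that the package carries key material and who may receive it, and the error tolerance should be narrowed to the no-match case. Paths are also handed to xargs unquoted, so a file name containing whitespace would be split; `find … -print0 | xargs -0 zip -qryX $(abspath $@)` avoids that. The rule's header and earlier recipe lines are outside this hunk.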
@@ -1626,7 +1636,7 @@
$(hide) $(ACP) -r $(TARGET_OUT_BREAKPAD) $(zip_root)/BREAKPAD
endif
@# Zip everything up, preserving symlinks
- $(hide) (cd $(zip_root) && zip -qry ../$(notdir $@) .)
+ $(hide) (cd $(zip_root) && zip -qryX ../$(notdir $@) .)
@# Run fs_config on all the system, vendor, boot ramdisk,
@# and recovery ramdisk files in the zip, and save the output
$(hide) zipinfo -1 $@ | awk 'BEGIN { FS="SYSTEM/" } /^SYSTEM\// {print "system/" $$2}' | $(HOST_OUT_EXECUTABLES)/fs_config -C -D $(TARGET_OUT) -S $(SELINUX_FC) > $(zip_root)/META/filesystem_config.txt
@@ -1639,7 +1649,7 @@
ifneq ($(INSTALLED_RECOVERYIMAGE_TARGET),)
$(hide) zipinfo -1 $@ | awk 'BEGIN { FS="RECOVERY/RAMDISK/" } /^RECOVERY\/RAMDISK\// {print $$2}' | $(HOST_OUT_EXECUTABLES)/fs_config -C -D $(TARGET_OUT) -S $(SELINUX_FC) > $(zip_root)/META/recovery_filesystem_config.txt
endif
- $(hide) (cd $(zip_root) && zip -q ../$(notdir $@) META/*filesystem_config.txt)
+ $(hide) (cd $(zip_root) && zip -qX ../$(notdir $@) META/*filesystem_config.txt)
$(hide) PATH=$(foreach p,$(INTERNAL_USERIMAGES_BINARY_PATHS),$(p):)$$PATH MKBOOTIMG=$(MKBOOTIMG) \
./build/tools/releasetools/add_img_to_target_files -v -p $(HOST_OUT) $@
@@ -1719,7 +1729,7 @@
@echo "Package symbols: $@"
$(hide) rm -rf $@
$(hide) mkdir -p $(dir $@) $(TARGET_OUT_UNSTRIPPED)
- $(hide) zip -qr $@ $(TARGET_OUT_UNSTRIPPED)
+ $(hide) zip -qrX $@ $(TARGET_OUT_UNSTRIPPED)
# -----------------------------------------------------------------
# A zip of the Android Apps. Not keeping full path so that we don't
@@ -1736,7 +1746,7 @@
@echo "Package apps: $@"
$(hide) rm -rf $@
$(hide) mkdir -p $(dir $@)
- $(hide) zip -qj $@ $(TARGET_OUT_APPS)/*/*.apk $(TARGET_OUT_APPS_PRIVILEGED)/*/*.apk
+ $(hide) zip -qjX $@ $(TARGET_OUT_APPS)/*/*.apk $(TARGET_OUT_APPS_PRIVILEGED)/*/*.apk
#------------------------------------------------------------------
@@ -1749,7 +1759,7 @@
$(EMMA_META_ZIP) :
@echo "Collecting Emma coverage meta files."
$(hide) find $(TARGET_COMMON_OUT_ROOT) $(HOST_COMMON_OUT_ROOT) -name "coverage.em" | \
- zip -@ -q $@
+ zip -@ -qX $@
endif # EMMA_INSTRUMENT=true
@@ -1765,7 +1775,7 @@
$(hide) dict_files=`find $(TARGET_OUT_COMMON_INTERMEDIATES)/APPS -name proguard_dictionary`; \
if [ -n "$$dict_files" ]; then \
unobfuscated_jars=$${dict_files//proguard_dictionary/classes.jar}; \
- zip -q $@ $$dict_files $$unobfuscated_jars; \
+ zip -qX $@ $$dict_files $$unobfuscated_jars; \
else \
touch $(dir $@)/zipdummy; \
(cd $(dir $@) && zip -q $(notdir $@) zipdummy); \
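Review bot: The `else` branch was missed: `(cd $(dir $@) && zip -q $(notdir $@) zipdummy); \` still runs zip without `-X`, so the placeholder archive keeps the UID/GID and extra timestamp fields that the branch above now drops. For consistency with the rest of the change it should read `(cd $(dir $@) && zip -qX $(notdir $@) zipdummy); \`. The preceding `touch` also gives zipdummy a fresh mtime on every run, so this archive is a candidate for `$(remove-timestamps-from-package)` as well. The recipe starts and ends outside this hunk.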
@@ -1796,7 +1806,7 @@
$(INTERNAL_EMULATOR_PACKAGE_TARGET): $(INTERNAL_EMULATOR_PACKAGE_FILES)
@echo "Package: $@"
- $(hide) zip -qj $@ $(INTERNAL_EMULATOR_PACKAGE_FILES)
+ $(hide) zip -qjX $@ $(INTERNAL_EMULATOR_PACKAGE_FILES)
endif
# -----------------------------------------------------------------
@@ -1931,7 +1941,7 @@
HOST_OUT_EXECUTABLES=$(HOST_OUT_EXECUTABLES) HOST_OS=$(HOST_OS) \
development/build/tools/sdk_clean.sh $(PRIVATE_DIR) && \
chmod -R ug+rwX $(PRIVATE_DIR) && \
- cd $(dir $@) && zip -rq $(notdir $@) $(PRIVATE_NAME) \
+ cd $(dir $@) && zip -rqX $(notdir $@) $(PRIVATE_NAME) \
) || ( rm -rf $(PRIVATE_DIR) $@ && exit 44 )
diff --git a/core/definitions.mk b/core/definitions.mk
index ecc7253..b450394 100644
--- a/core/definitions.mk
+++ b/core/definitions.mk
@@ -2094,13 +2094,13 @@
$(foreach abi,$(PRIVATE_JNI_SHARED_LIBRARIES_ABI),\
$(call _add-jni-shared-libs-to-package-per-abi,$(abi),\
$(patsubst $(abi):%,%,$(filter $(abi):%,$(PRIVATE_JNI_SHARED_LIBRARIES)))))
-$(hide) (cd $(dir $@) && zip -qr $(JNI_COMPRESS_FLAGS) $(notdir $@) lib)
+$(hide) (cd $(dir $@) && zip -qrX $(JNI_COMPRESS_FLAGS) $(notdir $@) lib)
$(hide) rm -rf $(dir $@)lib
endef
#TODO: update the manifest to point to the dex file
define add-dex-to-package
-$(hide) zip -qj $@ $(dir $(PRIVATE_DEX_FILE))classes*.dex
+$(hide) zip -qjX $@ $(dir $(PRIVATE_DEX_FILE))classes*.dex
endef
# Add java resources added by the current module.
@@ -2147,6 +2147,17 @@
$(hide) mv $@.aligned $@
endef
+# Remove dynamic timestamps from packages
+#
+define remove-timestamps-from-package
+$(hide) mv $@ $@.timed
+$(hide) $(ZIPALIGN) \
+ -f -t \
+ 1 \
+ $@.timed $@.untimed
+$(hide) mv $@.untimed $@
+endef
+
# Uncompress shared libraries embedded in an apk.
#
define uncompress-shared-libs
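Review bot: `remove-timestamps-from-package` never deletes `$@.timed`: the original archive is moved aside, zipalign writes `$@.untimed`, and only that file is moved back, so a stale copy with the original timestamps stays next to every processed package. Ending the macro with `$(hide) rm -f $@.timed` keeps output directories free of it. If zipalign fails, the target itself is gone and only `$@.timed` remains, which is the safe outcome but deserves a one-line comment. The header comment could also say that the alignment argument `1` means no realignment is requested and that `-t` is the option that rewrites the entry timestamps, since neither is obvious from the call.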
@@ -2154,7 +2165,7 @@
rm -rf $(dir $@)uncompressedlibs && mkdir $(dir $@)uncompressedlibs; \
unzip $@ $(PRIVATE_EMBEDDED_JNI_LIBS) -d $(dir $@)uncompressedlibs && \
zip -d $@ 'lib/*.so' && \
- ( cd $(dir $@)uncompressedlibs && zip -D -r -0 ../$(notdir $@) lib ) && \
+ ( cd $(dir $@)uncompressedlibs && zip -D -r -X -0 ../$(notdir $@) lib ) && \
rm -rf $(dir $@)uncompressedlibs; \
fi
endef
diff --git a/core/droiddoc.mk b/core/droiddoc.mk
index cc2a915..74f7d8b 100644
--- a/core/droiddoc.mk
+++ b/core/droiddoc.mk
@@ -241,7 +241,7 @@
@echo Package docs: $@
@rm -f $@
@mkdir -p $(dir $@)
- $(hide) ( F=$$(pwd)/$@ ; cd $(PRIVATE_DOCS_DIR) && zip -rq $$F * )
+ $(hide) ( F=$$(pwd)/$@ ; cd $(PRIVATE_DOCS_DIR) && zip -rqX $$F * )
$(LOCAL_MODULE)-docs.zip : $(out_zip)
diff --git a/core/java_library.mk b/core/java_library.mk
index 5a2d19b..0ce7dfe 100644
--- a/core/java_library.mk
+++ b/core/java_library.mk
@@ -81,7 +81,7 @@
$(common_javalib.jar): PRIVATE_DEX_FILE := $(built_dex)
$(common_javalib.jar): PRIVATE_SOURCE_ARCHIVE := $(full_classes_jarjar_jar)
$(common_javalib.jar): PRIVATE_DONT_DELETE_JAR_DIRS := $(LOCAL_DONT_DELETE_JAR_DIRS)
-$(common_javalib.jar) : $(built_dex) $(java_resource_sources)
+$(common_javalib.jar) : $(built_dex) $(java_resource_sources) | $(ZIPALIGN)
@echo "target Jar: $(PRIVATE_MODULE) ($@)"
ifdef LOCAL_JACK_ENABLED
$(create-empty-package)
@@ -92,6 +92,7 @@
ifdef LOCAL_JACK_ENABLED
$(add-carried-jack-resources)
endif
+ $(remove-timestamps-from-package)
ifdef LOCAL_DEX_PREOPT
ifneq ($(dexpreopt_boot_jar_module),) # boot jar
diff --git a/core/tasks/cts.mk b/core/tasks/cts.mk
index 56a7f6f..38f1301 100644
--- a/core/tasks/cts.mk
+++ b/core/tasks/cts.mk
@@ -387,7 +387,7 @@
$(INTERNAL_CTS_TARGET): TMP_DIR := $(cts_dir)/temp
$(INTERNAL_CTS_TARGET): $(cts_dir)/all_cts_files_stamp $(DEFAULT_TEST_PLAN)
$(hide) echo "Package CTS: $@"
- $(hide) cd $(dir $@) && zip -rq $(notdir $@) $(PRIVATE_NAME)
+ $(hide) cd $(dir $@) && zip -rqX $(notdir $@) $(PRIVATE_NAME)
.PHONY: cts
cts: $(INTERNAL_CTS_TARGET) adb
diff --git a/core/tasks/sdk-addon.mk b/core/tasks/sdk-addon.mk
index 5ac9b7d..362b229 100644
--- a/core/tasks/sdk-addon.mk
+++ b/core/tasks/sdk-addon.mk
@@ -111,13 +111,13 @@
$(ACP) -r $$d $(PRIVATE_STAGING_DIR)/docs ;\
done
$(hide) mkdir -p $(dir $@)
- $(hide) ( F=$$(pwd)/$@ ; cd $(PRIVATE_STAGING_DIR)/.. && zip -rq $$F $(notdir $(PRIVATE_STAGING_DIR)) )
+ $(hide) ( F=$$(pwd)/$@ ; cd $(PRIVATE_STAGING_DIR)/.. && zip -rqX $$F $(notdir $(PRIVATE_STAGING_DIR)) )
$(full_target_img): PRIVATE_STAGING_DIR := $(call append-path,$(staging),$(addon_dir_img))/images/$(TARGET_CPU_ABI)
$(full_target_img): $(full_target) $(addon_img_source_prop)
@echo Packaging SDK Addon System-Image: $@
$(hide) mkdir -p $(dir $@)
- $(hide) ( F=$$(pwd)/$@ ; cd $(PRIVATE_STAGING_DIR)/.. && zip -rq $$F $(notdir $(PRIVATE_STAGING_DIR)) )
+ $(hide) ( F=$$(pwd)/$@ ; cd $(PRIVATE_STAGING_DIR)/.. && zip -rqX $$F $(notdir $(PRIVATE_STAGING_DIR)) )
.PHONY: sdk_addon
diff --git a/core/tasks/tools/package-modules.mk b/core/tasks/tools/package-modules.mk
index a70e644..24a7608 100644
--- a/core/tasks/tools/package-modules.mk
+++ b/core/tasks/tools/package-modules.mk
@@ -59,4 +59,4 @@
$(call copy-tests-in-batch,$(wordlist 1201,9999,$(PRIVATE_COPY_PAIRS)))
$(hide) $(foreach f, $(PRIVATE_PICKUP_FILES),\
cp -RfL $(f) $(dir $@);)
- $(hide) cd $(dir $@) && zip -rq $(notdir $@) *
+ $(hide) cd $(dir $@) && zip -rqX $(notdir $@) *