Add signing certificate lineage file support.
Also add multi-cert support to prebuilt apps so that they can benefit
from the new lineage feature.
(This is a cherry-pick change.)
Test: m GoogleServicesFramework w/ modified build rules
Test: m PrebuiltGmsCore w/ modified build rules
Test: apksigner lineage -v --print-certs -in <built_module_path>
Fixes: 152897457
Change-Id: If7d5d4bd308629c8340231520214c76c8a568a65
Merged-In: If7d5d4bd308629c8340231520214c76c8a568a65
diff --git a/core/app_prebuilt_internal.mk b/core/app_prebuilt_internal.mk
index 05d9001..61e13e9 100644
--- a/core/app_prebuilt_internal.mk
+++ b/core/app_prebuilt_internal.mk
@@ -163,6 +163,13 @@
$(built_module) : $(LOCAL_CERTIFICATE).pk8 $(LOCAL_CERTIFICATE).x509.pem
$(built_module) : PRIVATE_PRIVATE_KEY := $(LOCAL_CERTIFICATE).pk8
$(built_module) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem
+
+ additional_certificates := $(foreach c,$(LOCAL_ADDITIONAL_CERTIFICATES), $(c).x509.pem $(c).pk8)
+ $(built_module): $(additional_certificates)
+ $(built_module): PRIVATE_ADDITIONAL_CERTIFICATES := $(additional_certificates)
+
+ $(built_module): $(LOCAL_CERTIFICATE_LINEAGE)
+ $(built_module): PRIVATE_CERTIFICATE_LINEAGE := $(LOCAL_CERTIFICATE_LINEAGE)
endif
include $(BUILD_SYSTEM)/app_certificate_validate.mk
diff --git a/core/clear_vars.mk b/core/clear_vars.mk
index e27d91c..3d481df 100644
--- a/core/clear_vars.mk
+++ b/core/clear_vars.mk
@@ -152,6 +152,7 @@
LOCAL_JETIFIER_ENABLED:=
LOCAL_JNI_SHARED_LIBRARIES:=
LOCAL_JNI_SHARED_LIBRARIES_ABI:=
+LOCAL_CERTIFICATE_LINEAGE:=
LOCAL_LDFLAGS:=
LOCAL_LDLIBS:=
LOCAL_LOGTAGS_FILES:=
diff --git a/core/definitions.mk b/core/definitions.mk
index 3499da9..0558a38 100644
--- a/core/definitions.mk
+++ b/core/definitions.mk
@@ -2285,6 +2285,7 @@
define sign-package-arg
$(hide) mv $(1) $(1).unsigned
$(hide) $(JAVA) -Djava.library.path=$$(dirname $(SIGNAPK_JNI_LIBRARY_PATH)) -jar $(SIGNAPK_JAR) \
+ $(if $(strip $(PRIVATE_CERTIFICATE_LINEAGE)), --lineage $(PRIVATE_CERTIFICATE_LINEAGE)) \
$(PRIVATE_CERTIFICATE) $(PRIVATE_PRIVATE_KEY) \
$(PRIVATE_ADDITIONAL_CERTIFICATES) $(1).unsigned $(1).signed
$(hide) mv $(1).signed $(1)
diff --git a/core/package_internal.mk b/core/package_internal.mk
index c6c2cf5..59e0701 100644
--- a/core/package_internal.mk
+++ b/core/package_internal.mk
@@ -471,6 +471,9 @@
$(LOCAL_BUILT_MODULE): $(additional_certificates)
$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CERTIFICATES := $(additional_certificates)
+$(LOCAL_BUILT_MODULE): $(LOCAL_CERTIFICATE_LINEAGE)
+$(LOCAL_BUILT_MODULE): PRIVATE_CERTIFICATE_LINEAGE := $(LOCAL_CERTIFICATE_LINEAGE)
+
# Set a actual_partition_tag (calculated in base_rules.mk) for the package.
PACKAGES.$(LOCAL_PACKAGE_NAME).PARTITION := $(actual_partition_tag)
diff --git a/tools/signapk/src/com/android/signapk/SignApk.java b/tools/signapk/src/com/android/signapk/SignApk.java
index 9809ed4..95ef05f 100644
--- a/tools/signapk/src/com/android/signapk/SignApk.java
+++ b/tools/signapk/src/com/android/signapk/SignApk.java
@@ -36,6 +36,7 @@
import com.android.apksig.ApkSignerEngine;
import com.android.apksig.DefaultApkSignerEngine;
+import com.android.apksig.SigningCertificateLineage;
import com.android.apksig.Hints;
import com.android.apksig.apk.ApkUtils;
import com.android.apksig.apk.MinSdkVersionException;
@@ -1042,6 +1043,7 @@
int alignment = 4;
Integer minSdkVersionOverride = null;
boolean signUsingApkSignatureSchemeV2 = true;
+ SigningCertificateLineage certLineage = null;
int argstart = 0;
while (argstart < args.length && args[argstart].startsWith("-")) {
@@ -1069,6 +1071,15 @@
} else if ("--disable-v2".equals(args[argstart])) {
signUsingApkSignatureSchemeV2 = false;
++argstart;
+ } else if ("--lineage".equals(args[argstart])) {
+ File lineageFile = new File(args[++argstart]);
+ try {
+ certLineage = SigningCertificateLineage.readFromFile(lineageFile);
+ } catch (Exception e) {
+ throw new IllegalArgumentException(
+ "Error reading lineage file: " + e.getMessage());
+ }
+ ++argstart;
} else {
usage();
}
@@ -1149,6 +1160,7 @@
.setV2SigningEnabled(signUsingApkSignatureSchemeV2)
.setOtherSignersSignaturesPreserved(false)
.setCreatedBy("1.0 (Android SignApk)")
+ .setSigningCertificateLineage(certLineage)
.build()) {
// We don't preserve the input APK's APK Signing Block (which contains v2
// signatures)