Merge "Revert "Adding adb_debug.prop""
diff --git a/core/Makefile b/core/Makefile
index ca3c827..e8e592a 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -125,32 +125,7 @@
.PHONY: ndk-docs
endif
-# -----------------------------------------------------------------
-# generate preview API fingerprint
-api_fingerprint := $(call intermediates-dir-for,PACKAGING,api_fingerprint)/api_fingerprint.txt
-.KATI_READONLY := api_fingerprint
-
-ifeq (REL,$(PLATFORM_VERSION_CODENAME))
- $(api_fingerprint):
- echo REL >$@
-else ifneq ($(TARGET_BUILD_APPS),)
- # TODO: use a prebuilt api_fingerprint.txt from prebuilts/sdk/current.txt once we have one
- #$(eval $(call copy-one-file,prebuilts/sdk/current/api_fingerprint.txt,$(api_fingerprint)))
- $(api_fingerprint):
- echo $(PLATFORM_PREVIEW_SDK_VERSION) >$@
-else ifneq ($(TARGET_BUILD_PDK),)
- $(eval $(call copy-one-file,$(_pdk_fusion_intermediates)/api_fingerprint.txt,$(api_fingerprint)))
-else
- ifeq ($(HOST_OS),darwin)
- $(api_fingerprint): PRIVATE_HASH := md5
- else
- $(api_fingerprint): PRIVATE_HASH := md5sum
- endif
- $(api_fingerprint): $(sort $(wildcard frameworks/base/api/*current.txt))
- cat $^ | $(PRIVATE_HASH) | cut -d' ' -f1 >$@
-
- $(call dist-for-goals,sdk,$(api_fingerprint))
-endif
+$(call dist-for-goals,sdk,$(API_FINGERPRINT))
# -----------------------------------------------------------------
# property_overrides_split_enabled
@@ -416,7 +391,7 @@
else
system_prop_file := $(wildcard $(TARGET_DEVICE_DIR)/system.prop)
endif
-$(intermediate_system_build_prop): $(BUILDINFO_SH) $(BUILDINFO_COMMON_SH) $(INTERNAL_BUILD_ID_MAKEFILE) $(BUILD_SYSTEM)/version_defaults.mk $(system_prop_file) $(INSTALLED_ANDROID_INFO_TXT_TARGET) $(api_fingerprint)
+$(intermediate_system_build_prop): $(BUILDINFO_SH) $(BUILDINFO_COMMON_SH) $(INTERNAL_BUILD_ID_MAKEFILE) $(BUILD_SYSTEM)/version_defaults.mk $(system_prop_file) $(INSTALLED_ANDROID_INFO_TXT_TARGET) $(API_FINGERPRINT)
@echo Target buildinfo: $@
@mkdir -p $(dir $@)
$(hide) echo > $@
@@ -452,7 +427,7 @@
PLATFORM_BASE_OS="$(PLATFORM_BASE_OS)" \
PLATFORM_SDK_VERSION="$(PLATFORM_SDK_VERSION)" \
PLATFORM_PREVIEW_SDK_VERSION="$(PLATFORM_PREVIEW_SDK_VERSION)" \
- PLATFORM_PREVIEW_SDK_FINGERPRINT="$$(cat $(api_fingerprint))" \
+ PLATFORM_PREVIEW_SDK_FINGERPRINT="$$(cat $(API_FINGERPRINT))" \
PLATFORM_VERSION_CODENAME="$(PLATFORM_VERSION_CODENAME)" \
PLATFORM_VERSION_ALL_CODENAMES="$(PLATFORM_VERSION_ALL_CODENAMES)" \
PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION="$(PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION)" \
@@ -1961,6 +1936,106 @@
endif
# -----------------------------------------------------------------
+# the debug ramdisk, which is the original ramdisk plus additional
+# files: force_debuggable, adb_debug.prop and userdebug sepolicy.
+# When /force_debuggable is present, /init will load userdebug sepolicy
+# and property files to allow adb root, if the device is unlocked.
+
+ifdef BUILDING_RAMDISK_IMAGE
+BUILT_DEBUG_RAMDISK_TARGET := $(PRODUCT_OUT)/ramdisk-debug.img
+INSTALLED_DEBUG_RAMDISK_TARGET := $(BUILT_DEBUG_RAMDISK_TARGET)
+
+INTERNAL_DEBUG_RAMDISK_FILES := $(filter $(TARGET_DEBUG_RAMDISK_OUT)/%, \
+ $(ALL_GENERATED_SOURCES) \
+ $(ALL_DEFAULT_INSTALLED_MODULES))
+
+# Note: TARGET_DEBUG_RAMDISK_OUT will be $(PRODUCT_OUT)/debug_ramdisk/first_stage_ramdisk,
+# if BOARD_USES_RECOVERY_AS_BOOT is true. Otherwise, it will be $(PRODUCT_OUT)/debug_ramdisk.
+# But the root dir of the ramdisk to build is always $(PRODUCT_OUT)/debug_ramdisk.
+my_debug_ramdisk_root_dir := $(PRODUCT_OUT)/debug_ramdisk
+
+INSTALLED_FILES_FILE_DEBUG_RAMDISK := $(PRODUCT_OUT)/installed-files-ramdisk-debug.txt
+INSTALLED_FILES_JSON_DEBUG_RAMDISK := $(INSTALLED_FILES_FILE_DEBUG_RAMDISK:.txt=.json)
+$(INSTALLED_FILES_FILE_DEBUG_RAMDISK): .KATI_IMPLICIT_OUTPUTS := $(INSTALLED_FILES_JSON_DEBUG_RAMDISK)
+$(INSTALLED_FILES_FILE_DEBUG_RAMDISK): DEBUG_RAMDISK_ROOT_DIR := $(my_debug_ramdisk_root_dir)
+
+# Cannot just depend on INTERNAL_DEBUG_RAMDISK_FILES like other INSTALLED_FILES_FILE_* rules.
+# Because ramdisk-debug.img will rsync from either ramdisk.img or ramdisk-recovery.img.
+# Need to depend on the built ramdisk-debug.img, to get a complete list of the installed files.
+$(INSTALLED_FILES_FILE_DEBUG_RAMDISK) : $(INSTALLED_DEBUG_RAMDISK_TARGET)
+$(INSTALLED_FILES_FILE_DEBUG_RAMDISK) : $(INTERNAL_DEBUG_RAMDISK_FILES) $(FILESLIST)
+ echo Installed file list: $@
+ mkdir -p $(dir $@)
+ rm -f $@
+ $(FILESLIST) $(DEBUG_RAMDISK_ROOT_DIR) > $(@:.txt=.json)
+ build/make/tools/fileslist_util.py -c $(@:.txt=.json) > $@
+
+# ramdisk-debug.img will rsync the content from either ramdisk.img or ramdisk-recovery.img,
+# depending on whether BOARD_USES_RECOVERY_AS_BOOT is set or not.
+ifeq ($(BOARD_USES_RECOVERY_AS_BOOT),true)
+my_debug_ramdisk_sync_dir := $(TARGET_RECOVERY_ROOT_OUT)
+else
+my_debug_ramdisk_sync_dir := $(TARGET_RAMDISK_OUT)
+endif # BOARD_USES_RECOVERY_AS_BOOT
+
+$(INSTALLED_DEBUG_RAMDISK_TARGET): DEBUG_RAMDISK_SYNC_DIR := $(my_debug_ramdisk_sync_dir)
+$(INSTALLED_DEBUG_RAMDISK_TARGET): DEBUG_RAMDISK_ROOT_DIR := $(my_debug_ramdisk_root_dir)
+# We should have just depended on ramdisk.img or ramdisk-recovery.img.
+# But ramdisk-recovery.img is not a make target, so let's depend on the boot.img directly.
+$(INSTALLED_DEBUG_RAMDISK_TARGET): $(INSTALLED_BOOTIMAGE_TARGET)
+$(INSTALLED_DEBUG_RAMDISK_TARGET): $(MKBOOTFS) $(INTERNAL_DEBUG_RAMDISK_FILES) | $(MINIGZIP)
+ $(call pretty,"Target debug ram disk: $@")
+ mkdir -p $(TARGET_DEBUG_RAMDISK_OUT)
+ touch $(TARGET_DEBUG_RAMDISK_OUT)/force_debuggable
+ rsync -a $(DEBUG_RAMDISK_SYNC_DIR)/* $(DEBUG_RAMDISK_ROOT_DIR)
+ $(MKBOOTFS) -d $(TARGET_OUT) $(DEBUG_RAMDISK_ROOT_DIR) | $(MINIGZIP) > $@
+
+.PHONY: ramdisk_debug-nodeps
+ramdisk_debug-nodeps: DEBUG_RAMDISK_SYNC_DIR := $(my_debug_ramdisk_sync_dir)
+ramdisk_debug-nodeps: DEBUG_RAMDISK_ROOT_DIR := $(my_debug_ramdisk_root_dir)
+ramdisk_debug-nodeps: $(MKBOOTFS) | $(MINIGZIP)
+ echo "make $@: ignoring dependencies"
+ mkdir -p $(TARGET_DEBUG_RAMDISK_OUT)
+ touch $(TARGET_DEBUG_RAMDISK_OUT)/force_debuggable
+ rsync -a $(DEBUG_RAMDISK_SYNC_DIR)/* $(DEBUG_RAMDISK_ROOT_DIR)
+ $(MKBOOTFS) -d $(TARGET_OUT) $(DEBUG_RAMDISK_ROOT_DIR) | $(MINIGZIP) > $(INSTALLED_DEBUG_RAMDISK_TARGET)
+
+my_debug_ramdisk_sync_dir :=
+my_debug_ramdisk_root_dir :=
+
+endif # BUILDING_RAMDISK_IMAGE
+
+# -----------------------------------------------------------------
+# the boot-debug.img, which is the kernel plus ramdisk-debug.img
+#
+# Note: it's intentional to skip signing for boot-debug.img, because it
+# can only be used if the device is unlocked with verification error.
+ifneq ($(strip $(TARGET_NO_KERNEL)),true)
+
+INSTALLED_DEBUG_BOOTIMAGE_TARGET := $(PRODUCT_OUT)/boot-debug.img
+
+# Replace ramdisk.img in $(MKBOOTIMG) ARGS with ramdisk-debug.img to build boot-debug.img
+ifeq ($(BOARD_USES_RECOVERY_AS_BOOT),true)
+INTERNAL_DEBUG_BOOTIMAGE_ARGS := $(subst $(recovery_ramdisk),$(INSTALLED_DEBUG_RAMDISK_TARGET), $(INTERNAL_RECOVERYIMAGE_ARGS))
+else
+INTERNAL_DEBUG_BOOTIMAGE_ARGS := $(subst $(INSTALLED_RAMDISK_TARGET),$(INSTALLED_DEBUG_RAMDISK_TARGET), $(INTERNAL_BOOTIMAGE_ARGS))
+endif
+
+# Depends on original boot.img and ramdisk-debug.img, to build the new boot-debug.img
+$(INSTALLED_DEBUG_BOOTIMAGE_TARGET): $(MKBOOTIMG) $(INSTALLED_BOOTIMAGE_TARGET) $(INSTALLED_DEBUG_RAMDISK_TARGET)
+ $(call pretty,"Target boot debug image: $@")
+ $(MKBOOTIMG) $(INTERNAL_DEBUG_BOOTIMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $@
+ $(call assert-max-image-size,$@,$(BOARD_BOOTIMAGE_PARTITION_SIZE))
+
+.PHONY: bootimage_debug-nodeps
+bootimage_debug-nodeps: $(MKBOOTIMG)
+ echo "make $@: ignoring dependencies"
+ $(MKBOOTIMG) $(INTERNAL_DEBUG_BOOTIMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(INSTALLED_DEBUG_BOOTIMAGE_TARGET)
+ $(call assert-max-image-size,$(INSTALLED_DEBUG_BOOTIMAGE_TARGET),$(BOARD_BOOTIMAGE_PARTITION_SIZE))
+
+endif # TARGET_NO_KERNEL
+
+# -----------------------------------------------------------------
# system image
#
# Remove overridden packages from $(ALL_PDK_FUSION_FILES)
@@ -2347,7 +2422,7 @@
$(INSTALLED_PLATFORM_ZIP) : $(SOONG_ZIP)
# dependencies for the other partitions are defined below after their file lists
# are known
-$(INSTALLED_PLATFORM_ZIP) : $(INTERNAL_SYSTEMIMAGE_FILES) $(pdk_classes_dex) $(pdk_odex_config_mk) $(api_fingerprint)
+$(INSTALLED_PLATFORM_ZIP) : $(INTERNAL_SYSTEMIMAGE_FILES) $(pdk_classes_dex) $(pdk_odex_config_mk) $(API_FINGERPRINT)
$(call pretty,"Platform zip package: $(INSTALLED_PLATFORM_ZIP)")
rm -f $@ $@.lst
echo "-C $(PRODUCT_OUT)" >> $@.lst
@@ -2380,7 +2455,7 @@
@# Add dex-preopt files and config.
$(if $(PRIVATE_DEX_FILES),\
echo "-C $(OUT_DIR) $(addprefix -f ,$(PRIVATE_DEX_FILES))") >> $@.lst
- echo "-C $(dir $(api_fingerprint)) -f $(api_fingerprint)" >> $@.lst
+ echo "-C $(dir $(API_FINGERPRINT)) -f $(API_FINGERPRINT)" >> $@.lst
touch $(PRODUCT_OUT)/pdk.mk
echo "-C $(PRODUCT_OUT) -f $(PRIVATE_ODEX_CONFIG) -f $(PRODUCT_OUT)/pdk.mk" >> $@.lst
$(SOONG_ZIP) --ignore_missing_files -o $@ @$@.lst
diff --git a/core/android_manifest.mk b/core/android_manifest.mk
index bd5772f..06bea5e 100644
--- a/core/android_manifest.mk
+++ b/core/android_manifest.mk
@@ -41,8 +41,21 @@
fixed_android_manifest := $(full_android_manifest)
endif
+my_target_sdk_version := $(call module-target-sdk-version)
+
+ifdef TARGET_BUILD_APPS
+ ifndef TARGET_BUILD_APPS_USE_PREBUILT_SDK
+ ifeq ($(my_target_sdk_version),$(PLATFORM_VERSION_CODENAME))
+ ifdef UNBUNDLED_BUILD_TARGET_SDK_WITH_API_FINGERPRINT
+ my_target_sdk_version := $(my_target_sdk_version).$$(cat $(API_FINGERPRINT))
+ $(fixed_android_manifest): $(API_FINGERPRINT)
+ endif
+ endif
+ endif
+endif
+
$(fixed_android_manifest): PRIVATE_MIN_SDK_VERSION := $(call module-min-sdk-version)
-$(fixed_android_manifest): PRIVATE_TARGET_SDK_VERSION := $(call module-target-sdk-version)
+$(fixed_android_manifest): PRIVATE_TARGET_SDK_VERSION := $(my_target_sdk_version)
my_exported_sdk_libs_file := $(call local-intermediates-dir,COMMON)/exported-sdk-libs
$(fixed_android_manifest): PRIVATE_EXPORTED_SDK_LIBS_FILE := $(my_exported_sdk_libs_file)
diff --git a/core/board_config.mk b/core/board_config.mk
index dcfed9d..2580a33 100644
--- a/core/board_config.mk
+++ b/core/board_config.mk
@@ -241,6 +241,12 @@
endif
###########################################
+# Now we can substitute with the real value of TARGET_COPY_OUT_DEBUG_RAMDISK
+ifeq ($(BOARD_USES_RECOVERY_AS_BOOT),true)
+TARGET_COPY_OUT_DEBUG_RAMDISK := debug_ramdisk/first_stage_ramdisk
+endif
+
+###########################################
# Configure whether we're building the system image
BUILDING_SYSTEM_IMAGE := true
ifeq ($(PRODUCT_BUILD_SYSTEM_IMAGE),)
diff --git a/core/config.mk b/core/config.mk
index 386c64e..94928a2 100644
--- a/core/config.mk
+++ b/core/config.mk
@@ -1178,7 +1178,9 @@
onod odmimage-nodeps \
systemotherimage-nodeps \
ramdisk-nodeps \
+ ramdisk_debug-nodeps \
bootimage-nodeps \
+ bootimage_debug-nodeps \
recoveryimage-nodeps \
vbmetaimage-nodeps \
product-graph dump-products
diff --git a/core/envsetup.mk b/core/envsetup.mk
index 7b90334..46edc0e 100644
--- a/core/envsetup.mk
+++ b/core/envsetup.mk
@@ -225,6 +225,7 @@
TARGET_COPY_OUT_ASAN := $(TARGET_COPY_OUT_DATA)/asan
TARGET_COPY_OUT_OEM := oem
TARGET_COPY_OUT_RAMDISK := ramdisk
+TARGET_COPY_OUT_DEBUG_RAMDISK := debug_ramdisk
TARGET_COPY_OUT_ROOT := root
TARGET_COPY_OUT_RECOVERY := recovery
# The directory used for optional partitions depend on the BoardConfig, so
@@ -838,6 +839,7 @@
TARGET_RAMDISK_OUT := $(PRODUCT_OUT)/$(TARGET_COPY_OUT_RAMDISK)
TARGET_RAMDISK_OUT_UNSTRIPPED := $(TARGET_OUT_UNSTRIPPED)
+TARGET_DEBUG_RAMDISK_OUT := $(PRODUCT_OUT)/$(TARGET_COPY_OUT_DEBUG_RAMDISK)
TARGET_ROOT_OUT := $(PRODUCT_OUT)/$(TARGET_COPY_OUT_ROOT)
TARGET_ROOT_OUT_BIN := $(TARGET_ROOT_OUT)/bin
diff --git a/core/main.mk b/core/main.mk
index 590bfcc..af26705 100644
--- a/core/main.mk
+++ b/core/main.mk
@@ -1429,6 +1429,9 @@
.PHONY: ramdisk
ramdisk: $(INSTALLED_RAMDISK_TARGET)
+.PHONY: ramdisk_debug
+ramdisk_debug: $(INSTALLED_DEBUG_RAMDISK_TARGET)
+
.PHONY: systemtarball
systemtarball: $(INSTALLED_SYSTEMTARBALL_TARGET)
@@ -1475,6 +1478,9 @@
.PHONY: bootimage
bootimage: $(INSTALLED_BOOTIMAGE_TARGET)
+.PHONY: bootimage_debug
+bootimage_debug: $(INSTALLED_DEBUG_BOOTIMAGE_TARGET)
+
.PHONY: vbmetaimage
vbmetaimage: $(INSTALLED_VBMETAIMAGE_TARGET)
@@ -1487,6 +1493,8 @@
$(INSTALLED_SYSTEMIMAGE_TARGET) \
$(INSTALLED_RAMDISK_TARGET) \
$(INSTALLED_BOOTIMAGE_TARGET) \
+ $(INSTALLED_DEBUG_RAMDISK_TARGET) \
+ $(INSTALLED_DEBUG_BOOTIMAGE_TARGET) \
$(INSTALLED_RECOVERYIMAGE_TARGET) \
$(INSTALLED_VBMETAIMAGE_TARGET) \
$(INSTALLED_USERDATAIMAGE_TARGET) \
@@ -1511,6 +1519,8 @@
$(INSTALLED_FILES_JSON_SYSTEMOTHER) \
$(INSTALLED_FILES_FILE_RAMDISK) \
$(INSTALLED_FILES_JSON_RAMDISK) \
+ $(INSTALLED_FILES_FILE_DEBUG_RAMDISK) \
+ $(INSTALLED_FILES_JSON_DEBUG_RAMDISK) \
$(INSTALLED_FILES_FILE_ROOT) \
$(INSTALLED_FILES_JSON_ROOT) \
$(INSTALLED_FILES_FILE_RECOVERY) \
@@ -1631,6 +1641,10 @@
$(call dist-for-goals, droidcore, \
$(INSTALLED_FILES_FILE_RAMDISK) \
$(INSTALLED_FILES_JSON_RAMDISK) \
+ $(INSTALLED_FILES_FILE_DEBUG_RAMDISK) \
+ $(INSTALLED_FILES_JSON_DEBUG_RAMDISK) \
+ $(INSTALLED_DEBUG_RAMDISK_TARGET) \
+ $(INSTALLED_DEBUG_BOOTIMAGE_TARGET) \
)
endif
diff --git a/target/board/gsi_system.prop b/target/board/gsi_system.prop
index d768c83..780aadc 100644
--- a/target/board/gsi_system.prop
+++ b/target/board/gsi_system.prop
@@ -4,6 +4,9 @@
# GSI always disables adb authentication
ro.adb.secure=0
+# GSI disables non-AOSP nnapi extensions on product partition
+ro.nnapi.extensions.deny_on_product=true
+
# TODO(b/120679683): disable RescueParty before all problem apps solved
persist.sys.disable_rescue=true
diff --git a/target/board/gsi_system_user.prop b/target/board/gsi_system_user.prop
index becb783..217bd01 100644
--- a/target/board/gsi_system_user.prop
+++ b/target/board/gsi_system_user.prop
@@ -1,6 +1,9 @@
# GSI always generate dex pre-opt in system image
ro.cp_system_other_odex=0
+# GSI disables non-AOSP nnapi extensions on product partition
+ro.nnapi.extensions.deny_on_product=true
+
# TODO(b/120679683): disable RescueParty before all problem apps solved
persist.sys.disable_rescue=true
diff --git a/target/product/security/Android.mk b/target/product/security/Android.mk
index 1d695ae..a0b2d6d 100644
--- a/target/product/security/Android.mk
+++ b/target/product/security/Android.mk
@@ -60,3 +60,30 @@
$(extra_recovery_keys)
$(SOONG_ZIP) -o $@ -j \
$(foreach key_file, $(PRIVATE_CERT) $(PRIVATE_EXTRA_RECOVERY_KEYS), -f $(key_file))
+
+
+#######################################
+# update_engine_payload_key, used by update_engine. We use the same key as otacerts but in RSA
+# public key format.
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := update_engine_payload_key
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_STEM := update-payload-key.pub.pem
+LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/update_engine
+include $(BUILD_SYSTEM)/base_rules.mk
+$(LOCAL_BUILT_MODULE): $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+ openssl x509 -pubkey -noout -in $< > $@
+
+
+#######################################
+# update_engine_payload_key for recovery image, used by update_engine.
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := update_engine_payload_key.recovery
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_STEM := update-payload-key.pub.pem
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)/system/etc/update_engine
+include $(BUILD_SYSTEM)/base_rules.mk
+$(LOCAL_BUILT_MODULE): $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+ openssl x509 -pubkey -noout -in $< > $@
diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index 3e2a113..495fec3 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -93,9 +93,11 @@
# Values for "certificate" in apkcerts that mean special things.
SPECIAL_CERT_STRINGS = ("PRESIGNED", "EXTERNAL")
-# The partitions allowed to be signed by AVB (Android verified boot 2.0).
-AVB_PARTITIONS = ('boot', 'recovery', 'system', 'vendor', 'product',
- 'product_services', 'dtbo', 'odm')
+# The partitions allowed to be signed by AVB (Android Verified Boot 2.0). Note
+# that system_other is not in the list because we don't want to include its
+# descriptor into vbmeta.img.
+AVB_PARTITIONS = ('boot', 'dtbo', 'odm', 'product', 'product_services',
+ 'recovery', 'system', 'vendor')
# Partitions that should have their care_map added to META/care_map.pb
PARTITIONS_WITH_CARE_MAP = ('system', 'vendor', 'product', 'product_services',
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index 64e7ca8..9aa9499 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -602,6 +602,13 @@
print(" Rewriting AVB public key of system_other in /product")
common.ZipWrite(output_tf_zip, public_key, filename)
+ # Should NOT sign boot-debug.img.
+ elif filename in (
+ "BOOT/RAMDISK/force_debuggable",
+ "RECOVERY/RAMDISK/force_debuggable"
+ "RECOVERY/RAMDISK/first_stage_ramdisk/force_debuggable"):
+ raise common.ExternalError("debuggable boot.img cannot be signed")
+
# A non-APK file; copy it verbatim.
else:
common.ZipWriteStr(output_tf_zip, out_info, data)