add "EXTERNAL" as special value of LOCAL_CERTIFICATE
Setting LOCAL_CERTIFICATE to "EXTERNAL" now marks an apk (either a
prebuilt or otherwise) as needing the default test key within the
system, but one that should be signed after the target_files is
produced but before sign_target_files_apks does the rest of the
signing. (We use this to ship apps on the system that are signed by
third parties, like Facebook.)
diff --git a/core/Makefile b/core/Makefile
index deb9f58..dfba6ce 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -208,8 +208,11 @@
@mkdir -p $(dir $@)
@rm -f $@
$(hide) $(foreach p,$(PACKAGES),\
- echo 'name="$(p).apk" certificate="$(PACKAGES.$(p).CERTIFICATE)" \
- private_key="$(PACKAGES.$(p).PRIVATE_KEY)"' >> $@;)
+ $(if $(PACKAGES.$(p).EXTERNAL_KEY),\
+ echo 'name="$(p).apk" certificate="EXTERNAL" \
+ private_key=""' >> $@;,\
+ echo 'name="$(p).apk" certificate="$(PACKAGES.$(p).CERTIFICATE)" \
+ private_key="$(PACKAGES.$(p).PRIVATE_KEY)"' >> $@;))
.PHONY: apkcerts-list
apkcerts-list: $(APKCERTS_FILE)
diff --git a/core/package.mk b/core/package.mk
index d92a8b8..70f10e0 100644
--- a/core/package.mk
+++ b/core/package.mk
@@ -244,6 +244,15 @@
ifeq ($(LOCAL_CERTIFICATE),)
LOCAL_CERTIFICATE := testkey
endif
+
+ifeq ($(LOCAL_CERTIFICATE),EXTERNAL)
+ # The special value "EXTERNAL" means that we will sign it with the
+ # default testkey, apply predexopt, but then expect the final .apk
+ # (after dexopting) to be signed by an outside tool.
+ LOCAL_CERTIFICATE := testkey
+ PACKAGES.$(LOCAL_PACKAGE_NAME).EXTERNAL_KEY := 1
+endif
+
# If this is not an absolute certificate, assign it to a generic one.
ifeq ($(dir $(strip $(LOCAL_CERTIFICATE))),./)
LOCAL_CERTIFICATE := $(SRC_TARGET_DIR)/product/security/$(LOCAL_CERTIFICATE)
diff --git a/core/prebuilt.mk b/core/prebuilt.mk
index 2693f5d..b03f2af 100644
--- a/core/prebuilt.mk
+++ b/core/prebuilt.mk
@@ -42,6 +42,16 @@
endif
endif
+ifeq ($(LOCAL_CERTIFICATE),EXTERNAL)
+ # The magic string "EXTERNAL" means this package will be signed with
+ # the test key throughout the build process, but we expect the final
+ # package to be signed with a different key.
+ #
+ # This can be used for packages where we don't have access to the
+ # keys, but want the package to be predexopt'ed.
+ LOCAL_CERTIFICATE := testkey
+ PACKAGES.$(LOCAL_MODULE).EXTERNAL_KEY := 1
+endif
ifeq ($(LOCAL_CERTIFICATE),)
ifneq ($(filter APPS,$(LOCAL_MODULE_CLASS)),)
# It is now a build error to add a prebuilt .apk without