Merge "Check system certificate violation for product apks"
diff --git a/android/config.go b/android/config.go
index b3469a9..65c58ac 100644
--- a/android/config.go
+++ b/android/config.go
@@ -950,6 +950,14 @@
return Bool(c.productVariables.FlattenApex)
}
+func (c *config) EnforceSystemCertificate() bool {
+ return Bool(c.productVariables.EnforceSystemCertificate)
+}
+
+func (c *config) EnforceSystemCertificateWhitelist() []string {
+ return c.productVariables.EnforceSystemCertificateWhitelist
+}
+
func stringSlice(s *[]string) []string {
if s != nil {
return *s
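Review bot: The two new exported methods have no doc comments, and nothing in this hunk says what the whitelist entries are; the java/app.go hunk compares them with `a.Module.Name()`, so they are module names. I would add `// EnforceSystemCertificate reports whether the EnforceSystemCertificate product variable is enabled.` and `// EnforceSystemCertificateWhitelist returns the module names exempt from that check; callers must not modify the returned slice.` The second comment matters because the method hands back the slice stored in `productVariables` rather than a copy. The matching fields added in android/variable.go are also uncommented and would benefit from a one-line description of the policy they configure.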
diff --git a/android/variable.go b/android/variable.go
index 264869a..7e976cd 100644
--- a/android/variable.go
+++ b/android/variable.go
@@ -263,6 +263,9 @@
DexpreoptGlobalConfig *string `json:",omitempty"`
ManifestPackageNameOverrides []string `json:",omitempty"`
+
+ EnforceSystemCertificate *bool `json:",omitempty"`
+ EnforceSystemCertificateWhitelist []string `json:",omitempty"`
}
func boolPtr(v bool) *bool {
diff --git a/java/app.go b/java/app.go
index 3b2305f..4bae78a 100644
--- a/java/app.go
+++ b/java/app.go
@@ -263,6 +263,20 @@
packageFile := android.PathForModuleOut(ctx, "package.apk")
CreateAppPackage(ctx, packageFile, a.exportPackage, jniJarFile, dexJarFile, certificates)
+
+ if !a.Module.Platform() {
+ certPath := a.certificate.Pem.String()
+ systemCertPath := ctx.Config().DefaultAppCertificateDir(ctx).String()
+ if strings.HasPrefix(certPath, systemCertPath) {
+ enforceSystemCert := ctx.Config().EnforceSystemCertificate()
+ whitelist := ctx.Config().EnforceSystemCertificateWhitelist()
+
+ if enforceSystemCert && !inList(a.Module.Name(), whitelist) {
+ ctx.PropertyErrorf("certificate", "The module in product partition cannot be signed with certificate in system.")
+ }
+ }
+ }
+
a.outputFile = packageFile
bundleFile := android.PathForModuleOut(ctx, "base.zip")
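Review bot: The `strings.HasPrefix(certPath, systemCertPath)` test compares raw strings rather than path components, so a certificate in a sibling directory whose name merely begins with the default certificate directory's name is also rejected; assuming the directory string carries no trailing separator, `strings.HasPrefix(certPath, systemCertPath+"/")` would limit the match to files under that directory. Only `a.certificate` is examined, while the `certificates` value handed to `CreateAppPackage` on the line above may hold further signing certificates (its construction is outside the hunk), so the policy would not cover them; looping over every entry would make the check complete. The condition `!a.Module.Platform()` appears to cover every non-platform module, whereas the error message speaks only of the product partition, and the message would be easier to act on if it named the offending certificate path. The enclosing function starts and ends outside this hunk.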