APEXes can be signed with devkeys
When PRODUCT_DEFAULT_DEV_CERTIFICATE is set to /vendor/foo/devkeys/test,
then the public/private key pairs for an apex_key is searched at
/vendor/foo/devkeys directory.
To be specific,
/system/timezone/Android.bp:
apex_key {
name: "timezone.key",
public_key: "com.android.tzdata.avbpubkey",
private_key: "com.android.tzdata.pem",
}
When PRODUCT_DEFAULT_DEV_CERTIFICATE isn't set, the keys are searched at
/system/timezone, which is the path where Android.bp is located.
With PRODUCT_DEFAULT_DEV_CERTIFICATE set to /vendor/foo/devkeys/test,
the keys are searched at /vendor/foo/devkeys.
Bug: 121224311
Test: m (apex_test updated)
Test: m with crosshatch (PRODUCT_DEFAULT_DEV_CERTIFICATE is set to
/vendor/google/...)
Test: m with cheets (PRODUCT_DEFAULT_DEV_CERTIFICATE is set, but there
is no apex key there. The product is with TARGET_FLATTEN_APEX := true)
Change-Id: I213bbb96c433d851f9cc982871459fd7fb4fe47d
diff --git a/android/config.go b/android/config.go
index 65c58ac..38f6ec8 100644
--- a/android/config.go
+++ b/android/config.go
@@ -561,6 +561,19 @@
}
}
+func (c *config) ApexKeyDir(ctx ModuleContext) SourcePath {
+ // TODO(b/121224311): define another variable such as TARGET_APEX_KEY_OVERRIDE
+ defaultCert := String(c.productVariables.DefaultAppCertificate)
+ if defaultCert == "" || filepath.Dir(defaultCert) == "build/target/product/security" {
+ // When defaultCert is unset or is set to the testkeys path, use the APEX keys
+ // that is under the module dir
+ return PathForModuleSrc(ctx).SourcePath
+ } else {
+ // If not, APEX keys are under the specified directory
+ return PathForSource(ctx, filepath.Dir(defaultCert))
+ }
+}
+
func (c *config) AllowMissingDependencies() bool {
return Bool(c.productVariables.Allow_missing_dependencies)
}