Add signing certificate lineage support to soong
(This is a cherry pick.)
Test: app_test
Bug: 153366049
Merged-In: I65a92d6c40057dcc01950991fb7be485de1c9080
Change-Id: I65a92d6c40057dcc01950991fb7be485de1c9080
diff --git a/java/app.go b/java/app.go
index f1af2ad..2fea4a0 100755
--- a/java/app.go
+++ b/java/app.go
@@ -129,6 +129,9 @@
// or an android_app_certificate module name in the form ":module".
Certificate *string
+ // Name of the signing certificate lineage file.
+ Lineage *string
+
// the package name of this app. The package name in the manifest file is used if one was not given.
Package_name *string
@@ -596,13 +599,17 @@
// Build a final signed app package.
packageFile := android.PathForModuleOut(ctx, a.installApkName+".apk")
- CreateAndSignAppPackage(ctx, packageFile, a.exportPackage, jniJarFile, dexJarFile, certificates, apkDeps)
+ var lineageFile android.Path
+ if lineage := String(a.overridableAppProperties.Lineage); lineage != "" {
+ lineageFile = android.PathForModuleSrc(ctx, lineage)
+ }
+ CreateAndSignAppPackage(ctx, packageFile, a.exportPackage, jniJarFile, dexJarFile, certificates, apkDeps, lineageFile)
a.outputFile = packageFile
for _, split := range a.aapt.splits {
// Sign the split APKs
packageFile := android.PathForModuleOut(ctx, a.installApkName+"_"+split.suffix+".apk")
- CreateAndSignAppPackage(ctx, packageFile, split.path, nil, nil, certificates, apkDeps)
+ CreateAndSignAppPackage(ctx, packageFile, split.path, nil, nil, certificates, apkDeps, lineageFile)
a.extraOutputFiles = append(a.extraOutputFiles, packageFile)
}
@@ -1299,7 +1306,7 @@
}
a.certificate = certificates[0]
signed := android.PathForModuleOut(ctx, "signed", apkFilename)
- SignAppPackage(ctx, signed, dexOutput, certificates)
+ SignAppPackage(ctx, signed, dexOutput, certificates, nil)
a.outputFile = signed
} else {
alignedApk := android.PathForModuleOut(ctx, "zip-aligned", apkFilename)
@@ -1558,7 +1565,7 @@
_, certificates := collectAppDeps(ctx, false, false)
certificates = processMainCert(r.ModuleBase, String(r.properties.Certificate), certificates, ctx)
signed := android.PathForModuleOut(ctx, "signed", r.Name()+".apk")
- SignAppPackage(ctx, signed, r.aapt.exportPackage, certificates)
+ SignAppPackage(ctx, signed, r.aapt.exportPackage, certificates, nil)
r.certificate = certificates[0]
r.outputFile = signed
diff --git a/java/app_builder.go b/java/app_builder.go
index 5e7fbe6..1efc856 100644
--- a/java/app_builder.go
+++ b/java/app_builder.go
@@ -45,7 +45,7 @@
})
func CreateAndSignAppPackage(ctx android.ModuleContext, outputFile android.WritablePath,
- packageFile, jniJarFile, dexJarFile android.Path, certificates []Certificate, deps android.Paths) {
+ packageFile, jniJarFile, dexJarFile android.Path, certificates []Certificate, deps android.Paths, lineageFile android.Path) {
unsignedApkName := strings.TrimSuffix(outputFile.Base(), ".apk") + "-unsigned.apk"
unsignedApk := android.PathForModuleOut(ctx, unsignedApkName)
@@ -66,10 +66,10 @@
Implicits: deps,
})
- SignAppPackage(ctx, outputFile, unsignedApk, certificates)
+ SignAppPackage(ctx, outputFile, unsignedApk, certificates, lineageFile)
}
-func SignAppPackage(ctx android.ModuleContext, signedApk android.WritablePath, unsignedApk android.Path, certificates []Certificate) {
+func SignAppPackage(ctx android.ModuleContext, signedApk android.WritablePath, unsignedApk android.Path, certificates []Certificate, lineageFile android.Path) {
var certificateArgs []string
var deps android.Paths
@@ -78,6 +78,11 @@
deps = append(deps, c.Pem, c.Key)
}
+ var flags []string
+ if lineageFile != nil {
+ flags = append(flags, "--lineage", lineageFile.String())
+ }
+
ctx.Build(pctx, android.BuildParams{
Rule: Signapk,
Description: "signapk",
@@ -86,6 +91,7 @@
Implicits: deps,
Args: map[string]string{
"certificates": strings.Join(certificateArgs, " "),
+ "flags": strings.Join(flags, " "),
},
})
}
diff --git a/java/app_test.go b/java/app_test.go
index 4bcfa5a..1067c27 100644
--- a/java/app_test.go
+++ b/java/app_test.go
@@ -1209,7 +1209,8 @@
name string
bp string
certificateOverride string
- expected string
+ expectedLineage string
+ expectedCertificate string
}{
{
name: "default",
@@ -1221,7 +1222,8 @@
}
`,
certificateOverride: "",
- expected: "build/make/target/product/security/testkey.x509.pem build/make/target/product/security/testkey.pk8",
+ expectedLineage: "",
+ expectedCertificate: "build/make/target/product/security/testkey.x509.pem build/make/target/product/security/testkey.pk8",
},
{
name: "module certificate property",
@@ -1239,7 +1241,8 @@
}
`,
certificateOverride: "",
- expected: "cert/new_cert.x509.pem cert/new_cert.pk8",
+ expectedLineage: "",
+ expectedCertificate: "cert/new_cert.x509.pem cert/new_cert.pk8",
},
{
name: "path certificate property",
@@ -1252,7 +1255,8 @@
}
`,
certificateOverride: "",
- expected: "build/make/target/product/security/expiredkey.x509.pem build/make/target/product/security/expiredkey.pk8",
+ expectedLineage: "",
+ expectedCertificate: "build/make/target/product/security/expiredkey.x509.pem build/make/target/product/security/expiredkey.pk8",
},
{
name: "certificate overrides",
@@ -1270,7 +1274,28 @@
}
`,
certificateOverride: "foo:new_certificate",
- expected: "cert/new_cert.x509.pem cert/new_cert.pk8",
+ expectedLineage: "",
+ expectedCertificate: "cert/new_cert.x509.pem cert/new_cert.pk8",
+ },
+ {
+ name: "certificate lineage",
+ bp: `
+ android_app {
+ name: "foo",
+ srcs: ["a.java"],
+ certificate: ":new_certificate",
+ lineage: "lineage.bin",
+ sdk_version: "current",
+ }
+
+ android_app_certificate {
+ name: "new_certificate",
+ certificate: "cert/new_cert",
+ }
+ `,
+ certificateOverride: "",
+ expectedLineage: "--lineage lineage.bin",
+ expectedCertificate: "cert/new_cert.x509.pem cert/new_cert.pk8",
},
}
@@ -1286,9 +1311,14 @@
foo := ctx.ModuleForTests("foo", "android_common")
signapk := foo.Output("foo.apk")
- signFlags := signapk.Args["certificates"]
- if test.expected != signFlags {
- t.Errorf("Incorrect signing flags, expected: %q, got: %q", test.expected, signFlags)
+ signCertificateFlags := signapk.Args["certificates"]
+ if test.expectedCertificate != signCertificateFlags {
+ t.Errorf("Incorrect signing flags, expected: %q, got: %q", test.expectedCertificate, signCertificateFlags)
+ }
+
+ signFlags := signapk.Args["flags"]
+ if test.expectedLineage != signFlags {
+ t.Errorf("Incorrect signing flags, expected: %q, got: %q", test.expectedLineage, signFlags)
}
})
}
@@ -1402,6 +1432,7 @@
name: "bar",
base: "foo",
certificate: ":new_certificate",
+ lineage: "lineage.bin",
logging_parent: "bah",
}
@@ -1422,7 +1453,8 @@
variantName string
apkName string
apkPath string
- signFlag string
+ certFlag string
+ lineageFlag string
overrides []string
aaptFlag string
logging_parent string
@@ -1431,7 +1463,8 @@
moduleName: "foo",
variantName: "android_common",
apkPath: "/target/product/test_device/system/app/foo/foo.apk",
- signFlag: "build/make/target/product/security/expiredkey.x509.pem build/make/target/product/security/expiredkey.pk8",
+ certFlag: "build/make/target/product/security/expiredkey.x509.pem build/make/target/product/security/expiredkey.pk8",
+ lineageFlag: "",
overrides: []string{"qux"},
aaptFlag: "",
logging_parent: "",
@@ -1440,7 +1473,8 @@
moduleName: "bar",
variantName: "android_common_bar",
apkPath: "/target/product/test_device/system/app/bar/bar.apk",
- signFlag: "cert/new_cert.x509.pem cert/new_cert.pk8",
+ certFlag: "cert/new_cert.x509.pem cert/new_cert.pk8",
+ lineageFlag: "--lineage lineage.bin",
overrides: []string{"qux", "foo"},
aaptFlag: "",
logging_parent: "bah",
@@ -1449,7 +1483,8 @@
moduleName: "baz",
variantName: "android_common_baz",
apkPath: "/target/product/test_device/system/app/baz/baz.apk",
- signFlag: "build/make/target/product/security/expiredkey.x509.pem build/make/target/product/security/expiredkey.pk8",
+ certFlag: "build/make/target/product/security/expiredkey.x509.pem build/make/target/product/security/expiredkey.pk8",
+ lineageFlag: "",
overrides: []string{"qux", "foo"},
aaptFlag: "--rename-manifest-package org.dandroid.bp",
logging_parent: "",
@@ -1474,9 +1509,15 @@
// Check the certificate paths
signapk := variant.Output(expected.moduleName + ".apk")
- signFlag := signapk.Args["certificates"]
- if expected.signFlag != signFlag {
- t.Errorf("Incorrect signing flags, expected: %q, got: %q", expected.signFlag, signFlag)
+ certFlag := signapk.Args["certificates"]
+ if expected.certFlag != certFlag {
+ t.Errorf("Incorrect signing flags, expected: %q, got: %q", expected.certFlag, certFlag)
+ }
+
+ // Check the lineage flags
+ lineageFlag := signapk.Args["flags"]
+ if expected.lineageFlag != lineageFlag {
+ t.Errorf("Incorrect signing flags, expected: %q, got: %q", expected.lineageFlag, lineageFlag)
}
// Check if the overrides field values are correctly aggregated.
diff --git a/java/testing.go b/java/testing.go
index 6929bb7..7d7cb57 100644
--- a/java/testing.go
+++ b/java/testing.go
@@ -116,6 +116,7 @@
"cert/new_cert.x509.pem": nil,
"cert/new_cert.pk8": nil,
+ "lineage.bin": nil,
"testdata/data": nil,