commit ef1a1fdf35fcad396b75b02751d86ef926e288bb
author Spandan Das <spandandas@google.com> Fri Jan 03 19:43:38 2025 +0000
committer Spandan Das <spandandas@google.com> Fri Jan 03 19:55:46 2025 +0000
tree bab3992b3ed3a983a587fad37ce63f0ae3c63a70
parent e530ab6420f2c5a5e851a8bbd592e174c69147a3

Provide avbpubkeys of all apexes

all_apex_certs will collect the set of all public keys used to sign apex
payloads. This will be used by `CtsAppSecurityHostTestCases` to ensure
that release builds are not signed with well known keys.

Followup to https://r.android.com/3422436 which collected the test
certificates of apexes.

Bug: 329299639
Test: m nothing
Change-Id: I57314f260a0ff5d7647e6d526cacbdaf29e8b055

apex/key.go

diff --git a/apex/key.go b/apex/key.go
index 9fa9d1e..1622c65 100644
--- a/apex/key.go
+++ b/apex/key.go
@@ -182,6 +182,7 @@
 }
 
 func (_ *allApexCerts) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+	var avbpubkeys android.Paths
 	var certificatesPem android.Paths
 	ctx.VisitDirectDeps(func(m android.Module) {
 		if apex, ok := m.(*apexBundle); ok {
@@ -194,9 +195,12 @@
 				}
 			}
 			certificatesPem = append(certificatesPem, pem)
+			// avbpubkey for signing the apex payload
+			avbpubkeys = append(avbpubkeys, apex.publicKeyFile)
 		}
 	})
 	certificatesPem = android.SortedUniquePaths(certificatesPem) // For hermiticity
+	avbpubkeys = android.SortedUniquePaths(avbpubkeys)           // For hermiticity
 	var certificatesDer android.Paths
 	for index, certificatePem := range certificatesPem {
 		certificateDer := android.PathForModuleOut(ctx, fmt.Sprintf("x509.%v.der", index))
@@ -209,6 +213,7 @@
 	}
 	ctx.SetOutputFiles(certificatesPem, ".pem")
 	ctx.SetOutputFiles(certificatesDer, ".der")
+	ctx.SetOutputFiles(avbpubkeys, ".avbpubkey")
 }
 
 func (_ *allApexCerts) GenerateSingletonBuildActions(ctx android.SingletonContext) {