Sign each APEX with different container certificate Each APEX is signed with different certificate. The test certificate (along with the private key) is com.android.<name>.x509.pem and com.android.<name>.pk8. The files are in the same directory as the APEX is defined and is referenced via android_app_certificate module named com.android.<name>.certificate. The test certificate could then be overridden via PRODUCT_CERTIFICATE_OVERRIDES := <apex_module_name>:<new_cert_module_name> Test: jarsigner -verify -verbose -certs out/target/product/blueline/system/apex/com.android.media.apex shows ... X.509, CN=com.android.media, OU=Android, O=Android, L=Mountain View, ST=California, C=US Change-Id: Ic61a7d2ca41254bda79ee5bdd3faf6d429a24e39

commit: 3ef4f718f24fa593638a6001fba6aa4e3cad4374 [log] [tgz]
author: Jiyong Park <jiyong@google.com> Mon Feb 11 11:00:31 2019 +0900
committer: Jiyong Park <jiyong@google.com> Fri Feb 15 11:00:22 2019 +0900
tree: 59d302d2f602fba22f58f56dcaa3960a476eeb77
parent: c6aa503951f6d65ead9b0066568bdb47b9896ca3 [diff] [blame]
diff --git a/apex/Android.bp b/apex/Android.bp
index c077a77..6e0a908 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp

@@ -42,6 +42,7 @@
         },
     },
     key: "com.android.media.key",
+    certificate: ":com.android.media.certificate",
 }
 
 apex {
@@ -65,3 +66,8 @@
     public_key: "com.android.media.swcodec.avbpubkey",
     private_key: "com.android.media.swcodec.pem",
 }
+
+android_app_certificate {
+    name: "com.android.media.certificate",
+    certificate: "com.android.media",
+}
commit	3ef4f718f24fa593638a6001fba6aa4e3cad4374	[log] [tgz]
author	Jiyong Park <jiyong@google.com>	Mon Feb 11 11:00:31 2019 +0900
committer	Jiyong Park <jiyong@google.com>	Fri Feb 15 11:00:22 2019 +0900
tree	59d302d2f602fba22f58f56dcaa3960a476eeb77
parent	c6aa503951f6d65ead9b0066568bdb47b9896ca3 [diff] [blame]