microdroid_manager: verify APK/APEXes
Even though libapkverify doesn't do much verification for now, having
it in use would make CI detect errors in the future.
TODO:
- zipfuse should wait until APK is verified.
- boot should abort when verification fails.
Bug: 190343842
Test: MicrodroidHostTestCases
Change-Id: I221be1c7d9a0bfcd312593d3958f950311b67af5
diff --git a/apkverify/src/sigutil.rs b/apkverify/src/sigutil.rs
index 564831f..43fbe67 100644
--- a/apkverify/src/sigutil.rs
+++ b/apkverify/src/sigutil.rs
@@ -128,19 +128,19 @@
}
pub fn is_supported_signature_algorithm(algorithm_id: u32) -> bool {
- match algorithm_id {
+ matches!(
+ algorithm_id,
SIGNATURE_RSA_PSS_WITH_SHA256
- | SIGNATURE_RSA_PSS_WITH_SHA512
- | SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA256
- | SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA512
- | SIGNATURE_ECDSA_WITH_SHA256
- | SIGNATURE_ECDSA_WITH_SHA512
- | SIGNATURE_DSA_WITH_SHA256
- | SIGNATURE_VERITY_RSA_PKCS1_V1_5_WITH_SHA256
- | SIGNATURE_VERITY_ECDSA_WITH_SHA256
- | SIGNATURE_VERITY_DSA_WITH_SHA256 => true,
- _ => false,
- }
+ | SIGNATURE_RSA_PSS_WITH_SHA512
+ | SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA256
+ | SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA512
+ | SIGNATURE_ECDSA_WITH_SHA256
+ | SIGNATURE_ECDSA_WITH_SHA512
+ | SIGNATURE_DSA_WITH_SHA256
+ | SIGNATURE_VERITY_RSA_PKCS1_V1_5_WITH_SHA256
+ | SIGNATURE_VERITY_ECDSA_WITH_SHA256
+ | SIGNATURE_VERITY_DSA_WITH_SHA256
+ )
}
fn to_content_digest_algorithm(algorithm_id: u32) -> Result<u32> {
diff --git a/apkverify/src/v3.rs b/apkverify/src/v3.rs
index 0a292df..1bf8a61 100644
--- a/apkverify/src/v3.rs
+++ b/apkverify/src/v3.rs
@@ -16,6 +16,9 @@
//! Verifies APK Signature Scheme V3
+// TODO(jooyung) remove this
+#![allow(dead_code)]
+
use anyhow::{anyhow, bail, Result};
use bytes::Bytes;
use std::fs::File;