Do not require fs-verity built-in signature There are use cases where fs-verity without signature is helpful. Relax the restriction. Existing use cases (other than work-in-progress features) of fs-verity in AOSP has been migrated to signature check in userspace. Bug: 249158715 Test: CtsAppSecurityHostTestCases:android.appsecurity.cts.ApkVerityInstallTest Ignore-AOSP-First: Security implication requires some change in frameworks/base Change-Id: I6b7d7143485ad304d4aa7e8a924d32d558540b92 Merged-In: I6b7d7143485ad304d4aa7e8a924d32d558540b92

commit: 1b8ac1a87982424482d9ef0c464f1a0af6598ca3 [log] [tgz]
author: Victor Hsieh <victorhsieh@google.com> Wed Oct 05 17:15:54 2022 -0700
committer: Victor Hsieh <victorhsieh@google.com> Mon Dec 05 11:04:08 2022 -0800
tree: 2800c4cddd34a98775432cc588d1f9acb7650b40
parent: 2377248cd64666563178acb92b5580776bc4acf2 [diff]
diff --git a/fsverity_init/main.cpp b/fsverity_init/main.cpp
index 3f75dca..b502b91 100644
--- a/fsverity_init/main.cpp
+++ b/fsverity_init/main.cpp

@@ -48,12 +48,6 @@
             return -1;
         }
     } else if (command == "--lock") {
-        // Requires files backed by fs-verity to be verified with a key in .fs-verity
-        // keyring.
-        if (!android::base::WriteStringToFile("1", "/proc/sys/fs/verity/require_signatures")) {
-            PLOG(ERROR) << "Failed to enforce fs-verity signature";
-        }
-
         if (!android::base::GetBoolProperty("ro.debuggable", false)) {
             if (keyctl_restrict_keyring(keyring_id, nullptr, nullptr) < 0) {
                 PLOG(ERROR) << "Cannot restrict .fs-verity keyring";
commit	1b8ac1a87982424482d9ef0c464f1a0af6598ca3	[log] [tgz]
author	Victor Hsieh <victorhsieh@google.com>	Wed Oct 05 17:15:54 2022 -0700
committer	Victor Hsieh <victorhsieh@google.com>	Mon Dec 05 11:04:08 2022 -0800
tree	2800c4cddd34a98775432cc588d1f9acb7650b40
parent	2377248cd64666563178acb92b5580776bc4acf2 [diff]