Dump and enforce certificate for apks
Dump the list of APKs that are not located on the system partition but are signed with the system certificate. When the enforcement option is enabled, the build fails if any APK satisfies the condition above. Bug: 74699609 Test: m -j Test: m out/target/product/$(get_build_var TARGET_DEVICE)/certificate_violation_modules.txt Change-Id: I23c41f2665dd97abac3e77d1c82d81ff91b894eb
This commit is contained in:
parent
8d95a14476
commit
b2c4bb7e3d
@ -0,0 +1,12 @@
|
|||
|
||||
ifeq (true,$(filter true, \
|
||||
$(LOCAL_PRODUCT_MODULE) $(LOCAL_PRODUCT_SERVICES_MODULE) \
|
||||
$(LOCAL_VENDOR_MODULE) $(LOCAL_PROPRIETARY_MODULE)))
|
||||
ifneq (,$(filter $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))%,$(LOCAL_CERTIFICATE)))
|
||||
CERTIFICATE_VIOLATION_MODULES += $(LOCAL_MODULE)
|
||||
ifeq (true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT))
|
||||
$(if $(filter $(LOCAL_MODULE),$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST)),,\
|
||||
$(call pretty-error,The module in product partition cannot be signed with certificate in system.))
|
||||
endif
|
||||
endif
|
||||
endif
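Review bot: The partition guard on the first three lines, `ifeq (true,$(filter true, ...))`, is skipped whenever more than one of the four flags is `true`, because `$(filter)` then expands to `true true`, which is not string-equal to `true`; a module that sets both `LOCAL_VENDOR_MODULE` and `LOCAL_PROPRIETARY_MODULE` therefore appears in neither the report nor the enforcement error. Test membership instead of equality: `ifneq (,$(filter true,$(LOCAL_PRODUCT_MODULE) $(LOCAL_PRODUCT_SERVICES_MODULE) $(LOCAL_VENDOR_MODULE) $(LOCAL_PROPRIETARY_MODULE)))`. The enforcement block also re-reads `PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT` and the whitelist directly, although this commit defines `ENFORCE_SYSTEM_CERTIFICATE` and `ENFORCE_SYSTEM_CERTIFICATE_WHITELIST` in config.mk for exactly those values; reading the same variables here keeps the make-side and Soong-side decisions from drifting. Since the file is included from three templates that hand it `LOCAL_CERTIFICATE` in different shapes (a path without extension from package_internal.mk and prebuilt_internal.mk, a full `.x509.pem` path from soong_app_prebuilt.mk), a header comment such as `# Expects LOCAL_CERTIFICATE to be a path whose directory identifies the signing key set; bare names must be normalized by the includer.` would document the contract, and the error text could name both partitions it covers, `The module in product or vendor partition cannot be signed with certificate in system.`.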
|
|
@ -77,6 +77,9 @@ ALL_FINDBUGS_FILES:=
|
|||
# GPL module license files
|
||||
ALL_GPL_MODULE_LICENSE_FILES:=
|
||||
|
||||
# Packages with certificate violation
|
||||
CERTIFICATE_VIOLATION_MODULES :=
|
||||
|
||||
# Target and host installed module's dependencies on shared libraries.
|
||||
# They are list of "<module_name>:<installed_file>:lib1,lib2...".
|
||||
TARGET_DEPENDENCIES_ON_SHARED_LIBRARIES :=
|
||||
|
|
|
@ -1096,6 +1096,13 @@ ifdef FULL_BUILD
|
|||
$(TARGET_OUT_SYSTEM_OTHER)/%.vdex \
|
||||
$(TARGET_OUT_SYSTEM_OTHER)/%.art
|
||||
endif
|
||||
|
||||
CERTIFICATE_VIOLATION_MODULES_FILENAME := $(PRODUCT_OUT)/certificate_violation_modules.txt
|
||||
$(CERTIFICATE_VIOLATION_MODULES_FILENAME):
|
||||
rm -f $@
|
||||
$(foreach m,$(sort $(CERTIFICATE_VIOLATION_MODULES)), echo $(m) >> $@;)
|
||||
$(call dist-for-goals,droidcore,$(CERTIFICATE_VIOLATION_MODULES_FILENAME))
|
||||
|
||||
all_offending_files :=
|
||||
$(foreach makefile,$(ARTIFACT_PATH_REQUIREMENT_PRODUCTS),\
|
||||
$(eval requirements := $(PRODUCTS.$(makefile).ARTIFACT_PATH_REQUIREMENTS)) \
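Review bot: The `$(CERTIFICATE_VIOLATION_MODULES_FILENAME)` rule never creates its target when the violation list is empty (`rm -f $@` followed by zero `echo` lines), so the `dist-for-goals` call on the next line can refer to a file that does not exist, and a successful run leaves no record that the check ran. Replacing `rm -f $@` with `: > $@` creates an empty report in that case without changing the non-empty output. The rule also has no prerequisites, so once the file exists it is never regenerated when the set of offending modules changes; if main.mk has a convention for always-rewritten report files it is not visible in this hunk, otherwise give the target a prerequisite that changes with the module list or declare it phony as the surrounding code does for similar reports.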
|
||||
|
|
|
@ -535,6 +535,7 @@ endif
|
|||
ifeq ($(dir $(strip $(LOCAL_CERTIFICATE))),./)
|
||||
LOCAL_CERTIFICATE := $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))$(LOCAL_CERTIFICATE)
|
||||
endif
|
||||
include $(BUILD_SYSTEM)/app_certificate_validate.mk
|
||||
private_key := $(LOCAL_CERTIFICATE).pk8
|
||||
certificate := $(LOCAL_CERTIFICATE).x509.pem
|
||||
additional_certificates := $(foreach c,$(LOCAL_ADDITIONAL_CERTIFICATES), $(c).x509.pem $(c).pk8)
|
||||
|
|
|
@ -306,6 +306,8 @@ else
|
|||
$(built_module) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem
|
||||
endif
|
||||
|
||||
include $(BUILD_SYSTEM)/app_certificate_validate.mk
|
||||
|
||||
# Disable dex-preopt of prebuilts to save space, if requested.
|
||||
ifndef LOCAL_DEX_PREOPT
|
||||
ifeq ($(DONT_DEXPREOPT_PREBUILTS),true)
|
||||
|
|
|
@ -204,6 +204,8 @@ _product_var_list := \
|
|||
PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE \
|
||||
PRODUCT_ACTIONABLE_COMPATIBLE_PROPERTY_DISABLE \
|
||||
PRODUCT_ENFORCE_ARTIFACT_PATH_REQUIREMENTS \
|
||||
PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT \
|
||||
PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST \
|
||||
PRODUCT_ARTIFACT_PATH_REQUIREMENT_HINT \
|
||||
PRODUCT_ARTIFACT_PATH_REQUIREMENT_WHITELIST \
|
||||
PRODUCT_USE_DYNAMIC_PARTITION_SIZE \
|
||||
|
|
|
@ -367,6 +367,11 @@ PRODUCT_PRODUCT_PROPERTIES := \
|
|||
$(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_PRODUCT_PROPERTIES))
|
||||
.KATI_READONLY := PRODUCT_PRODUCT_PROPERTIES
|
||||
|
||||
ENFORCE_SYSTEM_CERTIFICATE := \
|
||||
$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT)
|
||||
|
||||
ENFORCE_SYSTEM_CERTIFICATE_WHITELIST := \
|
||||
$(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST))
|
||||
|
||||
# A list of property assignments, like "key = value", with zero or more
|
||||
# whitespace characters on either side of the '='.
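Review bot: `ENFORCE_SYSTEM_CERTIFICATE` is assigned unstripped while `ENFORCE_SYSTEM_CERTIFICATE_WHITELIST` two lines below is wrapped in `$(strip)`, and neither value is normalized to the `true`/empty form the make-side check in app_certificate_validate.mk compares against with `ifeq (true, ...)`. If `add_json_bool` treats any non-empty string as true (not visible here), a product that sets the variable to `false` would enable enforcement in Soong while make leaves it disabled; normalizing once at the definition avoids that split: `ENFORCE_SYSTEM_CERTIFICATE := $(filter true,$(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT)))`. Both variables should also be frozen like the neighbouring `.KATI_READONLY := PRODUCT_PRODUCT_PROPERTIES`, i.e. `.KATI_READONLY := ENFORCE_SYSTEM_CERTIFICATE ENFORCE_SYSTEM_CERTIFICATE_WHITELIST`, so a later makefile cannot silently relax the policy.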
|
||||
|
|
|
@ -108,7 +108,7 @@ ifdef LOCAL_CERTIFICATE
|
|||
PACKAGES.$(LOCAL_MODULE).CERTIFICATE := $(LOCAL_CERTIFICATE)
|
||||
PACKAGES.$(LOCAL_MODULE).PRIVATE_KEY := $(patsubst %.x509.pem,%.pk8,$(LOCAL_CERTIFICATE))
|
||||
endif
|
||||
|
||||
include $(BUILD_SYSTEM)/app_certificate_validate.mk
|
||||
PACKAGES.$(LOCAL_MODULE).OVERRIDES := $(strip $(LOCAL_OVERRIDES_PACKAGES))
|
||||
|
||||
ifdef LOCAL_SOONG_BUNDLE
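Review bot: The added `include $(BUILD_SYSTEM)/app_certificate_validate.mk` sits outside the `ifdef LOCAL_CERTIFICATE` block above it, so a Soong-built app that exports no `LOCAL_CERTIFICATE` is silently never recorded or rejected on the make side; that is presumably intended because this commit also passes `EnforceSystemCertificate` to Soong, but the hunk should say so: `# Apps without an exported LOCAL_CERTIFICATE are checked by Soong (EnforceSystemCertificate), not here.`. Note too that in this file `LOCAL_CERTIFICATE` is a full `.x509.pem` path (see the `PRIVATE_KEY` patsubst just above), unlike the extension-less path that package_internal.mk and prebuilt_internal.mk pass at their includes; the shared `$(dir ...)%` filter accepts both, but the difference is worth a comment so a future change to one template does not break the other.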
|
||||
|
|
|
@ -146,6 +146,9 @@ $(call add_json_str, DexpreoptGlobalConfig, $(DEX_PREOPT_CONFIG))
|
|||
|
||||
$(call add_json_list, ManifestPackageNameOverrides, $(PRODUCT_MANIFEST_PACKAGE_NAME_OVERRIDES))
|
||||
|
||||
$(call add_json_bool, EnforceSystemCertificate, $(ENFORCE_SYSTEM_CERTIFICATE))
|
||||
$(call add_json_list, EnforceSystemCertificateWhitelist, $(ENFORCE_SYSTEM_CERTIFICATE_WHITELIST))
|
||||
|
||||
$(call add_json_map, VendorVars)
|
||||
$(foreach namespace,$(SOONG_CONFIG_NAMESPACES),\
|
||||
$(call add_json_map, $(namespace))\
|
||||
|
|