forked from openkylin/platform_build
Add signing certificate lineage file support.
Also add multi-cert support to prebuilt apps so that they can benefit from the new lineage feature. (This is a cherry-pick change.) Test: m GoogleServicesFramework w/ modified build rules Test: m PrebuiltGmsCore w/ modified build rules Test: apksigner lineage -v --print-certs -in <built_module_path> Fixes: 152897457 Change-Id: If7d5d4bd308629c8340231520214c76c8a568a65 Merged-In: If7d5d4bd308629c8340231520214c76c8a568a65
This commit is contained in:
parent
0889aaeeae
commit
95445e6913
|
@ -163,6 +163,13 @@ else
|
|||
$(built_module) : $(LOCAL_CERTIFICATE).pk8 $(LOCAL_CERTIFICATE).x509.pem
|
||||
$(built_module) : PRIVATE_PRIVATE_KEY := $(LOCAL_CERTIFICATE).pk8
|
||||
$(built_module) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem
|
||||
|
||||
additional_certificates := $(foreach c,$(LOCAL_ADDITIONAL_CERTIFICATES), $(c).x509.pem $(c).pk8)
|
||||
$(built_module): $(additional_certificates)
|
||||
$(built_module): PRIVATE_ADDITIONAL_CERTIFICATES := $(additional_certificates)
|
||||
|
||||
$(built_module): $(LOCAL_CERTIFICATE_LINEAGE)
|
||||
$(built_module): PRIVATE_CERTIFICATE_LINEAGE := $(LOCAL_CERTIFICATE_LINEAGE)
|
||||
endif
|
||||
|
||||
include $(BUILD_SYSTEM)/app_certificate_validate.mk
|
||||
|
|
|
@ -152,6 +152,7 @@ LOCAL_JAVA_RESOURCE_FILES:=
|
|||
LOCAL_JETIFIER_ENABLED:=
|
||||
LOCAL_JNI_SHARED_LIBRARIES:=
|
||||
LOCAL_JNI_SHARED_LIBRARIES_ABI:=
|
||||
LOCAL_CERTIFICATE_LINEAGE:=
|
||||
LOCAL_LDFLAGS:=
|
||||
LOCAL_LDLIBS:=
|
||||
LOCAL_LOGTAGS_FILES:=
|
||||
|
|
|
@ -2285,6 +2285,7 @@ endef
|
|||
define sign-package-arg
|
||||
$(hide) mv $(1) $(1).unsigned
|
||||
$(hide) $(JAVA) -Djava.library.path=$$(dirname $(SIGNAPK_JNI_LIBRARY_PATH)) -jar $(SIGNAPK_JAR) \
|
||||
$(if $(strip $(PRIVATE_CERTIFICATE_LINEAGE)), --lineage $(PRIVATE_CERTIFICATE_LINEAGE)) \
|
||||
$(PRIVATE_CERTIFICATE) $(PRIVATE_PRIVATE_KEY) \
|
||||
$(PRIVATE_ADDITIONAL_CERTIFICATES) $(1).unsigned $(1).signed
|
||||
$(hide) mv $(1).signed $(1)
|
||||
|
|
|
@ -471,6 +471,9 @@ PACKAGES.$(LOCAL_PACKAGE_NAME).CERTIFICATE := $(certificate)
|
|||
$(LOCAL_BUILT_MODULE): $(additional_certificates)
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CERTIFICATES := $(additional_certificates)
|
||||
|
||||
$(LOCAL_BUILT_MODULE): $(LOCAL_CERTIFICATE_LINEAGE)
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_CERTIFICATE_LINEAGE := $(LOCAL_CERTIFICATE_LINEAGE)
|
||||
|
||||
# Set a actual_partition_tag (calculated in base_rules.mk) for the package.
|
||||
PACKAGES.$(LOCAL_PACKAGE_NAME).PARTITION := $(actual_partition_tag)
|
||||
|
||||
|
|
|
@ -36,6 +36,7 @@ import org.conscrypt.OpenSSLProvider;
|
|||
|
||||
import com.android.apksig.ApkSignerEngine;
|
||||
import com.android.apksig.DefaultApkSignerEngine;
|
||||
import com.android.apksig.SigningCertificateLineage;
|
||||
import com.android.apksig.Hints;
|
||||
import com.android.apksig.apk.ApkUtils;
|
||||
import com.android.apksig.apk.MinSdkVersionException;
|
||||
|
@ -1042,6 +1043,7 @@ class SignApk {
|
|||
int alignment = 4;
|
||||
Integer minSdkVersionOverride = null;
|
||||
boolean signUsingApkSignatureSchemeV2 = true;
|
||||
SigningCertificateLineage certLineage = null;
|
||||
|
||||
int argstart = 0;
|
||||
while (argstart < args.length && args[argstart].startsWith("-")) {
|
||||
|
@ -1069,6 +1071,15 @@ class SignApk {
|
|||
} else if ("--disable-v2".equals(args[argstart])) {
|
||||
signUsingApkSignatureSchemeV2 = false;
|
||||
++argstart;
|
||||
} else if ("--lineage".equals(args[argstart])) {
|
||||
File lineageFile = new File(args[++argstart]);
|
||||
try {
|
||||
certLineage = SigningCertificateLineage.readFromFile(lineageFile);
|
||||
} catch (Exception e) {
|
||||
throw new IllegalArgumentException(
|
||||
"Error reading lineage file: " + e.getMessage());
|
||||
}
|
||||
++argstart;
|
||||
} else {
|
||||
usage();
|
||||
}
|
||||
|
@ -1149,6 +1160,7 @@ class SignApk {
|
|||
.setV2SigningEnabled(signUsingApkSignatureSchemeV2)
|
||||
.setOtherSignersSignaturesPreserved(false)
|
||||
.setCreatedBy("1.0 (Android SignApk)")
|
||||
.setSigningCertificateLineage(certLineage)
|
||||
.build()) {
|
||||
// We don't preserve the input APK's APK Signing Block (which contains v2
|
||||
// signatures)
|
||||
|
|
Loading…
Reference in New Issue