diff --git a/core/app_prebuilt_internal.mk b/core/app_prebuilt_internal.mk index 05d900160..61e13e9ff 100644 --- a/core/app_prebuilt_internal.mk +++ b/core/app_prebuilt_internal.mk @@ -163,6 +163,13 @@ else $(built_module) : $(LOCAL_CERTIFICATE).pk8 $(LOCAL_CERTIFICATE).x509.pem $(built_module) : PRIVATE_PRIVATE_KEY := $(LOCAL_CERTIFICATE).pk8 $(built_module) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem + + additional_certificates := $(foreach c,$(LOCAL_ADDITIONAL_CERTIFICATES), $(c).x509.pem $(c).pk8) + $(built_module): $(additional_certificates) + $(built_module): PRIVATE_ADDITIONAL_CERTIFICATES := $(additional_certificates) + + $(built_module): $(LOCAL_CERTIFICATE_LINEAGE) + $(built_module): PRIVATE_CERTIFICATE_LINEAGE := $(LOCAL_CERTIFICATE_LINEAGE) endif include $(BUILD_SYSTEM)/app_certificate_validate.mk diff --git a/core/clear_vars.mk b/core/clear_vars.mk index e27d91c27..3d481df55 100644 --- a/core/clear_vars.mk +++ b/core/clear_vars.mk @@ -152,6 +152,7 @@ LOCAL_JAVA_RESOURCE_FILES:= LOCAL_JETIFIER_ENABLED:= LOCAL_JNI_SHARED_LIBRARIES:= LOCAL_JNI_SHARED_LIBRARIES_ABI:= +LOCAL_CERTIFICATE_LINEAGE:= LOCAL_LDFLAGS:= LOCAL_LDLIBS:= LOCAL_LOGTAGS_FILES:= diff --git a/core/definitions.mk b/core/definitions.mk index 3499da932..0558a3833 100644 --- a/core/definitions.mk +++ b/core/definitions.mk @@ -2285,6 +2285,7 @@ endef define sign-package-arg $(hide) mv $(1) $(1).unsigned $(hide) $(JAVA) -Djava.library.path=$$(dirname $(SIGNAPK_JNI_LIBRARY_PATH)) -jar $(SIGNAPK_JAR) \ + $(if $(strip $(PRIVATE_CERTIFICATE_LINEAGE)), --lineage $(PRIVATE_CERTIFICATE_LINEAGE)) \ $(PRIVATE_CERTIFICATE) $(PRIVATE_PRIVATE_KEY) \ $(PRIVATE_ADDITIONAL_CERTIFICATES) $(1).unsigned $(1).signed $(hide) mv $(1).signed $(1) diff --git a/core/package_internal.mk b/core/package_internal.mk index c6c2cf55c..59e0701e4 100644 --- a/core/package_internal.mk +++ b/core/package_internal.mk 
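Review bot: In core/app_prebuilt_internal.mk the new lines feed `$(LOCAL_ADDITIONAL_CERTIFICATES)` (expanded to `.x509.pem`/`.pk8` pairs) and `$(LOCAL_CERTIFICATE_LINEAGE)` into the signing step as plain paths. The only validation visible is the existing `include $(BUILD_SYSTEM)/app_certificate_validate.mk` after `endif`, and the hunk does not show whether it covers anything beyond `LOCAL_CERTIFICATE`. The same applies to the `$(LOCAL_BUILT_MODULE): PRIVATE_CERTIFICATE_LINEAGE` lines added in core/package_internal.mk. Both assignments also sit only in this `else` branch, so a module that sets a lineage but takes another branch is presumably built without it and without a diagnostic. I would at least record this next to the new lines, e.g. `# TODO: confirm app_certificate_validate.mk also covers LOCAL_ADDITIONAL_CERTIFICATES and LOCAL_CERTIFICATE_LINEAGE`; the conditional this `else` belongs to starts outside the hunk.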
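Review bot: In core/clear_vars.mk, `LOCAL_CERTIFICATE_LINEAGE:=` is inserted between `LOCAL_JNI_SHARED_LIBRARIES_ABI:=` and `LOCAL_LDFLAGS:=`, while the surrounding context lines are in alphabetical order. Placing it with the other `LOCAL_C…` entries (presumably next to `LOCAL_CERTIFICATE:=`, which is outside the hunk) keeps the list easy to audit. That matters here because a missing clear would let one module's lineage leak into the next module's signing rule.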
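Review bot: In core/definitions.mk, `sign-package-arg` now also reads `PRIVATE_CERTIFICATE_LINEAGE`, but nothing at the define documents that input. Target-specific variables are visible to a target's prerequisites as well, so a rule that uses this macro without assigning the variable could in principle pick up a value set on a dependent target; callers other than the two makefiles in this change are not visible here. I would add above the define `# Optional input: PRIVATE_CERTIFICATE_LINEAGE, a lineage file passed to signapk as --lineage; callers should assign it, possibly empty.` The macro's `endef` is outside the hunk.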
@@ -471,6 +471,9 @@ PACKAGES.$(LOCAL_PACKAGE_NAME).CERTIFICATE := $(certificate) $(LOCAL_BUILT_MODULE): $(additional_certificates) $(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CERTIFICATES := $(additional_certificates) +$(LOCAL_BUILT_MODULE): $(LOCAL_CERTIFICATE_LINEAGE) +$(LOCAL_BUILT_MODULE): PRIVATE_CERTIFICATE_LINEAGE := $(LOCAL_CERTIFICATE_LINEAGE) + # Set a actual_partition_tag (calculated in base_rules.mk) for the package. PACKAGES.$(LOCAL_PACKAGE_NAME).PARTITION := $(actual_partition_tag) diff --git a/tools/signapk/src/com/android/signapk/SignApk.java b/tools/signapk/src/com/android/signapk/SignApk.java index 9809ed406..95ef05f4d 100644 --- a/tools/signapk/src/com/android/signapk/SignApk.java +++ b/tools/signapk/src/com/android/signapk/SignApk.java @@ -36,6 +36,7 @@ import org.conscrypt.OpenSSLProvider; import com.android.apksig.ApkSignerEngine; import com.android.apksig.DefaultApkSignerEngine; +import com.android.apksig.SigningCertificateLineage; import com.android.apksig.Hints; import com.android.apksig.apk.ApkUtils; import com.android.apksig.apk.MinSdkVersionException; @@ -1042,6 +1043,7 @@ class SignApk { int alignment = 4; Integer minSdkVersionOverride = null; boolean signUsingApkSignatureSchemeV2 = true; + SigningCertificateLineage certLineage = null; int argstart = 0; while (argstart < args.length && args[argstart].startsWith("-")) { @@ -1069,6 +1071,15 @@ class SignApk { } else if ("--disable-v2".equals(args[argstart])) { signUsingApkSignatureSchemeV2 = false; ++argstart; + } else if ("--lineage".equals(args[argstart])) { + File lineageFile = new File(args[++argstart]); + try { + certLineage = SigningCertificateLineage.readFromFile(lineageFile); + } catch (Exception e) { + throw new IllegalArgumentException( + "Error reading lineage file: " + e.getMessage()); + } + ++argstart; } else { usage(); } 
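Review bot: In SignApk.java's new `--lineage` branch, `new File(args[++argstart])` reads the next argument without checking that one exists, so `--lineage` given as the last argument would raise ArrayIndexOutOfBoundsException instead of reaching `usage()`. A guard before it, `if (argstart + 1 >= args.length) usage();`, would fix that, assuming `usage()` does not return, which is not visible here. The catch block also discards the original exception; passing it as the cause, `throw new IllegalArgumentException("Error reading lineage file: " + e.getMessage(), e);`, keeps the stack trace when a signing input is rejected. The usage text is outside the hunk and may need the new option listed, and the option loop itself starts and ends outside the hunk.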
@@ -1149,6 +1160,7 @@ class SignApk { .setV2SigningEnabled(signUsingApkSignatureSchemeV2) .setOtherSignersSignaturesPreserved(false) .setCreatedBy("1.0 (Android SignApk)") + .setSigningCertificateLineage(certLineage) .build()) { // We don't preserve the input APK's APK Signing Block (which contains v2 // signatures)
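Review bot: `.setSigningCertificateLineage(certLineage)` is called unconditionally, so the engine receives `null` when `--lineage` was not given, and receives a lineage even when `--disable-v2` was parsed earlier. A signing-certificate lineage is carried by the v3 signature scheme, so it is worth confirming how the engine treats both cases. If the `--disable-v2` combination would silently drop the lineage, it should be rejected at argument parsing rather than producing an APK without the rotation proof. A short comment on the line would help, e.g. `// null unless --lineage was given; only used by APK Signature Scheme v3`. The builder expression starts outside the hunk.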