authorMichael Groover <mpgroover@google.com>2021-11-30 16:54:37 -0800
committerMichael Groover <mpgroover@google.com>2021-11-30 16:54:37 -0800
commit45343b234b5c563e424177c66e6c6021edc7a013 (patch)
tree5864c893b2b02fa673b514335c5d6e166f61f55b
parent45f34cf07116cf9b13809bd0d24f37670558c0b9 (diff)
Resolve verification errors for v3.1 sigs and min-sdk-version 33
apksig is designed to behave as the platform would based on the min / max SDK versions; when a min-sdk-version is not explicitly provided, apksig will use the minSdkVersion from the APK's manifest. A device running Android T or later will only verify the v3.1 signature if it exists; apksig will behave the same for an APK signed with a v3.1 signature and a min-sdk-version of 33 or later. This commit resolves the verification errors that were reported when apksig only verified the v3.1 signature with a min-sdk-version of 33 by properly recognizing the v3.1 signature as an extension of v3 and also sufficient to meet the min v2 signature requirement for apps targeting SDK version 30. Bug: 208504694 Test: gradlew test Change-Id: I28eadf4103358eb23cbc10880ac90c394e54e333
-rw-r--r--src/main/java/com/android/apksig/ApkVerifier.java7
-rw-r--r--src/test/java/com/android/apksig/ApkVerifierTest.java24
-rw-r--r--src/test/resources/com/android/apksig/v31-ec-p256-2-tgt-33-1-tgt-28-targetSdk-30.apkbin0 -> 12700 bytes
-rw-r--r--src/test/resources/com/android/apksig/v31-rsa-2048_2-tgt-33-1-tgt-28.apkbin0 -> 16791 bytes
4 files changed, 29 insertions, 2 deletions
diff --git a/src/main/java/com/android/apksig/ApkVerifier.java b/src/main/java/com/android/apksig/ApkVerifier.java
index 31b13e3..1613c26 100644
--- a/src/main/java/com/android/apksig/ApkVerifier.java
+++ b/src/main/java/com/android/apksig/ApkVerifier.java
@@ -561,7 +561,7 @@ public class ApkVerifier {
// Allow this case to fall through to the next as a signature satisfying a
// later scheme version will also satisfy this requirement.
case VERSION_APK_SIGNATURE_SCHEME_V3:
- if (result.isVerifiedUsingV3Scheme()) {
+ if (result.isVerifiedUsingV3Scheme() || result.isVerifiedUsingV31Scheme()) {
break;
}
result.addError(Issue.MIN_SIG_SCHEME_FOR_TARGET_SDK_NOT_MET,
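Review bot: The added `|| result.isVerifiedUsingV31Scheme()` in the `VERSION_APK_SIGNATURE_SCHEME_V3` case accepts a v3.1 result without stating why that is sufficient for the whole SDK range being verified. According to the commit message, v3.1 is verified on its own only when the min-sdk-version is 33 or later. Whether a v3.1-only result can reach this switch with a lower minimum is not visible from the hunk. I would extend the fall-through comment to record the assumption, for example `// A v3.1 signature is an extension of v3 and satisfies this requirement; it is only verified on its own when minSdkVersion >= 33.` The enclosing switch starts and ends outside the hunk.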
@@ -577,7 +577,10 @@ public class ApkVerifier {
// Verified
result.setVerified();
- if (result.isVerifiedUsingV3Scheme()) {
+ if (result.isVerifiedUsingV31Scheme()) {
+ List<Result.V3SchemeSignerInfo> v31Signers = result.getV31SchemeSigners();
+ result.addSignerCertificate(v31Signers.get(v31Signers.size() - 1).getCertificate());
+ } else if (result.isVerifiedUsingV3Scheme()) {
List<Result.V3SchemeSignerInfo> v3Signers = result.getV3SchemeSigners();
result.addSignerCertificate(v3Signers.get(v3Signers.size() - 1).getCertificate());
} else if (result.isVerifiedUsingV2Scheme()) {
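Review bot: When both schemes verified, the new first branch adds only the last v3.1 signer's certificate and the v3 signer is never added. Callers reading the result's signer certificates therefore get the identity an API 33+ device would use, even if the verified range includes earlier levels. The test APK names in this commit suggest the v3.1 and v3 blocks can carry different signers, so this precedence should be documented above the branch, for example `// v3.1 takes precedence over v3: report the signer used on API 33+; the v3 signer for earlier levels stays available via getV3SchemeSigners().` `v31Signers.get(v31Signers.size() - 1)` also relies on the list being non-empty whenever `isVerifiedUsingV31Scheme()` is true, the same assumption the v3 branch makes. The enclosing method starts and ends outside the hunk.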
diff --git a/src/test/java/com/android/apksig/ApkVerifierTest.java b/src/test/java/com/android/apksig/ApkVerifierTest.java
index ac8061e..31ed430 100644
--- a/src/test/java/com/android/apksig/ApkVerifierTest.java
+++ b/src/test/java/com/android/apksig/ApkVerifierTest.java
@@ -1455,6 +1455,30 @@ public class ApkVerifierTest {
SECOND_RSA_2048_SIGNER_RESOURCE_NAME);
}
+ @Test
+ public void verify31_minSdkVersionT_resultSuccessfullyVerified() throws Exception {
+ // When a min-sdk-version of 33 is explicitly specified, apksig will behave the same as a
+ // device running this API level and only verify a v3.1 signature if it exists. This test
+ // verifies this v3.1 signature is sufficient to report the APK as verified.
+ ApkVerifier.Result result = verifyForMinSdkVersion("v31-rsa-2048_2-tgt-33-1-tgt-28.apk",
+ 33);
+
+ assertVerified(result);
+ assertTrue(result.isVerifiedUsingV31Scheme());
+ }
+
+ @Test
+ public void verify31_minSdkVersionTTargetSdk30_resultSuccessfullyVerified() throws Exception {
+ // This test verifies when a min-sdk-version of 33 is specified and the APK targets API
+ // level 30 or later, the v3.1 signature is sufficient to report the APK meets the
+ // requirement of a minimum v2 signature.
+ ApkVerifier.Result result = verifyForMinSdkVersion(
+ "v31-ec-p256-2-tgt-33-1-tgt-28-targetSdk-30.apk", 33);
+
+ assertVerified(result);
+ assertTrue(result.isVerifiedUsingV31Scheme());
+ }
+
private ApkVerifier.Result verify(String apkFilenameInResources)
throws IOException, ApkFormatException, NoSuchAlgorithmException {
return verify(apkFilenameInResources, null, null);
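Review bot: Neither new test asserts which certificate ends up in the result, so the signer-selection branch this commit adds to ApkVerifier.java is not pinned by a test. Both tests stop at `assertVerified(result)` and `assertTrue(result.isVerifiedUsingV31Scheme())`. I would add `assertEquals(1, result.getSignerCertificates().size());` and a comparison of that certificate against the last entry of `result.getV31SchemeSigners()`. A companion case that verifies the same APKs with a min-sdk-version below 33 would also record what is reported when both the v3 and v3.1 signatures verify.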
diff --git a/src/test/resources/com/android/apksig/v31-ec-p256-2-tgt-33-1-tgt-28-targetSdk-30.apk b/src/test/resources/com/android/apksig/v31-ec-p256-2-tgt-33-1-tgt-28-targetSdk-30.apk
new file mode 100644
index 0000000..ad14731
--- /dev/null
+++ b/src/test/resources/com/android/apksig/v31-ec-p256-2-tgt-33-1-tgt-28-targetSdk-30.apk
Binary files differ
diff --git a/src/test/resources/com/android/apksig/v31-rsa-2048_2-tgt-33-1-tgt-28.apk b/src/test/resources/com/android/apksig/v31-rsa-2048_2-tgt-33-1-tgt-28.apk
new file mode 100644
index 0000000..aeaec33
--- /dev/null
+++ b/src/test/resources/com/android/apksig/v31-rsa-2048_2-tgt-33-1-tgt-28.apk
Binary files differ