author | Michael Groover <mpgroover@google.com> | 2021-11-30 16:54:37 -0800 |
---|---|---|
committer | Michael Groover <mpgroover@google.com> | 2021-11-30 16:54:37 -0800 |
commit | 45343b234b5c563e424177c66e6c6021edc7a013 (patch) | |
tree | 5864c893b2b02fa673b514335c5d6e166f61f55b | |
parent | 45f34cf07116cf9b13809bd0d24f37670558c0b9 (diff) | |
download | apksig-45343b234b5c563e424177c66e6c6021edc7a013.tar.gz |
Resolve verification errors for v3.1 sigs and min-sdk-version 33
apksig is designed to behave as the platform would based on the min /
max SDK versions; when a min-sdk-version is not explicitly provided,
apksig will use the minSdkVersion from the APK's manifest. A device
running Android T or later will only verify the v3.1 signature if it
exists; apksig will behave the same for an APK signed with a v3.1
signature and a min-sdk-version of 33 or later. This commit resolves
the verification errors that were reported when apksig only verified
the v3.1 signature with a min-sdk-version of 33 by properly
recognizing the v3.1 signature as an extension of v3 and also
sufficient to meet the min v2 signature requirement for apps targeting
SDK version 30.
Bug: 208504694
Test: gradlew test
Change-Id: I28eadf4103358eb23cbc10880ac90c394e54e333
-rw-r--r-- | src/main/java/com/android/apksig/ApkVerifier.java | 7 | ||||
-rw-r--r-- | src/test/java/com/android/apksig/ApkVerifierTest.java | 24 | ||||
-rw-r--r-- | src/test/resources/com/android/apksig/v31-ec-p256-2-tgt-33-1-tgt-28-targetSdk-30.apk | bin | 0 -> 12700 bytes | |||
-rw-r--r-- | src/test/resources/com/android/apksig/v31-rsa-2048_2-tgt-33-1-tgt-28.apk | bin | 0 -> 16791 bytes |
4 files changed, 29 insertions, 2 deletions
diff --git a/src/main/java/com/android/apksig/ApkVerifier.java b/src/main/java/com/android/apksig/ApkVerifier.java
index 31b13e3..1613c26 100644
--- a/src/main/java/com/android/apksig/ApkVerifier.java
+++ b/src/main/java/com/android/apksig/ApkVerifier.java
@@ -561,7 +561,7 @@ public class ApkVerifier {
 // Allow this case to fall through to the next as a signature satisfying a
 // later scheme version will also satisfy this requirement.
 case VERSION_APK_SIGNATURE_SCHEME_V3:
- if (result.isVerifiedUsingV3Scheme()) {
+ if (result.isVerifiedUsingV3Scheme() || result.isVerifiedUsingV31Scheme()) {
 break;
 }
 result.addError(Issue.MIN_SIG_SCHEME_FOR_TARGET_SDK_NOT_MET,
@@ -577,7 +577,10 @@ public class ApkVerifier {
 // Verified
 result.setVerified();
- if (result.isVerifiedUsingV3Scheme()) {
+ if (result.isVerifiedUsingV31Scheme()) {
+ List<Result.V3SchemeSignerInfo> v31Signers = result.getV31SchemeSigners();
+ result.addSignerCertificate(v31Signers.get(v31Signers.size() - 1).getCertificate());
+ } else if (result.isVerifiedUsingV3Scheme()) {
 List<Result.V3SchemeSignerInfo> v3Signers = result.getV3SchemeSigners();
 result.addSignerCertificate(v3Signers.get(v3Signers.size() - 1).getCertificate());
 } else if (result.isVerifiedUsingV2Scheme()) {
diff --git a/src/test/java/com/android/apksig/ApkVerifierTest.java b/src/test/java/com/android/apksig/ApkVerifierTest.java
index ac8061e..31ed430 100644
--- a/src/test/java/com/android/apksig/ApkVerifierTest.java
+++ b/src/test/java/com/android/apksig/ApkVerifierTest.java
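Review bot: The new first branch in the second ApkVerifier.java hunk makes the v3.1 signer take precedence over the v3.0 signer when the signer certificate is recorded, and nothing in the code says so. If a result can be verified under both schemes at once (for example with a min-sdk-version below 33 and a v3.1 block present, which this hunk does not show), a caller reading the reported certificate would get the signer that only devices running T or later verify, while older devices still rely on the v3.0 signer; anyone pinning on that certificate needs to know which one it is. I would add a comment above the branch such as `// Prefer the v3.1 signer: it is the one a device running T or later verifies; older platforms use the v3.0 signer.` Neither new test in ApkVerifierTest.java asserts which certificate ends up in the result, so an assertion on the reported signer certificate would pin this behaviour. The enclosing method starts and ends outside the hunk.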
@@ -1455,6 +1455,30 @@ public class ApkVerifierTest {
 SECOND_RSA_2048_SIGNER_RESOURCE_NAME);
 }
+ @Test
+ public void verify31_minSdkVersionT_resultSuccessfullyVerified() throws Exception {
+ // When a min-sdk-version of 33 is explicitly specified, apksig will behave the same as a
+ // device running this API level and only verify a v3.1 signature if it exists. This test
+ // verifies this v3.1 signature is sufficient to report the APK as verified.
+ ApkVerifier.Result result = verifyForMinSdkVersion("v31-rsa-2048_2-tgt-33-1-tgt-28.apk",
+ 33);
+
+ assertVerified(result);
+ assertTrue(result.isVerifiedUsingV31Scheme());
+ }
+
+ @Test
+ public void verify31_minSdkVersionTTargetSdk30_resultSuccessfullyVerified() throws Exception {
+ // This test verifies when a min-sdk-version of 33 is specified and the APK targets API
+ // level 30 or later, the v3.1 signature is sufficient to report the APK meets the
+ // requirement of a minimum v2 signature.
+ ApkVerifier.Result result = verifyForMinSdkVersion(
+ "v31-ec-p256-2-tgt-33-1-tgt-28-targetSdk-30.apk", 33);
+
+ assertVerified(result);
+ assertTrue(result.isVerifiedUsingV31Scheme());
+ }
+
 private ApkVerifier.Result verify(String apkFilenameInResources)
 throws IOException, ApkFormatException, NoSuchAlgorithmException {
 return verify(apkFilenameInResources, null, null);
diff --git a/src/test/resources/com/android/apksig/v31-ec-p256-2-tgt-33-1-tgt-28-targetSdk-30.apk b/src/test/resources/com/android/apksig/v31-ec-p256-2-tgt-33-1-tgt-28-targetSdk-30.apk
Binary files differ
new file mode 100644
index 0000000..ad14731
--- /dev/null
+++ b/src/test/resources/com/android/apksig/v31-ec-p256-2-tgt-33-1-tgt-28-targetSdk-30.apk
diff --git a/src/test/resources/com/android/apksig/v31-rsa-2048_2-tgt-33-1-tgt-28.apk b/src/test/resources/com/android/apksig/v31-rsa-2048_2-tgt-33-1-tgt-28.apk
Binary files differ
new file mode 100644
index 0000000..aeaec33
--- /dev/null
+++ b/src/test/resources/com/android/apksig/v31-rsa-2048_2-tgt-33-1-tgt-28.apk |