Ensure v3.0 signer returned when app min SDK equals rotation min SDK am: 8083582d08

Original change: https://googleplex-android-review.googlesource.com/c/platform/tools/apksig/+/17968716 Change-Id: Ib8ee1b67aa54cbf00ee91f90e2ccaaabd4a74f4e Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
author: Michael Groover <mpgroover@google.com> 2022-04-27 05:30:53 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2022-04-27 05:30:53 +0000
commit: 52d2a0536fc31b4a75343936c672303283092e8e (patch)
tree: 6c20a33b3909f7b814b3e2fb1308e605d83c82ac
parent: 45343b234b5c563e424177c66e6c6021edc7a013 (diff)
parent: 8083582d084031424d959afb679a2114c9a5d4ac (diff)
download: apksig-52d2a0536fc31b4a75343936c672303283092e8e.tar.gz
3 files changed, 39 insertions, 1 deletions
diff --git a/src/main/java/com/android/apksig/DefaultApkSignerEngine.java b/src/main/java/com/android/apksig/DefaultApkSignerEngine.java
index 6423804..62c24bc 100644
--- a/src/main/java/com/android/apksig/DefaultApkSignerEngine.java
+++ b/src/main/java/com/android/apksig/DefaultApkSignerEngine.java
@@ -426,7 +426,14 @@ public class DefaultApkSignerEngine implements ApkSignerEngine {
             // at this point (and likely only one will be needed
             processedConfigs.add(config);
             currentMinSdk = config.minSdkVersion;
-            if (currentMinSdk <= mMinSdkVersion || currentMinSdk <= AndroidSdkVersion.P) {
+            // If the rotation is targeting a development release and this is the v3.1 signer, then
+            // the minSdkVersion of this signer should equal the maxSdkVersion of the next signer;
+            // this ensures a package with the minSdkVersion set to the rotationMinSdkVersion has
+            // a v3.0 block with the min / max SDK version set to this same minSdkVersion from the
+            // v3.1 block.
+            if ((mRotationTargetsDevRelease && currentMinSdk < mMinSdkVersion)
+                    || (!mRotationTargetsDevRelease && currentMinSdk <= mMinSdkVersion)
+                    || currentMinSdk <= AndroidSdkVersion.P) {
                 // this satisfies all we need, stop here
                 break;
             }
diff --git a/src/test/java/com/android/apksig/ApkSignerTest.java b/src/test/java/com/android/apksig/ApkSignerTest.java
index 46126bb..adc3a38 100644
--- a/src/test/java/com/android/apksig/ApkSignerTest.java
+++ b/src/test/java/com/android/apksig/ApkSignerTest.java
@@ -1804,6 +1804,37 @@ public class ApkSignerTest {
     }
 
     @Test
+    public void testV31_rotationMinSdkVersionEqualsMinSdkVersion_v3SignerPresent()
+            throws Exception {
+        // The SDK version for Sv2 (32) is used as the minSdkVersion for the V3.1 signature
+        // scheme to allow rotation to target the T development platform; this will be updated
+        // to the real SDK version of T once its SDK is finalized. This test verifies if a
+        // package has Sv2 as its minSdkVersion, the signing can complete as expected with the
+        // v3 block signed by the original signer and targeting just Sv2, and the v3.1 block
+        // signed by the rotated signer and targeting the dev release of Sv2 and all later releases.
+        List<ApkSigner.SignerConfig> rsa2048SignerConfigWithLineage =
+                Arrays.asList(
+                        getDefaultSignerConfigFromResources(FIRST_RSA_2048_SIGNER_RESOURCE_NAME),
+                        getDefaultSignerConfigFromResources(SECOND_RSA_2048_SIGNER_RESOURCE_NAME));
+        SigningCertificateLineage lineage =
+                Resources.toSigningCertificateLineage(
+                        ApkSignerTest.class, LINEAGE_RSA_2048_2_SIGNERS_RESOURCE_NAME);
+
+        File signedApk = sign("original-minSdk32.apk",
+                new ApkSigner.Builder(rsa2048SignerConfigWithLineage)
+                        .setV1SigningEnabled(true)
+                        .setV2SigningEnabled(true)
+                        .setV3SigningEnabled(true)
+                        .setV4SigningEnabled(false)
+                        .setMinSdkVersionForRotation(V3SchemeConstants.MIN_SDK_WITH_V31_SUPPORT)
+                        .setSigningCertificateLineage(lineage));
+        ApkVerifier.Result result = verify(signedApk, null);
+
+        assertVerified(result);
+        assertEquals(AndroidSdkVersion.Sv2, result.getV3SchemeSigners().get(0).getMaxSdkVersion());
+    }
+
+    @Test
     public void testV31_rotationMinSdkVersionTWithoutLineage_v30VerificationSucceeds()
             throws Exception {
         // apksig allows setting a rotation-min-sdk-version without providing a rotated signing
diff --git a/src/test/resources/com/android/apksig/original-minSdk32.apk b/src/test/resources/com/android/apksig/original-minSdk32.apk
new file mode 100644
index 0000000..1d50f27
--- /dev/null
+++ b/src/test/resources/com/android/apksig/original-minSdk32.apk
author	Michael Groover <mpgroover@google.com>	2022-04-27 05:30:53 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2022-04-27 05:30:53 +0000
commit	52d2a0536fc31b4a75343936c672303283092e8e (patch)
tree	6c20a33b3909f7b814b3e2fb1308e605d83c82ac
parent	45343b234b5c563e424177c66e6c6021edc7a013 (diff)
parent	8083582d084031424d959afb679a2114c9a5d4ac (diff)
download	apksig-52d2a0536fc31b4a75343936c672303283092e8e.tar.gz