authorMichael Groover <mpgroover@google.com>2022-05-11 17:48:32 -0700
committerMichael Groover <mpgroover@google.com>2022-05-11 17:48:32 -0700
commitdd7c42ea09c91d47637996957e17d949a9c0fab8 (patch)
tree7fcccdb72478de24f2bdeacbfb377433a7963942
parent6ad4c757abe3744a2cb9e3e2b66d13e945ae1dec (diff)
Update v3.1 signing block to target T's finalized SDK 33
The v3.1 signature scheme was introduced in Android T, but during the development of T, the SDK version was set to that of the previously released platform, Sv2, at 32. In order to test the new signature scheme on T, the v3.1 signing block had to use a min SDK version of 32 to ensure the block's SDK range would apply to T. Now that the T SDK has been finalized with a version of 33, this new value can be used for packages targeting T for rotation. Note, this will not affect packages signed with the previous min SDK version of 32 since that would still apply to this finalized SDK version. Bug: 232118308 Test: gradlew test Change-Id: I0764227c70806494f9c0361eecd068e228b4171e
-rw-r--r--src/main/java/com/android/apksig/DefaultApkSignerEngine.java37
-rw-r--r--src/main/java/com/android/apksig/internal/apk/v3/V3SchemeConstants.java7
-rw-r--r--src/test/java/com/android/apksig/ApkSignerTest.java46
3 files changed, 11 insertions, 79 deletions
diff --git a/src/main/java/com/android/apksig/DefaultApkSignerEngine.java b/src/main/java/com/android/apksig/DefaultApkSignerEngine.java
index 62c24bc..f25bc59 100644
--- a/src/main/java/com/android/apksig/DefaultApkSignerEngine.java
+++ b/src/main/java/com/android/apksig/DefaultApkSignerEngine.java
@@ -22,7 +22,6 @@ import static com.android.apksig.internal.apk.ApkSigningBlockUtils.VERITY_PADDIN
import static com.android.apksig.internal.apk.ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V2;
import static com.android.apksig.internal.apk.ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V3;
import static com.android.apksig.internal.apk.ApkSigningBlockUtils.VERSION_JAR_SIGNATURE_SCHEME;
-import static com.android.apksig.internal.apk.v3.V3SchemeConstants.DEV_RELEASE_ROTATION_MIN_SDK_VERSION;
import static com.android.apksig.internal.apk.v3.V3SchemeConstants.MIN_SDK_WITH_V31_SUPPORT;
import static com.android.apksig.internal.apk.v3.V3SchemeConstants.MIN_SDK_WITH_V3_SUPPORT;
@@ -339,17 +338,6 @@ public class DefaultApkSignerEngine implements ApkSignerEngine {
}
}
- private int getDevReleaseRotationMinSdkVersion() {
- // TODO (b/199793805): Once the T SDK is finalized and T development releases are using
- // the new SDK version, this should be removed and mRotationMinSdkVersion should be used
- // as is for rotation SDK version targeting.
- // To support targeting the development release use the API level of the previous
- // platform release as this is the value returned from Build.Version.SDK_INT until
- // the SDK is finalized.
- return mRotationMinSdkVersion == MIN_SDK_WITH_V31_SUPPORT
- ? DEV_RELEASE_ROTATION_MIN_SDK_VERSION : mRotationMinSdkVersion;
- }
-
private boolean signingLineageHas31Support() {
return mSigningCertificateLineage != null
&& mRotationMinSdkVersion >= MIN_SDK_WITH_V31_SUPPORT
@@ -375,7 +363,6 @@ public class DefaultApkSignerEngine implements ApkSignerEngine {
List<ApkSigningBlockUtils.SignerConfig> processedConfigs = new ArrayList<>();
- int rotationMinSdkVersion = getDevReleaseRotationMinSdkVersion();
// we have our configs, now touch them up to appropriately cover all SDK levels since APK
// signature scheme v3 was introduced
int currentMinSdk = Integer.MAX_VALUE;
@@ -397,7 +384,7 @@ public class DefaultApkSignerEngine implements ApkSignerEngine {
// this needs to change
config.maxSdkVersion = Integer.MAX_VALUE;
} else {
- if (mRotationTargetsDevRelease && currentMinSdk == rotationMinSdkVersion) {
+ if (mRotationTargetsDevRelease && currentMinSdk == mRotationMinSdkVersion) {
// The currentMinSdk is both the SDK version for the active development release
// as well as the most recent released platform. To ensure the v3.0 signer will
// target the released platform, overlap the maxSdkVersion for the v3.0 signer
@@ -414,12 +401,12 @@ public class DefaultApkSignerEngine implements ApkSignerEngine {
// than that requested to support rotation.
if (mSigningCertificateLineage != null
&& ((mRotationTargetsDevRelease
- ? config.maxSdkVersion > rotationMinSdkVersion
- : config.maxSdkVersion >= rotationMinSdkVersion))) {
+ ? config.maxSdkVersion > mRotationMinSdkVersion
+ : config.maxSdkVersion >= mRotationMinSdkVersion))) {
config.mSigningCertificateLineage =
mSigningCertificateLineage.getSubLineage(config.certificates.get(0));
- if (config.minSdkVersion < rotationMinSdkVersion) {
- config.minSdkVersion = rotationMinSdkVersion;
+ if (config.minSdkVersion < mRotationMinSdkVersion) {
+ config.minSdkVersion = mRotationMinSdkVersion;
}
}
// we know that this config will be used, so add it to our result, order doesn't matter
@@ -428,7 +415,7 @@ public class DefaultApkSignerEngine implements ApkSignerEngine {
currentMinSdk = config.minSdkVersion;
// If the rotation is targeting a development release and this is the v3.1 signer, then
// the minSdkVersion of this signer should equal the maxSdkVersion of the next signer;
- // this ensures a package with the minSdkVersion set to the rotationMinSdkVersion has
+ // this ensures a package with the minSdkVersion set to the mRotationMinSdkVersion has
// a v3.0 block with the min / max SDK version set to this same minSdkVersion from the
// v3.1 block.
if ((mRotationTargetsDevRelease && currentMinSdk < mMinSdkVersion)
@@ -466,7 +453,6 @@ public class DefaultApkSignerEngine implements ApkSignerEngine {
return null;
}
- int rotationMinSdkVersion = getDevReleaseRotationMinSdkVersion();
List<ApkSigningBlockUtils.SignerConfig> v31SignerConfigs = new ArrayList<>();
Iterator<ApkSigningBlockUtils.SignerConfig> v3SignerIterator =
v3SignerConfigs.iterator();
@@ -474,7 +460,7 @@ public class DefaultApkSignerEngine implements ApkSignerEngine {
ApkSigningBlockUtils.SignerConfig signerConfig = v3SignerIterator.next();
// All signing configs with a min SDK version that supports v3.1 should be used
// in the v3.1 signing block and removed from the v3.0 block.
- if (signerConfig.minSdkVersion >= rotationMinSdkVersion) {
+ if (signerConfig.minSdkVersion >= mRotationMinSdkVersion) {
v31SignerConfigs.add(signerConfig);
v3SignerIterator.remove();
}
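Review bot: The comment above this `if` says configs "with a min SDK version that supports v3.1" are moved to the v3.1 block, but the condition tests `mRotationMinSdkVersion`, the caller-requested rotation level, which is now used unchanged. I would reword it to `// Signer configs whose minSdkVersion is at or above the requested rotation min SDK go in the v3.1 block and are removed from the v3.0 block.` so the boundary between the two blocks is documented in terms of the value actually compared. The enclosing method starts and ends outside this hunk, so whether an earlier guard already ties that field to v3.1 support cannot be confirmed from here.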
@@ -1105,7 +1091,7 @@ public class DefaultApkSignerEngine implements ApkSignerEngine {
.setRunnablesExecutor(mExecutor)
.setBlockId(V3SchemeConstants.APK_SIGNATURE_SCHEME_V3_BLOCK_ID);
if (signingLineageHas31Support()) {
- builder.setRotationMinSdkVersion(getDevReleaseRotationMinSdkVersion());
+ builder.setRotationMinSdkVersion(mRotationMinSdkVersion);
}
v3SigningSchemeBlockAndDigests =
builder.build().generateApkSignatureSchemeV3BlockAndDigests();
@@ -1824,13 +1810,6 @@ public class DefaultApkSignerEngine implements ApkSignerEngine {
+ " v3 without an accompanying SigningCertificateLineage");
}
- if (mRotationMinSdkVersion == MIN_SDK_WITH_V31_SUPPORT) {
- // To ensure the APK will install on the currently released platform with the
- // original signing key, also set the rotation to target a dev release to ensure
- // the original signing key block targets up through 31.
- mRotationTargetsDevRelease = true;
- }
-
return new DefaultApkSignerEngine(
mSignerConfigs,
mStampSignerConfig,
diff --git a/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeConstants.java b/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeConstants.java
index 319b57f..6963dd3 100644
--- a/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeConstants.java
+++ b/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeConstants.java
@@ -35,13 +35,6 @@ public class V3SchemeConstants {
* {@link com.android.apksig.ApkSigner.Builder#setMinSdkVersionForRotation(int)}.
*/
public static final int DEFAULT_ROTATION_MIN_SDK_VERSION = AndroidSdkVersion.T;
- /**
- * The v3.1 signature scheme is initially intended for the T development release, but until
- * the T SDK is finalized it is using the SDK version of the latest platform release. To support
- * testing of the v3.1 signature scheme and key rotation on the T development release, the
- * rotation-min-sdk-version should use the SDK version of Sv2 in the v3.1 signer block.
- */
- public static final int DEV_RELEASE_ROTATION_MIN_SDK_VERSION = AndroidSdkVersion.Sv2;
/**
* This attribute is intended to be written to the V3.0 signer block as an additional attribute
diff --git a/src/test/java/com/android/apksig/ApkSignerTest.java b/src/test/java/com/android/apksig/ApkSignerTest.java
index 9004d80..313d4c5 100644
--- a/src/test/java/com/android/apksig/ApkSignerTest.java
+++ b/src/test/java/com/android/apksig/ApkSignerTest.java
@@ -1608,11 +1608,8 @@ public class ApkSignerTest {
assertTrue(resultMinRotationT.isVerifiedUsingV31Scheme());
assertResultContainsSigners(resultMinRotationT, true, FIRST_RSA_2048_SIGNER_RESOURCE_NAME,
SECOND_RSA_2048_SIGNER_RESOURCE_NAME);
- // Since T is still under development, it is using the SDK version of the previous platform
- // release, so to test v3.1 on T the rotation-min-sdk-version must target the SDK version
- // of Sv2.
assertV31SignerTargetsMinApiLevel(resultMinRotationT, SECOND_RSA_2048_SIGNER_RESOURCE_NAME,
- V3SchemeConstants.DEV_RELEASE_ROTATION_MIN_SDK_VERSION);
+ AndroidSdkVersion.T);
assertVerified(resultMinRotationU);
assertTrue(resultMinRotationU.isVerifiedUsingV31Scheme());
assertResultContainsSigners(resultMinRotationU, true, FIRST_RSA_2048_SIGNER_RESOURCE_NAME,
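Review bot: The assertions on `resultMinRotationT` pin the v3.1 signer's min API level to `AndroidSdkVersion.T`, but nothing visible checks that targeting T no longer implies the rotation-targets-dev-release flag. The builder stops setting that flag in this commit, and the only visible test that read it (`testV31_rotationMinSdkVersionT_v30SignerTargetsAtLeast31`) is deleted further down. Adding `assertFalse(resultMinRotationT.getV31SchemeSigners().get(0).getRotationTargetsDevRelease());` after the `assertV31SignerTargetsMinApiLevel` call would pin the new default, so a later change that silently widens the SDK range of the original key's block is caught. The test method begins and ends outside this hunk, so an equivalent check may already exist elsewhere.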
@@ -1703,13 +1700,10 @@ public class ApkSignerTest {
.setSourceStampSignerConfig(rsa2048OriginalSignerConfig));
ApkVerifier.Result result = verify(signedApk, null);
- // Since T is still under development, it is using the SDK version of the previous platform
- // release, so to test v3.1 on T the rotation-min-sdk-version must target the SDK version
- // of Sv2.
assertResultContainsSigners(result, true, FIRST_RSA_2048_SIGNER_RESOURCE_NAME,
SECOND_RSA_2048_SIGNER_RESOURCE_NAME);
assertV31SignerTargetsMinApiLevel(result, SECOND_RSA_2048_SIGNER_RESOURCE_NAME,
- V3SchemeConstants.DEV_RELEASE_ROTATION_MIN_SDK_VERSION);
+ AndroidSdkVersion.T);
assertSourceStampVerified(signedApk, result);
}
@@ -1790,40 +1784,6 @@ public class ApkSignerTest {
}
@Test
- public void testV31_rotationMinSdkVersionT_v30SignerTargetsAtLeast31() throws Exception {
- // The T development release is currently using the API level of S until its own SDK is
- // finalized. This requires apksig to sign an APK targeting T for rotation with a V3.1
- // block that targets API level 31. By default, apksig will decrement the SDK version for
- // the current signer block and use that as the maxSdkVersion for the next signer; however
- // this means the original signing key will only target through 30 which would prevent
- // an APK signed with V3.1 targeting T from installing on a device running S. This test
- // ensures targeting T will use the rotation-targets-dev-release option so that the APK
- // can still install on devices with an API level of 31.
- List<ApkSigner.SignerConfig> rsa2048SignerConfigWithLineage =
- Arrays.asList(
- getDefaultSignerConfigFromResources(FIRST_RSA_2048_SIGNER_RESOURCE_NAME),
- getDefaultSignerConfigFromResources(SECOND_RSA_2048_SIGNER_RESOURCE_NAME));
- SigningCertificateLineage lineage =
- Resources.toSigningCertificateLineage(
- ApkSignerTest.class, LINEAGE_RSA_2048_2_SIGNERS_RESOURCE_NAME);
-
- File signedApk = sign("original.apk",
- new ApkSigner.Builder(rsa2048SignerConfigWithLineage)
- .setV1SigningEnabled(true)
- .setV2SigningEnabled(true)
- .setV3SigningEnabled(true)
- .setV4SigningEnabled(false)
- .setMinSdkVersionForRotation(V3SchemeConstants.MIN_SDK_WITH_V31_SUPPORT)
- .setSigningCertificateLineage(lineage));
- ApkVerifier.Result result = verify(signedApk, null);
-
- assertVerified(result);
- assertTrue(result.isVerifiedUsingV31Scheme());
- assertTrue(result.getV31SchemeSigners().get(0).getRotationTargetsDevRelease());
- assertTrue(result.getV3SchemeSigners().get(0).getMaxSdkVersion() >= AndroidSdkVersion.S);
- }
-
- @Test
public void testV31_rotationMinSdkVersionEqualsMinSdkVersion_v3SignerPresent()
throws Exception {
// The SDK version for Sv2 (32) is used as the minSdkVersion for the V3.1 signature
@@ -1908,7 +1868,7 @@ public class ApkSignerTest {
assertTrue(result.isVerifiedUsingV31Scheme());
assertEquals(AndroidSdkVersion.Sv2, result.getV3SchemeSigners().get(0).getMaxSdkVersion());
assertV31SignerTargetsMinApiLevel(result, SECOND_RSA_2048_SIGNER_RESOURCE_NAME,
- V3SchemeConstants.DEV_RELEASE_ROTATION_MIN_SDK_VERSION);
+ AndroidSdkVersion.T);
}
@Test