Snap for 8581162 from fc6387ff79c434dd2616d3391655ec5c12ba415c to tm-releaseandroid-vts-13.0_r8android-vts-13.0_r7android-vts-13.0_r6android-vts-13.0_r5android-vts-13.0_r4android-vts-13.0_r3android-vts-13.0_r2android-vts-13.0_r1android-security-13.0.0_r6android-security-13.0.0_r5android-security-13.0.0_r4android-security-13.0.0_r3android-security-13.0.0_r2android-security-13.0.0_r1android-platform-13.0.0_r2android-platform-13.0.0_r1android-cts-13.0_r8android-cts-13.0_r7android-cts-13.0_r6android-cts-13.0_r5android-cts-13.0_r4android-cts-13.0_r3android-cts-13.0_r2android-cts-13.0_r1android-13.0.0_r8android-13.0.0_r7android-13.0.0_r6android-13.0.0_r5android-13.0.0_r4android-13.0.0_r31android-13.0.0_r3android-13.0.0_r2android-13.0.0_r12android-13.0.0_r1android13-tests-releaseandroid13-s3-releaseandroid13-s2-releaseandroid13-s1-releaseandroid13-release

Change-Id: I586a11bda63e3e25a485df14b0166543556056ba

3 files changed, 11 insertions, 79 deletions

diff --git a/src/main/java/com/android/apksig/DefaultApkSignerEngine.java b/src/main/java/com/android/apksig/DefaultApkSignerEngine.java
index 62c24bc..f25bc59 100644
--- a/src/main/java/com/android/apksig/DefaultApkSignerEngine.java
+++ b/src/main/java/com/android/apksig/DefaultApkSignerEngine.java
@@ -22,7 +22,6 @@ import static com.android.apksig.internal.apk.ApkSigningBlockUtils.VERITY_PADDIN
 import static com.android.apksig.internal.apk.ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V2;
 import static com.android.apksig.internal.apk.ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V3;
 import static com.android.apksig.internal.apk.ApkSigningBlockUtils.VERSION_JAR_SIGNATURE_SCHEME;
-import static com.android.apksig.internal.apk.v3.V3SchemeConstants.DEV_RELEASE_ROTATION_MIN_SDK_VERSION;
 import static com.android.apksig.internal.apk.v3.V3SchemeConstants.MIN_SDK_WITH_V31_SUPPORT;
 import static com.android.apksig.internal.apk.v3.V3SchemeConstants.MIN_SDK_WITH_V3_SUPPORT;
 
@@ -339,17 +338,6 @@ public class DefaultApkSignerEngine implements ApkSignerEngine {
         }
     }
 
-    private int getDevReleaseRotationMinSdkVersion() {
-        // TODO (b/199793805): Once the T SDK is finalized and T development releases are using
-        // the new SDK version, this should be removed and mRotationMinSdkVersion should be used
-        // as is for rotation SDK version targeting.
-        // To support targeting the development release use the API level of the previous
-        // platform release as this is the value returned from Build.Version.SDK_INT until
-        // the SDK is finalized.
-        return mRotationMinSdkVersion == MIN_SDK_WITH_V31_SUPPORT
-                ? DEV_RELEASE_ROTATION_MIN_SDK_VERSION : mRotationMinSdkVersion;
-    }
-
     private boolean signingLineageHas31Support() {
         return mSigningCertificateLineage != null
                 && mRotationMinSdkVersion >= MIN_SDK_WITH_V31_SUPPORT
@@ -375,7 +363,6 @@ public class DefaultApkSignerEngine implements ApkSignerEngine {
 
         List<ApkSigningBlockUtils.SignerConfig> processedConfigs = new ArrayList<>();
 
-        int rotationMinSdkVersion = getDevReleaseRotationMinSdkVersion();
         // we have our configs, now touch them up to appropriately cover all SDK levels since APK
         // signature scheme v3 was introduced
         int currentMinSdk = Integer.MAX_VALUE;
@@ -397,7 +384,7 @@ public class DefaultApkSignerEngine implements ApkSignerEngine {
                 // this needs to change
                 config.maxSdkVersion = Integer.MAX_VALUE;
             } else {
-                if (mRotationTargetsDevRelease && currentMinSdk == rotationMinSdkVersion) {
+                if (mRotationTargetsDevRelease && currentMinSdk == mRotationMinSdkVersion) {
                     // The currentMinSdk is both the SDK version for the active development release
                     // as well as the most recent released platform. To ensure the v3.0 signer will
                     // target the released platform, overlap the maxSdkVersion for the v3.0 signer
@@ -414,12 +401,12 @@ public class DefaultApkSignerEngine implements ApkSignerEngine {
             // than that requested to support rotation.
             if (mSigningCertificateLineage != null
                     && ((mRotationTargetsDevRelease
-                        ? config.maxSdkVersion > rotationMinSdkVersion
-                        : config.maxSdkVersion >= rotationMinSdkVersion))) {
+                        ? config.maxSdkVersion > mRotationMinSdkVersion
+                        : config.maxSdkVersion >= mRotationMinSdkVersion))) {
                 config.mSigningCertificateLineage =
                         mSigningCertificateLineage.getSubLineage(config.certificates.get(0));
-                if (config.minSdkVersion < rotationMinSdkVersion) {
-                    config.minSdkVersion = rotationMinSdkVersion;
+                if (config.minSdkVersion < mRotationMinSdkVersion) {
+                    config.minSdkVersion = mRotationMinSdkVersion;
                 }
             }
             // we know that this config will be used, so add it to our result, order doesn't matter
@@ -428,7 +415,7 @@ public class DefaultApkSignerEngine implements ApkSignerEngine {
             currentMinSdk = config.minSdkVersion;
             // If the rotation is targeting a development release and this is the v3.1 signer, then
             // the minSdkVersion of this signer should equal the maxSdkVersion of the next signer;
-            // this ensures a package with the minSdkVersion set to the rotationMinSdkVersion has
+            // this ensures a package with the minSdkVersion set to the mRotationMinSdkVersion has
             // a v3.0 block with the min / max SDK version set to this same minSdkVersion from the
             // v3.1 block.
             if ((mRotationTargetsDevRelease && currentMinSdk < mMinSdkVersion)
@@ -466,7 +453,6 @@ public class DefaultApkSignerEngine implements ApkSignerEngine {
             return null;
         }
 
-        int rotationMinSdkVersion = getDevReleaseRotationMinSdkVersion();
         List<ApkSigningBlockUtils.SignerConfig> v31SignerConfigs = new ArrayList<>();
         Iterator<ApkSigningBlockUtils.SignerConfig> v3SignerIterator =
                 v3SignerConfigs.iterator();
@@ -474,7 +460,7 @@ public class DefaultApkSignerEngine implements ApkSignerEngine {
             ApkSigningBlockUtils.SignerConfig signerConfig = v3SignerIterator.next();
             // All signing configs with a min SDK version that supports v3.1 should be used
             // in the v3.1 signing block and removed from the v3.0 block.
-            if (signerConfig.minSdkVersion >= rotationMinSdkVersion) {
+            if (signerConfig.minSdkVersion >= mRotationMinSdkVersion) {
                 v31SignerConfigs.add(signerConfig);
                 v3SignerIterator.remove();
             }
@@ -1105,7 +1091,7 @@ public class DefaultApkSignerEngine implements ApkSignerEngine {
                 .setRunnablesExecutor(mExecutor)
                 .setBlockId(V3SchemeConstants.APK_SIGNATURE_SCHEME_V3_BLOCK_ID);
             if (signingLineageHas31Support()) {
-                builder.setRotationMinSdkVersion(getDevReleaseRotationMinSdkVersion());
+                builder.setRotationMinSdkVersion(mRotationMinSdkVersion);
             }
             v3SigningSchemeBlockAndDigests =
                 builder.build().generateApkSignatureSchemeV3BlockAndDigests();
@@ -1824,13 +1810,6 @@ public class DefaultApkSignerEngine implements ApkSignerEngine {
                                 + " v3 without an accompanying SigningCertificateLineage");
             }
 
-            if (mRotationMinSdkVersion == MIN_SDK_WITH_V31_SUPPORT) {
-                // To ensure the APK will install on the currently released platform with the
-                // original signing key, also set the rotation to target a dev release to ensure
-                // the original signing key block targets up through 31.
-                mRotationTargetsDevRelease = true;
-            }
-
             return new DefaultApkSignerEngine(
                     mSignerConfigs,
                     mStampSignerConfig,
diff --git a/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeConstants.java b/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeConstants.java
index 319b57f..6963dd3 100644
--- a/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeConstants.java
+++ b/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeConstants.java
@@ -35,13 +35,6 @@ public class V3SchemeConstants {
      * {@link com.android.apksig.ApkSigner.Builder#setMinSdkVersionForRotation(int)}.
      */
     public static final int DEFAULT_ROTATION_MIN_SDK_VERSION  = AndroidSdkVersion.T;
-    /**
-     * The v3.1 signature scheme is initially intended for the T development release, but until
-     * the T SDK is finalized it is using the SDK version of the latest platform release. To support
-     * testing of the v3.1 signature scheme and key rotation on the T development release, the
-     * rotation-min-sdk-version should use the SDK version of Sv2 in the v3.1 signer block.
-     */
-    public static final int DEV_RELEASE_ROTATION_MIN_SDK_VERSION = AndroidSdkVersion.Sv2;
 
     /**
      * This attribute is intended to be written to the V3.0 signer block as an additional attribute
diff --git a/src/test/java/com/android/apksig/ApkSignerTest.java b/src/test/java/com/android/apksig/ApkSignerTest.java
index 9740d75..83e0499 100644
--- a/src/test/java/com/android/apksig/ApkSignerTest.java
+++ b/src/test/java/com/android/apksig/ApkSignerTest.java
@@ -1607,11 +1607,8 @@ public class ApkSignerTest {
         assertTrue(resultMinRotationT.isVerifiedUsingV31Scheme());
         assertResultContainsSigners(resultMinRotationT, true, FIRST_RSA_2048_SIGNER_RESOURCE_NAME,
             SECOND_RSA_2048_SIGNER_RESOURCE_NAME);
-        // Since T is still under development, it is using the SDK version of the previous platform
-        // release, so to test v3.1 on T the rotation-min-sdk-version must target the SDK version
-        // of Sv2.
         assertV31SignerTargetsMinApiLevel(resultMinRotationT, SECOND_RSA_2048_SIGNER_RESOURCE_NAME,
-            V3SchemeConstants.DEV_RELEASE_ROTATION_MIN_SDK_VERSION);
+            AndroidSdkVersion.T);
         assertVerified(resultMinRotationU);
         assertTrue(resultMinRotationU.isVerifiedUsingV31Scheme());
         assertResultContainsSigners(resultMinRotationU, true, FIRST_RSA_2048_SIGNER_RESOURCE_NAME,
@@ -1702,13 +1699,10 @@ public class ApkSignerTest {
                         .setSourceStampSignerConfig(rsa2048OriginalSignerConfig));
         ApkVerifier.Result result = verify(signedApk, null);
 
-        // Since T is still under development, it is using the SDK version of the previous platform
-        // release, so to test v3.1 on T the rotation-min-sdk-version must target the SDK version
-        // of Sv2.
         assertResultContainsSigners(result, true, FIRST_RSA_2048_SIGNER_RESOURCE_NAME,
                 SECOND_RSA_2048_SIGNER_RESOURCE_NAME);
         assertV31SignerTargetsMinApiLevel(result, SECOND_RSA_2048_SIGNER_RESOURCE_NAME,
-                V3SchemeConstants.DEV_RELEASE_ROTATION_MIN_SDK_VERSION);
+                AndroidSdkVersion.T);
         assertSourceStampVerified(signedApk, result);
     }
 
@@ -1789,40 +1783,6 @@ public class ApkSignerTest {
     }
 
     @Test
-    public void testV31_rotationMinSdkVersionT_v30SignerTargetsAtLeast31() throws Exception {
-        // The T development release is currently using the API level of S until its own SDK is
-        // finalized. This requires apksig to sign an APK targeting T for rotation with a V3.1
-        // block that targets API level 31. By default, apksig will decrement the SDK version for
-        // the current signer block and use that as the maxSdkVersion for the next signer; however
-        // this means the original signing key will only target through 30 which would prevent
-        // an APK signed with V3.1 targeting T from installing on a device running S. This test
-        // ensures targeting T will use the rotation-targets-dev-release option so that the APK
-        // can still install on devices with an API level of 31.
-        List<ApkSigner.SignerConfig> rsa2048SignerConfigWithLineage =
-                Arrays.asList(
-                        getDefaultSignerConfigFromResources(FIRST_RSA_2048_SIGNER_RESOURCE_NAME),
-                        getDefaultSignerConfigFromResources(SECOND_RSA_2048_SIGNER_RESOURCE_NAME));
-        SigningCertificateLineage lineage =
-                Resources.toSigningCertificateLineage(
-                        ApkSignerTest.class, LINEAGE_RSA_2048_2_SIGNERS_RESOURCE_NAME);
-
-        File signedApk = sign("original.apk",
-                new ApkSigner.Builder(rsa2048SignerConfigWithLineage)
-                        .setV1SigningEnabled(true)
-                        .setV2SigningEnabled(true)
-                        .setV3SigningEnabled(true)
-                        .setV4SigningEnabled(false)
-                        .setMinSdkVersionForRotation(V3SchemeConstants.MIN_SDK_WITH_V31_SUPPORT)
-                        .setSigningCertificateLineage(lineage));
-        ApkVerifier.Result result = verify(signedApk, null);
-
-        assertVerified(result);
-        assertTrue(result.isVerifiedUsingV31Scheme());
-        assertTrue(result.getV31SchemeSigners().get(0).getRotationTargetsDevRelease());
-        assertTrue(result.getV3SchemeSigners().get(0).getMaxSdkVersion() >= AndroidSdkVersion.S);
-    }
-
-    @Test
     public void testV31_rotationMinSdkVersionEqualsMinSdkVersion_v3SignerPresent()
             throws Exception {
         // The SDK version for Sv2 (32) is used as the minSdkVersion for the V3.1 signature
@@ -1907,7 +1867,7 @@ public class ApkSignerTest {
         assertTrue(result.isVerifiedUsingV31Scheme());
         assertEquals(AndroidSdkVersion.Sv2, result.getV3SchemeSigners().get(0).getMaxSdkVersion());
         assertV31SignerTargetsMinApiLevel(result, SECOND_RSA_2048_SIGNER_RESOURCE_NAME,
-                V3SchemeConstants.DEV_RELEASE_ROTATION_MIN_SDK_VERSION);
+                AndroidSdkVersion.T);
     }
 
     @Test