diff options
author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-05-12 17:41:04 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-05-12 17:41:04 +0000 |
commit | 1d160ad78743887b2914272fdc66852b25d988bf (patch) | |
tree | ff0d39868ed17a0eb0b106756c976dedd72195b1 | |
parent | 900230408bf8a2ccdfdd552c746757f56366ef12 (diff) | |
parent | fc6387ff79c434dd2616d3391655ec5c12ba415c (diff) | |
download | apksig-t_frc_swc_330443010.tar.gz |
Snap for 8580258 from fc6387ff79c434dd2616d3391655ec5c12ba415c to tm-frc-media-swcodec-releaset_frc_swc_330443040t_frc_swc_330443010android13-frc-media-swcodec-release
Change-Id: I89043c5f7507f96ecac2d0e7e77b84915b780961
3 files changed, 11 insertions, 79 deletions
diff --git a/src/main/java/com/android/apksig/DefaultApkSignerEngine.java b/src/main/java/com/android/apksig/DefaultApkSignerEngine.java index 62c24bc..f25bc59 100644 --- a/src/main/java/com/android/apksig/DefaultApkSignerEngine.java +++ b/src/main/java/com/android/apksig/DefaultApkSignerEngine.java @@ -22,7 +22,6 @@ import static com.android.apksig.internal.apk.ApkSigningBlockUtils.VERITY_PADDIN import static com.android.apksig.internal.apk.ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V2; import static com.android.apksig.internal.apk.ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V3; import static com.android.apksig.internal.apk.ApkSigningBlockUtils.VERSION_JAR_SIGNATURE_SCHEME; -import static com.android.apksig.internal.apk.v3.V3SchemeConstants.DEV_RELEASE_ROTATION_MIN_SDK_VERSION; import static com.android.apksig.internal.apk.v3.V3SchemeConstants.MIN_SDK_WITH_V31_SUPPORT; import static com.android.apksig.internal.apk.v3.V3SchemeConstants.MIN_SDK_WITH_V3_SUPPORT; @@ -339,17 +338,6 @@ public class DefaultApkSignerEngine implements ApkSignerEngine { } } - private int getDevReleaseRotationMinSdkVersion() { - // TODO (b/199793805): Once the T SDK is finalized and T development releases are using - // the new SDK version, this should be removed and mRotationMinSdkVersion should be used - // as is for rotation SDK version targeting. - // To support targeting the development release use the API level of the previous - // platform release as this is the value returned from Build.Version.SDK_INT until - // the SDK is finalized. - return mRotationMinSdkVersion == MIN_SDK_WITH_V31_SUPPORT - ? DEV_RELEASE_ROTATION_MIN_SDK_VERSION : mRotationMinSdkVersion; - } - private boolean signingLineageHas31Support() { return mSigningCertificateLineage != null && mRotationMinSdkVersion >= MIN_SDK_WITH_V31_SUPPORT @@ -375,7 +363,6 @@ public class DefaultApkSignerEngine implements ApkSignerEngine { List<ApkSigningBlockUtils.SignerConfig> processedConfigs = new ArrayList<>(); - int rotationMinSdkVersion = getDevReleaseRotationMinSdkVersion(); // we have our configs, now touch them up to appropriately cover all SDK levels since APK // signature scheme v3 was introduced int currentMinSdk = Integer.MAX_VALUE; @@ -397,7 +384,7 @@ public class DefaultApkSignerEngine implements ApkSignerEngine { // this needs to change config.maxSdkVersion = Integer.MAX_VALUE; } else { - if (mRotationTargetsDevRelease && currentMinSdk == rotationMinSdkVersion) { + if (mRotationTargetsDevRelease && currentMinSdk == mRotationMinSdkVersion) { // The currentMinSdk is both the SDK version for the active development release // as well as the most recent released platform. To ensure the v3.0 signer will // target the released platform, overlap the maxSdkVersion for the v3.0 signer @@ -414,12 +401,12 @@ public class DefaultApkSignerEngine implements ApkSignerEngine { // than that requested to support rotation. if (mSigningCertificateLineage != null && ((mRotationTargetsDevRelease - ? config.maxSdkVersion > rotationMinSdkVersion - : config.maxSdkVersion >= rotationMinSdkVersion))) { + ? config.maxSdkVersion > mRotationMinSdkVersion + : config.maxSdkVersion >= mRotationMinSdkVersion))) { config.mSigningCertificateLineage = mSigningCertificateLineage.getSubLineage(config.certificates.get(0)); - if (config.minSdkVersion < rotationMinSdkVersion) { - config.minSdkVersion = rotationMinSdkVersion; + if (config.minSdkVersion < mRotationMinSdkVersion) { + config.minSdkVersion = mRotationMinSdkVersion; } } // we know that this config will be used, so add it to our result, order doesn't matter @@ -428,7 +415,7 @@ public class DefaultApkSignerEngine implements ApkSignerEngine { currentMinSdk = config.minSdkVersion; // If the rotation is targeting a development release and this is the v3.1 signer, then // the minSdkVersion of this signer should equal the maxSdkVersion of the next signer; - // this ensures a package with the minSdkVersion set to the rotationMinSdkVersion has + // this ensures a package with the minSdkVersion set to the mRotationMinSdkVersion has // a v3.0 block with the min / max SDK version set to this same minSdkVersion from the // v3.1 block. if ((mRotationTargetsDevRelease && currentMinSdk < mMinSdkVersion) @@ -466,7 +453,6 @@ public class DefaultApkSignerEngine implements ApkSignerEngine { return null; } - int rotationMinSdkVersion = getDevReleaseRotationMinSdkVersion(); List<ApkSigningBlockUtils.SignerConfig> v31SignerConfigs = new ArrayList<>(); Iterator<ApkSigningBlockUtils.SignerConfig> v3SignerIterator = v3SignerConfigs.iterator(); @@ -474,7 +460,7 @@ public class DefaultApkSignerEngine implements ApkSignerEngine { ApkSigningBlockUtils.SignerConfig signerConfig = v3SignerIterator.next(); // All signing configs with a min SDK version that supports v3.1 should be used // in the v3.1 signing block and removed from the v3.0 block. - if (signerConfig.minSdkVersion >= rotationMinSdkVersion) { + if (signerConfig.minSdkVersion >= mRotationMinSdkVersion) { v31SignerConfigs.add(signerConfig); v3SignerIterator.remove(); } @@ -1105,7 +1091,7 @@ public class DefaultApkSignerEngine implements ApkSignerEngine { .setRunnablesExecutor(mExecutor) .setBlockId(V3SchemeConstants.APK_SIGNATURE_SCHEME_V3_BLOCK_ID); if (signingLineageHas31Support()) { - builder.setRotationMinSdkVersion(getDevReleaseRotationMinSdkVersion()); + builder.setRotationMinSdkVersion(mRotationMinSdkVersion); } v3SigningSchemeBlockAndDigests = builder.build().generateApkSignatureSchemeV3BlockAndDigests(); @@ -1824,13 +1810,6 @@ public class DefaultApkSignerEngine implements ApkSignerEngine { + " v3 without an accompanying SigningCertificateLineage"); } - if (mRotationMinSdkVersion == MIN_SDK_WITH_V31_SUPPORT) { - // To ensure the APK will install on the currently released platform with the - // original signing key, also set the rotation to target a dev release to ensure - // the original signing key block targets up through 31. - mRotationTargetsDevRelease = true; - } - return new DefaultApkSignerEngine( mSignerConfigs, mStampSignerConfig, diff --git a/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeConstants.java b/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeConstants.java index 319b57f..6963dd3 100644 --- a/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeConstants.java +++ b/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeConstants.java @@ -35,13 +35,6 @@ public class V3SchemeConstants { * {@link com.android.apksig.ApkSigner.Builder#setMinSdkVersionForRotation(int)}. */ public static final int DEFAULT_ROTATION_MIN_SDK_VERSION = AndroidSdkVersion.T; - /** - * The v3.1 signature scheme is initially intended for the T development release, but until - * the T SDK is finalized it is using the SDK version of the latest platform release. To support - * testing of the v3.1 signature scheme and key rotation on the T development release, the - * rotation-min-sdk-version should use the SDK version of Sv2 in the v3.1 signer block. - */ - public static final int DEV_RELEASE_ROTATION_MIN_SDK_VERSION = AndroidSdkVersion.Sv2; /** * This attribute is intended to be written to the V3.0 signer block as an additional attribute diff --git a/src/test/java/com/android/apksig/ApkSignerTest.java b/src/test/java/com/android/apksig/ApkSignerTest.java index 9740d75..83e0499 100644 --- a/src/test/java/com/android/apksig/ApkSignerTest.java +++ b/src/test/java/com/android/apksig/ApkSignerTest.java @@ -1607,11 +1607,8 @@ public class ApkSignerTest { assertTrue(resultMinRotationT.isVerifiedUsingV31Scheme()); assertResultContainsSigners(resultMinRotationT, true, FIRST_RSA_2048_SIGNER_RESOURCE_NAME, SECOND_RSA_2048_SIGNER_RESOURCE_NAME); - // Since T is still under development, it is using the SDK version of the previous platform - // release, so to test v3.1 on T the rotation-min-sdk-version must target the SDK version - // of Sv2. assertV31SignerTargetsMinApiLevel(resultMinRotationT, SECOND_RSA_2048_SIGNER_RESOURCE_NAME, - V3SchemeConstants.DEV_RELEASE_ROTATION_MIN_SDK_VERSION); + AndroidSdkVersion.T); assertVerified(resultMinRotationU); assertTrue(resultMinRotationU.isVerifiedUsingV31Scheme()); assertResultContainsSigners(resultMinRotationU, true, FIRST_RSA_2048_SIGNER_RESOURCE_NAME, @@ -1702,13 +1699,10 @@ public class ApkSignerTest { .setSourceStampSignerConfig(rsa2048OriginalSignerConfig)); ApkVerifier.Result result = verify(signedApk, null); - // Since T is still under development, it is using the SDK version of the previous platform - // release, so to test v3.1 on T the rotation-min-sdk-version must target the SDK version - // of Sv2. assertResultContainsSigners(result, true, FIRST_RSA_2048_SIGNER_RESOURCE_NAME, SECOND_RSA_2048_SIGNER_RESOURCE_NAME); assertV31SignerTargetsMinApiLevel(result, SECOND_RSA_2048_SIGNER_RESOURCE_NAME, - V3SchemeConstants.DEV_RELEASE_ROTATION_MIN_SDK_VERSION); + AndroidSdkVersion.T); assertSourceStampVerified(signedApk, result); } @@ -1789,40 +1783,6 @@ public class ApkSignerTest { } @Test - public void testV31_rotationMinSdkVersionT_v30SignerTargetsAtLeast31() throws Exception { - // The T development release is currently using the API level of S until its own SDK is - // finalized. This requires apksig to sign an APK targeting T for rotation with a V3.1 - // block that targets API level 31. By default, apksig will decrement the SDK version for - // the current signer block and use that as the maxSdkVersion for the next signer; however - // this means the original signing key will only target through 30 which would prevent - // an APK signed with V3.1 targeting T from installing on a device running S. This test - // ensures targeting T will use the rotation-targets-dev-release option so that the APK - // can still install on devices with an API level of 31. - List<ApkSigner.SignerConfig> rsa2048SignerConfigWithLineage = - Arrays.asList( - getDefaultSignerConfigFromResources(FIRST_RSA_2048_SIGNER_RESOURCE_NAME), - getDefaultSignerConfigFromResources(SECOND_RSA_2048_SIGNER_RESOURCE_NAME)); - SigningCertificateLineage lineage = - Resources.toSigningCertificateLineage( - ApkSignerTest.class, LINEAGE_RSA_2048_2_SIGNERS_RESOURCE_NAME); - - File signedApk = sign("original.apk", - new ApkSigner.Builder(rsa2048SignerConfigWithLineage) - .setV1SigningEnabled(true) - .setV2SigningEnabled(true) - .setV3SigningEnabled(true) - .setV4SigningEnabled(false) - .setMinSdkVersionForRotation(V3SchemeConstants.MIN_SDK_WITH_V31_SUPPORT) - .setSigningCertificateLineage(lineage)); - ApkVerifier.Result result = verify(signedApk, null); - - assertVerified(result); - assertTrue(result.isVerifiedUsingV31Scheme()); - assertTrue(result.getV31SchemeSigners().get(0).getRotationTargetsDevRelease()); - assertTrue(result.getV3SchemeSigners().get(0).getMaxSdkVersion() >= AndroidSdkVersion.S); - } - - @Test public void testV31_rotationMinSdkVersionEqualsMinSdkVersion_v3SignerPresent() throws Exception { // The SDK version for Sv2 (32) is used as the minSdkVersion for the V3.1 signature @@ -1907,7 +1867,7 @@ public class ApkSignerTest { assertTrue(result.isVerifiedUsingV31Scheme()); assertEquals(AndroidSdkVersion.Sv2, result.getV3SchemeSigners().get(0).getMaxSdkVersion()); assertV31SignerTargetsMinApiLevel(result, SECOND_RSA_2048_SIGNER_RESOURCE_NAME, - V3SchemeConstants.DEV_RELEASE_ROTATION_MIN_SDK_VERSION); + AndroidSdkVersion.T); } @Test |