Age | Commit message | Author |
|
gki13-boot-release
Change-Id: Ia5d67777c4dacfc1c5070ee5e15ee6867d959497
|
|
Bug: 242648940
Merged-In: Ib5ec9865aa9d92a37fc00e4ac9d1358f2414b07b
Change-Id: I5acc22a31d412f1998399b71c73bd3f5424615bd
|
|
Bug: 236760014
Merged-In: Ib5ec9865aa9d92a37fc00e4ac9d1358f2414b07b
Change-Id: Ic2183a26e9ea7815828001add7cab0109b34866f
|
|
gki13-boot-release
Change-Id: Ic926c15795029e7ea6f7915570d4f3a3064b9b78
|
|
Original change: https://android-review.googlesource.com/c/platform/tools/apksig/+/2128975
Change-Id: I4954bc5feea58eb0fbdc44cd54ff7d3ea5080cd0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
Original change: https://android-review.googlesource.com/c/platform/tools/apksig/+/2128975
Change-Id: Ib683b5e4336d4ea127177fa2445c006c94d7eedf
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
The CLI tool apksigner can pass the option with "--align-file-size" flag
to ApkSigner.
This corresponds to the change made to signapk.
(https://android-review.googlesource.com/c/platform/build/+/1762580)
Bug: 194771859
Test: apksigner sign --key key --cert cert --in in.apk --out out.apk
out.apk should be sized as multiples of 4K
Test: ./gradlew test
Change-Id: Ib5ec9865aa9d92a37fc00e4ac9d1358f2414b07b
|
|
am: fc6387ff79
Original change: https://googleplex-android-review.googlesource.com/c/platform/tools/apksig/+/18332988
Change-Id: Idf56920a9fe5045340f8709a82b5af872643215e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
|
|
The v3.1 signature scheme was introduced in Android T, but during the
development of T, the SDK version was set to that of the previously
released platform, Sv2, at 32. In order to test the new signature
scheme on T, the v3.1 signing block had to use a min SDK version of
32 to ensure the block's SDK range would apply to T. Now that the
T SDK has been finalized with a version of 33, this new value
can be used for packages targeting T for rotation.
Note, this will not affect packages signed with the previous min
SDK version of 32 since that would still apply to this finalized
SDK version.
Bug: 232118308
Test: gradlew test
Change-Id: I0764227c70806494f9c0361eecd068e228b4171e
|
|
Original change: https://googleplex-android-review.googlesource.com/c/platform/tools/apksig/+/18152826
Change-Id: Ic3397feffb875df0048e7391143a44f06e1c9c7a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
into tm-dev am: 37dcfdcbcb
Original change: https://googleplex-android-review.googlesource.com/c/platform/tools/apksig/+/18104170
Change-Id: I8d9df8657c97bd8ce30c8bc6385b12b23f9d33e9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
|
|
into tm-dev
|
|
This commit adds a timestamp attribute to the source stamp block
containing the epoch time at which the block was signed.
Bug: 216204639
Test: gradlew test
Change-Id: I1ef084b04c8c252b3d9257e297196a55405549c8
Merged-In: I1ef084b04c8c252b3d9257e297196a55405549c8
(cherry picked from commit b5f70f9d1f4b9aa6b71883fe911b1d13d1bf493c)
|
|
Original change: https://googleplex-android-review.googlesource.com/c/platform/tools/apksig/+/18084651
Change-Id: I6ea196c4a438e1583dec238c7fdb6b36e3a3b6b0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
The apksigner command line tool currently has an option to print the
details about an app's signing certificate(s), but there was no way
for a user to obtain the actual signing certificate. This commit
adds a new option to display the PEM encoding of each signing
certificate to stdout that can be used when verifying an APK's
signature or lineage.
Fixes: 230795090
Test: Manually verified PEM output was displayed when requested.
Change-Id: Ib7051d6d0bbdd99b95d37c0a9ccf7e06ef737b29
|
|
Android T introduced the v3.1 signature scheme to allow packages to
target T+ for signing key rotation with a single APK. To allow apps
to take advantage of this new signing scheme, as well as to avoid
some of the known issues with key rotation on previous platform
releases, this commit updates apksig to target T for signing key
rotation when an explicit rotation-min-sdk-version is not specified.
Bug: 230486681
Test: gradlew test
Change-Id: If1043bb80be087e51685ff267fb640fc8ce4defe
|
|
8083582d08
Original change: https://googleplex-android-review.googlesource.com/c/platform/tools/apksig/+/17968716
Change-Id: Ia4f6da08ea9b388ed13bf63d5bc9cb39534bc210
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
Android T introduced the v3.1 signature scheme that allows apps to
target APK signing key rotation to an SDK version T+ and the original
signing key will be used for previous releases. Since releases under
development use the SDK version of the previously released SDK, the
v3.1 scheme also supports targeting a development release; in the
case of T, the v3.1 block will target Sv2's SDK version (32) during
development and the v3.0 block will use 32 as the max SDK version
for the block. However, if an app's minSdkVersion is set to 32, the
previous behavior would only return the v3.1 signer causing v3.0
signing to fail due to a missing signing config. This commit
updates the logic to continue parsing the signers if the v3.1's
minSdkVersion is equal to the app's minSdkVersion when supporting
a development release.
Bug: 230340743
Test: gradlew test
Change-Id: Ibd13f899c7686cd5db6e509b6a2ecca73992b732
|
|
gki13-boot-release
Change-Id: Ie9b1170886b81668d062e8becd11aef17288a60c
|
|
apksig is designed to behave as the platform would based on the min /
max SDK versions; when a min-sdk-version is not explicitly provided,
apksig will use the minSdkVersion from the APK's manifest. A device
running Android T or later will only verify the v3.1 signature if it
exists; apksig will behave the same for an APK signed with a v3.1
signature and a min-sdk-version of 33 or later. This commit resolves
the verification errors that were reported when apksig only verified
the v3.1 signature with a min-sdk-version of 33 by properly
recognizing the v3.1 signature as an extension of v3 and also
sufficient to meet the min v2 signature requirement for apps targeting
SDK version 30.
Bug: 208504694
Test: gradlew test
Change-Id: I28eadf4103358eb23cbc10880ac90c394e54e333
|
|
During the development of a new platform, the SDK version of the most
recently finalized platform release is used. Initially T used the
SDK version of S (31), but recently Sv2 was finalized and the SDK
version was bumped to 32. In order for the v3.1 signing block to
be recognized on a device running T, the device SDK version must fall
within the bounds of the v3.1 signer's min / max SDK version. The
v3.1 signature scheme will still work on devices running T with the
new SDK version of 32 since apksig was using 31 as the min SDK
version, but this value is also used as the max SDK version for the
v3.0 signer. Since Sv2 is also using 32 as its API level, the max
SDK version of 31 written to the v3.0 signer block prevents the device
from recognizing a proper v3.0 signer. This commit updates the
API level used for the v3.1 signer block to 32 which will also update
the v3.0 signing block to use 32 as the max SDK version allowing
APKs signed with the v3.1 signature scheme targeting T for rotation
to properly install with the original signer on a device running Sv2
with the finalized SDK.
Fixes: 205551461
Test: gradlew test
Change-Id: I44d65c36adfea4d792ae97afa1aac6ddfd09bdd3
|
|
Prior to Android S, when multiple apps share a common signer in their
signing lineage with non-default capabilities, the platform would
assign the capabilities declared for this signer in one of the apps'
lineages to the same signer in the lineage of the rest of the apps.
This commit updates the developer signing docs to ensure developers
are aware of this issue.
Bug: 201588245
Test: gradlew test
Change-Id: If3e6395efdfe1a6c926933d3d6ee3857df1d6841
|
|
Bug: 202011194
Test: ./gradlew test
Test: adb install on T/master
$ adb install orig.apk
Performing Incremental Install
Serving...
All files should be loaded. Notifying the device.
Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES: Failed to collect certificates from /data/app/vmdl54972609.tmp/orig.apk using APK Signature Scheme v4: V4 signature certificate does not match V2/V3]
Performing Streamed Install
Success
Test: adb install on S (sc-dev)
$ adb install orig.apk
Performing Incremental Install
Serving...
All files should be loaded. Notifying the device.
Success
Install command complete in 229 ms
Change-Id: Id1910fbc88f1399ea5b1ea33a43962e7f36c009b
|
|
apksig allows a value to be set for rotation-min-sdk-version without
requiring a rotated signing key / lineage to be specified. This allows
a generic signing config to be used that supports both dev and prod
builds where the dev build is using the rotated signing key but the prod
build is still using only the original key with the
rotation-min-sdk-version set for both. This commit ensures that the
rotation stripping attribute is only written to the v3.0 signer if
a rotated signing key is used in the v3.1 signing block.
Bug: 202830422
Test: gradlew test
Change-Id: I3010d591f7be6113708b01034e46d11b0352095c
|
|
Android T introduced the V3.1 signature scheme to allow APK version
targeting for key rotation; this scheme allows a single APK to support
rotation on SDK version X for X >= Android T, while all previous
releases will only see and use the original signing key. This requires
the V4 signature to be updated to include both the rotated signing key
when installed on a device running X+ as well as the original signing
key for devices running a version < X. This commit adds two new tests
to ensure the V4 signature contains the expected signer both when
the V3.1 signature scheme is used as well as when only the V3.0
scheme is used for rotation. The V3.1 test is currently marked with
@Ignore and should be re-enabled once the V4 scheme supports V3.1.
Bug: 202011194
Test: gradlew test
Change-Id: I4a4c43553c9e1e72c7b6d97c6b716ad57728666a
|
|
-s ours am: ac8b0779f9 -s ours am: dfdb515d8f -s ours am: f9e407c437 -s ours
am skip reason: Merged-In I95928fddc96f3a90e2ae935e9ccd6229801471d1 with SHA-1 e290dbccf5 is already in history
Original change: https://android-review.googlesource.com/c/platform/tools/apksig/+/1847864
Change-Id: I28c1586fdfd584f1446b9e65326273ac627ee038
|
|
-s ours am: ac8b0779f9 -s ours am: dfdb515d8f -s ours
am skip reason: Merged-In I95928fddc96f3a90e2ae935e9ccd6229801471d1 with SHA-1 e290dbccf5 is already in history
Original change: https://android-review.googlesource.com/c/platform/tools/apksig/+/1847864
Change-Id: I10b72c33ab451f550cf20286de9e43409be8261d
|
|
-s ours am: ac8b0779f9 -s ours
am skip reason: Merged-In I95928fddc96f3a90e2ae935e9ccd6229801471d1 with SHA-1 e290dbccf5 is already in history
Original change: https://android-review.googlesource.com/c/platform/tools/apksig/+/1847864
Change-Id: I6b6ff21428c05e31a43805c025753c890b3965ff
|
|
-s ours
am skip reason: Merged-In I95928fddc96f3a90e2ae935e9ccd6229801471d1 with SHA-1 e290dbccf5 is already in history
Original change: https://android-review.googlesource.com/c/platform/tools/apksig/+/1847864
Change-Id: I23eead2f639b649fd050ffc6746260a61ea15545
|
|
am skip reason: Merged-In I95928fddc96f3a90e2ae935e9ccd6229801471d1 with SHA-1 e290dbccf5 is already in history
Original change: https://android-review.googlesource.com/c/platform/tools/apksig/+/1847864
Change-Id: I5ff9877d6757c58d697aea6d131f6958a39c93f8
|
|
Android T introduced SDK version targeting for rotation on T+ by
allowing a caller to specify a rotation-min-sdk-version. If this
value is less than T, then the rotated signing key should be used in
the V3.0 signing block. However, a value X > P and < T can cause
multiple signers to be written to the V3 block, one targeting P -
X-1 with the original signing key, and the other targeting X and
later with the rotated key. Since SDK version targeting has not
been thoroughly tested on previous platform releases, this commit
will set the rotation-min-sdk-version to P when a value X < T
is provided to ensure the V3 block only contains the rotated
signer. This remains consistent with the documentation and will
ensure apps that have already rotated prior to T can specify
the version on which they rotated to see the original V3 behavior.
Bug: 202424396
Test: gradlew test
Change-Id: I00dae110b8f9c552e6cd5100491b0caa5e7138f8
|
|
Bug: 202323961
Merged-In: I95928fddc96f3a90e2ae935e9ccd6229801471d1
Change-Id: I5b3c094df6ddac36e784ab8efcfe6dee3e16f3bf
|
|
am: 457ed55614 am: 3fcc439416
Original change: https://android-review.googlesource.com/c/platform/tools/apksig/+/1832095
Change-Id: I038561ef2d82d44a7587519726748cd1fdb9445f
|
|
am: 457ed55614
Original change: https://android-review.googlesource.com/c/platform/tools/apksig/+/1832095
Change-Id: I3c431740fb07ec267d303b8fbf5a7ada3244b87f
|
|
Original change: https://android-review.googlesource.com/c/platform/tools/apksig/+/1832095
Change-Id: Ieeacd95d092c2c5d97891f8005d6f5f0d6bf7050
|
|
Original change: https://android-review.googlesource.com/c/platform/tools/apksig/+/1832095
Change-Id: I09b6b836ecd79602176d3dedc5788d4088c07b84
|
|
Original change: https://android-review.googlesource.com/c/platform/tools/apksig/+/1832095
Change-Id: I95928fddc96f3a90e2ae935e9ccd6229801471d1
|
|
Bug: 200723313
Test: gradlew test
Change-Id: I570fddb6cad076b4df0ffcc0342e426b74794a4f
|
|
As it's already being distributed in the sdk-repo build-tools windows
package.
Bug: 187222815
Change-Id: I72cb642d11e33b198fcfa914a3b49df1b856f416
|
|
The v3.1 signature scheme supports targeting rotation for a platform
under development that is using the SDK version of the previously
released platform. This commit updates the documentation for this new
apksigner flag.
Bug: 192301300
Test: gradlew test
Change-Id: I9204411227f4a2949ce51a0c47ac072d86ee4deb
|
|
When a new release is under development, its SDK version is set to
the SDK version of the previous release; during the majority of the
T development, the SDK version of a device running T will be S (31).
Since S- devices do not know about the v3.1 block ID, it is safe to
set the minSdkVersion of a v3.1 signer using a rotated key to 31;
T devices will recognize the new signature scheme and use the rotated
signer, but if the same APK were installed on an S device the v3.1
block would be ignored, and the original signer would be used. However,
once T is released and U is using the SDK version of T, if rotation
needs to target U, just specifying the SDK version of T will not be
sufficient since this could then install on T and U devices. The
new rotation-targets-dev-release flag will allow a v3.1 signer to
target the active release under development; if this new flag is set
then the minSdkVersion of the v3.1 signer must be within range of the
device's SDK version and the system property ro.build.version.codename
must not be set to "REL".
Bug: 192301300
Test: gradlew test
Change-Id: Id6ca0b6d5db575f301cf715ebaceadfd1df19de0
|
|
|
|
This commit adds support for a new v3.1 APK signature scheme that
allows APK signing key rotation to target T+. This version will still
default to using the v3.0 signing block for rotation, but once the
build system is updated to support the new rotation-min-sdk-version
option v3.1 will be enabled by default for all key rotations.
This commit also updates all of the golden APKs that use key rotation
because the minSdkVersion of the v3 signer is updated from 24 (the
first API level that supports the signature algorithm) to 28 (the
first API level that supports v3).
Bug: 192301300
Test: gradlew test
Change-Id: I49cc98ea803d18d53131a78be668921d58ac5f4b
|
|
f87eca1c75 -s ours am: f08d2c71b5 -s ours am: 9aaf5d3436 -s ours am: bd994a2df1 -s ours
am skip reason: Merged-In Ibd5933cd1bd1b831e7eea5147eca3799faf0ad1a with SHA-1 7adce360a6 is already in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/tools/apksig/+/15550978
Change-Id: Ie6e80e8f16b79afad72fc5d52ac561af3ced414f
|
|
f87eca1c75 -s ours am: f08d2c71b5 -s ours am: 9aaf5d3436 -s ours
am skip reason: Merged-In Ibd5933cd1bd1b831e7eea5147eca3799faf0ad1a with SHA-1 7adce360a6 is already in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/tools/apksig/+/15550978
Change-Id: I16ed1df3b0d55573780b30f1cfbc0dda1df9f929
|
|
f87eca1c75 -s ours am: f08d2c71b5 -s ours
am skip reason: Merged-In Ibd5933cd1bd1b831e7eea5147eca3799faf0ad1a with SHA-1 7adce360a6 is already in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/tools/apksig/+/15550978
Change-Id: I024beeadae9a5f6d1427736ca45429161da2db8e
|
|
f87eca1c75 -s ours
am skip reason: Merged-In Ibd5933cd1bd1b831e7eea5147eca3799faf0ad1a with SHA-1 7adce360a6 is already in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/tools/apksig/+/15550978
Change-Id: Ib0d3f42e4292bafdb40a890fbca7dcc284f06954
|
|
Merged-In: Ibd5933cd1bd1b831e7eea5147eca3799faf0ad1a
Change-Id: I81da1fe802c2ce5be6058918e2d7cec2ec1a8890
|