Add signing certificate lineage file support.

Also add multi-cert support to prebuilt apps so that they can benefit
from the new lineage feature.

Test: m GoogleServicesFramework w/ modified build rules
Test: m PrebuiltGmsCore w/ modified build rules
Test: apksigner lineage -v --print-certs -in <built_module_path>
Fixes: 152897457
Change-Id: If7d5d4bd308629c8340231520214c76c8a568a65
Jaewoong Jung
2020-04-02 13:01:08 -07:00
parent 96c9e6ed00
commit e2348338e4
5 changed files with 24 additions and 0 deletions


@@ -36,6 +36,7 @@ import org.conscrypt.OpenSSLProvider;
import com.android.apksig.ApkSignerEngine;
import com.android.apksig.DefaultApkSignerEngine;
import com.android.apksig.SigningCertificateLineage;
import com.android.apksig.Hints;
import com.android.apksig.apk.ApkUtils;
import com.android.apksig.apk.MinSdkVersionException;
@@ -1046,6 +1047,7 @@ class SignApk {
Integer minSdkVersionOverride = null;
boolean signUsingApkSignatureSchemeV2 = true;
boolean signUsingApkSignatureSchemeV4 = false;
SigningCertificateLineage certLineage = null;
int argstart = 0;
while (argstart < args.length && args[argstart].startsWith("-")) {
@@ -1076,6 +1078,15 @@ class SignApk {
} else if ("--enable-v4".equals(args[argstart])) {
signUsingApkSignatureSchemeV4 = true;
++argstart;
} else if ("--lineage".equals(args[argstart])) {
File lineageFile = new File(args[++argstart]);
try {
certLineage = SigningCertificateLineage.readFromFile(lineageFile);
} catch (Exception e) {
throw new IllegalArgumentException(
"Error reading lineage file: " + e.getMessage());
}
++argstart;
} else {
usage();
}
@@ -1166,6 +1177,7 @@ class SignApk {
.setV2SigningEnabled(signUsingApkSignatureSchemeV2)
.setOtherSignersSignaturesPreserved(false)
.setCreatedBy("1.0 (Android SignApk)")
.setSigningCertificateLineage(certLineage)
.build()) {
// We don't preserve the input APK's APK Signing Block (which contains v2
// signatures)
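Review bot: In the `--lineage` branch, `args[++argstart]` is read without checking that a value follows the flag, so a trailing `--lineage` ends in an ArrayIndexOutOfBoundsException rather than the usage message. A guard such as `if (argstart + 1 >= args.length) usage();` before the read would fix that, assuming `usage()` exits, which is not visible here. The catch block rethrows with only `e.getMessage()`, which drops the original exception and its stack trace; passing the cause keeps a malformed lineage file diagnosable: `throw new IllegalArgumentException("Error reading lineage file: " + e.getMessage(), e);`. Narrowing `catch (Exception e)` to the exception types `readFromFile` declares would also avoid reporting unrelated runtime errors as a lineage read failure. The enclosing method of `SignApk` starts and ends outside these hunks.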