diff --git a/java/app.go b/java/app.go index 6554d6693..48576603e 100755 --- a/java/app.go +++ b/java/app.go @@ -128,6 +128,9 @@ type overridableAppProperties struct { // Name of the signing certificate lineage file or filegroup module. Lineage *string `android:"path"` + // For overriding the --rotation-min-sdk-version property of apksig + RotationMinSdkVersion *string + // the package name of this app. The package name in the manifest file is used if one was not given. Package_name *string @@ -693,7 +696,10 @@ func (a *AndroidApp) generateAndroidBuildActions(ctx android.ModuleContext) { if lineage := String(a.overridableAppProperties.Lineage); lineage != "" { lineageFile = android.PathForModuleSrc(ctx, lineage) } - CreateAndSignAppPackage(ctx, packageFile, a.exportPackage, jniJarFile, dexJarFile, certificates, apkDeps, v4SignatureFile, lineageFile) + + rotationMinSdkVersion := String(a.overridableAppProperties.RotationMinSdkVersion) + + CreateAndSignAppPackage(ctx, packageFile, a.exportPackage, jniJarFile, dexJarFile, certificates, apkDeps, v4SignatureFile, lineageFile, rotationMinSdkVersion) a.outputFile = packageFile if v4SigningRequested { a.extraOutputFiles = append(a.extraOutputFiles, v4SignatureFile) @@ -705,7 +711,7 @@ func (a *AndroidApp) generateAndroidBuildActions(ctx android.ModuleContext) { if v4SigningRequested { v4SignatureFile = android.PathForModuleOut(ctx, a.installApkName+"_"+split.suffix+".apk.idsig") } - CreateAndSignAppPackage(ctx, packageFile, split.path, nil, nil, certificates, apkDeps, v4SignatureFile, lineageFile) + CreateAndSignAppPackage(ctx, packageFile, split.path, nil, nil, certificates, apkDeps, v4SignatureFile, lineageFile, rotationMinSdkVersion) a.extraOutputFiles = append(a.extraOutputFiles, packageFile) if v4SigningRequested { a.extraOutputFiles = append(a.extraOutputFiles, v4SignatureFile) diff --git a/java/app_builder.go b/java/app_builder.go index 4a18dcada..74cd85c08 100644 --- a/java/app_builder.go +++ b/java/app_builder.go @@ -52,7 +52,7 @@ var combineApk = pctx.AndroidStaticRule("combineApk", }) func CreateAndSignAppPackage(ctx android.ModuleContext, outputFile android.WritablePath, - packageFile, jniJarFile, dexJarFile android.Path, certificates []Certificate, deps android.Paths, v4SignatureFile android.WritablePath, lineageFile android.Path) { + packageFile, jniJarFile, dexJarFile android.Path, certificates []Certificate, deps android.Paths, v4SignatureFile android.WritablePath, lineageFile android.Path, rotationMinSdkVersion string) { unsignedApkName := strings.TrimSuffix(outputFile.Base(), ".apk") + "-unsigned.apk" unsignedApk := android.PathForModuleOut(ctx, unsignedApkName) @@ -73,10 +73,10 @@ func CreateAndSignAppPackage(ctx android.ModuleContext, outputFile android.Writa Implicits: deps, }) - SignAppPackage(ctx, outputFile, unsignedApk, certificates, v4SignatureFile, lineageFile) + SignAppPackage(ctx, outputFile, unsignedApk, certificates, v4SignatureFile, lineageFile, rotationMinSdkVersion) } -func SignAppPackage(ctx android.ModuleContext, signedApk android.WritablePath, unsignedApk android.Path, certificates []Certificate, v4SignatureFile android.WritablePath, lineageFile android.Path) { +func SignAppPackage(ctx android.ModuleContext, signedApk android.WritablePath, unsignedApk android.Path, certificates []Certificate, v4SignatureFile android.WritablePath, lineageFile android.Path, rotationMinSdkVersion string) { var certificateArgs []string var deps android.Paths @@ -97,6 +97,10 @@ func SignAppPackage(ctx android.ModuleContext, signedApk android.WritablePath, u deps = append(deps, lineageFile) } + if rotationMinSdkVersion != "" { + flags = append(flags, "--rotation-min-sdk-version", rotationMinSdkVersion) + } + rule := Signapk args := map[string]string{ "certificates": strings.Join(certificateArgs, " "), diff --git a/java/app_import.go b/java/app_import.go index 3e5f972a4..faf471634 100644 --- a/java/app_import.go +++ b/java/app_import.go @@ -77,6 +77,9 @@ type AndroidAppImportProperties struct { // Name of the signing certificate lineage file or filegroup module. Lineage *string `android:"path"` + // For overriding the --rotation-min-sdk-version property of apksig + RotationMinSdkVersion *string + // Sign with the default system dev certificate. Must be used judiciously. Most imported apps // need to either specify a specific certificate or be presigned. Default_dev_cert *bool @@ -330,7 +333,10 @@ func (a *AndroidAppImport) generateAndroidBuildActions(ctx android.ModuleContext if lineage := String(a.properties.Lineage); lineage != "" { lineageFile = android.PathForModuleSrc(ctx, lineage) } - SignAppPackage(ctx, signed, jnisUncompressed, certificates, nil, lineageFile) + + rotationMinSdkVersion := String(a.properties.RotationMinSdkVersion) + + SignAppPackage(ctx, signed, jnisUncompressed, certificates, nil, lineageFile, rotationMinSdkVersion) a.outputFile = signed } else { alignedApk := android.PathForModuleOut(ctx, "zip-aligned", apkFilename) diff --git a/java/app_import_test.go b/java/app_import_test.go index efa52c178..55d24c4b8 100644 --- a/java/app_import_test.go +++ b/java/app_import_test.go @@ -112,6 +112,7 @@ func TestAndroidAppImport_SigningLineage(t *testing.T) { certificate: "platform", additional_certificates: [":additional_certificate"], lineage: "lineage.bin", + rotationMinSdkVersion: "32", } android_app_certificate { @@ -131,11 +132,12 @@ func TestAndroidAppImport_SigningLineage(t *testing.T) { if expected != certificatesFlag { t.Errorf("Incorrect certificates flags, expected: %q, got: %q", expected, certificatesFlag) } - // Check cert signing lineage flag. - signingFlag := signedApk.Args["flags"] - expected = "--lineage lineage.bin" - if expected != signingFlag { - t.Errorf("Incorrect signing flags, expected: %q, got: %q", expected, signingFlag) + + // Check cert signing flags. + actualCertSigningFlags := signedApk.Args["flags"] + expectedCertSigningFlags := "--lineage lineage.bin --rotation-min-sdk-version 32" + if expectedCertSigningFlags != actualCertSigningFlags { + t.Errorf("Incorrect signing flags, expected: %q, got: %q", expectedCertSigningFlags, actualCertSigningFlags) } } diff --git a/java/app_test.go b/java/app_test.go index 07439fcd0..349c1b5f2 100644 --- a/java/app_test.go +++ b/java/app_test.go @@ -1485,11 +1485,11 @@ func TestJNISDK(t *testing.T) { func TestCertificates(t *testing.T) { testCases := []struct { - name string - bp string - certificateOverride string - expectedLineage string - expectedCertificate string + name string + bp string + certificateOverride string + expectedCertSigningFlags string + expectedCertificate string }{ { name: "default", @@ -1500,9 +1500,9 @@ func TestCertificates(t *testing.T) { sdk_version: "current", } `, - certificateOverride: "", - expectedLineage: "", - expectedCertificate: "build/make/target/product/security/testkey.x509.pem build/make/target/product/security/testkey.pk8", + certificateOverride: "", + expectedCertSigningFlags: "", + expectedCertificate: "build/make/target/product/security/testkey.x509.pem build/make/target/product/security/testkey.pk8", }, { name: "module certificate property", @@ -1519,9 +1519,9 @@ func TestCertificates(t *testing.T) { certificate: "cert/new_cert", } `, - certificateOverride: "", - expectedLineage: "", - expectedCertificate: "cert/new_cert.x509.pem cert/new_cert.pk8", + certificateOverride: "", + expectedCertSigningFlags: "", + expectedCertificate: "cert/new_cert.x509.pem cert/new_cert.pk8", }, { name: "path certificate property", @@ -1533,9 +1533,9 @@ func TestCertificates(t *testing.T) { sdk_version: "current", } `, - certificateOverride: "", - expectedLineage: "", - expectedCertificate: "build/make/target/product/security/expiredkey.x509.pem build/make/target/product/security/expiredkey.pk8", + certificateOverride: "", + expectedCertSigningFlags: "", + expectedCertificate: "build/make/target/product/security/expiredkey.x509.pem build/make/target/product/security/expiredkey.pk8", }, { name: "certificate overrides", @@ -1552,18 +1552,19 @@ func TestCertificates(t *testing.T) { certificate: "cert/new_cert", } `, - certificateOverride: "foo:new_certificate", - expectedLineage: "", - expectedCertificate: "cert/new_cert.x509.pem cert/new_cert.pk8", + certificateOverride: "foo:new_certificate", + expectedCertSigningFlags: "", + expectedCertificate: "cert/new_cert.x509.pem cert/new_cert.pk8", }, { - name: "certificate lineage", + name: "certificate signing flags", bp: ` android_app { name: "foo", srcs: ["a.java"], certificate: ":new_certificate", lineage: "lineage.bin", + rotationMinSdkVersion: "32", sdk_version: "current", } @@ -1572,18 +1573,19 @@ func TestCertificates(t *testing.T) { certificate: "cert/new_cert", } `, - certificateOverride: "", - expectedLineage: "--lineage lineage.bin", - expectedCertificate: "cert/new_cert.x509.pem cert/new_cert.pk8", + certificateOverride: "", + expectedCertSigningFlags: "--lineage lineage.bin --rotation-min-sdk-version 32", + expectedCertificate: "cert/new_cert.x509.pem cert/new_cert.pk8", }, { - name: "lineage from filegroup", + name: "cert signing flags from filegroup", bp: ` android_app { name: "foo", srcs: ["a.java"], certificate: ":new_certificate", lineage: ":lineage_bin", + rotationMinSdkVersion: "32", sdk_version: "current", } @@ -1597,9 +1599,9 @@ func TestCertificates(t *testing.T) { srcs: ["lineage.bin"], } `, - certificateOverride: "", - expectedLineage: "--lineage lineage.bin", - expectedCertificate: "cert/new_cert.x509.pem cert/new_cert.pk8", + certificateOverride: "", + expectedCertSigningFlags: "--lineage lineage.bin --rotation-min-sdk-version 32", + expectedCertificate: "cert/new_cert.x509.pem cert/new_cert.pk8", }, } @@ -1620,8 +1622,8 @@ func TestCertificates(t *testing.T) { signCertificateFlags := signapk.Args["certificates"] android.AssertStringEquals(t, "certificates flags", test.expectedCertificate, signCertificateFlags) - signFlags := signapk.Args["flags"] - android.AssertStringEquals(t, "signing flags", test.expectedLineage, signFlags) + certSigningFlags := signapk.Args["flags"] + android.AssertStringEquals(t, "cert signing flags", test.expectedCertSigningFlags, certSigningFlags) }) } } @@ -1800,6 +1802,7 @@ func TestOverrideAndroidApp(t *testing.T) { base: "foo", certificate: ":new_certificate", lineage: "lineage.bin", + rotationMinSdkVersion: "32", logging_parent: "bah", } @@ -1845,89 +1848,89 @@ func TestOverrideAndroidApp(t *testing.T) { `) expectedVariants := []struct { - name string - moduleName string - variantName string - apkName string - apkPath string - certFlag string - lineageFlag string - overrides []string - packageFlag string - renameResources bool - logging_parent string + name string + moduleName string + variantName string + apkName string + apkPath string + certFlag string + certSigningFlags string + overrides []string + packageFlag string + renameResources bool + logging_parent string }{ { - name: "foo", - moduleName: "foo", - variantName: "android_common", - apkPath: "out/soong/target/product/test_device/system/app/foo/foo.apk", - certFlag: "build/make/target/product/security/expiredkey.x509.pem build/make/target/product/security/expiredkey.pk8", - lineageFlag: "", - overrides: []string{"qux"}, - packageFlag: "", - renameResources: false, - logging_parent: "", + name: "foo", + moduleName: "foo", + variantName: "android_common", + apkPath: "out/soong/target/product/test_device/system/app/foo/foo.apk", + certFlag: "build/make/target/product/security/expiredkey.x509.pem build/make/target/product/security/expiredkey.pk8", + certSigningFlags: "", + overrides: []string{"qux"}, + packageFlag: "", + renameResources: false, + logging_parent: "", }, { - name: "foo", - moduleName: "bar", - variantName: "android_common_bar", - apkPath: "out/soong/target/product/test_device/system/app/bar/bar.apk", - certFlag: "cert/new_cert.x509.pem cert/new_cert.pk8", - lineageFlag: "--lineage lineage.bin", - overrides: []string{"qux", "foo"}, - packageFlag: "", - renameResources: false, - logging_parent: "bah", + name: "foo", + moduleName: "bar", + variantName: "android_common_bar", + apkPath: "out/soong/target/product/test_device/system/app/bar/bar.apk", + certFlag: "cert/new_cert.x509.pem cert/new_cert.pk8", + certSigningFlags: "--lineage lineage.bin --rotation-min-sdk-version 32", + overrides: []string{"qux", "foo"}, + packageFlag: "", + renameResources: false, + logging_parent: "bah", }, { - name: "foo", - moduleName: "baz", - variantName: "android_common_baz", - apkPath: "out/soong/target/product/test_device/system/app/baz/baz.apk", - certFlag: "build/make/target/product/security/expiredkey.x509.pem build/make/target/product/security/expiredkey.pk8", - lineageFlag: "", - overrides: []string{"qux", "foo"}, - packageFlag: "org.dandroid.bp", - renameResources: true, - logging_parent: "", + name: "foo", + moduleName: "baz", + variantName: "android_common_baz", + apkPath: "out/soong/target/product/test_device/system/app/baz/baz.apk", + certFlag: "build/make/target/product/security/expiredkey.x509.pem build/make/target/product/security/expiredkey.pk8", + certSigningFlags: "", + overrides: []string{"qux", "foo"}, + packageFlag: "org.dandroid.bp", + renameResources: true, + logging_parent: "", }, { - name: "foo", - moduleName: "baz_no_rename_resources", - variantName: "android_common_baz_no_rename_resources", - apkPath: "out/soong/target/product/test_device/system/app/baz_no_rename_resources/baz_no_rename_resources.apk", - certFlag: "build/make/target/product/security/expiredkey.x509.pem build/make/target/product/security/expiredkey.pk8", - lineageFlag: "", - overrides: []string{"qux", "foo"}, - packageFlag: "org.dandroid.bp", - renameResources: false, - logging_parent: "", + name: "foo", + moduleName: "baz_no_rename_resources", + variantName: "android_common_baz_no_rename_resources", + apkPath: "out/soong/target/product/test_device/system/app/baz_no_rename_resources/baz_no_rename_resources.apk", + certFlag: "build/make/target/product/security/expiredkey.x509.pem build/make/target/product/security/expiredkey.pk8", + certSigningFlags: "", + overrides: []string{"qux", "foo"}, + packageFlag: "org.dandroid.bp", + renameResources: false, + logging_parent: "", }, { - name: "foo_no_rename_resources", - moduleName: "baz_base_no_rename_resources", - variantName: "android_common_baz_base_no_rename_resources", - apkPath: "out/soong/target/product/test_device/system/app/baz_base_no_rename_resources/baz_base_no_rename_resources.apk", - certFlag: "build/make/target/product/security/expiredkey.x509.pem build/make/target/product/security/expiredkey.pk8", - lineageFlag: "", - overrides: []string{"qux", "foo_no_rename_resources"}, - packageFlag: "org.dandroid.bp", - renameResources: false, - logging_parent: "", + name: "foo_no_rename_resources", + moduleName: "baz_base_no_rename_resources", + variantName: "android_common_baz_base_no_rename_resources", + apkPath: "out/soong/target/product/test_device/system/app/baz_base_no_rename_resources/baz_base_no_rename_resources.apk", + certFlag: "build/make/target/product/security/expiredkey.x509.pem build/make/target/product/security/expiredkey.pk8", + certSigningFlags: "", + overrides: []string{"qux", "foo_no_rename_resources"}, + packageFlag: "org.dandroid.bp", + renameResources: false, + logging_parent: "", }, { - name: "foo_no_rename_resources", - moduleName: "baz_override_base_rename_resources", - variantName: "android_common_baz_override_base_rename_resources", - apkPath: "out/soong/target/product/test_device/system/app/baz_override_base_rename_resources/baz_override_base_rename_resources.apk", - certFlag: "build/make/target/product/security/expiredkey.x509.pem build/make/target/product/security/expiredkey.pk8", - lineageFlag: "", - overrides: []string{"qux", "foo_no_rename_resources"}, - packageFlag: "org.dandroid.bp", - renameResources: true, - logging_parent: "", + name: "foo_no_rename_resources", + moduleName: "baz_override_base_rename_resources", + variantName: "android_common_baz_override_base_rename_resources", + apkPath: "out/soong/target/product/test_device/system/app/baz_override_base_rename_resources/baz_override_base_rename_resources.apk", + certFlag: "build/make/target/product/security/expiredkey.x509.pem build/make/target/product/security/expiredkey.pk8", + certSigningFlags: "", + overrides: []string{"qux", "foo_no_rename_resources"}, + packageFlag: "org.dandroid.bp", + renameResources: true, + logging_parent: "", }, } for _, expected := range expectedVariants { @@ -1941,9 +1944,9 @@ func TestOverrideAndroidApp(t *testing.T) { certFlag := signapk.Args["certificates"] android.AssertStringEquals(t, "certificates flags", expected.certFlag, certFlag) - // Check the lineage flags - lineageFlag := signapk.Args["flags"] - android.AssertStringEquals(t, "signing flags", expected.lineageFlag, lineageFlag) + // Check the cert signing flags + certSigningFlags := signapk.Args["flags"] + android.AssertStringEquals(t, "cert signing flags", expected.certSigningFlags, certSigningFlags) // Check if the overrides field values are correctly aggregated. mod := variant.Module().(*AndroidApp) diff --git a/java/rro.go b/java/rro.go index 0b4d0916a..1ab7751fd 100644 --- a/java/rro.go +++ b/java/rro.go @@ -51,6 +51,9 @@ type RuntimeResourceOverlayProperties struct { // Name of the signing certificate lineage file. Lineage *string + // For overriding the --rotation-min-sdk-version property of apksig + RotationMinSdkVersion *string + // optional theme name. If specified, the overlay package will be applied // only when the ro.boot.vendor.overlay.theme system property is set to the same value. Theme *string @@ -149,7 +152,10 @@ func (r *RuntimeResourceOverlay) GenerateAndroidBuildActions(ctx android.ModuleC if lineage := String(r.properties.Lineage); lineage != "" { lineageFile = android.PathForModuleSrc(ctx, lineage) } - SignAppPackage(ctx, signed, r.aapt.exportPackage, certificates, nil, lineageFile) + + rotationMinSdkVersion := String(r.properties.RotationMinSdkVersion) + + SignAppPackage(ctx, signed, r.aapt.exportPackage, certificates, nil, lineageFile, rotationMinSdkVersion) r.certificate = certificates[0] r.outputFile = signed diff --git a/java/rro_test.go b/java/rro_test.go index 27abbe4f3..2d76a4d2f 100644 --- a/java/rro_test.go +++ b/java/rro_test.go @@ -33,6 +33,7 @@ func TestRuntimeResourceOverlay(t *testing.T) { name: "foo", certificate: "platform", lineage: "lineage.bin", + rotationMinSdkVersion: "32", product_specific: true, static_libs: ["bar"], resource_libs: ["baz"], @@ -88,13 +89,14 @@ func TestRuntimeResourceOverlay(t *testing.T) { t.Errorf("Resource lib flag %q missing in aapt2 link flags: %q", resourceLibFlag, aapt2Flags) } - // Check cert signing flag. + // Check cert signing flags. signedApk := m.Output("signed/foo.apk") - lineageFlag := signedApk.Args["flags"] - expectedLineageFlag := "--lineage lineage.bin" - if expectedLineageFlag != lineageFlag { - t.Errorf("Incorrect signing lineage flags, expected: %q, got: %q", expectedLineageFlag, lineageFlag) + actualCertSigningFlags := signedApk.Args["flags"] + expectedCertSigningFlags := "--lineage lineage.bin --rotation-min-sdk-version 32" + if expectedCertSigningFlags != actualCertSigningFlags { + t.Errorf("Incorrect cert signing flags, expected: %q, got: %q", expectedCertSigningFlags, actualCertSigningFlags) } + signingFlag := signedApk.Args["certificates"] expected := "build/make/target/product/security/platform.x509.pem build/make/target/product/security/platform.pk8" if expected != signingFlag {