PackageSignatureTest gets all apex certs dynamically
PackageSignatureTest currently uses a handcrafted list of known apex
test certificates. It uses this list to verify that release builds are
not signed with test signatures. This CL updates
`PackageSignatureTest` to get the test signatures dynamically.
Implementation details
- Add `all_apex_certs{.der}` to assets of the CTS apk. This is a
singleton soong module that will provide the certs of all the
apexes in the tree. These certs will be packaged into the `assets/`
directory of the app
- Use AssetManager.list to get the list of all files in `assets`. This
directory might contain other files, so `wellKnownSignatures` might be
a superset of test signatures. This has been done for ease of
implementation, and should not produce false positives.
- Update `wellKnownSignatures` with the signatures read from the assets
directory.
Bug: 329299639
Test: Commented out `R.raw.sig_com_android_neuralnetworks` (read from
res/`)
Test: atest PackageSignatureTest
Test: verified that the test fails (as expected) and com.google.android.neuralnetworks appears in "These packages should not be signed with a well known key"
IOW, the test cert is being read from assets/ correctly
Change-Id: Ia2a4d546a2beaaaebaac49ee583c9b4d35601a98
2 files changed
