ApkVerityTestApp is a test helper app to be installed with an fs-verity signature file (.fsv_sig). In order for this CTS test to run on a release build across vendors, the signature needs to be verified against a release certificate loaded into the kernel.
Modifying the test helper app also requires signing the APK with a local debug key. You will also need to point the test at your local build.
On a debuggable build, the debug certificate can be loaded into the kernel keyring with:
adb root
adb shell 'mini-keyctl padd asymmetric fsv-play .fs-verity' < fsverity-debug.x509.der
On a user build, the keyring is closed and doesn't accept extra keys. A workaround is to copy the .der file to /system/etc/security/fsverity. Upon reboot, the certificate will be loaded into the kernel as usual.
You need to override the prebuilts with the debug build.
Build the debug artifacts with:
m CtsApkVerityTestDebugFiles
Copy the output to a temporary directory, e.g.
(cd $ANDROID_BUILD_TOP && cp `cat out/soong/.intermediates/cts/hostsidetests/appsecurity/test-apps/ApkVerityTestApp/testdata/CtsApkVerityTestDebugFiles/gen/CtsApkVerityTestDebugFiles.txt` /tmp/prebuilts/)
cp CtsApkVerityTestApp.apk CtsApkVerityTestApp2.apk
cp CtsApkVerityTestAppSplit.apk.fsv_sig CtsApkVerityTestApp2.apk.fsv_sig
for f in CtsApkVerityTestApp*; do echo $f | sed -E 's/([^.]+)\.(.+)/mv & \1Prebuilt.\2/'; done | sh
atest CtsAppSecurityHostTestCases:android.appsecurity.cts.ApkVerityInstallTest
https://android-build.googleplex.com/builds/submitted/9178658/test_suites_arm64/latest/
https://android-build.googleplex.com/builds/submitted/9178658/test_suites_x86_64/latest/
cp CtsApkVerityTestApp.apk CtsApkVerityTestApp2.apk
cp CtsApkVerityTestAppSplit.apk.fsv_sig CtsApkVerityTestApp2.apk.fsv_sig
for f in CtsApkVerityTestApp*; do echo $f | sed -E 's/([^.]+)\.(.+)/mv & \1Prebuilt.\2/'; done | sh
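The copy and rename commands above, combined into one function that can be re-run safely. This is an added example, not part of the original README; the function name prepare_prebuilts is hypothetical. It quotes file names instead of piping generated mv commands to sh, skips files that already carry the Prebuilt suffix, and refuses to overwrite an existing target.

```shell
#!/bin/sh
# Added example (not from the original README). prepare_prebuilts is a
# hypothetical name; the file names are the ones used in the commands above.
prepare_prebuilts() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    (
        cd "$dir" || exit 1
        # Copy step: CtsApkVerityTestApp2.apk is a copy of the main APK paired
        # with the split APK's .fsv_sig. Skipped when the inputs were already
        # renamed by an earlier run.
        if [ -f CtsApkVerityTestApp.apk ] &&
           [ -f CtsApkVerityTestAppSplit.apk.fsv_sig ]; then
            cp CtsApkVerityTestApp.apk CtsApkVerityTestApp2.apk
            cp CtsApkVerityTestAppSplit.apk.fsv_sig CtsApkVerityTestApp2.apk.fsv_sig
        fi
        # Rename step: insert "Prebuilt" before the first dot, the same rule
        # as the sed expression s/([^.]+)\.(.+)/mv & \1Prebuilt.\2/.
        for f in CtsApkVerityTestApp*; do
            [ -f "$f" ] || continue              # glob matched nothing
            stem=${f%%.*}                        # text before the first dot
            ext=${f#*.}                          # everything after the first dot
            if [ "$stem" = "$f" ] || [ -z "$ext" ]; then continue; fi
            case $stem in
                *Prebuilt) continue ;;           # already renamed
            esac
            target="${stem}Prebuilt.${ext}"
            if [ -e "$target" ]; then
                echo "refusing to overwrite $target" >&2
                exit 1
            fi
            mv -- "$f" "$target"
        done
    )
}

# Run directly as: sh prepare_prebuilts.sh /tmp/prebuilts
if [ "$#" -gt 0 ]; then
    prepare_prebuilts "$1"
fi
```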