commit | 96a825bce18136069f3d176188b31c966306e03a | [log] [tgz] |
---|---|---|
author | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | Fri Sep 25 22:02:19 2020 +0000 |
committer | Android (Google) Code Review <android-gerrit@google.com> | Fri Sep 25 22:02:19 2020 +0000 |
tree | bc77c65ac96177d0ea7105734008db689a906a5c | |
parent | 60af2e0f5bd5ad26e209aad549e354d7ae710748 [diff] | |
parent | ff15e8d6d79cba9995b1bca0c71a7ed7debb903c [diff] |
Merge changes from topic "am-1b27ce2a609945c2b46aba3bb47fd42c" into rvc-d1-dev-plus-aosp * changes: Add API to obtain certificates in source stamp signer's lineage am: 5983b339ae am: 8a448eaf9d Obtain the V1 signing certificate during stamp verification am: 7515f8919e am: 8e1663fe35 Create lineage for source stamps am: 37ec54b324 am: b43d3d279d Verify source stamp lineage am: 211faf0d42 am: 7f649078a5 Supporting V3 cert rotation logic in V4. am: 6956cda737 am: 5754e8149a Ignoring more exceptions in "ignore error" mode. am: 52c11ad593 am: 0ab5f001be Add stamp attributes to source stamp signing block am: 75a0246582 am: 2850421bca Accept lineage for source stamps in signer am: 271820bebc am: 5a637946aa Code cleanup based on static analysis am: 069429b191 am: eb328c92cd Create lightweight utils and source stamp verifier am: c088f66022 am: 6310e7e515 Code cleanup based on latest static analysis report am: e00c1779d4 am: 8330255406 Add API to ApkUtils to obtain APK's versionCode am: 343ceae3e9 am: 643a98c20e Restore internal constants used by clients am: 4430b29acd am: 235ad03cbc Add API to verify source stamp signature am: 92825ed1cc am: 012dd6c5d2 Stamp refactorings am: 9f0e49e0a5 am: 36d1908677
apksig is a project which aims to simplify APK signing and checking whether APK signatures are expected to verify on Android. apksig supports JAR signing (used by Android since day one) and APK Signature Scheme v2 (supported since Android Nougat, API Level 24). apksig is meant to be used outside of Android devices.
The key feature of apksig is that it knows about differences in APK signature verification logic between different versions of the Android platform. apksig thus thoroughly checks whether an APK's signature is expected to verify on all Android platform versions supported by the APK. When signing an APK, apksig chooses the most appropriate cryptographic algorithms based on the Android platform versions supported by the APK being signed.
The project consists of two subprojects:
apksig library offers three primitives:
ApkSigner
which signs the provided APK so that it verifies on all Android platform versions supported by the APK. The range of platform versions can be customized.ApkVerifier
which checks whether the provided APK is expected to verify on all Android platform versions supported by the APK. The range of platform versions can be customized.(Default)ApkSignerEngine
which abstracts away signing APKs from parsing and building APKs. This is useful in optimized APK building pipelines, such as in Android Plugin for Gradle, which need to perform signing while building an APK, instead of after. For simpler use cases where the APK to be signed is available upfront, the ApkSigner
above is easier to use.NOTE: Some public classes of the library are in packages having the word “internal” in their name. These are not public API of the library. Do not use *.internal.* classes directly because these classes may change any time without regard to existing clients outside of apksig
and apksigner
.
apksigner command-line tool offers two operations:
apksigner sign
for usage information.apksigner verify
for usage information.The tool determines the range of Android platform versions (API Levels) supported by the APK by inspecting the APK's AndroidManifest.xml. This behavior can be overridden by specifying the range of platform versions on the command-line.