Add ROLLBACK past signing cert capability.

Add a new capability that may be granted to past signing certificates
after a change to a new signing certificate; it allows applications to
go back to a previous signing certificate.  This capability is intended
not to be granted, but may be added later in the event that a signing
certificate change causes undesirable behavior.

(cherry-pick of commit: 26f734ffa011f6f22e5f83a9a80b877ddcc0c10a)
Bug: 73927694
Test: bazel test ...
Change-Id: Ic837ec66a97865ce941b202093e9bbe26fcfba90
Merged-In: Ic837ec66a97865ce941b202093e9bbe26fcfba90
diff --git a/src/main/java/com/android/apksig/SigningCertificateLineage.java b/src/main/java/com/android/apksig/SigningCertificateLineage.java
index b3d10f2..440f13d 100644
--- a/src/main/java/com/android/apksig/SigningCertificateLineage.java
+++ b/src/main/java/com/android/apksig/SigningCertificateLineage.java
@@ -81,6 +81,14 @@
     /** grant SIGNATURE permissions to pkgs with this cert */
     private static final int PAST_CERT_PERMISSION = 4;
 
+    /**
+     * Enable updates back to this certificate.  WARNING: this effectively removes any benefit of
+     * signing certificate changes, since a compromised key could retake control of an app even
+     * after change, and should only be used if there is a problem encountered when trying to ditch
+     * an older cert.
+     */
+    private static final int PAST_CERT_ROLLBACK = 8;
+
     private final int mMinSdkVersion;
 
     /**
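Review bot: The Javadoc on `PAST_CERT_ROLLBACK` warns against using the flag but does not say whether it is excluded from the capabilities a past certificate receives by default, which is the property the warning relies on. The default flag set is not visible in this hunk, so this needs confirming; if the bit is excluded, state it in the comment, e.g. `Not part of the default capability set; must be granted explicitly.` A unit test asserting that a capabilities object built with defaults does not carry this bit would keep that guarantee from regressing silently.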
@@ -571,6 +579,25 @@
             }
 
             /**
+             * Set the {@code PAST_CERT_ROLLBACK} flag in this capabilities object.  This flag
+             * is used by the platform to determine if this app is willing to upgrade to a new
+             * version that is signed by one of its past signing certificates.
+             *
+             * <note> WARNING: this effectively removes any benefit of signing certificate changes,
+             * since a compromised key could retake control of an app even after change, and should
+             * only be used if there is a problem encountered when trying to ditch an older cert
+             * </note>
+             */
+            public Builder setRollback(boolean enabled) {
+                if (enabled) {
+                    mFlags |= PAST_CERT_ROLLBACK;
+                } else {
+                    mFlags &= ~PAST_CERT_ROLLBACK;
+                }
+                return this;
+            }
+
+            /**
              * Returns a new {@code SignerConfig} instance configured based on the configuration of
              * this builder.
              */
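Review bot: `<note>` in the Javadoc for `setRollback` is not an HTML element, so doclint is likely to flag it as an unknown tag and the warning may render as ordinary running text; a paragraph such as `<p><em>WARNING:</em> this effectively removes any benefit of signing certificate changes, ...` keeps it visible. The comment also names the private constant `PAST_CERT_ROLLBACK` in public API documentation and omits `@param enabled` and `@return`. Describing the behaviour instead ("allow updates signed by this past certificate") would serve callers better, as would saying that the capability stays off unless set, if the builder's default does leave the bit clear. The enclosing `Builder` class starts and ends outside the hunk.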