Snap for 8513843 from 8083582d084031424d959afb679a2114c9a5d4ac to mainline-uwb-release
Change-Id: I3201d8dfa5b625643644477902b65c991357b93d
diff --git a/src/main/java/com/android/apksig/DefaultApkSignerEngine.java b/src/main/java/com/android/apksig/DefaultApkSignerEngine.java
index 6423804..62c24bc 100644
--- a/src/main/java/com/android/apksig/DefaultApkSignerEngine.java
+++ b/src/main/java/com/android/apksig/DefaultApkSignerEngine.java
@@ -426,7 +426,14 @@
// at this point (and likely only one will be needed
processedConfigs.add(config);
currentMinSdk = config.minSdkVersion;
- if (currentMinSdk <= mMinSdkVersion || currentMinSdk <= AndroidSdkVersion.P) {
+ // If the rotation is targeting a development release and this is the v3.1 signer, then
+ // the minSdkVersion of this signer should equal the maxSdkVersion of the next signer;
+ // this ensures a package with the minSdkVersion set to the rotationMinSdkVersion has
+ // a v3.0 block with the min / max SDK version set to this same minSdkVersion from the
+ // v3.1 block.
+ if ((mRotationTargetsDevRelease && currentMinSdk < mMinSdkVersion)
+ || (!mRotationTargetsDevRelease && currentMinSdk <= mMinSdkVersion)
+ || currentMinSdk <= AndroidSdkVersion.P) {
// this satisfies all we need, stop here
break;
}
diff --git a/src/test/java/com/android/apksig/ApkSignerTest.java b/src/test/java/com/android/apksig/ApkSignerTest.java
index 46126bb..adc3a38 100644
--- a/src/test/java/com/android/apksig/ApkSignerTest.java
+++ b/src/test/java/com/android/apksig/ApkSignerTest.java
@@ -1804,6 +1804,37 @@
}
@Test
+ public void testV31_rotationMinSdkVersionEqualsMinSdkVersion_v3SignerPresent()
+ throws Exception {
+ // The SDK version for Sv2 (32) is used as the minSdkVersion for the V3.1 signature
+ // scheme to allow rotation to target the T development platform; this will be updated
+ // to the real SDK version of T once its SDK is finalized. This test verifies if a
+ // package has Sv2 as its minSdkVersion, the signing can complete as expected with the
+ // v3 block signed by the original signer and targeting just Sv2, and the v3.1 block
+ // signed by the rotated signer and targeting the dev release of Sv2 and all later releases.
+ List<ApkSigner.SignerConfig> rsa2048SignerConfigWithLineage =
+ Arrays.asList(
+ getDefaultSignerConfigFromResources(FIRST_RSA_2048_SIGNER_RESOURCE_NAME),
+ getDefaultSignerConfigFromResources(SECOND_RSA_2048_SIGNER_RESOURCE_NAME));
+ SigningCertificateLineage lineage =
+ Resources.toSigningCertificateLineage(
+ ApkSignerTest.class, LINEAGE_RSA_2048_2_SIGNERS_RESOURCE_NAME);
+
+ File signedApk = sign("original-minSdk32.apk",
+ new ApkSigner.Builder(rsa2048SignerConfigWithLineage)
+ .setV1SigningEnabled(true)
+ .setV2SigningEnabled(true)
+ .setV3SigningEnabled(true)
+ .setV4SigningEnabled(false)
+ .setMinSdkVersionForRotation(V3SchemeConstants.MIN_SDK_WITH_V31_SUPPORT)
+ .setSigningCertificateLineage(lineage));
+ ApkVerifier.Result result = verify(signedApk, null);
+
+ assertVerified(result);
+ assertEquals(AndroidSdkVersion.Sv2, result.getV3SchemeSigners().get(0).getMaxSdkVersion());
+ }
+
+ @Test
public void testV31_rotationMinSdkVersionTWithoutLineage_v30VerificationSucceeds()
throws Exception {
// apksig allows setting a rotation-min-sdk-version without providing a rotated signing
diff --git a/src/test/resources/com/android/apksig/original-minSdk32.apk b/src/test/resources/com/android/apksig/original-minSdk32.apk
new file mode 100644
index 0000000..1d50f27
--- /dev/null
+++ b/src/test/resources/com/android/apksig/original-minSdk32.apk
Binary files differ
