Merge "Update v3.1 signing block to target T's finalized SDK 33" into tm-dev am: fc6387ff79 am: 3c9f6e5a0b
Original change: https://googleplex-android-review.googlesource.com/c/platform/tools/apksig/+/18332988
Change-Id: Id860243bed79b64771312f85bcbbad183f41ee26
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/src/main/java/com/android/apksig/DefaultApkSignerEngine.java b/src/main/java/com/android/apksig/DefaultApkSignerEngine.java
index 62c24bc..f25bc59 100644
--- a/src/main/java/com/android/apksig/DefaultApkSignerEngine.java
+++ b/src/main/java/com/android/apksig/DefaultApkSignerEngine.java
@@ -22,7 +22,6 @@
import static com.android.apksig.internal.apk.ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V2;
import static com.android.apksig.internal.apk.ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V3;
import static com.android.apksig.internal.apk.ApkSigningBlockUtils.VERSION_JAR_SIGNATURE_SCHEME;
-import static com.android.apksig.internal.apk.v3.V3SchemeConstants.DEV_RELEASE_ROTATION_MIN_SDK_VERSION;
import static com.android.apksig.internal.apk.v3.V3SchemeConstants.MIN_SDK_WITH_V31_SUPPORT;
import static com.android.apksig.internal.apk.v3.V3SchemeConstants.MIN_SDK_WITH_V3_SUPPORT;
@@ -339,17 +338,6 @@
}
}
- private int getDevReleaseRotationMinSdkVersion() {
- // TODO (b/199793805): Once the T SDK is finalized and T development releases are using
- // the new SDK version, this should be removed and mRotationMinSdkVersion should be used
- // as is for rotation SDK version targeting.
- // To support targeting the development release use the API level of the previous
- // platform release as this is the value returned from Build.Version.SDK_INT until
- // the SDK is finalized.
- return mRotationMinSdkVersion == MIN_SDK_WITH_V31_SUPPORT
- ? DEV_RELEASE_ROTATION_MIN_SDK_VERSION : mRotationMinSdkVersion;
- }
-
private boolean signingLineageHas31Support() {
return mSigningCertificateLineage != null
&& mRotationMinSdkVersion >= MIN_SDK_WITH_V31_SUPPORT
@@ -375,7 +363,6 @@
List<ApkSigningBlockUtils.SignerConfig> processedConfigs = new ArrayList<>();
- int rotationMinSdkVersion = getDevReleaseRotationMinSdkVersion();
// we have our configs, now touch them up to appropriately cover all SDK levels since APK
// signature scheme v3 was introduced
int currentMinSdk = Integer.MAX_VALUE;
@@ -397,7 +384,7 @@
// this needs to change
config.maxSdkVersion = Integer.MAX_VALUE;
} else {
- if (mRotationTargetsDevRelease && currentMinSdk == rotationMinSdkVersion) {
+ if (mRotationTargetsDevRelease && currentMinSdk == mRotationMinSdkVersion) {
// The currentMinSdk is both the SDK version for the active development release
// as well as the most recent released platform. To ensure the v3.0 signer will
// target the released platform, overlap the maxSdkVersion for the v3.0 signer
@@ -414,12 +401,12 @@
// than that requested to support rotation.
if (mSigningCertificateLineage != null
&& ((mRotationTargetsDevRelease
- ? config.maxSdkVersion > rotationMinSdkVersion
- : config.maxSdkVersion >= rotationMinSdkVersion))) {
+ ? config.maxSdkVersion > mRotationMinSdkVersion
+ : config.maxSdkVersion >= mRotationMinSdkVersion))) {
config.mSigningCertificateLineage =
mSigningCertificateLineage.getSubLineage(config.certificates.get(0));
- if (config.minSdkVersion < rotationMinSdkVersion) {
- config.minSdkVersion = rotationMinSdkVersion;
+ if (config.minSdkVersion < mRotationMinSdkVersion) {
+ config.minSdkVersion = mRotationMinSdkVersion;
}
}
// we know that this config will be used, so add it to our result, order doesn't matter
@@ -428,7 +415,7 @@
currentMinSdk = config.minSdkVersion;
// If the rotation is targeting a development release and this is the v3.1 signer, then
// the minSdkVersion of this signer should equal the maxSdkVersion of the next signer;
- // this ensures a package with the minSdkVersion set to the rotationMinSdkVersion has
+ // this ensures a package with the minSdkVersion set to the mRotationMinSdkVersion has
// a v3.0 block with the min / max SDK version set to this same minSdkVersion from the
// v3.1 block.
if ((mRotationTargetsDevRelease && currentMinSdk < mMinSdkVersion)
@@ -466,7 +453,6 @@
return null;
}
- int rotationMinSdkVersion = getDevReleaseRotationMinSdkVersion();
List<ApkSigningBlockUtils.SignerConfig> v31SignerConfigs = new ArrayList<>();
Iterator<ApkSigningBlockUtils.SignerConfig> v3SignerIterator =
v3SignerConfigs.iterator();
@@ -474,7 +460,7 @@
ApkSigningBlockUtils.SignerConfig signerConfig = v3SignerIterator.next();
// All signing configs with a min SDK version that supports v3.1 should be used
// in the v3.1 signing block and removed from the v3.0 block.
- if (signerConfig.minSdkVersion >= rotationMinSdkVersion) {
+ if (signerConfig.minSdkVersion >= mRotationMinSdkVersion) {
v31SignerConfigs.add(signerConfig);
v3SignerIterator.remove();
}
@@ -1105,7 +1091,7 @@
.setRunnablesExecutor(mExecutor)
.setBlockId(V3SchemeConstants.APK_SIGNATURE_SCHEME_V3_BLOCK_ID);
if (signingLineageHas31Support()) {
- builder.setRotationMinSdkVersion(getDevReleaseRotationMinSdkVersion());
+ builder.setRotationMinSdkVersion(mRotationMinSdkVersion);
}
v3SigningSchemeBlockAndDigests =
builder.build().generateApkSignatureSchemeV3BlockAndDigests();
@@ -1824,13 +1810,6 @@
+ " v3 without an accompanying SigningCertificateLineage");
}
- if (mRotationMinSdkVersion == MIN_SDK_WITH_V31_SUPPORT) {
- // To ensure the APK will install on the currently released platform with the
- // original signing key, also set the rotation to target a dev release to ensure
- // the original signing key block targets up through 31.
- mRotationTargetsDevRelease = true;
- }
-
return new DefaultApkSignerEngine(
mSignerConfigs,
mStampSignerConfig,
diff --git a/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeConstants.java b/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeConstants.java
index 319b57f..6963dd3 100644
--- a/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeConstants.java
+++ b/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeConstants.java
@@ -35,13 +35,6 @@
* {@link com.android.apksig.ApkSigner.Builder#setMinSdkVersionForRotation(int)}.
*/
public static final int DEFAULT_ROTATION_MIN_SDK_VERSION = AndroidSdkVersion.T;
- /**
- * The v3.1 signature scheme is initially intended for the T development release, but until
- * the T SDK is finalized it is using the SDK version of the latest platform release. To support
- * testing of the v3.1 signature scheme and key rotation on the T development release, the
- * rotation-min-sdk-version should use the SDK version of Sv2 in the v3.1 signer block.
- */
- public static final int DEV_RELEASE_ROTATION_MIN_SDK_VERSION = AndroidSdkVersion.Sv2;
/**
* This attribute is intended to be written to the V3.0 signer block as an additional attribute
diff --git a/src/test/java/com/android/apksig/ApkSignerTest.java b/src/test/java/com/android/apksig/ApkSignerTest.java
index 9740d75..83e0499 100644
--- a/src/test/java/com/android/apksig/ApkSignerTest.java
+++ b/src/test/java/com/android/apksig/ApkSignerTest.java
@@ -1607,11 +1607,8 @@
assertTrue(resultMinRotationT.isVerifiedUsingV31Scheme());
assertResultContainsSigners(resultMinRotationT, true, FIRST_RSA_2048_SIGNER_RESOURCE_NAME,
SECOND_RSA_2048_SIGNER_RESOURCE_NAME);
- // Since T is still under development, it is using the SDK version of the previous platform
- // release, so to test v3.1 on T the rotation-min-sdk-version must target the SDK version
- // of Sv2.
assertV31SignerTargetsMinApiLevel(resultMinRotationT, SECOND_RSA_2048_SIGNER_RESOURCE_NAME,
- V3SchemeConstants.DEV_RELEASE_ROTATION_MIN_SDK_VERSION);
+ AndroidSdkVersion.T);
assertVerified(resultMinRotationU);
assertTrue(resultMinRotationU.isVerifiedUsingV31Scheme());
assertResultContainsSigners(resultMinRotationU, true, FIRST_RSA_2048_SIGNER_RESOURCE_NAME,
@@ -1702,13 +1699,10 @@
.setSourceStampSignerConfig(rsa2048OriginalSignerConfig));
ApkVerifier.Result result = verify(signedApk, null);
- // Since T is still under development, it is using the SDK version of the previous platform
- // release, so to test v3.1 on T the rotation-min-sdk-version must target the SDK version
- // of Sv2.
assertResultContainsSigners(result, true, FIRST_RSA_2048_SIGNER_RESOURCE_NAME,
SECOND_RSA_2048_SIGNER_RESOURCE_NAME);
assertV31SignerTargetsMinApiLevel(result, SECOND_RSA_2048_SIGNER_RESOURCE_NAME,
- V3SchemeConstants.DEV_RELEASE_ROTATION_MIN_SDK_VERSION);
+ AndroidSdkVersion.T);
assertSourceStampVerified(signedApk, result);
}
@@ -1789,40 +1783,6 @@
}
@Test
- public void testV31_rotationMinSdkVersionT_v30SignerTargetsAtLeast31() throws Exception {
- // The T development release is currently using the API level of S until its own SDK is
- // finalized. This requires apksig to sign an APK targeting T for rotation with a V3.1
- // block that targets API level 31. By default, apksig will decrement the SDK version for
- // the current signer block and use that as the maxSdkVersion for the next signer; however
- // this means the original signing key will only target through 30 which would prevent
- // an APK signed with V3.1 targeting T from installing on a device running S. This test
- // ensures targeting T will use the rotation-targets-dev-release option so that the APK
- // can still install on devices with an API level of 31.
- List<ApkSigner.SignerConfig> rsa2048SignerConfigWithLineage =
- Arrays.asList(
- getDefaultSignerConfigFromResources(FIRST_RSA_2048_SIGNER_RESOURCE_NAME),
- getDefaultSignerConfigFromResources(SECOND_RSA_2048_SIGNER_RESOURCE_NAME));
- SigningCertificateLineage lineage =
- Resources.toSigningCertificateLineage(
- ApkSignerTest.class, LINEAGE_RSA_2048_2_SIGNERS_RESOURCE_NAME);
-
- File signedApk = sign("original.apk",
- new ApkSigner.Builder(rsa2048SignerConfigWithLineage)
- .setV1SigningEnabled(true)
- .setV2SigningEnabled(true)
- .setV3SigningEnabled(true)
- .setV4SigningEnabled(false)
- .setMinSdkVersionForRotation(V3SchemeConstants.MIN_SDK_WITH_V31_SUPPORT)
- .setSigningCertificateLineage(lineage));
- ApkVerifier.Result result = verify(signedApk, null);
-
- assertVerified(result);
- assertTrue(result.isVerifiedUsingV31Scheme());
- assertTrue(result.getV31SchemeSigners().get(0).getRotationTargetsDevRelease());
- assertTrue(result.getV3SchemeSigners().get(0).getMaxSdkVersion() >= AndroidSdkVersion.S);
- }
-
- @Test
public void testV31_rotationMinSdkVersionEqualsMinSdkVersion_v3SignerPresent()
throws Exception {
// The SDK version for Sv2 (32) is used as the minSdkVersion for the V3.1 signature
@@ -1907,7 +1867,7 @@
assertTrue(result.isVerifiedUsingV31Scheme());
assertEquals(AndroidSdkVersion.Sv2, result.getV3SchemeSigners().get(0).getMaxSdkVersion());
assertV31SignerTargetsMinApiLevel(result, SECOND_RSA_2048_SIGNER_RESOURCE_NAME,
- V3SchemeConstants.DEV_RELEASE_ROTATION_MIN_SDK_VERSION);
+ AndroidSdkVersion.T);
}
@Test
