From 08d79c12de87674e006c9b3e8e68f9a52d6e180b Mon Sep 17 00:00:00 2001
From: Doug Zongker
Date: Wed, 5 Oct 2011 08:16:30 -0700
Subject: [PATCH] sign non-PRESIGNED prebuilt apks
Since dev keys can now vary per device, we can't assume they are checked in with the correct signature.
Change-Id: I7577a3a6bd98d005c15936c99b2944acc4412798
---
 core/prebuilt.mk | 88 ++++++++++++++++++++++++++++--------------------
 1 file changed, 51 insertions(+), 37 deletions(-)
diff --git a/core/prebuilt.mk b/core/prebuilt.mk
index 8c03341638..54a7fa9f65 100644
--- a/core/prebuilt.mk
+++ b/core/prebuilt.mk
@@ -54,11 +54,61 @@ endif
 PACKAGES.$(LOCAL_MODULE).OVERRIDES := $(strip $(LOCAL_OVERRIDES_PACKAGES))
-# Ensure that prebuilt .apks have been aligned.
+ifeq ($(LOCAL_CERTIFICATE),EXTERNAL)
+ # The magic string "EXTERNAL" means this package will be signed with
+ # the default dev key throughout the build process, but we expect
+ # the final package to be signed with a different key.
+ #
+ # This can be used for packages where we don't have access to the
+ # keys, but want the package to be predexopt'ed.
+ LOCAL_CERTIFICATE := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
+ PACKAGES.$(LOCAL_MODULE).EXTERNAL_KEY := 1
+
+ $(built_module) : PRIVATE_PRIVATE_KEY := $(LOCAL_CERTIFICATE).pk8
+ $(built_module) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem
+endif
+ifeq ($(LOCAL_CERTIFICATE),)
+ ifneq ($(filter APPS,$(LOCAL_MODULE_CLASS)),)
+ # It is now a build error to add a prebuilt .apk without
+ # specifying a key for it.
+ $(error No LOCAL_CERTIFICATE specified for prebuilt "$(LOCAL_SRC_FILES)")
+ endif
+else ifeq ($(LOCAL_CERTIFICATE),PRESIGNED)
+ # The magic string "PRESIGNED" means this package is already checked
+ # signed with its release key.
+ #
+ # By setting .CERTIFICATE but not .PRIVATE_KEY, this package will be
+ # mentioned in apkcerts.txt (with certificate set to "PRESIGNED")
+ # but the dexpreopt process will not try to re-sign the app.
+ PACKAGES.$(LOCAL_MODULE).CERTIFICATE := PRESIGNED
+ PACKAGES := $(PACKAGES) $(LOCAL_MODULE)
+else
+ # If this is not an absolute certificate, assign it to a generic one.
+ ifeq ($(dir $(strip $(LOCAL_CERTIFICATE))),./)
+ LOCAL_CERTIFICATE := $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))$(LOCAL_CERTIFICATE)
+ endif
+
+ PACKAGES.$(LOCAL_MODULE).PRIVATE_KEY := $(LOCAL_CERTIFICATE).pk8
+ PACKAGES.$(LOCAL_MODULE).CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem
+ PACKAGES := $(PACKAGES) $(LOCAL_MODULE)
+
+ $(built_module) : PRIVATE_PRIVATE_KEY := $(LOCAL_CERTIFICATE).pk8
+ $(built_module) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem
+endif
+
 ifneq ($(filter APPS,$(LOCAL_MODULE_CLASS)),)
+ifeq ($(LOCAL_CERTIFICATE),PRESIGNED)
+# Ensure that presigned .apks have been aligned.
 $(built_module) : $(LOCAL_PATH)/$(LOCAL_SRC_FILES) | $(ZIPALIGN)
 $(transform-prebuilt-to-target-with-zipalign)
 else
+# Sign and align non-presigned .apks.
+$(built_module) : $(LOCAL_PATH)/$(LOCAL_SRC_FILES) | $(ACP) $(ZIPALIGN) $(SIGNAPK_JAR)
+ $(transform-prebuilt-to-target)
+ $(sign-package)
+ $(align-package)
+endif
+else
 ifneq ($(LOCAL_PREBUILT_STRIP_COMMENTS),)
 $(built_module) : $(LOCAL_PATH)/$(LOCAL_SRC_FILES)
 $(transform-prebuilt-to-target-strip-comments)
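Review bot: The new "Sign and align non-presigned .apks" rule near the end of this hunk lists only the source .apk as a normal prerequisite, so `$(built_module)` is not re-signed when the key or certificate file is replaced. Since the commit message says dev keys can now vary per device, a reused output tree could keep an .apk signed with the previous key; this assumes `$(sign-package)` reads `PRIVATE_PRIVATE_KEY` and `PRIVATE_CERTIFICATE`, which the hunk sets but whose consumer is not shown. Listing the key material as prerequisites would tie the signature to it: `$(built_module) : $(LOCAL_PATH)/$(LOCAL_SRC_FILES) $(LOCAL_CERTIFICATE).pk8 $(LOCAL_CERTIFICATE).x509.pem | $(ACP) $(ZIPALIGN) $(SIGNAPK_JAR)`. Before adopting that, confirm the three recipe macros only use the first prerequisite, since their definitions are outside this patch.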
@@ -86,42 +136,6 @@ $(common_javalib_jar) : $(common_classes_jar) | $(ACP)
 $(built_module) : $(common_javalib_jar)
 endif # TARGET JAVA_LIBRARIES
-ifeq ($(LOCAL_CERTIFICATE),EXTERNAL)
- # The magic string "EXTERNAL" means this package will be signed with
- # the test key throughout the build process, but we expect the final
- # package to be signed with a different key.
- #
- # This can be used for packages where we don't have access to the
- # keys, but want the package to be predexopt'ed.
- LOCAL_CERTIFICATE := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
- PACKAGES.$(LOCAL_MODULE).EXTERNAL_KEY := 1
-endif
-ifeq ($(LOCAL_CERTIFICATE),)
- ifneq ($(filter APPS,$(LOCAL_MODULE_CLASS)),)
- # It is now a build error to add a prebuilt .apk without
- # specifying a key for it.
- $(error No LOCAL_CERTIFICATE specified for prebuilt "$(LOCAL_SRC_FILES)")
- endif
-else ifeq ($(LOCAL_CERTIFICATE),PRESIGNED)
- # The magic string "PRESIGNED" means this package is already checked
- # signed with its release key.
- #
- # By setting .CERTIFICATE but not .PRIVATE_KEY, this package will be
- # mentioned in apkcerts.txt (with certificate set to "PRESIGNED")
- # but the dexpreopt process will not try to re-sign the app.
- PACKAGES.$(LOCAL_MODULE).CERTIFICATE := PRESIGNED
- PACKAGES := $(PACKAGES) $(LOCAL_MODULE)
-else
- # If this is not an absolute certificate, assign it to a generic one.
- ifeq ($(dir $(strip $(LOCAL_CERTIFICATE))),./)
- LOCAL_CERTIFICATE := $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))$(LOCAL_CERTIFICATE)
- endif
-
- PACKAGES.$(LOCAL_MODULE).PRIVATE_KEY := $(LOCAL_CERTIFICATE).pk8
- PACKAGES.$(LOCAL_MODULE).CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem
- PACKAGES := $(PACKAGES) $(LOCAL_MODULE)
-endif
-
 ifneq ($(prebuilt_module_is_a_library),)
 ifneq ($(LOCAL_IS_HOST_MODULE),)
 $(transform-host-ranlib-copy-hack)