commit 95445e6913568e27e3b64d90494d20d5c829121d
author Jaewoong Jung <jungjw@google.com> Thu Apr 02 13:01:08 2020 -0700
committer Jaewoong Jung <jungjw@google.com> Mon Apr 06 13:42:23 2020 -0700
tree dddb2f93c34d9a96b28d4b182e440dfd8b17b1bc
parent 0889aaeeae27a59ee8ddfea4f2baa67179fd23bb

Add signing certificate lineage file support.

Also add multi-cert support to prebuilt apps so that they can benefit
from the new lineage feature.

(This is a cherry-pick change.)

Test: m GoogleServicesFramework w/ modified build rules
Test: m PrebuiltGmsCore w/ modified build rules
Test: apksigner lineage -v --print-certs -in <built_module_path>
Fixes: 152897457
Change-Id: If7d5d4bd308629c8340231520214c76c8a568a65
Merged-In: If7d5d4bd308629c8340231520214c76c8a568a65

core/app_prebuilt_internal.mk

diff --git a/core/app_prebuilt_internal.mk b/core/app_prebuilt_internal.mk
index 05d9001..61e13e9 100644
--- a/core/app_prebuilt_internal.mk
+++ b/core/app_prebuilt_internal.mk
@@ -163,6 +163,13 @@
   $(built_module) : $(LOCAL_CERTIFICATE).pk8 $(LOCAL_CERTIFICATE).x509.pem
   $(built_module) : PRIVATE_PRIVATE_KEY := $(LOCAL_CERTIFICATE).pk8
   $(built_module) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem
+
+  additional_certificates := $(foreach c,$(LOCAL_ADDITIONAL_CERTIFICATES), $(c).x509.pem $(c).pk8)
+  $(built_module): $(additional_certificates)
+  $(built_module): PRIVATE_ADDITIONAL_CERTIFICATES := $(additional_certificates)
+
+  $(built_module): $(LOCAL_CERTIFICATE_LINEAGE)
+  $(built_module): PRIVATE_CERTIFICATE_LINEAGE := $(LOCAL_CERTIFICATE_LINEAGE)
 endif
 
 include $(BUILD_SYSTEM)/app_certificate_validate.mk

core/clear_vars.mk

diff --git a/core/clear_vars.mk b/core/clear_vars.mk
index e27d91c..3d481df 100644
--- a/core/clear_vars.mk
+++ b/core/clear_vars.mk
@@ -152,6 +152,7 @@
 LOCAL_JETIFIER_ENABLED:=
 LOCAL_JNI_SHARED_LIBRARIES:=
 LOCAL_JNI_SHARED_LIBRARIES_ABI:=
+LOCAL_CERTIFICATE_LINEAGE:=
 LOCAL_LDFLAGS:=
 LOCAL_LDLIBS:=
 LOCAL_LOGTAGS_FILES:=

core/definitions.mk

diff --git a/core/definitions.mk b/core/definitions.mk
index 3499da9..0558a38 100644
--- a/core/definitions.mk
+++ b/core/definitions.mk
@@ -2285,6 +2285,7 @@
 define sign-package-arg
 $(hide) mv $(1) $(1).unsigned
 $(hide) $(JAVA) -Djava.library.path=$$(dirname $(SIGNAPK_JNI_LIBRARY_PATH)) -jar $(SIGNAPK_JAR) \
+    $(if $(strip $(PRIVATE_CERTIFICATE_LINEAGE)), --lineage $(PRIVATE_CERTIFICATE_LINEAGE)) \
     $(PRIVATE_CERTIFICATE) $(PRIVATE_PRIVATE_KEY) \
     $(PRIVATE_ADDITIONAL_CERTIFICATES) $(1).unsigned $(1).signed
 $(hide) mv $(1).signed $(1)

core/package_internal.mk

diff --git a/core/package_internal.mk b/core/package_internal.mk
index c6c2cf5..59e0701 100644
--- a/core/package_internal.mk
+++ b/core/package_internal.mk
@@ -471,6 +471,9 @@
 $(LOCAL_BUILT_MODULE): $(additional_certificates)
 $(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CERTIFICATES := $(additional_certificates)
 
+$(LOCAL_BUILT_MODULE): $(LOCAL_CERTIFICATE_LINEAGE)
+$(LOCAL_BUILT_MODULE): PRIVATE_CERTIFICATE_LINEAGE := $(LOCAL_CERTIFICATE_LINEAGE)
+
 # Set a actual_partition_tag (calculated in base_rules.mk) for the package.
 PACKAGES.$(LOCAL_PACKAGE_NAME).PARTITION := $(actual_partition_tag)