Use key rotation aware check when sharedUID signatures change on OTA
The platform supports all packages in a sharedUserId changing their
signatures during an OTA; if there is more than one package in the
sharedUserId, the signing details of the first signer are used as
the shared signing details for the sharedUserId, and all other
packages in the sharedUserId must exactly match these signatures.
This works in the absence of key rotation, but if one of the packages
has a rotated signing key but still grants the previous signer
the SHARED_USER_ID capability, then this check would fail if another
package is in the sharedUserId and signed by the original signing key
since the exact signature comparison would fail, resulting in the
device boot looping. This commit updates this signature check when
the signing details change for a sharedUserId to instead use a
rotation aware check that allows the new signing details if the
package being checked is signed by the same signer as the shared
signing details, or if the current signer of one is in the lineage
of the other with the SHARED_USER_ID capability granted to it.
Fixes: 232476481
Test: Added two new packages in a sharedUserId, changed the signatures
of both in the system image, one with a rotated key, and
verified the platform recognized the new signers.
Change-Id: Idaf923783ac6b5ee3af130955044e3e61bbcfa76
2 files changed
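As an added illustration of the two checks the commit message contrasts (this is not the commit's own code and does not use the Android SigningDetails API), a small Python model: the shared signing details are taken from the first package, and each other package is accepted either by exact signer match or by the rotation-aware rule. The data class, the capability bit and the signer names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed capability bit; the real platform's constant values are not assumed here.
SHARED_USER_ID = 1 << 1


@dataclass
class SigningDetails:
    """Hypothetical model: the current signer plus its rotation lineage.

    lineage maps each previous signer to the capability bitmask the package
    still grants to it after rotation.
    """
    signer: str
    lineage: dict = field(default_factory=dict)

    def has_signer_with_capability(self, signer: str, capability: int) -> bool:
        # The current signer always qualifies; a past signer qualifies only if
        # the lineage grants it the requested capability.
        if signer == self.signer:
            return True
        return bool(self.lineage.get(signer, 0) & capability)


def exact_match(shared: SigningDetails, pkg: SigningDetails) -> bool:
    """The pre-commit behaviour: signatures must match exactly."""
    return shared.signer == pkg.signer


def rotation_aware_match(shared: SigningDetails, pkg: SigningDetails) -> bool:
    """Accept if the signers are the same, or if the current signer of one
    appears in the other's lineage with SHARED_USER_ID granted."""
    return (shared.has_signer_with_capability(pkg.signer, SHARED_USER_ID)
            or pkg.has_signer_with_capability(shared.signer, SHARED_USER_ID))


def check_shared_uid(packages: list, check) -> bool:
    """First package supplies the shared signing details; all others must pass."""
    shared = packages[0]
    return all(check(shared, pkg) for pkg in packages[1:])


# Constructed sample: A rotated old -> new and still grants old SHARED_USER_ID;
# B is still signed by old; C rotated but granted old no capabilities.
PKG_A = SigningDetails("new", {"old": SHARED_USER_ID})
PKG_B = SigningDetails("old")
PKG_C = SigningDetails("new", {"old": 0})
```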