Store build information in the APEX.
This allows re-packing an APEX even if the original metadata such as
selinux file_contexts and canned_fs_config, and the original
AndroidManifest.xml, before aapt2 compiles it in binary format.
The flags that are relevant to the output are not automatically
restored, but the command_line debug field makes them all visible.
With this information, it is possible to repack an APEX to an identical
version (sha1sum verifiable) of itself.
Bug: 144477678
Test: Manual invocations of apexer with full parameters +
include_build_info, and subsequently with build_info parameter using
only data available in the apex given in input + private keys for
signing. Example:
1.
m com.android.conscrypt
2.
mkdir ${TMP_APEX_OUTPUT_WORKDIR}
unzip -d ${TMP_APEX_OUTPUT_WORKDIR} com.android.conscrypt.apex
mkdir ${TMP_APEX_OUTPUT_WORKDIR}/payload
deapexer extract ${OUTPUT_APEX_1_A} ${TMP_APEX_OUTPUT_WORKDIR}/payload
rm ${TMP_APEX_OUTPUT_WORKDIR}/payload/apex_manifest.{json,pb}
rmdir ${TMP_APEX_OUTPUT_WORKDIR}/payload/lost+found
3.
APEXER_TOOL_PATH=out/soong/host/linux-x86/bin:prebuilts/sdk/tools/linux/bin \
out/soong/host/linux-x86/bin/apexer \
--force \
--manifest ${TMP_APEX_OUTPUT_WORKDIR}/apex_manifest.pb \
--build_info ${TMP_APEX_OUTPUT_WORKDIR}/apex_build_info.pb \
--include_build_info \
--payload_type image \
--key external/conscrypt/apex/com.android.conscrypt.pem \
--pubkey ${TMP_APEX_OUTPUT_WORKDIR}/apex_pubkey \
--assets_dir ${TMP_APEX_OUTPUT_WORKDIR}/assets \
--no_hashtree \
--manifest_json ${TMP_APEX_OUTPUT_WORKDIR}/apex_manifest.json \
${TMP_APEX_OUTPUT_WORKDIR}/payload \
${TMP_APEX_OUTPUT}
4. verified that the two apexes are identical (modulo the command_line
string in the build_info proto)
Change-Id: Ibe5833d9d11b9c35ec4b929f4ae693d65fdd26d5
4 files changed
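The step 4 comparison can be scripted per archive entry; the following is an added example, not part of the commit or of the apexer tooling. It assumes the build info is the top-level zip entry `apex_build_info.pb` (as the unzip layout in the message suggests); the function names and sample archives are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Entry holding the build info; its command_line field is expected to differ.
IGNORED = {"apex_build_info.pb"}

def entry_digests(apex, ignored=IGNORED):
    """Map each zip entry name in an APEX to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(apex) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename in ignored:
                continue
            h = hashlib.sha256()
            with zf.open(info) as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[info.filename] = h.hexdigest()
    return digests

def compare_apex(original, repacked, ignored=IGNORED):
    """Return entries that are missing, extra or changed in the repacked APEX."""
    a, b = entry_digests(original, ignored), entry_digests(repacked, ignored)
    return {
        "missing": sorted(a.keys() - b.keys()),
        "extra": sorted(b.keys() - a.keys()),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

def make_sample(entries):
    """Build a constructed in-memory zip standing in for an .apex file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Constructed sample contents, not real APEX data.
    base = {"apex_manifest.pb": b"m", "apex_payload.img": b"img", "apex_pubkey": b"k"}
    first = make_sample({**base, "apex_build_info.pb": b"cmd-line-1"})
    second = make_sample({**base, "apex_build_info.pb": b"cmd-line-2"})
    print(compare_apex(first, second))
```

`compare_apex` also accepts file paths, so it can be pointed at the original and repacked `.apex` files directly; an empty result in all three lists means the archives differ only in the ignored build info entry.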