Commit graph

67 commits

Author SHA1 Message Date
Colin Cross
bbc94b0d83 Use jni_libs instead of required for signapk conscrypt JNI
Using jni_libs tells Soong to install the JNI library into
a genrule sandbox alongside the java binary.

Bug: 124313442
Test: m checkbuild
Change-Id: Ia550102c7aa483497f95ac2ea8bb01bce89ae9c1
2020-12-02 11:37:21 -08:00
Felka Chang
b511e7f33a Let genrule have the entrance depend on signapk
Currently, it may be a good idea to let genrule module depend on
java_library_host by changing soong. To change signapk module type from
java_library_host to java_binary_host makes the genrule can depend on the
signapk module directly and generate the signapk.jar at the same time.

Test: for i in `seq 1 10` ; \
        do\
            make clean; \
            make -j64 apexer_test_host_tools; \
        done
Bug: 160632228
Bug: 157878202
Change-Id: I63ae661b9b419ddc6e69ccfc9a29fd28b116c0b5
Merged-In: I63ae661b9b419ddc6e69ccfc9a29fd28b116c0b5
(cherry picked from commit d8442b4c88)
2020-10-27 14:50:39 +00:00
Jaewoong Jung
e2348338e4 Add signing certificate lineage file support.
Also add multi-cert support to prebuilt apps so that they can benefit
from the new lineage feature.

Test: m GoogleServicesFramework w/ modified build rules
Test: m PrebuiltGmsCore w/ modified build rules
Test: apksigner lineage -v --print-certs -in <built_module_path>
Fixes: 152897457
Change-Id: If7d5d4bd308629c8340231520214c76c8a568a65
2020-04-06 10:19:15 -07:00
Songchun Fan
ce42b253b7 [signapk] new flag to request v4 signing
If this flag is enabled, the v4 signature file, named [outputApkFile].idsig
will be generated along side the outputApkFile.

Test: atest PackageManagerShellCommandIncrementalTest
BUG: 149354175
Change-Id: I5bc78bbc8b666a490f3ab05e781bfd859575af58
2020-03-25 17:15:28 -07:00
Paul Duffin
ebbcc1bb78 Replace use of conscrypt-nojarjar with conscrypt-unbundled
Bug: 141346785
Test: m checkbuild
Change-Id: Ibcd4aac938e0fdf5765ad8426fe64c6d053f3529
2019-09-23 14:30:07 +01:00
Vic Yang
baa9f50cb2 Implement range-based pin list
This extends the original pin list generation to support specifying a
range within a file.  If any part of a file is pinned, its local file
header in the APK file is pinned as well.

Test: Build cuttlefish.
Bug: 136040313
Bug: 135953430
Change-Id: I6de8c2b4c2f35c6bf257f61414c6bce761233e51
2019-07-09 10:37:19 -07:00
Dan Willemsen
ef45381221 Remove more Android.mk files from build/make
soong_ui is passing the Android.mk file list to Kati, and it ignores
Android.mk files found via symlinks, so we don't need the workarounds
for build/make/target/board/Android.mk and build/target/board/Android.mk
both existing.

We've got dist support in Soong now, so we can remove the signapk
Android.mk

Bug: 122332221
Test: m dist out/dist/signapk.jar out/dist/libconscrypt_openjdk_jni.so
Change-Id: I2ac9016b04146340c5ac80f7090d00e186023574
2019-01-05 02:40:45 +00:00
Neil Fuller
7229817457 Move signapk to a dedicated "host" target
Migrate off of one target onto another that should be identical.
"conscrypt" is about to be refactored for on-device use and signapk
needs to be unaffected.

Bug: 113148576
Test: make checkbuild
Change-Id: I3cecb4cc8fb8349383a82c8e430c936651e0835a
2018-09-12 08:19:49 +01:00
Neil Fuller
35f744966b Make host targets use non-repackaged targets
A host build target was depending on a target that is intended for
on-device, repackaged (com.android.) use. This switches to using the
unbundled target instead.

Test: Build
Bug: 111055375
Bug: 111734251
Change-Id: Ie81dd7257a14756fc21fa6f956175e5bd2ff80c1
2018-07-23 13:00:32 +01:00
Daniel Colascione
334ece99dd Add zip hint generation support to signapk tool
Test: unzip -q -c myapp.apk.signed pinlist.meta | od --endian=big -w8 -tx4
Bug: 79259761
Bug: 65316207
Change-Id: I71c01ac24e93afe75f60697a9849e1dd35e1b49d
2018-05-10 14:39:20 -07:00
Colin Cross
ad44dd4f3c Convert signapk to Android.bp
See build/soong/README.md for more information

Test: m checkbuild
Change-Id: I89a7fa7647e7081ca49720fae3be23ce84ab38e5
2017-11-09 15:11:34 -08:00
Treehugger Robot
9a04e12eba Merge "Add OWNERS for SignApk" 2017-10-31 21:53:45 +00:00
Alex Klyubin
c6c6dfe742 Add OWNERS for SignApk
Test: build/make/tools/checkowners.py -c -v OWNERS
Bug: 30972906
Change-Id: I7a2c9301376e24239924ffbedcb2b97727da700a
2017-10-31 12:36:04 -07:00
Victor Hsieh
d50662502f Migrate to the new apksig API
Following the new API contract, this effectively add extra padding
before central dir to make it 4KB aligned.

Test: build succeeded
Bug: 30972906
Change-Id: I7cac9d2c4371b473c88df867b3b2ae906443db10
2017-10-31 08:24:02 -07:00
Colin Cross
b34d45ad65 Follow renames of conscrypt and bouncycastle to remove -host suffix
Test: m checkbuild
Change-Id: I72bd7249cf6bdc4a2251f6877c776f439649da81
2017-10-17 15:27:52 -07:00
Alex Deymo
cec578c916 Don't include the dev-key on IOT products.
This patch updates the logic to use the PRODUCT_IOT variable instead of
BRILLO.

Bug: 36702887
Test: `make`; Image doesn't have the dev key.
Change-Id: I1751e97d8cdfeba83c7e4720a017a5f4dcfd49da
2017-04-03 15:04:35 -07:00
Alex Klyubin
9b75e272b6 Faster auto-detection of APK's minSdkVersion
Prior to this change, when signing APKs, the build system invoked
'aapt dump badging' on each APK, to detect the value to pass into
signapk as --min-sdk-version. Now that signapk uses the apksig
library, it can auto-detect that value on its own, thus avoiding the
need to invoke 'aapt dump badging' and thus speeding up the build
process.

The semantics of signapk's --min-sdk-version flag is changed by this
commit from having the default value of 0 to having the default value
of "auto-detect from APK".

P.S. The get-package-min-sdk-version-int is not removed from
core/definitions.mk in this commnit, because this function is used in
another project's .mk file and thus that .mk file needs to be modified
first.

Test: rm -Rf out/ && make
Change-Id: I0972fcf0abbde9cbf6794e6c05c743c77c8a78f9
2016-12-14 12:53:44 -08:00
Alex Klyubin
969e354b1f "SignApk" in Created-By header
The switch to apksig changed the Created-By header value in .SF file
from "1.0 (Android SignApk)" to "1.0 (Android apksigner)". This commit
reverts the value back to "1.0 (Android SignApk)".

Change-Id: I2fc462cade40a5b31bb6191996fd6f18fabbf08f
2016-09-07 13:21:00 -07:00
Alex Klyubin
1b09a508ba Move apksigner library to tools/apksig.
This moves build/tools/apksigner/core to its own project tools/apksig.
The move also renames the moved Java packages from
com.android.apksigner.core.* to com.android.apksig.* to reflect the
new name of the library.

Bug: 27461702
Change-Id: Iab812ae2b8f0a741014f842460c78e35bc249d43
2016-07-07 10:53:14 -07:00
Alex Klyubin
d4761a19b8 Faster and cleaner way to obtain UTF-8 encoded form.
Instead of specifying character encoding by name, the faster, cleaner,
and safer way is to use StandardCharsets.UTF_8.

Bug: 27461702
Change-Id: I897284d3ceeb44a21cc74de09a9b25f6aec8c205
2016-06-14 14:18:21 -07:00
Alex Klyubin
ab2a3b0061 Fix inefficiency in APK entry data alignment.
26f00cda4b introduced a bug where an
APK entry's extra field is padded for alignment purposes when no
padding is necessary because the entry is aligned without any padding
bytes.

Bug: 27461702
Change-Id: Icb164dbaa26d9686412e2920318a9f40c5ce9751
2016-06-11 17:47:20 -07:00
Alex Klyubin
fa1da6c311 Switch signapk to apksigner-core.
This switches signapk's APK signing from its own signing logic to that
offered by apksigner-core library. OTA update package signing logic
remains inside signapk codebase.

Bug: 27461702
Change-Id: Ibf8435c555fe3f2b621d5189e7ae44f79082c810
2016-05-27 14:45:51 -07:00
Alex Klyubin
26f00cda4b Store entry alignment information in APK.
Data of uncompressed APK entries is often aligned to a multiple of 4
or 4096 in the APK to make it easier to mmap the data. Unfortunately,
the current method for achieving alignment suffers from two issues:
(1) the way it uses the Local File Header extra field is not compliant
with ZIP format (for example, this prevents older versions of Python's
zipfile from reading APKs: https://bugs.python.org/issue14315), and
(2) it does not store information about the alignment multiple in the
APK, making it harder/impossible to preserve the intended alignment
when rearranging entries in the APK.

This change solves these issues by switching to a different method for
aligning data of uncompressed APK entries. Same as before, alignment
is achieved using Local File Header entry field. What's different is
that alignment is achieved by placing a well-formed extensible data
field/block into the extra field. The new field/block contains the
alignment multiple (e.g., 4 or 4096) as well as the necessary padding
(if any). Compared to the original alignment method, the new method
uses 6 more bytes for each uncompressed entry.

Bug: 27461702
Change-Id: I8cffbecc50bf634b28fca5bc39eb23f671961cf9
2016-05-23 17:46:18 -07:00
Alex Klyubin
0caa16a6d1 No need to JAR-sign OTA update packages.
This removes the logic for JAR signing from -w (whole-file signing)
mode. This mode is designed specifically for OTA update packages. When
such packages are verified, their JAR signatures are ignored. Thus,
there is no need to JAR-sign in -w mode.

For context, OTA update packages are protected by a special signature
residing in the ZIP End of Central Directory record (at the very end
of the file). This is the signature verified when update packages are
being applied to Android.

Change-Id: Ia852a11ed6774ce746087cdd7f028b191ef6bc8b
2016-05-12 11:32:43 -07:00
Alex Klyubin
b141ded82b SHA-256 with ECDSA supported only on API Level 21 and higher.
Turns out APK signatures using SHA-256 with ECDSA are accepted only by
platforms with API Level 21 and higher, not 18 and higher.

Bug: 28296599

Change-Id: I3fab5be17bf3a9bdbf4d84d90d51448027c7e761
2016-05-03 18:15:39 -07:00
Alex Klyubin
3f52653abf Separate logic for alg selection for OTA and APK signing.
The rules for which digest algorithms are accepted by the Android
platform for APK signatures and OTA update package signatures are
different. For example, the set of digest algorithms accepted for APK
signatures depends on the signing key algorithm and the platform's
API Level. Whereas the set of digest algorithms accepted for OTA
update package signatures by Recovery depends on the list produced
by the build system, which in turn produces the list based on the
key algorithm and digest used in the signing certificate.

To reflect this reality, this refactoring CL explicitly separates
signapk's logic for choosing the digest algorithm to use for v1
signing from its logic for choosing the digest algorithm to use for
OTA update package signing.

Bug: 28296599
Change-Id: Ic7aa77e89622d727e985f8749071284746be7f45
2016-04-25 11:15:27 -07:00
Alex Klyubin
60817689fa Remove support for DSA with SHA-512 from v2 signing.
Android platform does not support DSA with SHA-512. Thus, it does not
make sense to support this unsupported algorithm in APK Signature
Scheme v2.

Bug: 24331392
Change-Id: Ifba90ad5b11188bb968c28d9e0ed3f9cb13ce2e7
2016-04-07 10:24:56 -07:00
Alex Klyubin
37a0ecd329 Fix bug in APK entry alignment.
APK entry alignment logic assumes that input entries have zero-length
comment and extra fields. When the assumption is broken, the logic
silently breaks alignment of output entries. This happens, for
example, when the APK to be signed is already aligned and thus may
contain entries with non-empty extra fields.

Given that APKs are not supposed to use comment and extra fields for
anything useful and given that this signer already discards comment
and extra fields of compressed entries, this change makes the signer
discard comment and extra fields of STORED input entries as well.
This unbreaks the existing alignment logic.

Bug: 27814973
Change-Id: I8242b037e21ba7bcf45d0fe2afc8bfc47f1ec314
2016-03-23 13:09:42 -07:00
Alex Klyubin
82bf99bb4e Fix two cosmetic issues in signapk.
* Zip EoCD record comment length was referred to as 32-bit whereas it
  is a 16-bit field. The implementation was fine, but the comment and
  the naming of a constant were wrong.
* System.out.println was left over from early prototyping days.
  Removed.

Bug: 25794543
Change-Id: I97199310d4b4451271a75bb6c6d0463e0b788be9
2016-03-14 13:33:26 -07:00
Alex Klyubin
97dd58a071 Switch to production constant for v2 signing scheme ID.
Bug: 25794543
Change-Id: I0e06f31ea3117c6865d18f853f99304964b323b4
2016-02-16 12:42:37 -08:00
Alex Klyubin
f735851fa9 Use Jan 1 2009 as timestamp in OTA update ZIPs.
This is a follow-up to 6c41036bcf where
I forgot to update a section of OTA update ZIP code.

Bug: 26864066
Change-Id: Idbcde71d6377a16807e41c999120eeddd5b4d8a4
2016-02-09 13:09:57 -08:00
Dan Willemsen
0d85dab09a Merge "Use Jan 1 2009 as timestamp in APKs and OTA update ZIPs." 2016-01-30 02:44:27 +00:00
Lee Campbell
3d8bf2994c brillo: Remove dependency on java for Brillo
Brillo does not require Java. Add a JAVA_NOT_REQUIRED
flag to the build system to make the jdk requirment optional

Also don't build signapk for Brillo

BUG: 25281898
Change-Id: I31e68cc7d076bf6c234699c77c0ea1ea428be4f5
2016-01-29 15:38:53 -08:00
Alex Klyubin
6c41036bcf Use Jan 1 2009 as timestamp in APKs and OTA update ZIPs.
Previously, the timestamp was one hour ahead of NotBefore of the
signer's certificate, adjusted for the current timezone. With this
change the MS-DOS timestamp in output APK/ZIP files is
Jan 1 2009 00:00:00.

Bug: 26864066
Change-Id: Id6263c38ac7042489ab695454f8e0fb2d85a3958
2016-01-29 13:10:03 -08:00
Alex Klyubin
dd910c5945 Make signapk sign using APK Signature Scheme v2.
APKs are now signed with the usual JAR signature scheme and then
with the APK Signature Scheme v2.

APK Signature Scheme v2 is a whole-file signature scheme which aims
to protect every single bit of the APK as opposed to the JAR signature
scheme which protects only the names and uncompressed contents of ZIP
entries.

The two main goals of APK Signature Scheme v2 are:
1. Detect any unauthorized modifications to the APK. This is achieved
   by making the signature cover every byte of the APK being signed.
2. Enable much faster signature and integrity verification. This is
   achieved by requiring only a minimal amount of APK parsing before
   the signature is verified, thus completely bypassing ZIP entry
   decompression and by making integrity verification parallelizable
   by employing a hash tree.

Bug: 25794543
Change-Id: I275d2a6d0a98504891985309b9dfff2e0e44b878
2016-01-20 13:35:21 -08:00
Alex Klyubin
9b54a565c9 Command-line flag to disable signing with APK Signature Scheme v2.
This change makes signapk not reject the --disable-v2 command-line
flag which may be used by build scripts in some branches. The flag
is currently ignored.

This change is landed separately from the actual support for APK
Signature Scheme v2 because of unbundled branches which use prebuilt
versions of signapk.

Bug: 25794543
Change-Id: I900966244b8b6296b1f443bf98830cc7f7cc81a8
2016-01-20 12:55:16 -08:00
Alex Klyubin
c2c49ed0c1 Unconditionally use SHA-256 when minSdkVersion is 18 or higher.
SHA-1 is deprecated, but the replacement SHA-256 is only supported
for JAR/APK and OTA update package signatures on API Level 18 and
newer. This change thus adds a --min-sdk-version command-line
parameter to signapk. When this parameter is set to 18 or higher,
SHA-256 is used instead of SHA-1. When the parameter is not provided,
SHA-1 is used same as before.

This change also removes any other digests from the MANIFEST.MF.
This is to ignore any MANIFEST.MF digests already there in the APK,
such as when re-signing an already signed APK.

Build scripts will be modified to provide the --min-sdk-version
parameter in a follow-up change. This is not done in this change
because of prebuilts which require a prebuilt version of signapk
to support this parameter before the build scripts can be modified.

Bug: 25643280
Change-Id: I6a2782e465600fe2a3ad0c10bd80db2b80a6fb76
2016-01-12 13:31:59 -08:00
Alex Klyubin
8502937cff List SHA-1 digests of APK entries' contents in .SF files.
Due to a bug introduced in 8562fd478d
SHA-1 digests of APK entries' contents were listed under wrong
attribute name. The effect is equivalent to not listing SHA-1
digests.

This change fix the issue by listing SHA-1 digests under the correct
attribute name. However, these digests are not that useful because:
(1) typically the digest of the MANIFEST.MF verifies and thus the
per-entry digests are ignored, and (2) per-entry digests of entries
with names longer than 64 characters are wrong in any case because the
digest generation code does not take into account that such names are
split over multiple lines.

An alternative to this change would be to completely omit outputting
per-entry sections of .SF files, thus saving space and speeding up APK
verification (.SF files would decompress faster).

Bug: 26513901
Change-Id: If95d58e9baa62b1113639fe70724e1e9c9f4e15c
2016-01-12 12:36:46 -08:00
Alex Klyubin
fe7c1e59d1 Move signapk sources to src dir.
This also makes source files follow the standard directory structure
based on Java package names.

Bug: 25794543
Change-Id: Ie0b568057f836e56407f76d29eeacd28ab907ba8
2015-12-15 09:08:45 -08:00
Alex Klyubin
9667b18f23 Make signapk use Conscrypt.
This makes the signapk tool use Conscrypt (where possible) instead of
the platform-default JCA providers and the Bouncy Castle JCA provider.
This speeds up (by 10-30%) APK and OTA update signing because
Conscrypt's crypto primitives are backed by BoringSSL.

Previously, the signapk tool consisted only of the signapk.jar.
Because Conscrypt is backed by native code, signapk now consists of
signapk.jar and crypto_openjdk_jni shared library. This requires that
users of the tool be updated to provide a suitable -Djava.library.path
argument to the Java runtime. This change updates all known users of
the tool inside the Android source tree to do so.

Bug: 26097626
Change-Id: I8411b37d7f771ed99269751a3007dff103083552
2015-12-11 08:36:42 -08:00
Alex Klyubin
924a683760 Make signapk align .so entries to 4096 bytes.
This makes signapk align uncompressed .so entries to memory page
boundary (4096 bytes) to enable such libraries to be loaded at runtime
through memory-mapping the APK.

With this change in place, there should no longer be a need to run
zipalign after (or before) signapk.

Bug: 25794543
Change-Id: I74775af15a683791f57fcbd3497a79951b3f63a1
2015-12-02 19:02:01 -08:00
Alex Klyubin
c218d3eca3 Clean up compiler warnings in signapk.
Bug: 25794543
Change-Id: Ia7da4fbaed77af4020e5aa0b14fe5e1bd8521edb
2015-11-24 09:27:55 -08:00
adattatr
50c7c5a722 If a console doesn't exist, read password from stdin.
When signapk.jar is invoked by scripts like
sign_target_files_apks.py, there is no console as signapk is
invoked using popen(). To support signing of APKs using
software keys with passwords, we need to read
the password from stdin if there is no console.

Change-Id: Icf69ba1e58bf1f91979eaf1d3b91cb202782e8fd
Signed-off-by: adattatr <anisha.dattatraya.kulkarni@intel.com>
Signed-off-by: Brad Geltz <brad.geltz@intel.com>
2015-09-28 11:44:27 -07:00
Ying Wang
fafe5ac819 Merge "Signapk.java: hide the password" 2015-03-11 16:46:00 +00:00
Kenny Root
bda807d3a1 Track bouncycastle upgrade to 1.51
The new API in 1.51 will allow null return values.

Change-Id: I583690bf0740b2d0962f02edea3896e18626e548
2014-08-07 12:11:47 -07:00
zhang jun
22717f9f9e Signapk.java: hide the password
Reads the password through console instead of stdin directly and returns it as a string.

Change-Id: I52e525680b93e9729158f4902b22f985245dbf2f
Signed-off-by: zhang jun <jun.zhang@intel.com>
Signed-off-by: Mingwei Shi <mingwei.shi@intel.com>
2014-07-17 18:13:51 +08:00
Doug Zongker
1d67eec191 make SignApk do zip alignment
When signing an APK, make the SignApk tool align the stored entries to
(by default) 4-byte boundaries.  This obviates the need to run the
separate zipalign tool, which currently does this job.

The alignment byte count can be specified with the -a option.  OTA
package signing (with -w) never does alignment.

The order of files in the output APK is changed so that all stored
files come first in the output, followed by all non-stored files.
This is not expected to have any impact in practice.

Change-Id: Iaeef89b2a7283e25fadb99c0a0f0641f682d76b8
2014-05-15 09:54:26 -07:00
Kenny Root
01ed66d2ba Allow ECDSA signing OTA files
ECDSA works in the recovery verifier, so we can allow OTA updates to be
signed with EC keys.

Change-Id: If8f2be028843fbfd6c8c9c41b492605d9b5cbeb0
2013-10-09 15:00:24 -07:00
Kenny Root
89c961aa11 SignApk: add argument for loading a Provider
For supporting loading a custom key type provider, add a -providerClass
argument that loads the selected JCE at the front of the provider list.

Change-Id: I3df16f7c570d36e08806b614d6f30c41cb117565
2013-09-25 11:37:52 -07:00
Kenny Root
62ea4a5c3c Read algorithm OID directly from PKCS#8 container
The PKCS#8 PrivateKeyInfo structure has the algorithm OID encoded right
before the actual key octet stream is encoded. Use Bouncycastle to read
the OID for creation with the key factory.

This aids in the creation of custom key types that are backed by
hardware devices (e.g., HSMs) and have their own assigned OIDs.

Change-Id: If5d8fe07bc157e9bb5a3fb5f99091e924143105f
2013-09-25 09:59:10 -07:00