From 3ef4f718f24fa593638a6001fba6aa4e3cad4374 Mon Sep 17 00:00:00 2001 From: Jiyong Park Date: Mon, 11 Feb 2019 11:00:31 +0900 Subject: [PATCH 1/2] Sign each APEX with different container certificate Each APEX is signed with different certificate. The test certificate (along with the private key) is com.android..x509.pem and com.android..pk8. The files are in the same directory as the APEX is defined and is referenced via android_app_certificate module named com.android..certificate. The test certificate could then be overridden via PRODUCT_CERTIFICATE_OVERRIDES := : Test: jarsigner -verify -verbose -certs out/target/product/blueline/system/apex/com.android.media.apex shows ... X.509, CN=com.android.media, OU=Android, O=Android, L=Mountain View, ST=California, C=US Change-Id: Ic61a7d2ca41254bda79ee5bdd3faf6d429a24e39
---
 apex/Android.bp | 6 ++++++ apex/com.android.media.pk8 | Bin 0 -> 2374 bytes apex/com.android.media.x509.pem | 33 ++++++++++++++++++++++++++++++++ 3 files changed, 39 insertions(+) create mode 100644 apex/com.android.media.pk8 create mode 100644 apex/com.android.media.x509.pem
diff --git a/apex/Android.bp b/apex/Android.bp
index c077a77e25..6e0a908075 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -42,6 +42,7 @@ apex {
 },
 },
 key: "com.android.media.key",
+ certificate: ":com.android.media.certificate",
 }

 apex {
@@ -65,3 +66,8 @@ apex_key {
 public_key: "com.android.media.swcodec.avbpubkey",
 private_key: "com.android.media.swcodec.pem",
 }
+
+android_app_certificate {
+ name: "com.android.media.certificate",
+ certificate: "com.android.media",
+}
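Review bot: The new `android_app_certificate` module `com.android.media.certificate` at the end of the second hunk has no comment marking it as a test key, even though this commit also adds its private half (`apex/com.android.media.pk8`) to the tree, so a container signature made with it says nothing about who built the APEX. I would add a comment above the module, for example `// Test-only container key; the private key is checked in next to this file. Release builds must replace it via PRODUCT_CERTIFICATE_OVERRIDES.`, so that a product config missing the override is easier to catch in review. The same applies to `com.android.media.swcodec.certificate` in patch 2/2. Whether the build warns or fails when a release product still uses this default is not visible in the patch; if it does not, a release-time check that rejects the test certificate's subject would be worth adding.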
diff --git a/apex/com.android.media.pk8 b/apex/com.android.media.pk8 new file mode 100644 index 0000000000000000000000000000000000000000..6df741e917e2d26397402d812bd9fe64bcdc8b1f GIT binary patch literal 2374 zcmV-M3Ay$#f(b$b0RS)!1_>&LNQUwEHHuzC;|Zh0)heo0GQbo#YXA< zvfFrO?<%Gj&j509AnBOsVgLW-G-eR|0~8NRx)G*xQ)b=aqV%lcs(ywggr{_n#bz-{ zpL9=73$^7q5ZH_GY0=jfBeh zrAF7VIz-+dC62fk9?~Fg9_W3$-FCaM1zjaeSv@(QV?9x!5UB~C7!Yf&+`(D)i+_}=g?SGG=e z^K27z${cga_RNLb&AHNCYvXX%VsCTbyPjB5b^3WanbaI*CqYMK3j*S+g%xG-U={-` zBxp3zM6`g=rt9t;U4yuDLr}UvLOiz1ue*ASbSO&|pgEb~e*vc86;|z%#e-Xchvi4q zrZY=sVc;A^K0K>@YoWoi5OXTN1QAk`-@VI!@?SAk!1Fkd>?Kg@nT*W4K%?FH63UT- zB;y7B>jg?>Z=j7ewJzjn)VaRy#fOP009Dm0swtOBUxI7 zcKNn#RR&s6W+18nAOKbnj~R(zV5#w+r?{#f;vwBfDJn;rJxP1@mbXwFh4In;aEhh& zY@D_TEHNd`qkyBjqB6Yt9XGMIz_x^jRS~*H(HBMGGR>VT5m8AjwSaWM3qK3m(fv2S z)5texnlKi!W|}koU`Ysm>MLt2o;8y^e+VdlmR$Y&ILZa%3K};RF&Zb8 zcKnsVL`QGDnOM{nNpC-+;W_rl!z`wPf`{nUvjOlaJQ$npU`cE7pOzzpGx6BjPU}y3 z)NyVnN6)*DN(MhVLzXbY5Bpj28KR6*br5)$^CqMDvwzDw!b>#K{1g?Fg9PWIFt`w? 
zQNw%={}nF3XGcZN*jNUUN!rVe9V)!FmO7QGpsvZLiHU*>k`fY*EoC${OXc0^ZW<(H zh?}7x7519vpL8SIJW=ij7aX^(RsO__sDpa^@7{ zf~7E>3%}7*aAdovU?&o*BJ(Vn?)V*QqB%#s#BcL{jWgp^J@1SfE?Z&cR?-j$({px3 zr>1YSPhzqAw!<*JpPHq*Bxy3Pi^0QhbW%MQ|tD|ZvjrpLC36aDJYAYvG7v#|jsciy+0RaHVdga=R4eYF$ z$T8<)@}EXdLD{Iturhdcrx0kicjT!&#D8Ype&#slw`fYdI1;U59sVhnIyq`Lio8~< zb(W{pw36r^CT8r{mGYnHF+US&{9>@;`xSQi9V4hWrBGWN%R zKC^QgRU_!-FC-%;SNAumTHinZb)S}u*0xC^GQ>MKaa??xl#3#kK{SVwJ zPjCoEsHPJ2K!In7pI~_~A*i6r-1#A=!&6hu*h^Yru7c=Rr^3D=xlhJB$(ECUhRatz3x?3M1e19sk96LsqYkJrAYyXVovgq%~G z^%z6Cp)NN)AAfUBh$xaOVUaA&jP4QkpEngh40u|k%+k5+e}zN3kgG_1wY~U6p*+qu zG|hXXhG)#0X~%P2%tfn{>Am;7A+W`&%=w*MUL}c%S+fMlcYkyAi&mTZ=wsZn1$fYR z2{^T25|mieoW=x+D_kO2=$6YU=)F0*Wv#1zsst*E$ERL@zO(te0)hbm8T{Va8^<`H zJK&=4yed2?X7rmawzI0%+`enTX+qX zRQ(#oex{Gb0TsF+m%ipDQE>mb5u!n)rh(&!G^N9t<5N=Wr1vDjw$8s_yRT4~=< znmIP}wdjSXAH;@swfA+?ppu{`93_Is08TKiQgJ@BU_-is*<@9`1E6I8BJ@dZZ%DBs zYLd)Y3jz2cZrhziR{eSz2WtqUDJTp8N@^8vP&h=2;oB|U3Md=lK4or3vMNR@=G6m# zjCL&rc(xP`opbwT`>au@*e?9GMYB^Sl^#f7A|0a%_OYjd@D7aK0)hbmG}vM^2SHYr z>W9oS{S1KL0omIEyRAw1<(PnZCchVo65U81l)m^vh`LeVnE>)QB6wS7yU@>ZNvLQR zc}wUI{V(vA0uTn|fHF=sza{BqfHm`hUTA|v4T$$1q99BcO-|ogzE0^@5*dmyns8$_ z2>IBBR~Hmot2wgX-Cxkb3OEW;_C3uh91Ftrk#2iE8qrF%q(w^6;8(=gls@sh%ao28 zoNym^7N)R3iEip`!m^@X-vS2H@L#84G>5AdPiNhI+hmtbN~BYu_DKf}xxVe5C`&vZ zRi&wSkcrmBYv2ti$33$nFvc%Mel9$BGaYWOSub`bol`;TIDS+y0)hbn0E441c746U zK3W}I*N|L9-Lb+kmT^`Lhm^*uEBBPCrppQ4Fs`iSXIUYf(w;_c;0dfihuMJK%;U`I zb^=O4g(RHhwF#40dIS%6S59w}bEXKrvA|droM!8maqB^O;#T-Fcc!)p@O{(WF@j=> z3J_1wVe3F2)jYa2bIhZE0i7o_4DY8*FtxYR$P|~e%%br0Fh8n$oIuY-F2ZyfP%0Z` zhp;5GItwq4W1HL+#0)N~pW8$dVOe`9*nv@;KpeE+s?WogUk|0!1IAGmKGrk%HJ&#W stuvke_}g8HijwYYQ Date: Mon, 11 Feb 2019 12:30:20 +0900 Subject: [PATCH 2/2] Sign each APEX with different container certificate Each APEX is signed with different certificate. The test certificate (along with the private key) is com.android..x509.pem and com.android..pk8. 
The files are in the same directory as the APEX is defined and is referenced via android_app_certificate module named com.android..certificate. The test certificate could then be overridden via PRODUCT_CERTIFICATE_OVERRIDES := : Test: jarsigner -verify -verbose -certs out/target/product/blueline/system/apex/com.android.media.swcodec.apex shows ... X.509, CN=com.android.media.swcodec, OU=Android, O=Android, L=Mountain View, ST=California, C=US Change-Id: I3a967fa640ce77177763b78a34a2df05f70ce60f
---
 apex/Android.bp | 6 +++++ apex/com.android.media.swcodec.pk8 | Bin 0 -> 2374 bytes apex/com.android.media.swcodec.x509.pem | 34 ++++++++++++++++++++++++ 3 files changed, 40 insertions(+) create mode 100644 apex/com.android.media.swcodec.pk8 create mode 100644 apex/com.android.media.swcodec.x509.pem
diff --git a/apex/Android.bp b/apex/Android.bp
index 6e0a908075..88b519a3c9 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -53,6 +53,7 @@ apex {
 ],
 use_vendor: true,
 key: "com.android.media.swcodec.key",
+ certificate: ":com.android.media.swcodec.certificate",
 }

 apex_key {
@@ -71,3 +72,8 @@ android_app_certificate {
 name: "com.android.media.certificate",
 certificate: "com.android.media",
 }
+
+android_app_certificate {
+ name: "com.android.media.swcodec.certificate",
+ certificate: "com.android.media.swcodec",
+}
diff --git a/apex/com.android.media.swcodec.pk8 b/apex/com.android.media.swcodec.pk8 new file mode 100644 index 0000000000000000000000000000000000000000..05a4216fef4d286d4bc3e7197be4a8c28c4a3640 GIT binary patch literal 2374 zcmV-M3Ay$#f(b$b0RS)!1_>&LNQUwEHHuzC;|Zh0)heo0J5dT&;k~u zwY^RXww(c~hq9UIy^!{dZ;GIm9}*fqr{ObXuuZ(205TAIs_T^;VRhAHjJu3dLR#); zuY5#if|!nebI6opx;;BKf>^?m$r*%Q+kyA8xO;TA#t!*Ljqt^2WIq2v*o5P(HaNh- zlx> zh1nnGacyxD14BMpa-c-37*0KgV$I%?jcXPz80z8GFCIC`suSk#;!6|6l7})dBCi;g zuHku7Io-sKBaCXGj$vGeFBfH<1&~v-*$$vmCq%NbXektWK_gyV+Bi{lbAo*jS+qCL zWW=qD{M?}d}2=1H}GdaHqdT$y;-pC!Z6GC`Y*fF)(ibgxg9o8?`+?Jz9Z zkInWXjwuwdtxFj*U%qYC>9^?H^qAUuHq?^Kq=ibaCG3kAS7A-bNU|MlQvF0G@|Gaw z4qaG##1LNmKdDvI1X}1+B?J_prli0lPj)DX!w%4U833SHkpcq&009Dm0svfcKnTn$ z-;7kOAPXb#ibObmK-_3K&90*KI(FNwO(P!svurS~8>Ci51lE!km76h`{qcR&J#{S& z76#9)t;T~Nsr*cx%>hSJZvepI--pF^qyt5qVwLFq8sHy0i}6F*L=G%7cV&)GD*W6X zloPKA68&uGo>|D-T?JcFIs?z0b{6yeS`%4-BsT+vKt7~|kZBs*00GURxp#w{lqj2} z+cD~l0eVdWC@LHf6~(1~BXjO~6eH;v_KD0AtVATZJkzH(j88!UPQ9_vM)vfRS}Ay@ zras$SCfnZ;DPV2)ccOM{q}-LH^}fARGfZu-H54%pual8Jk&Q>XI~}Wqj>gbFqU}nw zCnh!RIhU{p905{sH@ZBMPz#Nz?a(R+E5>aiVF!6qu?iQ!2j!JH%j@H|BKYY*c-h@= zXehzG6Vi#}ca#GR@uQM2(p++Kkbxer!QJS~EJZN0ey)kuSD{9)!^zF2VK06u9nqwW z?He*Za@RZ~<KhA=8S_wtgQ(^md(jb5W+F2JjH2Q(=el6x(IGx!9&$8ZhU-@`w9%Ku+f7l!R0eS=%>U7 z%BeZLe;w7_2#N!8Y@S@!!|94%j|`m%iXHC)$iTV&df(R^zC)_!U?8I3WX!nEDj$Uv zRYwCJv4wyjE%gT7S?1%!_z;0l70}6V{5Mb5tlAH+7@%+zqEU%-jlP+@V1Wf@?lU5{{J64zLJyLQ70)hbn0Eqt&`C<7f z9t1XsR>-(jcG86R>V*%C=bY92A@$vB7ZF{o&t-R6+f3R!d~Pv zSD2bdb8*^pu06_Yg$?dsA zWyKO7NhB$4Ah58>HK^i%<=}=aaQl{i}L1 zv}%UP(cyMB@e$R!zBQq~6-9XJjNxZu?w2SVt?Y2qnvg)BS%fSWrzI_0UESWxImL^o zELZm}(o~;mx_;u5wT~&g0flz?p#&{iF+FZNu~<}e8%8FBB`;Th*YuNUg@`4yrgld& zY!L80hp&W74#qtHJY-ur#od|2BMotfk!+dtTZVfW_z~En6q|>mm(O^_4Kg-@9X*N# zR>%!YE08;B*YjKZ0F5d;rJh-P`VoQH=;mByPF+tDCVoUu*Fz4yEdqi80BJ2%YrAaJ zcj*?eyqTJYcR`DDPAA!Pwjf=={>y7_SR8xsHMK=n`taEjWqjURYnI6a+X!JhAA0P* zLpf3prvVV7CTX!{REdQi0tZpbGY$aIq>9veT!Vhi4%xh+9S|089Ea)gH~XD8!f#UM 
z>WI1uJip2mo<7ZM)rQ`IGw-kn*C;sFN$*=v1-)^SZjS+&b3LwEej}lF&kq7`!|#Q; z%s^$L(kl~H!VwpT>RH{3djvPfw