// Copyright (C) 2019 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Build rules to build shim apexes.
package {
default_applicable_licenses: ["Android-Apache-2.0"],
}
genrule {
name: "com.android.apex.cts.shim.pem",
out: ["com.android.apex.cts.shim.pem"],
cmd: "openssl genrsa -out $(out) 4096",
}
genrule {
name: "com.android.apex.cts.shim.pubkey",
srcs: [":com.android.apex.cts.shim.pem"],
out: ["com.android.apex.cts.shim.pubkey"],
tools: ["avbtool"],
cmd: "$(location avbtool) extract_public_key --key $(in) --output $(out)",
}
apex_key {
name: "com.android.apex.cts.shim.key",
private_key: ":com.android.apex.cts.shim.pem",
public_key: ":com.android.apex.cts.shim.pubkey",
installable: false,
}
genrule {
name: "com.android.apex.cts.shim.debug.pem",
out: ["com.android.apex.cts.shim.debug.pem"],
cmd: "openssl genrsa -out $(out) 4096",
}
genrule {
name: "com.android.apex.cts.shim.debug.pubkey",
srcs: [":com.android.apex.cts.shim.debug.pem"],
out: ["com.android.apex.cts.shim.debug.pubkey"],
tools: ["avbtool"],
cmd: "$(location avbtool) extract_public_key --key $(in) --output $(out)",
}
apex_key {
name: "com.android.apex.cts.shim.debug.key",
private_key: ":com.android.apex.cts.shim.debug.pem",
public_key: ":com.android.apex.cts.shim.debug.pubkey",
installable: false,
}
genrule {
name: "generate_hash_of_dev_null",
out: ["hash.txt"],
cmd: "sha512sum -b /dev/null | cut -d' ' -f1 | tee $(out)",
}
prebuilt_etc {
name: "hash_of_dev_null",
src: ":generate_hash_of_dev_null",
filename: "hash.txt",
installable: false,
}
apex {
name: "com.android.apex.cts.shim.v3",
manifest: "manifest_v3.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "com.android.apex.cts.shim.key",
prebuilts: ["hash_of_dev_null"],
apps: ["CtsShim", "CtsShimPriv"],
installable: false,
allowed_files: "default_shim_allowed_list.txt",
updatable: false,
}
apex {
name: "com.android.apex.cts.shim.v2",
manifest: "manifest_v2.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "com.android.apex.cts.shim.key",
prebuilts: ["hash_of_dev_null"],
apps: ["CtsShim", "CtsShimPriv"],
installable: false,
allowed_files: "default_shim_allowed_list.txt",
updatable: false,
}
apex {
name: "com.android.apex.cts.shim.v2_sign_payload_with_different_key",
// Use manifest_v2_rebootless to also re-use this APEX in the rebootless update test case.
manifest: "manifest_v2_rebootless.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "com.android.apex.cts.shim.debug.key",
prebuilts: ["hash_of_dev_null"],
installable: false,
allowed_files: "default_shim_allowed_list.txt",
updatable: false,
}
apex {
name: "com.android.apex.cts.shim.v2_without_apk_in_apex",
manifest: "manifest_v2.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "com.android.apex.cts.shim.key",
prebuilts: ["hash_of_dev_null"],
installable: false,
allowed_files: "default_shim_allowed_list.txt",
updatable: false,
}
apex {
name: "com.android.apex.cts.shim.v2_no_hashtree",
manifest: "manifest_v2.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "com.android.apex.cts.shim.key",
prebuilts: ["hash_of_dev_null"],
apps: ["CtsShim", "CtsShimPriv"],
installable: false,
allowed_files: "default_shim_allowed_list.txt",
generate_hashtree: false,
updatable: false,
}
apex {
name: "com.android.apex.cts.shim.v2_unsigned_payload",
// Use manifest_v2_rebootless to also re-use this APEX in the rebootless update test case.
manifest: "manifest_v2_rebootless.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "com.android.apex.cts.shim.key",
prebuilts: ["hash_of_dev_null"],
apps: ["CtsShim", "CtsShimPriv"],
installable: false,
allowed_files: "default_shim_allowed_list.txt",
test_only_unsigned_payload: true,
updatable: false,
}
override_apex {
name: "com.android.apex.cts.shim.v2_different_package_name",
package_name: "com.android.apex.cts.shim.different",
// Use rebootless APEX to re-use this APEX in the rebootless update test case.
base: "com.android.apex.cts.shim.v2_rebootless",
}
genrule {
name: "generate_empty_hash",
out: ["hash.txt"],
cmd: "touch $(out)",
}
prebuilt_etc {
name: "empty_hash",
src: ":generate_empty_hash",
filename: "hash.txt",
installable: false,
}
// Use empty hash.txt to make sure that this apex has wrong SHA512, hence trying
// to stage it should fail.
apex {
name: "com.android.apex.cts.shim.v2_wrong_sha",
// Use manifest_v2_rebootless to also re-use this APEX in the rebootless update test case.
manifest: "manifest_v2_rebootless.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "com.android.apex.cts.shim.key",
prebuilts: ["empty_hash"],
installable: false,
updatable: false,
}
prebuilt_etc {
name: "apex_shim_additional_file",
src: "additional_file",
filename: "additional_file",
installable: false,
}
apex {
name: "com.android.apex.cts.shim.v2_additional_file",
// Use manifest_v2_rebootless to also re-use this APEX in the rebootless update test case.
manifest: "manifest_v2_rebootless.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "com.android.apex.cts.shim.key",
prebuilts: ["hash_of_dev_null", "apex_shim_additional_file"],
installable: false,
updatable: false,
}
prebuilt_etc {
name: "apex_shim_additional_folder",
src: "additional_file",
filename: "additional_file",
sub_dir: "additional_folder",
installable: false,
}
apex {
name: "com.android.apex.cts.shim.v2_additional_folder",
// Use manifest_v2_rebootless to also re-use this APEX in the rebootless update test case.
manifest: "manifest_v2_rebootless.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "com.android.apex.cts.shim.key",
prebuilts: ["hash_of_dev_null", "apex_shim_additional_folder"],
installable: false,
updatable: false,
}
apex {
name: "com.android.apex.cts.shim.v2_with_pre_install_hook",
manifest: "manifest_v2_with_pre_install_hook.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "com.android.apex.cts.shim.key",
prebuilts: ["hash_of_dev_null"],
installable: false,
updatable: false,
}
apex {
name: "com.android.apex.cts.shim.v2_with_post_install_hook",
manifest: "manifest_v2_with_post_install_hook.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "com.android.apex.cts.shim.key",
prebuilts: ["hash_of_dev_null"],
installable: false,
updatable: false,
}
genrule {
name: "generate_hash_v1",
srcs: [
":com.android.apex.cts.shim.v2",
":com.android.apex.cts.shim.v2_without_apk_in_apex",
":com.android.apex.cts.shim.v2_additional_file",
":com.android.apex.cts.shim.v2_additional_folder",
":com.android.apex.cts.shim.v2_different_certificate",
":com.android.apex.cts.shim.v2_different_package_name",
":com.android.apex.cts.shim.v2_no_hashtree",
":com.android.apex.cts.shim.v2_signed_bob",
":com.android.apex.cts.shim.v2_signed_bob_rot",
":com.android.apex.cts.shim.v2_signed_bob_rot_rollback",
":com.android.apex.cts.shim.v2_with_pre_install_hook",
":com.android.apex.cts.shim.v2_with_post_install_hook",
":com.android.apex.cts.shim.v2_sdk_target_p",
":com.android.apex.cts.shim.v2_apk_in_apex_sdk_target_p",
":com.android.apex.cts.shim.v2_rebootless",
":com.android.apex.cts.shim.v3",
":com.android.apex.cts.shim.v3_rebootless",
":com.android.apex.cts.shim.v3_signed_bob",
":com.android.apex.cts.shim.v3_signed_bob_rot",
],
out: ["hash.txt"],
cmd: "sha512sum -b $(in) | cut -d' ' -f1 | tee $(out)",
}
prebuilt_etc {
name: "hash_v1",
src: ":generate_hash_v1",
filename: "hash.txt",
installable: false,
}
apex {
name: "com.android.apex.cts.shim.v1",
manifest: "manifest.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "com.android.apex.cts.shim.key",
prebuilts: ["hash_v1"],
apps: ["CtsShim", "CtsShimPriv"],
allowed_files: "default_shim_allowed_list.txt",
updatable: false,
}
// This is to install the flattened version of com.android.apex.cts.shim.
// Because com.android.apex.cts.shim is provided as prebuilt and the build system
// doesn't support install "flattened" version from "prebult" yet, GSI, which should
// have both "flatttened" and "unflattened" APEXes, is missing the flattened version
// of com.android.apex.cts.shim.
// TODO(b/159426728): When the build system can install "flattened" from "prebuilts",
// this can be removed.
override_apex {
name: "com.android.apex.cts.shim.v1_with_prebuilts",
base: "com.android.apex.cts.shim.v1",
apps: ["CtsShimPrebuilt", "CtsShimPrivPrebuilt"],
allowed_files: "prebuilts_shim_allowed_list.txt",
}
genrule {
name: "com.android.apex.cts.shim_not_pre_installed.pem",
out: ["com.android.apex.cts.shim_not_pre_installed.pem"],
cmd: "openssl genrsa -out $(out) 4096",
}
genrule {
name: "com.android.apex.cts.shim_not_pre_installed.pubkey",
srcs: [":com.android.apex.cts.shim_not_pre_installed.pem"],
out: ["com.android.apex.cts.shim_not_pre_installed.pubkey"],
tools: ["avbtool"],
cmd: "$(location avbtool) extract_public_key --key $(in) --output $(out)",
}
apex_key {
name: "com.android.apex.cts.shim_not_pre_installed.key",
private_key: ":com.android.apex.cts.shim_not_pre_installed.pem",
public_key: ":com.android.apex.cts.shim_not_pre_installed.pubkey",
installable: false,
}
apex {
name: "com.android.apex.cts.shim_not_pre_installed",
manifest: "manifest_not_pre_installed.json",
androidManifest: "AndroidManifestNotPreInstalled.xml",
file_contexts: ":apex.test-file_contexts",
key: "com.android.apex.cts.shim_not_pre_installed.key",
prebuilts: ["hash_of_dev_null"],
installable: false,
updatable: false,
}
apex {
name: "com.android.apex.cts.shim.v2_different_certificate",
// Use manifest_v2_rebootless to also re-use this APEX in the rebootless update test case.
manifest: "manifest_v2_rebootless.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "com.android.apex.cts.shim.key",
prebuilts: ["hash_of_dev_null"],
installable: false,
certificate: ":com.android.apex.cts.shim.debug.cert",
updatable: false,
}
android_app_certificate {
name: "com.android.apex.cts.shim.debug.cert",
certificate: "com.android.apex.cts.shim.debug.cert",
}
// Build rules to build shim apex with rotated keys
// We name the original key used to sign cts.shim.v1 package as alice.
// We then create a second key called bob. The second key bob is used to rotate the
// original key alice.
// Create private key bob in pem format
genrule {
name: "com.android.apex.rotation.key.bob.pem",
out: ["bob.pem"],
cmd: "openssl req -x509 -newkey rsa:4096 -nodes -days 999999 -subj '/DN=/EMAILADDRESS=android@android.com/CN=Android/OU=Android/O=Android/L=Mountain View/ST=California/C=US' -keyout $(out)",
}
// Converts bob's private key to pk8 format
genrule {
name: "com.android.apex.rotation.key.bob.pk8",
srcs: [":com.android.apex.rotation.key.bob.pem"],
out: ["bob.pk8"],
cmd: "openssl pkcs8 -topk8 -inform PEM -outform DER -in $(in) -out $(out) -nocrypt",
}
// Extract bob's public key from its private key
genrule {
name: "com.android.apex.rotation.key.bob.x509.pem",
srcs: [":com.android.apex.rotation.key.bob.pem"],
out: ["bob.x509.pem"],
cmd: "openssl req -x509 -key $(in) -newkey rsa:4096 -nodes -days 999999 -subj '/DN=/EMAILADDRESS=android@android.com/CN=Android/OU=Android/O=Android/L=Mountain View/ST=California/C=US' -out $(out)",
}
// Create lineage file for rotating alice to bob
genrule {
name: "com.android.apex.rotation.key.bob.rot",
srcs: [
"alice.pk8",
"alice.x509.pem",
":com.android.apex.rotation.key.bob.pk8",
":com.android.apex.rotation.key.bob.x509.pem",
],
out: ["bob.rot"],
tools: [":apksigner"],
cmd: "$(location :apksigner) rotate --out $(out) --old-signer --key $(location alice.pk8) --cert $(location alice.x509.pem) --new-signer --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem)",
}
// Create lineage file for rotating alice to bob with rollback capability
genrule {
name: "com.android.apex.rotation.key.bob.rot.rollback",
srcs: [
"alice.pk8",
"alice.x509.pem",
":com.android.apex.rotation.key.bob.pk8",
":com.android.apex.rotation.key.bob.x509.pem",
],
out: ["bob.rot"],
tools: [":apksigner"],
cmd: "$(location :apksigner) rotate --out $(out) --old-signer --key $(location alice.pk8) --cert $(location alice.x509.pem) --set-rollback true --new-signer --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem)",
}
// v2 cts shim package signed by bob, without lineage
genrule {
name: "com.android.apex.cts.shim.v2_signed_bob",
out: ["com.android.apex.cts.shim.v2_signed_bob"],
tools: [":apksigner"],
srcs: [
":com.android.apex.cts.shim.v2",
":com.android.apex.rotation.key.bob.x509.pem",
":com.android.apex.rotation.key.bob.pk8",
],
dist: {
targets: ["com.android.apex.cts.shim.v2_signed_bob"],
dest: "com.android.apex.cts.shim.v2_signed_bob.apex",
},
cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem) --out $(out) $(location :com.android.apex.cts.shim.v2)",
}
// v2 cts shim package signed by bob + lineage
genrule {
name: "com.android.apex.cts.shim.v2_signed_bob_rot",
out: ["com.android.apex.cts.shim.v2_signed_bob_rot"],
tools: [":apksigner"],
srcs: [
":com.android.apex.cts.shim.v2",
":com.android.apex.rotation.key.bob.x509.pem",
":com.android.apex.rotation.key.bob.pk8",
":com.android.apex.rotation.key.bob.rot",
],
dist: {
targets: ["com.android.apex.cts.shim.v2_signed_bob_rot"],
dest: "com.android.apex.cts.shim.v2_signed_bob_rot.apex",
},
cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem) --lineage $(location :com.android.apex.rotation.key.bob.rot) --out $(out) $(location :com.android.apex.cts.shim.v2)",
}
// v2 cts shim package signed by bob + lineage + rollback capability
genrule {
name: "com.android.apex.cts.shim.v2_signed_bob_rot_rollback",
out: ["com.android.apex.cts.shim.v2_signed_bob_rot_rollback"],
tools: [":apksigner"],
srcs: [
":com.android.apex.cts.shim.v2",
":com.android.apex.rotation.key.bob.x509.pem",
":com.android.apex.rotation.key.bob.pk8",
":com.android.apex.rotation.key.bob.rot.rollback",
],
dist: {
targets: ["com.android.apex.cts.shim.v2_signed_bob_rot_rollback"],
dest: "com.android.apex.cts.shim.v2_signed_bob_rot_rollback.apex",
},
cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem) --lineage $(location :com.android.apex.rotation.key.bob.rot.rollback) --out $(out) $(location :com.android.apex.cts.shim.v2)",
}
// v3 cts shim package signed by bob
genrule {
name: "com.android.apex.cts.shim.v3_signed_bob",
out: ["com.android.apex.cts.shim.v3_signed_bob"],
tools: [":apksigner"],
srcs: [
":com.android.apex.cts.shim.v3",
":com.android.apex.rotation.key.bob.x509.pem",
":com.android.apex.rotation.key.bob.pk8",
],
dist: {
targets: ["com.android.apex.cts.shim.v3_signed_bob"],
dest: "com.android.apex.cts.shim.v3_signed_bob.apex",
},
cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem) --out $(out) $(location :com.android.apex.cts.shim.v3)",
}
// v3 cts shim package signed by bob + lineage
genrule {
name: "com.android.apex.cts.shim.v3_signed_bob_rot",
out: ["com.android.apex.cts.shim.v3_signed_bob_rot"],
tools: [":apksigner"],
srcs: [
":com.android.apex.cts.shim.v3",
":com.android.apex.rotation.key.bob.x509.pem",
":com.android.apex.rotation.key.bob.pk8",
":com.android.apex.rotation.key.bob.rot",
],
dist: {
targets: ["com.android.apex.cts.shim.v3_signed_bob_rot"],
dest: "com.android.apex.cts.shim.v3_signed_bob_rot.apex",
},
cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem) --lineage $(location :com.android.apex.rotation.key.bob.rot) --out $(out) $(location :com.android.apex.cts.shim.v3)",
}
// This one is only used in ApexdHostTest and not meant to be installed
// and hence shouldn't be allowed in hash.txt of v1 shim APEX.
apex {
name: "com.android.apex.cts.shim.v2_legacy",
manifest: "manifest_v2.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "com.android.apex.cts.shim.key",
prebuilts: ["hash_of_dev_null"],
apps: ["CtsShim", "CtsShimPriv"],
installable: false,
min_sdk_version: "29",
updatable: false,
}
genrule {
name: "com.android.apex.cts.shim.v2_no_pb",
srcs: [":com.android.apex.cts.shim.v2_legacy"],
out: ["com.android.apex.cts.shim.v2_no_pb.apex"],
tools: ["zip2zip"],
cmd: "$(location zip2zip) -i $(in) -x apex_manifest.pb -o $(out)",
}
// Apex shim that targets an old sdk (P)
apex {
name: "com.android.apex.cts.shim.v2_sdk_target_p",
// Use manifest_v2_rebootless to also re-use this APEX in the rebootless update test case.
manifest: "manifest_v2_rebootless.json",
androidManifest: "AndroidManifestSdkTargetP.xml",
file_contexts: ":apex.test-file_contexts",
key: "com.android.apex.cts.shim.key",
prebuilts: ["hash_of_dev_null"],
installable: false,
apps: ["CtsShim", "CtsShimPriv"],
updatable: false,
}
// Apex shim with apk-in-apex that targets sdk P
apex {
name: "com.android.apex.cts.shim.v2_apk_in_apex_sdk_target_p",
manifest: "manifest_v2.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "com.android.apex.cts.shim.key",
prebuilts: ["hash_of_dev_null"],
apps: ["CtsShimTargetPSdk"],
installable: false,
updatable: false,
}
// Apex shim with unsigned apk
genrule {
name: "com.android.apex.cts.shim.v2_unsigned_apk_container",
// Use shim.v2_rebootless to re-use same APEX in the rebootless update test case.
srcs: [":com.android.apex.cts.shim.v2_rebootless"],
out: ["com.android.apex.cts.shim.v2_unsigned_apk_container.apex"],
cmd: "cp -v $(in) $(out) && zip -d $(out) META-INF*",
}
// Apex shim for testing rebootless updates
apex {
name: "com.android.apex.cts.shim.v2_rebootless",
manifest: "manifest_v2_rebootless.json",
file_contexts: ":apex.test-file_contexts",
key: "com.android.apex.cts.shim.key",
prebuilts: ["hash_of_dev_null"],
installable: false,
updatable: false,
}
apex {
name: "com.android.apex.cts.shim.v3_rebootless",
manifest: "manifest_v3_rebootless.json",
file_contexts: ":apex.test-file_contexts",
key: "com.android.apex.cts.shim.key",
prebuilts: ["hash_of_dev_null"],
installable: false,
updatable: false,
}