1How the test works
2==================
3ApkVerityTestApp is a test helper app to be installed with fs-verity signature
4file (.fsv\_sig). In order for this CTS test to run on a release build across
5vendors, the signature needs to be verified against a release certificate loaded
6to kernel.
7
8How to modify the test helper app
9=================================
10Modifying the test helper app will also require to sign the apk with a local debug
11key. You will also need to point the test to use your local build.
12
13How to load debug key
14---------------------
15On debuggable build, it can be done by:
16
17```
18adb root
19adb shell 'mini-keyctl padd asymmetric fsv-play .fs-verity' < fsverity-debug.x509.der
20```
21
22On user build, the keyring is closed and doesn't accept extra key. A workaround
23is to copy the .der file to /system/etc/security/fsverity. Upon reboot, the
24certificate will be loaded to kernel as usual.
25
26How to use the app built locally
27--------------------------------
28You need to override the prebuilts with the debug build.
29
301. Build the debug artifacts by `m CtsApkVerityTestDebugFiles`. Copy the output
31   to a temporary directory, e.g.
32
33```
34(cd $ANDROID_BUILD_TOP && cp `cat
35out/soong/.intermediates/cts/hostsidetests/appsecurity/test-apps/ApkVerityTestApp/testdata/CtsApkVerityTestDebugFiles/gen/CtsApkVerityTestDebugFiles.txt`
36/tmp/prebuilts/)
37```
38
392. Copy files to create bad app, e.g. in /tmp/prebuilts,
40
41```
42cp CtsApkVerityTestApp.apk CtsApkVerityTestApp2.apk
43cp CtsApkVerityTestAppSplit.apk.fsv_sig CtsApkVerityTestApp2.apk.fsv_sig
44```
45
463. Rename file names to match the test expectation.
47```
48for f in CtsApkVerityTestApp*; do echo $f | sed -E 's/([^.]+)\.(.+)/mv & \1Prebuilt.\2/'; done | sh
49```
50
514. Run the test.
52
53```
54atest CtsAppSecurityHostTestCases:android.appsecurity.cts.ApkVerityInstallTest
55```
56
57How to update the prebuilts
58===========================
59
601. Download android-cts.zip. The current prebuilts are downloaded from the links below.
61   TODO(157658439): update the links once we have the correct build target.
62
63```
64https://android-build.googleplex.com/builds/submitted/6472922/test_suites_arm64/latest/android-cts.zip
65https://android-build.googleplex.com/builds/submitted/6472922/test_suites_x86_64/latest/android-cts.zip
66```
67
682. Extract CtsApkVerityTestApp\*.{apk,dm} and ask the key owner to sign
69   (example: b/152753442).
703. Receive the release signature .fsv\_sig.
714. Extract CtsApkVerityTestApp\*.idsig.
725. Override CtsApkVerityTestApp2 to create a bad signature.
73
74```
75cp CtsApkVerityTestApp.apk CtsApkVerityTestApp2.apk
76cp CtsApkVerityTestAppSplit.apk.fsv_sig CtsApkVerityTestApp2.apk.fsv_sig
77```
78
796. Rename to "Prebuilt".
80
81```
82for f in CtsApkVerityTestApp*; do echo $f | sed -E 's/([^.]+)\.(.+)/mv & \1Prebuilt.\2/'; done | sh
83```
84
857. Duplicate arm64 prebuilts into arm and arm64, x86\_64 into x86 and x86\_64.
86