sign non-PRESIGNED prebuilt apks
Since dev keys can now vary per device, we can't assume they are
checked in with the correct signature.
Change-Id: I7577a3a6bd98d005c15936c99b2944acc4412798
diff --git a/core/prebuilt.mk b/core/prebuilt.mk
index 8c03341..54a7fa9 100644
--- a/core/prebuilt.mk
+++ b/core/prebuilt.mk
@@ -54,11 +54,61 @@
PACKAGES.$(LOCAL_MODULE).OVERRIDES := $(strip $(LOCAL_OVERRIDES_PACKAGES))
-# Ensure that prebuilt .apks have been aligned.
+ifeq ($(LOCAL_CERTIFICATE),EXTERNAL)
+ # The magic string "EXTERNAL" means this package will be signed with
+ # the default dev key throughout the build process, but we expect
+ # the final package to be signed with a different key.
+ #
+ # This can be used for packages where we don't have access to the
+ # keys, but want the package to be predexopt'ed.
+ LOCAL_CERTIFICATE := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
+ PACKAGES.$(LOCAL_MODULE).EXTERNAL_KEY := 1
+
+ $(built_module) : PRIVATE_PRIVATE_KEY := $(LOCAL_CERTIFICATE).pk8
+ $(built_module) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem
+endif
+ifeq ($(LOCAL_CERTIFICATE),)
+ ifneq ($(filter APPS,$(LOCAL_MODULE_CLASS)),)
+ # It is now a build error to add a prebuilt .apk without
+ # specifying a key for it.
+ $(error No LOCAL_CERTIFICATE specified for prebuilt "$(LOCAL_SRC_FILES)")
+ endif
+else ifeq ($(LOCAL_CERTIFICATE),PRESIGNED)
+ # The magic string "PRESIGNED" means this package is already checked
+ # signed with its release key.
+ #
+ # By setting .CERTIFICATE but not .PRIVATE_KEY, this package will be
+ # mentioned in apkcerts.txt (with certificate set to "PRESIGNED")
+ # but the dexpreopt process will not try to re-sign the app.
+ PACKAGES.$(LOCAL_MODULE).CERTIFICATE := PRESIGNED
+ PACKAGES := $(PACKAGES) $(LOCAL_MODULE)
+else
+ # If this is not an absolute certificate, assign it to a generic one.
+ ifeq ($(dir $(strip $(LOCAL_CERTIFICATE))),./)
+ LOCAL_CERTIFICATE := $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))$(LOCAL_CERTIFICATE)
+ endif
+
+ PACKAGES.$(LOCAL_MODULE).PRIVATE_KEY := $(LOCAL_CERTIFICATE).pk8
+ PACKAGES.$(LOCAL_MODULE).CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem
+ PACKAGES := $(PACKAGES) $(LOCAL_MODULE)
+
+ $(built_module) : PRIVATE_PRIVATE_KEY := $(LOCAL_CERTIFICATE).pk8
+ $(built_module) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem
+endif
+
ifneq ($(filter APPS,$(LOCAL_MODULE_CLASS)),)
+ifeq ($(LOCAL_CERTIFICATE),PRESIGNED)
+# Ensure that presigned .apks have been aligned.
$(built_module) : $(LOCAL_PATH)/$(LOCAL_SRC_FILES) | $(ZIPALIGN)
$(transform-prebuilt-to-target-with-zipalign)
else
+# Sign and align non-presigned .apks.
+$(built_module) : $(LOCAL_PATH)/$(LOCAL_SRC_FILES) | $(ACP) $(ZIPALIGN) $(SIGNAPK_JAR)
+ $(transform-prebuilt-to-target)
+ $(sign-package)
+ $(align-package)
+endif
+else
ifneq ($(LOCAL_PREBUILT_STRIP_COMMENTS),)
$(built_module) : $(LOCAL_PATH)/$(LOCAL_SRC_FILES)
$(transform-prebuilt-to-target-strip-comments)
@@ -86,42 +136,6 @@
$(built_module) : $(common_javalib_jar)
endif # TARGET JAVA_LIBRARIES
-ifeq ($(LOCAL_CERTIFICATE),EXTERNAL)
- # The magic string "EXTERNAL" means this package will be signed with
- # the test key throughout the build process, but we expect the final
- # package to be signed with a different key.
- #
- # This can be used for packages where we don't have access to the
- # keys, but want the package to be predexopt'ed.
- LOCAL_CERTIFICATE := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
- PACKAGES.$(LOCAL_MODULE).EXTERNAL_KEY := 1
-endif
-ifeq ($(LOCAL_CERTIFICATE),)
- ifneq ($(filter APPS,$(LOCAL_MODULE_CLASS)),)
- # It is now a build error to add a prebuilt .apk without
- # specifying a key for it.
- $(error No LOCAL_CERTIFICATE specified for prebuilt "$(LOCAL_SRC_FILES)")
- endif
-else ifeq ($(LOCAL_CERTIFICATE),PRESIGNED)
- # The magic string "PRESIGNED" means this package is already checked
- # signed with its release key.
- #
- # By setting .CERTIFICATE but not .PRIVATE_KEY, this package will be
- # mentioned in apkcerts.txt (with certificate set to "PRESIGNED")
- # but the dexpreopt process will not try to re-sign the app.
- PACKAGES.$(LOCAL_MODULE).CERTIFICATE := PRESIGNED
- PACKAGES := $(PACKAGES) $(LOCAL_MODULE)
-else
- # If this is not an absolute certificate, assign it to a generic one.
- ifeq ($(dir $(strip $(LOCAL_CERTIFICATE))),./)
- LOCAL_CERTIFICATE := $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))$(LOCAL_CERTIFICATE)
- endif
-
- PACKAGES.$(LOCAL_MODULE).PRIVATE_KEY := $(LOCAL_CERTIFICATE).pk8
- PACKAGES.$(LOCAL_MODULE).CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem
- PACKAGES := $(PACKAGES) $(LOCAL_MODULE)
-endif
-
ifneq ($(prebuilt_module_is_a_library),)
ifneq ($(LOCAL_IS_HOST_MODULE),)
$(transform-host-ranlib-copy-hack)