You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
296 lines
14 KiB
296 lines
14 KiB
#
|
|
# Copyright (C) 2020 The Android Open Source Project
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
|
|
LOCAL_PATH := $(call my-dir)
|
|
|
|
cert_dir := cts/hostsidetests/appsecurity/certs/pkgsigverify
|
|
|
|
# This is the default test package signed with the default key.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := CtsPkgInstallTinyApp
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is the test package v2 signed with the default key.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-v2.xml
|
|
LOCAL_PACKAGE_NAME := CtsPkgInstallTinyAppV2
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is the test package signed using the V1/V2 signature schemes with
|
|
# two signers targeting SDK version 30 with sandbox version 1. From this
|
|
# package the v1-ec-p256-two-signers-targetSdk-30.apk is created with the
|
|
# following command:
|
|
# apksigner sign --in v1v2-ec-p256-two-signers-targetSdk-30.apk --out
|
|
# v1-ec-p256-two-signers-targetSdk-30.apk --cert ec-p256.x509.pem --key
|
|
# ec-p256.pk8 --next-signer --cert ec-p256_2.x509.pem --key ec-p256_2.pk8
|
|
# --v2-signing-enabled false --v3-signing-enabled false --v4-signing-enabled false
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_SDK_VERSION := 30
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-sandbox-v1.xml
|
|
LOCAL_PACKAGE_NAME := v1v2-ec-p256-two-signers-targetSdk-30
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_CERTIFICATE := $(cert_dir)/ec-p256
|
|
LOCAL_ADDITIONAL_CERTIFICATES := $(cert_dir)/ec-p256_2
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is the test package signed using the V3 signature scheme
|
|
# with the previous key in the lineage and part of a sharedUid.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := v3-ec-p256-1-sharedUid
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-shareduid.xml
|
|
LOCAL_CERTIFICATE := $(cert_dir)/ec-p256
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is the test package signed using the V3 signature scheme with
|
|
# a rotated key and one signer in the lineage with default capabilities.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := v3-ec-p256-with-por_1_2-default-caps
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_CERTIFICATE := $(cert_dir)/ec-p256_2
|
|
LOCAL_ADDITIONAL_CERTIFICATES := $(cert_dir)/ec-p256
|
|
LOCAL_CERTIFICATE_LINEAGE := $(cert_dir)/ec-p256-por_1_2-default-caps
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is the test package signed using the V3 signature scheme with
|
|
# a rotated key and part of a shareduid. The capabilities of this lineage
|
|
# grant access to the previous key in the lineage to join the sharedUid.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := v3-ec-p256-with-por_1_2-default-caps-sharedUid
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-shareduid.xml
|
|
LOCAL_CERTIFICATE := $(cert_dir)/ec-p256_2
|
|
LOCAL_ADDITIONAL_CERTIFICATES := $(cert_dir)/ec-p256
|
|
LOCAL_CERTIFICATE_LINEAGE := $(cert_dir)/ec-p256-por_1_2-default-caps
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is the test package signed using the V3 signature scheme with
|
|
# a rotated key and part of a shareduid. The signing lineage begins
|
|
# with a key that is not in any of the other lineages and is intended
|
|
# to verify that two packages signed with lineages that have diverged
|
|
# ancestors are not allowed to be installed in the same sharedUserId.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := v3-por_Y_1_2-default-caps-sharedUid
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-shareduid.xml
|
|
LOCAL_CERTIFICATE := $(cert_dir)/ec-p256_2
|
|
LOCAL_ADDITIONAL_CERTIFICATES := $(cert_dir)/rsa-2048 $(cert_dir)/ec-p256
|
|
LOCAL_CERTIFICATE_LINEAGE := $(cert_dir)/por_Y_1_2-default-caps
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is the test package signed using the V3 signature scheme with
|
|
# a rotated key and part of a shareduid. The capabilities of this lineage
|
|
# prevent the previous key in the lineage from joining the sharedUid.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := v3-ec-p256-with-por_1_2-no-shUid-cap-sharedUid
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-shareduid.xml
|
|
LOCAL_CERTIFICATE := $(cert_dir)/ec-p256_2
|
|
LOCAL_ADDITIONAL_CERTIFICATES := $(cert_dir)/ec-p256
|
|
LOCAL_CERTIFICATE_LINEAGE := $(cert_dir)/ec-p256-por_1_2-no-shUid-cap
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is the first companion package signed using the V3 signature scheme
|
|
# with a rotated key and part of a sharedUid. The capabilities of this lineage
|
|
# grant access to the previous key in the lineage to join the sharedUid.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := v3-ec-p256-with-por_1_2-default-caps-sharedUid-companion
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-companion-shareduid.xml
|
|
LOCAL_CERTIFICATE := $(cert_dir)/ec-p256_2
|
|
LOCAL_ADDITIONAL_CERTIFICATES := $(cert_dir)/ec-p256
|
|
LOCAL_CERTIFICATE_LINEAGE := $(cert_dir)/ec-p256-por_1_2-default-caps
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is the companion package signed using the V3 signature scheme with
|
|
# a rotated key and part of a shareduid. The signing lineage begins
|
|
# with a key that is not in any of the other lineages and is intended
|
|
# to verify that two packages signed with lineages that have diverged
|
|
# ancestors are not allowed to be installed in the same sharedUserId.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := v3-por_Z_1_2-default-caps-sharedUid-companion
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-shareduid.xml
|
|
LOCAL_CERTIFICATE := $(cert_dir)/ec-p256_2
|
|
LOCAL_ADDITIONAL_CERTIFICATES := $(cert_dir)/dsa-2048 $(cert_dir)/ec-p256
|
|
LOCAL_CERTIFICATE_LINEAGE := $(cert_dir)/por_Z_1_2-default-caps
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is the first companion package signed using the V3 signature scheme
|
|
# with a rotated key and part of a sharedUid but without the signing lineage.
|
|
# This app is intended to test lineage scenarios where an app is only signed
|
|
# with the latest key in the lineage.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := v3-ec-p256-2-sharedUid-companion
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-companion-shareduid.xml
|
|
LOCAL_CERTIFICATE := $(cert_dir)/ec-p256_2
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is the second companion package signed using the V3 signature scheme
|
|
# with the previous key in the lineage and part of a sharedUid.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := v3-ec-p256-1-sharedUid-companion2
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-companion2-shareduid.xml
|
|
LOCAL_CERTIFICATE := $(cert_dir)/ec-p256
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is a version of the test package that declares a signature permission.
|
|
# The lineage used to sign this test package does not trust the first signing
|
|
# key but grants default capabilities to the second signing key.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := v3-ec-p256-with-por_1_2_3-1-no-caps-2-default-declperm
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-declperm.xml
|
|
LOCAL_CERTIFICATE := $(cert_dir)/ec-p256_3
|
|
LOCAL_ADDITIONAL_CERTIFICATES := $(cert_dir)/ec-p256
|
|
LOCAL_CERTIFICATE_LINEAGE := $(cert_dir)/ec-p256-por-1_2_3-1-no-caps-2-default
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is a version of the test package that declares a signature permission.
|
|
# The lineage used to sign this test package does not trust either of the signing
|
|
# keys so an app with only common signers in the lineage should not be granted the
|
|
# permission.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := v3-ec-p256-with-por_1_2_3-no-caps-declperm
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-declperm.xml
|
|
LOCAL_CERTIFICATE := $(cert_dir)/ec-p256_3
|
|
LOCAL_ADDITIONAL_CERTIFICATES := $(cert_dir)/ec-p256
|
|
LOCAL_CERTIFICATE_LINEAGE := $(cert_dir)/ec-p256-por-1_2_3-no-caps
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is a version of the companion package that requests the signature permission
|
|
# declared by the test package above. This package is signed with a signing key that
|
|
# diverges from the package above and is intended to verify that a common signing
|
|
# key in the lineage that is still granted the permission capability is sufficient
|
|
# to be granted a signature permission.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := v3-ec-p256-with-por_1_2_4-companion-usesperm
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-companion-usesperm.xml
|
|
LOCAL_CERTIFICATE := $(cert_dir)/ec-p256_4
|
|
LOCAL_ADDITIONAL_CERTIFICATES := $(cert_dir)/ec-p256
|
|
LOCAL_CERTIFICATE_LINEAGE := $(cert_dir)/ec-p256-por-1_2_4-default-caps
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is a version of the test package that declares a signature permission
|
|
# with the knownSigner protection flag. This app is signed with the rsa-2048
|
|
# signing key with the trusted certificates being ec-p256 and ec-p256_3.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := v3-rsa-2048-decl-knownSigner-ec-p256-1-3
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-decl-knownSigner.xml
|
|
LOCAL_CERTIFICATE := $(cert_dir)/rsa-2048
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is a version of the test package that declares a signature permission
|
|
# without the knownSigner protection flag. This app is signed with the same
|
|
# rsa-2048 signing key to allow updates from the package above. This app can
|
|
# be used to verify behavior when an app initially uses the knownSigner flag
|
|
# and subsequently removes the flag from the permission declaration.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := v3-rsa-2048-declperm
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-declperm.xml
|
|
LOCAL_CERTIFICATE := $(cert_dir)/rsa-2048
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is a version of the test package that declares a signature permission
|
|
# with the knownSigner protection flag using a string resource instead of a
|
|
# string-array resource for the trusted certs.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := v3-rsa-2048-decl-knownSigner-str-res-ec-p256-1
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-decl-knownSigner-str-res.xml
|
|
LOCAL_CERTIFICATE := $(cert_dir)/rsa-2048
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is a version of the test package that declares a signature permission
|
|
# with the knownSigner protection flag using a string constant as the value
|
|
# of the knownCerts attribute.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := v3-rsa-2048-decl-knownSigner-str-const-ec-p256-1
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-decl-knownSigner-str-const.xml
|
|
LOCAL_CERTIFICATE := $(cert_dir)/rsa-2048
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is a version of the companion package that uses the permission
|
|
# declared with the knownSigner flag. This app's current signer is in
|
|
# the array of certificate digests as declared by the test package
|
|
# above.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := v3-ec-p256_3-companion-uses-knownSigner
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-uses-knownSigner.xml
|
|
LOCAL_CERTIFICATE := $(cert_dir)/ec-p256_3
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is a version of the companion package that uses the permission
|
|
# declared with the knownSigner flag. This app's current signer is not
|
|
# in the array of certificate digests as declared by the test package
|
|
# above.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := v3-ec-p256_2-companion-uses-knownSigner
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-uses-knownSigner.xml
|
|
LOCAL_CERTIFICATE := $(cert_dir)/ec-p256_2
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
# This is a version of the companion package that uses the permission
|
|
# declared with the knownSigner flag. This app is signed with a rotated
|
|
# signing key with the current signer not in the array of certificate
|
|
# digests as declared by the test package, but the previous signer in
|
|
# the lineage is. This app can be used to verify that knownSigner
|
|
# permissions are also granted if the app was previously signed with
|
|
# one of the declared digests.
|
|
include $(LOCAL_PATH)/base.mk
|
|
LOCAL_PACKAGE_NAME := v3-ec-p256-with-por_1_2-companion-uses-knownSigner
|
|
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
|
|
LOCAL_LICENSE_CONDITIONS := notice
|
|
LOCAL_MANIFEST_FILE := AndroidManifest-uses-knownSigner.xml
|
|
LOCAL_CERTIFICATE := $(cert_dir)/ec-p256_2
|
|
LOCAL_ADDITIONAL_CERTIFICATES := $(cert_dir)/ec-p256
|
|
LOCAL_CERTIFICATE_LINEAGE := $(cert_dir)/ec-p256-por_1_2-default-caps
|
|
include $(BUILD_CTS_SUPPORT_PACKAGE)
|
|
|
|
cert_dir :=
|