Commit cd4cb81f authored by Dan Cashman

APK Signature Scheme v3: require Proof-of-rotation and signing certs to match.

Though not yet used, the Proof-of-rotation certificates are intended to be
used by the platform as equivalent to signing certificates, i.e. the presence
of a certificate in a Proof-of-rotation record should grant equivalent
capabilities as if the APK were signed by that certificate.  For this to work,
each certificate needs to be signed by the previous one indicating a transfer
of trust all the way to the signing certificate of the APK.  There is no case
in which the last certificate in the Proof-of-rotation record should not be
the one used to sign the APK, so enforce this during verification.

Bug: 64686581
Change-Id: Ia1b25a917a878fb378c8557b25a2bbfdd9da7d3d
Test: Builds, boots, passes
      android.appsecurity.cts.PkgInstallSignatureVerificationTest
parent 67096e08
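
The rule the commit message describes, as an added Java example that is not the AOSP verifier or code from this commit: each entry in the rotation record must be signed by the previous one, and the last entry must be the key that signed the APK. It assumes a simplified model in which bare ECDSA public keys stand in for certificates; the `Node` record and the `sign`, `verify` and `lineageValid` names are hypothetical, and the v3 wire format is not parsed.

```java
import java.security.*;
import java.util.*;

// Added illustration: simplified model, not the AOSP verifier or the v3 wire format.
public class RotationLineageCheck {
    // Hypothetical node: a signer's public key plus the previous signer's signature over it.
    record Node(PublicKey key, byte[] sigByPrev) {}

    static byte[] sign(PrivateKey k, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(k);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey k, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(k);
        s.update(data);
        return s.verify(sig);
    }

    // True only if every node is signed by its predecessor AND the last node is the APK signer.
    static boolean lineageValid(List<Node> lineage, PublicKey apkSigner) throws GeneralSecurityException {
        if (lineage.isEmpty()) return false;
        for (int i = 1; i < lineage.size(); i++) {
            Node prev = lineage.get(i - 1), cur = lineage.get(i);
            if (!verify(prev.key(), cur.key().getEncoded(), cur.sigByPrev())) return false;
        }
        // The check this commit enforces: the record must end at the actual signer.
        PublicKey last = lineage.get(lineage.size() - 1).key();
        return Arrays.equals(last.getEncoded(), apkSigner.getEncoded());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample keys A -> B -> C, generated fresh on each run.
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(256);
        KeyPair a = g.generateKeyPair(), b = g.generateKeyPair(), c = g.generateKeyPair();
        List<Node> lineage = List.of(
            new Node(a.getPublic(), null), // oldest key: no predecessor in this model
            new Node(b.getPublic(), sign(a.getPrivate(), b.getPublic().getEncoded())),
            new Node(c.getPublic(), sign(b.getPrivate(), c.getPublic().getEncoded())));
        System.out.println("ends at signer C: " + lineageValid(lineage, c.getPublic()));
        System.out.println("APK signed by mid-chain B: " + lineageValid(lineage, b.getPublic()));
        System.out.println("record stops at B, APK signed by C: "
            + lineageValid(lineage.subList(0, 2), c.getPublic()));
    }
}
```

Only the first case is accepted; in the other two every link in the record verifies, yet the record does not end at the APK's signer, which is the mismatch the commit rejects.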