Google要求:
13.3.5 Valid V2+ signature for preloaded APKs
[GMS-13.3.5-001]?For PRODUCTs that launch with or upgrade to Android 11 or higher, if a preloaded APK file targets API level 30 or higher, it MUST be signed and verifiable with the APK Signature scheme v2 or higher. Any native libraries embedded in it MUST be uncompressed and page aligned before signing.
See?Valid V2+ signature guide?for more details about how to uncompress JNI libs and dex files and impact on the devices.
【解读】
| 示例? |
|---|
| ?include $(CLEAR_VARS) LOCAL_MODULE := BrowserHeytapProdOv LOCAL_MODULE_TAGS := optional LOCAL_MODULE_CLASS := APPS LOCAL_CERTIFICATE := PRESIGNED LOCAL_MODULE_PATH := $(TARGET_OUT)/app/ LOCAL_REPLACE_PREBUILT_APK_INSTALLED := $(LOCAL_PATH)/Browser_45.7.5.9_399635f_7fa16a1_210316_HeytapProdOv.apk LOCAL_DEX_PREOPT := false LOCAL_MULTILIB := 32 JNI_LIBS := $(foreach FILE,$(shell find $(LOCAL_PATH)/BrowserHeytapProdOv/armeabi-v7a/ -name *.so), $(eval JNI_LIBS += $(FILE))) LOCAL_PREBUILT_JNI_LIBS := $(subst $(LOCAL_PATH),,$(JNI_LIBS)) include $(BUILD_PREBUILT) |
Google Q&A:
Q:The requirement and What GTS tests
A:Requirements:?The preloaded apk must have a valid V2 or higher signature.
GTS tests if signature of the apk is valid or not. It actually runs the command?apksigner verify --in <YourAPK> -v, which you can run locally and check. (Before and after the build).
GTS does not check if JNI or Dex is compressed or not compressed. The main problem is "Android build system" has to repackage apks if JNI is compressed (and dex is compressed in case of privileged app). This repackages strips the signature. If this signature is stripped then it is not safe and that's why GTS fails.
If 3rd party apk with compressed JNI/Dex with proper signature (not gone through the Android build) are copied to system image, it is FINE. Because their signature will be still proper. In this case, the GTS will pass.
Q:JNI files
A:If apk has compressed JNI, then Android build MUST uncompress them, which will remove the signature. Hence, app Apk going in to Android build, MUST have uncompressed JNIs.
So if you are seeing any GTS failure, you can check unzip -v YourApp.apk 'lib/*.so for the apk before the build. If it has a compressed JNI files, then that is the issue. Those must be uncompressed in the apk.
Q:Dex files
A:It is ONLY applicable to privileged apps only.
If Dex files are compressed in the privilged apk, the build uncompresses them. This removes the signature. There are 2 ways to solve this
- Have Dex files uncompressed in the Apk before the build. Then Android build will not change it. There will be no issue
OR
- DONT_UNCOMPRESS_PRIV_APPS_DEXS=true. This flag means Android build will not uncompress any dex files. This is an easier way to avoid GTS failures for the DEX files.
Note:?For android build uncompressing Dex file is not mandatory, it is good to uncompresses DEX files but not REQUIRED. By using above flag, uncompression of the dex files can be stopped.
参考Google case ID:https://partnerissuetracker.corp.google.com/issues/202690309
?