Before a VM is started, the idsig file is created (or updated) by the
virtualization service. This is needed because the idsig file is usually
not available, especially when the APK is downloaded from the store.
Note that the generated idsig file is not a signed one. Therefore, the
APK is first verified using the APK signature scheme V3 (or V2) over a
dm-verity device backed by the APK and the merkle tree (and root hash)
from the idsig file. Only if the verification is successful, the root
hash stored to the instance.img and then used for the subsequent boots
of the VM.
Bug: 193504400
Test: atest MicrodroidHostTestCases
Test: run MicrodroidDemoApp without having the idsig file in
/data/local/tmp/virt.
Change-Id: I9fad05ca9562ae0666431102a8147d0f76f04e6a
This CL adds the `create` and `write_into` methods to `V4Signature` each
of which is used to construct V4Signature from an apk and to write it
into a file.
Next step will be modifying the virtualization service to create an
idsig file for a given apk, thus eliminating the need to provide the
idsig file separately.
Bug: 193504400
Test: m libidsig libidsig.test
Change-Id: I2be60fbb6ec40af12297e20b112318a032dd78f9
The library is the place where everything about the handling of
idsig format is. Move apksiv4.rs from apkdmverity to the library.
The behavior remains the same.
Bug: 193504400
Test: m apkdmverity libidsig
Change-Id: I7994fee83f5a8fcd7e8988ceeb9bbfe7a47a684f
Andrew Walbran
Joel Galenson
Jiyong Park