5 files changed, 24 insertions, 0 deletions

diff --git a/core/app_prebuilt_internal.mk b/core/app_prebuilt_internal.mk
index 05d900160d..61e13e9ff3 100644
--- a/core/app_prebuilt_internal.mk
+++ b/core/app_prebuilt_internal.mk
@@ -163,6 +163,13 @@ else
   $(built_module) : $(LOCAL_CERTIFICATE).pk8 $(LOCAL_CERTIFICATE).x509.pem
   $(built_module) : PRIVATE_PRIVATE_KEY := $(LOCAL_CERTIFICATE).pk8
   $(built_module) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem
+
+  additional_certificates := $(foreach c,$(LOCAL_ADDITIONAL_CERTIFICATES), $(c).x509.pem $(c).pk8)
+  $(built_module): $(additional_certificates)
+  $(built_module): PRIVATE_ADDITIONAL_CERTIFICATES := $(additional_certificates)
+
+  $(built_module): $(LOCAL_CERTIFICATE_LINEAGE)
+  $(built_module): PRIVATE_CERTIFICATE_LINEAGE := $(LOCAL_CERTIFICATE_LINEAGE)
 endif
 
 include $(BUILD_SYSTEM)/app_certificate_validate.mk
diff --git a/core/clear_vars.mk b/core/clear_vars.mk
index e27d91c27e..3d481df558 100644
--- a/core/clear_vars.mk
+++ b/core/clear_vars.mk
@@ -152,6 +152,7 @@ LOCAL_JAVA_RESOURCE_FILES:=
 LOCAL_JETIFIER_ENABLED:=
 LOCAL_JNI_SHARED_LIBRARIES:=
 LOCAL_JNI_SHARED_LIBRARIES_ABI:=
+LOCAL_CERTIFICATE_LINEAGE:=
 LOCAL_LDFLAGS:=
 LOCAL_LDLIBS:=
 LOCAL_LOGTAGS_FILES:=
diff --git a/core/definitions.mk b/core/definitions.mk
index 3499da9329..0558a38336 100644
--- a/core/definitions.mk
+++ b/core/definitions.mk
@@ -2285,6 +2285,7 @@ endef
 define sign-package-arg
 $(hide) mv $(1) $(1).unsigned
 $(hide) $(JAVA) -Djava.library.path=$$(dirname $(SIGNAPK_JNI_LIBRARY_PATH)) -jar $(SIGNAPK_JAR) \
+    $(if $(strip $(PRIVATE_CERTIFICATE_LINEAGE)), --lineage $(PRIVATE_CERTIFICATE_LINEAGE)) \
     $(PRIVATE_CERTIFICATE) $(PRIVATE_PRIVATE_KEY) \
     $(PRIVATE_ADDITIONAL_CERTIFICATES) $(1).unsigned $(1).signed
 $(hide) mv $(1).signed $(1)
diff --git a/core/package_internal.mk b/core/package_internal.mk
index c6c2cf55ce..59e0701e45 100644
--- a/core/package_internal.mk
+++ b/core/package_internal.mk
@@ -471,6 +471,9 @@ PACKAGES.$(LOCAL_PACKAGE_NAME).CERTIFICATE := $(certificate)
 $(LOCAL_BUILT_MODULE): $(additional_certificates)
 $(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CERTIFICATES := $(additional_certificates)
 
+$(LOCAL_BUILT_MODULE): $(LOCAL_CERTIFICATE_LINEAGE)
+$(LOCAL_BUILT_MODULE): PRIVATE_CERTIFICATE_LINEAGE := $(LOCAL_CERTIFICATE_LINEAGE)
+
 # Set a actual_partition_tag (calculated in base_rules.mk) for the package.
 PACKAGES.$(LOCAL_PACKAGE_NAME).PARTITION := $(actual_partition_tag)
 
diff --git a/tools/signapk/src/com/android/signapk/SignApk.java b/tools/signapk/src/com/android/signapk/SignApk.java
index 9809ed406b..95ef05f4dd 100644
--- a/tools/signapk/src/com/android/signapk/SignApk.java
+++ b/tools/signapk/src/com/android/signapk/SignApk.java
@@ -36,6 +36,7 @@ import org.conscrypt.OpenSSLProvider;
 
 import com.android.apksig.ApkSignerEngine;
 import com.android.apksig.DefaultApkSignerEngine;
+import com.android.apksig.SigningCertificateLineage;
 import com.android.apksig.Hints;
 import com.android.apksig.apk.ApkUtils;
 import com.android.apksig.apk.MinSdkVersionException;
@@ -1042,6 +1043,7 @@ class SignApk {
         int alignment = 4;
         Integer minSdkVersionOverride = null;
         boolean signUsingApkSignatureSchemeV2 = true;
+        SigningCertificateLineage certLineage = null;
 
         int argstart = 0;
         while (argstart < args.length && args[argstart].startsWith("-")) {
@@ -1069,6 +1071,15 @@ class SignApk {
             } else if ("--disable-v2".equals(args[argstart])) {
                 signUsingApkSignatureSchemeV2 = false;
                 ++argstart;
+            } else if ("--lineage".equals(args[argstart])) {
+                File lineageFile = new File(args[++argstart]);
+                try {
+                    certLineage = SigningCertificateLineage.readFromFile(lineageFile);
+                } catch (Exception e) {
+                    throw new IllegalArgumentException(
+                            "Error reading lineage file: " + e.getMessage());
+                }
+                ++argstart;
             } else {
                 usage();
             }
@@ -1149,6 +1160,7 @@ class SignApk {
                                 .setV2SigningEnabled(signUsingApkSignatureSchemeV2)
                                 .setOtherSignersSignaturesPreserved(false)
                                 .setCreatedBy("1.0 (Android SignApk)")
+                                .setSigningCertificateLineage(certLineage)
                                 .build()) {
                     // We don't preserve the input APK's APK Signing Block (which contains v2
                     // signatures)