Require APK Signature Scheme v2 for ephemeral APKs

This makes Package Manager require APK Signature Scheme v2 signatures
for ephemeral APKs. This part of the effort to deprecate the v1
signature scheme based on JAR signing.

Test: cts-tradefed run singleCommand cts --skip-device-info --skip-preconditions --skip-connectivity-check --abi arm64-v8a --module CtsAppSecurityHostTestCases -t android.appsecurity.cts.PkgInstallSignatureVerificationTest
Bug: 33700225
Change-Id: I3b408487c07085c0a7924d3eca495bdcb344b32d

1 files changed, 6 insertions, 1 deletions

diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
index 2236291fd248..ce8c4e328cc5 100644
--- a/core/java/android/content/pm/PackageParser.java
+++ b/core/java/android/content/pm/PackageParser.java
@@ -1344,6 +1344,11 @@ public class PackageParser {
                 verified = true;
             } catch (ApkSignatureSchemeV2Verifier.SignatureNotFoundException e) {
                 // No APK Signature Scheme v2 signature found
+                if ((parseFlags & PARSE_IS_EPHEMERAL) != 0) {
+                    throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES,
+                        "No APK Signature Scheme v2 signature in ephemeral package " + apkPath,
+                        e);
+                }
             } catch (Exception e) {
                 // APK Signature Scheme v2 signature was found but did not verify
                 throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES,
@@ -1519,7 +1524,7 @@ public class PackageParser {
                 final Package tempPkg = new Package(null);
                 Trace.traceBegin(TRACE_TAG_PACKAGE_MANAGER, "collectCertificates");
                 try {
-                    collectCertificates(tempPkg, apkFile, 0 /*parseFlags*/);
+                    collectCertificates(tempPkg, apkFile, flags);
                 } finally {
                     Trace.traceEnd(TRACE_TAG_PACKAGE_MANAGER);
                 }