diff options
3 files changed, 19 insertions, 13 deletions
diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java index f54d9a76d02d..4ff26242dab2 100644 --- a/core/java/android/content/pm/PackageParser.java +++ b/core/java/android/content/pm/PackageParser.java @@ -1401,9 +1401,11 @@ public class PackageParser { } SigningDetails verified; if (skipVerify) { - // systemDir APKs are already trusted, save time by not verifying + // systemDir APKs are already trusted, save time by not verifying; since the signature + // is not verified and some system apps can have their V2+ signatures stripped allow + // pulling the certs from the jar signature. verified = ApkSignatureVerifier.unsafeGetCertsWithoutVerification( - apkPath, minSignatureScheme); + apkPath, SigningDetails.SignatureSchemeVersion.JAR); } else { verified = ApkSignatureVerifier.verify(apkPath, minSignatureScheme); } diff --git a/core/java/android/content/pm/parsing/ParsingPackageUtils.java b/core/java/android/content/pm/parsing/ParsingPackageUtils.java index e1d34dc3f622..dce242c9d87c 100644 --- a/core/java/android/content/pm/parsing/ParsingPackageUtils.java +++ b/core/java/android/content/pm/parsing/ParsingPackageUtils.java @@ -3038,9 +3038,11 @@ public class ParsingPackageUtils { SigningDetails verified; try { if (skipVerify) { - // systemDir APKs are already trusted, save time by not verifying + // systemDir APKs are already trusted, save time by not verifying; since the + // signature is not verified and some system apps can have their V2+ signatures + // stripped allow pulling the certs from the jar signature. verified = ApkSignatureVerifier.unsafeGetCertsWithoutVerification( - baseCodePath, minSignatureScheme); + baseCodePath, SigningDetails.SignatureSchemeVersion.JAR); } else { verified = ApkSignatureVerifier.verify(baseCodePath, minSignatureScheme); } diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java index b5957052d5a8..c0486443b97e 100644 --- a/services/core/java/com/android/server/pm/PackageManagerService.java +++ b/services/core/java/com/android/server/pm/PackageManagerService.java @@ -15193,15 +15193,17 @@ public class PackageManagerService extends IPackageManager.Stub } } - // Ensure the package is signed with at least the minimum signature scheme version - // required for its target SDK. - int minSignatureSchemeVersion = - ApkSignatureVerifier.getMinimumSignatureSchemeVersionForTargetSdk( - pkg.getTargetSdkVersion()); - if (pkg.getSigningDetails().signatureSchemeVersion < minSignatureSchemeVersion) { - throw new PackageManagerException(INSTALL_PARSE_FAILED_NO_CERTIFICATES, - "No signature found in package of version " + minSignatureSchemeVersion - + " or newer for package " + pkg.getPackageName()); + // If the package is not on a system partition ensure it is signed with at least the + // minimum signature scheme version required for its target SDK. + if ((parseFlags & ParsingPackageUtils.PARSE_IS_SYSTEM_DIR) == 0) { + int minSignatureSchemeVersion = + ApkSignatureVerifier.getMinimumSignatureSchemeVersionForTargetSdk( + pkg.getTargetSdkVersion()); + if (pkg.getSigningDetails().signatureSchemeVersion < minSignatureSchemeVersion) { + throw new PackageManagerException(INSTALL_PARSE_FAILED_NO_CERTIFICATES, + "No signature found in package of version " + minSignatureSchemeVersion + + " or newer for package " + pkg.getPackageName()); + } } } } |