Enable apk packaging to accept a stamp signer.

PiperOrigin-RevId: 713793296 Change-Id: I0ab869f75a506df7686a493e666140e09414f052
bazelbuild · Jan 9, 2025 · 0802753 · 0802753
1 parent eb08200
commit 0802753
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 0 deletions.
diff --git a/rules/acls.bzl b/rules/acls.bzl
@@ -72,6 +72,7 @@ load("//rules/acls:proguard_apply_mapping.bzl", "ALLOW_PROGUARD_APPLY_MAPPING")
 load("//rules/acls:r8.bzl", "USE_R8")
 load("//rules/acls:record_desugaring.bzl", "RECORD_DESUGARING_FALLBACK", "RECORD_DESUGARING_ROLLOUT")
 load("//rules/acls:shared_library_resource_linking.bzl", "SHARED_LIBRARY_RESOURCE_LINKING_ALLOWLIST")
+load("//rules/acls:stamp_signing.bzl", "STAMP_SIGNING_FALLBACK", "STAMP_SIGNING_ROLLOUT")
 load("//rules/acls:test_to_instrument_test_rollout.bzl", "TEST_TO_INSTRUMENT_TEST_FALLBACK", "TEST_TO_INSTRUMENT_TEST_ROLLOUT")
 
 visibility(PROJECT_VISIBILITY)
@@ -207,6 +208,9 @@ def _in_record_desugaring_rollout(fqn):
 def _get_optimizer_execution_requirements(target_package):
     return OPTIMIZER_EXECUTION_REQUIREMENTS.get(target_package, None)
 
+def _in_stamp_signing_rollout(fqn):
+    return matches(fqn, STAMP_SIGNING_ROLLOUT_DICT) and not matches(fqn, STAMP_SIGNING_FALLBACK_DICT)
+
 def make_dict(lst):
     """Do not use this method outside of acls directory."""
     return {t: True for t in lst}
@@ -273,6 +277,8 @@ DISABLE_OPTIMIZING_DEXER_DICT = make_dict(DISABLE_OPTIMIZING_DEXER)
 FORCE_FINAL_ANDROID_BINARY_RESOURCES_DICT = make_dict(FORCE_FINAL_ANDROID_BINARY_RESOURCES)
 RECORD_DESUGARING_FALLBACK_DICT = make_dict(RECORD_DESUGARING_FALLBACK)
 RECORD_DESUGARING_ROLLOUT_DICT = make_dict(RECORD_DESUGARING_ROLLOUT)
+STAMP_SIGNING_ROLLOUT_DICT = make_dict(STAMP_SIGNING_ROLLOUT)
+STAMP_SIGNING_FALLBACK_DICT = make_dict(STAMP_SIGNING_FALLBACK)
 
 def matches(fqn, dct):
     # Labels with workspace names ("@workspace//pkg:target") are not supported.
@@ -367,6 +373,7 @@ acls = struct(
     in_force_final_android_binary_resources = _in_force_final_android_binary_resources,
     in_resource_shrinking_in_optimizer = _in_resource_shrinking_in_optimizer,
     in_record_desugaring_rollout = _in_record_desugaring_rollout,
+    in_stamp_signing_rollout = _in_stamp_signing_rollout,
 )
 
 # Visible for testing

diff --git a/rules/acls/stamp_signing.bzl b/rules/acls/stamp_signing.bzl
@@ -0,0 +1,25 @@
+# Copyright 2024 The Bazel Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Allow list for enabling stamp signing in android_binary."""
+
+load("//rules:visibility.bzl", "PROJECT_VISIBILITY")
+
+visibility(PROJECT_VISIBILITY)
+
+STAMP_SIGNING_ROLLOUT = [
+    "//:__subpackages__",
+]
+
+STAMP_SIGNING_FALLBACK = [
+]
diff --git a/rules/apk_packaging.bzl b/rules/apk_packaging.bzl
@@ -54,6 +54,7 @@ def _process(
         signing_keys = [],
         signing_lineage = None,
         signing_key_rotation_min_sdk = None,
+        stamp_signing_key = None,
         deterministic_signing = False,
         java_toolchain = None,
         deploy_info_writer = None,
@@ -83,6 +84,7 @@ def _process(
         signing_keys: Sequence of Files. The keystores to be used to sign the APK.
         signing_lineage: File. The signing lineage for signing_keys.
         signing_key_rotation_min_sdk: The minimum API version for signing the APK with key rotation.
+        stamp_signing_key: File. The keystore to be used to sign the APK with stamp signing.
         deterministic_signing: Boolean. Whether to enable deterministic DSA signing.
         java_toolchain: The JavaToolchain target.
         deploy_info_writer: FilesToRunProvider. The executable to write the deploy info proto file.
@@ -134,6 +136,7 @@ def _process(
         out_apk = signed_apk,
         in_apk = zipaligned_apk,
         signing_keys = signing_keys,
+        stamp_signing_key = stamp_signing_key,
         deterministic_signing = deterministic_signing,
         signing_lineage = signing_lineage,
         signing_key_rotation_min_sdk = signing_key_rotation_min_sdk,
@@ -314,6 +317,7 @@ def _sign_apk(
         out_apk,
         in_apk,
         signing_keys = [],
+        stamp_signing_key = None,
         deterministic_signing = True,
         signing_lineage = None,
         signing_key_rotation_min_sdk = None,
@@ -360,6 +364,12 @@ def _sign_apk(
     if signing_key_rotation_min_sdk:
         args.add("--rotation-min-sdk-version", signing_key_rotation_min_sdk)
 
+    if stamp_signing_key:
+        inputs.append(stamp_signing_key)
+        args.add("--stamp-signer")
+        args.add("--ks", stamp_signing_key)
+        args.add("--ks-pass", "pass:android")
+
     args.add("--out", out_apk)
     args.add(in_apk)