diff --git a/rules/acls.bzl b/rules/acls.bzl
index 8e43ec50..5b1e5795 100644
--- a/rules/acls.bzl
+++ b/rules/acls.bzl
@@ -72,6 +72,7 @@ load("//rules/acls:proguard_apply_mapping.bzl", "ALLOW_PROGUARD_APPLY_MAPPING")
 load("//rules/acls:r8.bzl", "USE_R8")
 load("//rules/acls:record_desugaring.bzl", "RECORD_DESUGARING_FALLBACK", "RECORD_DESUGARING_ROLLOUT")
 load("//rules/acls:shared_library_resource_linking.bzl", "SHARED_LIBRARY_RESOURCE_LINKING_ALLOWLIST")
+load("//rules/acls:stamp_signing.bzl", "STAMP_SIGNING_FALLBACK", "STAMP_SIGNING_ROLLOUT")
 load("//rules/acls:test_to_instrument_test_rollout.bzl", "TEST_TO_INSTRUMENT_TEST_FALLBACK", "TEST_TO_INSTRUMENT_TEST_ROLLOUT")
 visibility(PROJECT_VISIBILITY)
@@ -207,6 +208,9 @@ def _in_record_desugaring_rollout(fqn):
 def _get_optimizer_execution_requirements(target_package):
 return OPTIMIZER_EXECUTION_REQUIREMENTS.get(target_package, None)
+def _in_stamp_signing_rollout(fqn):
+ return matches(fqn, STAMP_SIGNING_ROLLOUT_DICT) and not matches(fqn, STAMP_SIGNING_FALLBACK_DICT)
+
 def make_dict(lst):
 """Do not use this method outside of acls directory."""
 return {t: True for t in lst}
@@ -273,6 +277,8 @@ DISABLE_OPTIMIZING_DEXER_DICT = make_dict(DISABLE_OPTIMIZING_DEXER)
 FORCE_FINAL_ANDROID_BINARY_RESOURCES_DICT = make_dict(FORCE_FINAL_ANDROID_BINARY_RESOURCES)
 RECORD_DESUGARING_FALLBACK_DICT = make_dict(RECORD_DESUGARING_FALLBACK)
 RECORD_DESUGARING_ROLLOUT_DICT = make_dict(RECORD_DESUGARING_ROLLOUT)
+STAMP_SIGNING_ROLLOUT_DICT = make_dict(STAMP_SIGNING_ROLLOUT)
+STAMP_SIGNING_FALLBACK_DICT = make_dict(STAMP_SIGNING_FALLBACK)
 def matches(fqn, dct):
 # Labels with workspace names ("@workspace//pkg:target") are not supported.
@@ -367,6 +373,7 @@ acls = struct(
 in_force_final_android_binary_resources = _in_force_final_android_binary_resources,
 in_resource_shrinking_in_optimizer = _in_resource_shrinking_in_optimizer,
 in_record_desugaring_rollout = _in_record_desugaring_rollout,
+ in_stamp_signing_rollout = _in_stamp_signing_rollout,
 )
 # Visible for testing
diff --git a/rules/acls/stamp_signing.bzl b/rules/acls/stamp_signing.bzl
new file mode 100644
index 00000000..d5e87eb3
--- /dev/null
+++ b/rules/acls/stamp_signing.bzl
@@ -0,0 +1,25 @@
+# Copyright 2024 The Bazel Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Allow list for enabling stamp signing in android_binary."""
+
+load("//rules:visibility.bzl", "PROJECT_VISIBILITY")
+
+visibility(PROJECT_VISIBILITY)
+
+STAMP_SIGNING_ROLLOUT = [
+ "//:__subpackages__",
+]
+
+STAMP_SIGNING_FALLBACK = [
+]
diff --git a/rules/apk_packaging.bzl b/rules/apk_packaging.bzl
index 5a01169c..acab48dd 100644
--- a/rules/apk_packaging.bzl
+++ b/rules/apk_packaging.bzl
@@ -54,6 +54,7 @@ def _process(
 signing_keys = [],
 signing_lineage = None,
 signing_key_rotation_min_sdk = None,
+ stamp_signing_key = None,
 deterministic_signing = False,
 java_toolchain = None,
 deploy_info_writer = None,
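Review bot: In rules/acls/stamp_signing.bzl, `STAMP_SIGNING_ROLLOUT` lists `//:__subpackages__` and `STAMP_SIGNING_FALLBACK` is empty, so the gate admits every package in the workspace and the only control left is the opt-out list, while the module docstring still describes it as an "Allow list for enabling". A comment above the two lists would make that explicit, for example `# Rollout is open to every package; list a package in STAMP_SIGNING_FALLBACK to opt it out.` None of the hunks shown here call `acls.in_stamp_signing_rollout`, and `_sign_apk` adds the stamp signer whenever `stamp_signing_key` is set, so it is worth confirming that the caller outside this diff consults the ACL before passing the key.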
@@ -83,6 +84,7 @@ def _process(
 signing_keys: Sequence of Files. The keystores to be used to sign the APK.
 signing_lineage: File. The signing lineage for signing_keys.
 signing_key_rotation_min_sdk: The minimum API version for signing the APK with key rotation.
+ stamp_signing_key: File. The keystore to be used to sign the APK with stamp signing.
 deterministic_signing: Boolean. Whether to enable deterministic DSA signing.
 java_toolchain: The JavaToolchain target.
 deploy_info_writer: FilesToRunProvider. The executable to write the deploy info proto file.
@@ -134,6 +136,7 @@ def _process(
 out_apk = signed_apk,
 in_apk = zipaligned_apk,
 signing_keys = signing_keys,
+ stamp_signing_key = stamp_signing_key,
 deterministic_signing = deterministic_signing,
 signing_lineage = signing_lineage,
 signing_key_rotation_min_sdk = signing_key_rotation_min_sdk,
@@ -314,6 +317,7 @@ def _sign_apk(
 out_apk,
 in_apk,
 signing_keys = [],
+ stamp_signing_key = None,
 deterministic_signing = True,
 signing_lineage = None,
 signing_key_rotation_min_sdk = None,
@@ -360,6 +364,12 @@ def _sign_apk(
 if signing_key_rotation_min_sdk:
 args.add("--rotation-min-sdk-version", signing_key_rotation_min_sdk)
+ if stamp_signing_key:
+ inputs.append(stamp_signing_key)
+ args.add("--stamp-signer")
+ args.add("--ks", stamp_signing_key)
+ args.add("--ks-pass", "pass:android")
+
 args.add("--out", out_apk)
 args.add(in_apk)
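Review bot: The stamp keystore password is a literal in the last hunk of `_sign_apk`: `args.add("--ks-pass", "pass:android")`. Any keystore passed as `stamp_signing_key` therefore has to use that well-known password, so the stamp key's secrecy rests entirely on who can read the keystore file, and the password also ends up in the action's command line. If only debug-style stamp keys are intended, say so at the call with a comment such as `# Stamp keystores must use the debug password "android"; do not pass a production stamp key here.` and repeat the restriction in the `stamp_signing_key` entry of the `_process` docstring; otherwise the password should come from a file input rather than a literal. `_sign_apk` starts and ends outside this hunk, so how the APK signing keys handle their password is not visible here.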