commit e4553e5847e1759e4b6c1245588c2a41d86c2cd8
author Cole Faust <colefaust@google.com> Mon Jun 02 21:17:06 2025 -0700
committer Cole Faust <colefaust@google.com> Tue Jun 03 12:38:52 2025 -0700
tree 39d2200f842a772f6a499beae1b9d0fbdffd66bd
parent cf9a2d26f303ebc006bc2849792430c6922582cf

Reapply "Build apkcerts.txt with soong"

This reverts commit e4e5103a590704e4688109fc9cf9631cd129f807.

Make will still handle building apkcerts.txt for make modules, but
soong will build it for soong modules and then make will combine
the make and soong apkcerts files.

This is for soong-only builds. In a followup change I'll make it so
that only soong dists the apkcerts.txt file on unbundled builds.

The difference in this reapplication from the origional cl is the
addition of soong_apkcerts_file_with_soong_and_make_modules_removed,
as make was seeing some modules that are in both make and soong as
make modules, and not including them in the soong doublecheck file.

Bug: 413145177
Test: Presubmits, make will doublecheck that the soong-built apkcerts.txt is correct
Change-Id: I4bf6304503951aa88c3d2573ffe99d24e54ae169

core/Makefile

diff --git a/core/Makefile b/core/Makefile
index e890afc..bbc7ffa 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -769,6 +769,21 @@
 
 endef
 
+define _apkcerts_build_for_packages
+$(1): $(sort $(foreach p,$(2),$(PACKAGES.$(p).APKCERTS_FILE)))
+	rm -f $$@
+	$$(foreach p,$(sort $(2)),\
+    $$(if $$(filter UNUSED-%,$$(PACKAGES.$$(p).STEM)),,\
+      $$(if $$(PACKAGES.$$(p).APKCERTS_FILE),\
+        $$(call _apkcerts_merge,$$(PACKAGES.$$(p).APKCERTS_FILE), $$@),\
+        $$(if $$(PACKAGES.$$(p).EXTERNAL_KEY),\
+          $$(call _apkcerts_write_line,$$(PACKAGES.$$(p).STEM),EXTERNAL,,$$(PACKAGES.$$(p).COMPRESSED),$$(PACKAGES.$$(p).PARTITION),$$@),\
+          $$(call _apkcerts_write_line,$$(PACKAGES.$$(p).STEM),$$(PACKAGES.$$(p).CERTIFICATE),$$(PACKAGES.$$(p).PRIVATE_KEY),$$(PACKAGES.$$(p).COMPRESSED),$$(PACKAGES.$$(p).PARTITION),$$@)))))
+	touch $$@
+	sort -u -o $$@ $$@
+
+endef
+
 name := $(TARGET_PRODUCT)
 ifeq ($(TARGET_BUILD_TYPE),debug)
   name := $(name)_debug
@@ -777,26 +792,35 @@
 intermediates := \
 	$(call intermediates-dir-for,PACKAGING,apkcerts)
 APKCERTS_FILE := $(intermediates)/$(name).txt
-ifeq ($(RELEASE_APKCERTS_INSTALL_ONLY), true)
-  all_apkcerts_packages := $(filter $(call product-installed-modules,$(INTERNAL_PRODUCT)),$(PACKAGES))
-else
-  all_apkcerts_packages := $(PACKAGES)
-endif
-all_apkcerts_files := $(sort $(foreach p,$(all_apkcerts_packages),$(PACKAGES.$(p).APKCERTS_FILE)))
 
-$(APKCERTS_FILE): $(all_apkcerts_files)
-# We don't need to really build all the modules.
-# TODO: rebuild APKCERTS_FILE if any app change its cert.
-$(APKCERTS_FILE):
+# remove duplicates
+PACKAGES := $(sort $(PACKAGES))
+
+make_apkcerts_packages := $(foreach p,$(PACKAGES),$(if $(ALL_MODULES.$(p).IS_SOONG_MODULE),,$(p)))
+make_apkcerts_file := $(intermediates)/$(name)-make.txt
+$(eval $(call _apkcerts_build_for_packages,$(make_apkcerts_file),$(make_apkcerts_packages)))
+
+soong_apkcerts_packages := $(foreach p,$(PACKAGES),$(if $(ALL_MODULES.$(p).IS_SOONG_MODULE),$(p)))
+soong_doublecheck_apkcerts_file := $(intermediates)/$(name)-soong-doublecheck.txt
+$(eval $(call _apkcerts_build_for_packages,$(soong_doublecheck_apkcerts_file),$(soong_apkcerts_packages)))
+
+soong_apkcerts_file_with_soong_and_make_modules_removed := $(intermediates)/$(name)-soong_apkcerts_file_with_soong_and_make_modules_removed.txt
+$(soong_apkcerts_file_with_soong_and_make_modules_removed): $(SOONG_APKCERTS_FILE)
+	rm -f $@ $@.tmp $@.tmp2
+	cp $(SOONG_APKCERTS_FILE) $@.tmp
+	$(foreach p,$(PACKAGES),$(if $(ALL_MODULES.$(p).IS_MAKE_AND_SOONG_MODULE),\
+		grep -v "^name=\"$(PACKAGES.$(p).STEM).apk\"" $@.tmp > $@.tmp2 && mv $@.tmp2 $@.tmp$(newline)))
+	mv $@.tmp $@
+
+soong_apkcerts_doublecheck_stamp := $(intermediates)/$(name)-soong-doublecheck-stamp.txt
+$(soong_apkcerts_doublecheck_stamp): $(soong_doublecheck_apkcerts_file) $(soong_apkcerts_file_with_soong_and_make_modules_removed)
+	rm -f $@ && diff -q $^ && touch $@
+
+$(APKCERTS_FILE): $(make_apkcerts_file) $(soong_apkcerts_file_with_soong_and_make_modules_removed) $(soong_apkcerts_doublecheck_stamp)
 	@echo APK certs list: $@
 	@mkdir -p $(dir $@)
 	@rm -f $@
-	$(foreach p,$(sort $(all_apkcerts_packages)),\
-	  $(if $(PACKAGES.$(p).APKCERTS_FILE),\
-	    $(call _apkcerts_merge,$(PACKAGES.$(p).APKCERTS_FILE), $@),\
-	    $(if $(PACKAGES.$(p).EXTERNAL_KEY),\
-	      $(call _apkcerts_write_line,$(PACKAGES.$(p).STEM),EXTERNAL,,$(PACKAGES.$(p).COMPRESSED),$(PACKAGES.$(p).PARTITION),$@),\
-	      $(call _apkcerts_write_line,$(PACKAGES.$(p).STEM),$(PACKAGES.$(p).CERTIFICATE),$(PACKAGES.$(p).PRIVATE_KEY),$(PACKAGES.$(p).COMPRESSED),$(PACKAGES.$(p).PARTITION),$@))))
+	cat $(make_apkcerts_file) $(soong_apkcerts_file_with_soong_and_make_modules_removed) > $@
 	$(if $(filter true,$(PRODUCT_FSVERITY_GENERATE_METADATA)),\
 	  $(call _apkcerts_write_line,BuildManifest,$(FSVERITY_APK_KEY_PATH).x509.pem,$(FSVERITY_APK_KEY_PATH).pk8,,system,$@) \
 	  $(if $(filter true,$(BUILDING_SYSTEM_EXT_IMAGE)),\