werunplugged/unplugged-vendor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
unplugged-vendor/cts/hostsidetests/dexmetadata/host
History
ziv-gabel ebc759d833 Initial commit: AOSP 12 vendor with modifications for Unplugged OS
2025-10-06 13:59:42 +00:00
..
res Initial commit: AOSP 12 vendor with modifications for Unplugged OS 2025-10-06 13:59:42 +00:00
src/com/android/cts/dexmetadata Initial commit: AOSP 12 vendor with modifications for Unplugged OS 2025-10-06 13:59:42 +00:00
Android.bp Initial commit: AOSP 12 vendor with modifications for Unplugged OS 2025-10-06 13:59:42 +00:00
AndroidTest.xml Initial commit: AOSP 12 vendor with modifications for Unplugged OS 2025-10-06 13:59:42 +00:00
OWNERS Initial commit: AOSP 12 vendor with modifications for Unplugged OS 2025-10-06 13:59:42 +00:00
README.md Initial commit: AOSP 12 vendor with modifications for Unplugged OS 2025-10-06 13:59:42 +00:00

README.md

Fs-verity keys

All AOSP compatible devices ship with the Google-managed fs-verity certificate (located at build/make/target/product/security/fsverity-release.x509.der). The public key can verify the signature prebuilt of .dm.fsv_sig in res/.

Modifying a .dm file requires to regenerate the signature with some debug key. To use the debug key, you can run the following commands once per boot.

KEY_DIR=$ANDROID_BUILD_TOP/cts/hostsidetests/appsecurity/test-apps/ApkVerityTestApp/testdata

adb root
adb shell 'mini-keyctl padd asymmetric fsv-play .fs-verity' < $KEY_DIR/fsverity-debug.x509.der

Alternatively, copy the .der file to /{system, product}/etc/security/fsverity. The key will be located upon reboot.

How to modify the signed .dm

The easiet way is to re-sign and replace the signature in place. For example,

m fsverity

fsverity sign CtsDexMetadataSplitApp.dm CtsDexMetadataSplitApp.dm.fsv_sig \
  --key="$KEY_DIR/fsverity-debug-key.pem" \
  --cert="$KEY_DIR/fsverity-debug.x509.pem"