
Presigned APK loses signature in AOSP build


I am including a presigned APK in my AOSP build like so:

LOCAL_PATH :=$(call my-dir)

include $(CLEAR_VARS)
APK_VERSION := 0.2.0
LOCAL_MODULE := SomeAPK
LOCAL_SRC_FILES := $(LOCAL_MODULE).apk
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_CLASS := APPS
LOCAL_MODULE_SUFFIX := .apk
LOCAL_CERTIFICATE := PRESIGNED
LOCAL_PRIVILEGED_MODULE := true
include $(BUILD_PREBUILT)

However, when the device boots the APK is not installed and I see the following log:

2021-05-25 17:19:02.617 3568-3568/system_process W/PackageManager: Failed to scan /system/priv-app/SomeAPK: Failed to collect certificates from /system/priv-app/SomeAPK/SomeAPK.apk

I have tried setting:

LOCAL_DEX_PREOPT := false

and:

LOCAL_DEX_PREOPT := nostripping

But I'm still seeing the issue.

I can adb install the app fine and I have used all of the tools available to confirm the APK is actually signed.

How can we get AOSP to truly leave the APK signing alone?


Solution

  • I eventually found a solution.

    Apps that were signed using gradle always seemed to be left with their signature stripped after the AOSP build process.

    The solution was to remove the signing config from gradle altogether and sign the app manually instead using apksigner.

    E.g.:

    apksigner sign --ks your-keystore.jks --ks-pass pass:"keystore-password" --ks-key-alias keystore-alias --key-pass pass:"alias-password" --out signed-output.apk input-file.apk
    

    To verify if your APK is signed correctly, it should validate successfully using keytool:

    keytool -printcert -jarfile signed-apk.apk
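
To compare the prebuilt APK with the copy the AOSP build places under its output directory, the following added example (not part of the original answer) reports which signature data a file carries: v1 JAR signature files under META-INF/, and v2/v3 entries in the APK Signing Block. The function name `signature_schemes` is hypothetical, the pair IDs are those of APK Signature Scheme v2 and v3, and the script only detects presence; it does not verify any signature.

```python
import re
import struct
import sys
import zipfile

APK_SIG_MAGIC = b"APK Sig Block 42"
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}  # APK Signing Block pair IDs
V1_SIG_FILE = re.compile(r"META-INF/[^/]+\.(RSA|DSA|EC)")


def signature_schemes(apk_path):
    """Return the set of signature schemes whose data is present (not verified)."""
    with zipfile.ZipFile(apk_path) as zf:
        names = zf.namelist()
    found = {"v1"} if any(V1_SIG_FILE.fullmatch(n) for n in names) else set()

    with open(apk_path, "rb") as f:
        data = f.read()
    # End-of-central-directory record; bytes 16..19 hold the central directory offset.
    eocd = data.rfind(b"PK\x05\x06")
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    # The signing block, if any, ends right before the central directory:
    # [size u64][id-value pairs][size u64][16-byte magic]
    if cd_offset < 32 or data[cd_offset - 16:cd_offset] != APK_SIG_MAGIC:
        return found
    block_size = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    if block_size < 24 or block_size + 8 > cd_offset:
        return found  # malformed size field
    pos, end = cd_offset - block_size, cd_offset - 24
    while pos + 12 <= end:
        pair_len, pair_id = struct.unpack_from("<QI", data, pos)
        if pair_len < 4:
            break  # malformed pair; stop rather than loop forever
        if pair_id in SCHEME_IDS:
            found.add(SCHEME_IDS[pair_id])
        pos += 8 + pair_len
    return found


if __name__ == "__main__":
    # Usage: python apk_schemes.py prebuilt/SomeAPK.apk <copy from build output>
    for path in sys.argv[1:]:
        print(path, sorted(signature_schemes(path)) or "no signature data found")
```

If the two files report different sets, the build step altered the package between the prebuilt input and the system image.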