The Signed Config feature allows embedding configuration of non-SDK interface restrictions in APKs. This allows removing specific non-SDK interfaces from the blacklist, to allow AndroidX to safely use them. This allows the AndroidX team to add support for new features on Android versions that have already been released. It is supported in Android 10 and later.
Properly supporting Signed Config ensures that the AndroidX libraries will function correctly on devices in the future.
No customization of this feature is possible. It is fully supported in AOSP and requires no OEM effort to support it.
Examples and source
The feature implementation is in the system server at
frameworks/base/services/core/java/com/android/server/signedconfig. The CTS
CtsSignedConfigHostTestCases includes example usage, and an example
No effort is required to support the feature, and there are no specific hardware requirements.
The feature uses two application metadata keys to embed configuration and a
signature inside APKs. Those keys are
android.settings.global.signature. If or when the AndroidX libraries require
non-SDK interfaces to be removed from the blacklist in the future, values for
these keys will be published by the Android team and/or as part of AndroidX.
The APK metadata keys
android.settings.global.signature both contain base-64 encoded data. The value
android.settings.global is JSON-encoded config values to be applied to
the global settings in
SettingsProvider. The value for
android.settings.global.signature is an ECDSA-p256 signature of the JSON data.
The signature is used to verify the origin of the configuration data.
The feature isn't user visible.
The feature isn't intended for customization. OEMs are discouraged from modifying the feature, including replacing the keys. Any changes to it are likely to cause AndroidX to not function properly on affected devices in the future.
The CTS test
CtsSignedConfigHostTestCases verifies the feature implementation.
You can also test the feature manually by installing an appropriate APK and
adb logcat output:
$ adb install CtsSignedConfigTestAppV1.apk ... $ adb logcat ... I SignedConfig: Verified config using production key ...