Android: Never sign .aab files

They are signed outside of the build system before uploaded to Play
Store.

Bug: 1173126
Change-Id: I0a48e6522e026d7db868b35c71ded99c2a2aaffe
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2665269
Reviewed-by: Mohamed Heikal <mheikal@chromium.org>
Commit-Queue: Andrew Grieve <agrieve@chromium.org>
Cr-Commit-Position: refs/heads/master@{#850116}

android_webview/system_webview_bundle.gni

@@ -88,14 +88,6 @@ template("system_webview_bundle") {
       proguard_android_sdk_dep = webview_framework_dep
     }
 
-    # NOTE: Only sign bundle for official builds since this is very slow.
-    if (enable_chrome_android_internal && use_signing_keys &&
-        is_official_build) {
-      sign_bundle = true
-      keystore_path = webview_keystore_path
-      keystore_name = webview_keystore_name
-      keystore_password = webview_keystore_password
-    }
     forward_variables_from(invoker, "*")
   }
 }

build/android/docs/android_app_bundles.md

@@ -56,11 +56,6 @@ single base module, which enables language-based splits:
     # be 'foo_bundle' otherwise.
     bundle_name = "FooBundle"
 
-    # Signing your bundle is required to upload it to the Play Store
-    # but since signing is very slow, avoid doing it for non official
-    # builds. Signing the bundle is not required for local testing.
-    sign_bundle = is_official_build
-
     # Enable language-based splits for this bundle. Which means that
     # resources and assets specific to a given language will be placed
     # into their own split APK in the final .apks archive.

build/android/gyp/create_app_bundle.py

@@ -106,9 +106,6 @@ def _ParseArgs(args):
                       action='store_true',
                       help='Treat all warnings as errors.')
 
-  parser.add_argument('--keystore-path', help='Keystore path')
-  parser.add_argument('--keystore-password', help='Keystore password')
-  parser.add_argument('--key-name', help='Keystore key name')
   parser.add_argument(
       '--validate-services',
       action='store_true',
@@ -122,13 +119,6 @@ def _ParseArgs(args):
   if len(options.module_zips) == 0:
     raise Exception('The module zip list cannot be empty.')
 
-  # Signing is optional, but all --keyXX parameters should be set.
-  if options.keystore_path or options.keystore_password or options.key_name:
-    if not options.keystore_path or not options.keystore_password or \
-        not options.key_name:
-      raise Exception('When signing the bundle, use --keystore-path, '
-                      '--keystore-password and --key-name.')
-
   # Merge all uncompressed assets into a set.
   uncompressed_list = []
   if options.uncompressed_assets:
@@ -500,10 +490,6 @@ def main(args):
 
     tmp_bundle = os.path.join(tmp_dir, 'tmp_bundle')
 
-    tmp_unsigned_bundle = tmp_bundle
-    if options.keystore_path:
-      tmp_unsigned_bundle = tmp_bundle + '.unsigned'
-
     # Important: bundletool requires that the bundle config file is
     # named with a .pb.json extension.
     tmp_bundle_config = tmp_bundle + '.BundleConfig.pb.json'
@@ -516,7 +502,7 @@ def main(args):
         bundletool.BUNDLETOOL_JAR_PATH,
         'build-bundle',
         '--modules=' + ','.join(module_zips),
-        '--output=' + tmp_unsigned_bundle,
+        '--output=' + tmp_bundle,
         '--config=' + tmp_bundle_config,
     ]
 
@@ -532,25 +518,7 @@ def main(args):
       # isolated splits disabled and 2s for bundles with isolated splits
       # enabled.  Consider making this run in parallel or move into a separate
       # step before enabling isolated splits by default.
-      _MaybeCheckServicesAndProvidersPresentInBase(tmp_unsigned_bundle,
-                                                   module_zips)
-
-    if options.keystore_path:
-      # NOTE: As stated by the public documentation, apksigner cannot be used
-      # to sign the bundle (because it rejects anything that isn't an APK).
-      # The signature and digest algorithm selection come from the internal
-      # App Bundle documentation. There is no corresponding public doc :-(
-      signing_cmd_args = [
-          'jarsigner', '-sigalg', 'SHA256withRSA', '-digestalg', 'SHA-256',
-          '-keystore', 'file:' + options.keystore_path,
-          '-storepass' , options.keystore_password,
-          '-signedjar', tmp_bundle,
-          tmp_unsigned_bundle,
-          options.key_name,
-      ]
-      build_utils.CheckOutput(signing_cmd_args,
-                              print_stderr=True,
-                              fail_on_output=options.warnings_as_errors)
+      _MaybeCheckServicesAndProvidersPresentInBase(tmp_bundle, module_zips)
 
     shutil.move(tmp_bundle, options.out_bundle)
 

build/config/android/rules.gni

@@ -4460,11 +4460,6 @@ if (enable_java_templates) {
   #    enable_language_splits: Optional. If true, enable APK splits based
   #      on languages.
   #
-  #    sign_bundle: Optional. If true, sign the bundle. Default is false
-  #      because signing is very slow, and there is no reason to do it
-  #      unless one wants to upload the bundle to the Play Store (e.g.
-  #      for official builds).
-  #
   #    keystore_path: optional keystore path, used only when generating APKs.
   #    keystore_name: optional keystore name, used only when generating APKs.
   #    keystore_password: optional keystore password, used only when
@@ -4836,8 +4831,6 @@ if (enable_java_templates) {
     _all_rebased_module_zip_paths =
         rebase_path(_all_module_zip_paths, root_build_dir)
 
-    _sign_bundle = defined(invoker.sign_bundle) && invoker.sign_bundle
-
     _enable_language_splits = defined(invoker.enable_language_splits) &&
                               invoker.enable_language_splits
 
@@ -4858,13 +4851,6 @@ if (enable_java_templates) {
 
     _rebased_keystore_path = rebase_path(_keystore_path, root_build_dir)
 
-    if (_sign_bundle) {
-      # For now, the same keys are used to sign the bundle and the set of
-      # generated APKs. In the future, signing the bundle may require a
-      # different set of keys.
-      _bundle_keystore_name = _keystore_name
-    }
-
     _bundle_target_name = "${_target_name}__bundle"
     action_with_pydeps(_bundle_target_name) {
       # TODO(crbug.com/1112471): Get this to run cleanly under Python 3.
@@ -4880,16 +4866,6 @@ if (enable_java_templates) {
         "--pathmap-out-path=$_rebased_bundle_path.pathmap.txt",
         "--module-zips=$_all_rebased_module_zip_paths",
       ]
-      if (_sign_bundle) {
-        args += [
-          "--keystore-path",
-          _rebased_keystore_path,
-          "--keystore-password",
-          _keystore_password,
-          "--key-name",
-          _bundle_keystore_name,
-        ]
-      }
       if (_split_dimensions != []) {
         args += [ "--split-dimensions=$_split_dimensions" ]
       }

chrome/android/modules/chrome_bundle_tmpl.gni

@@ -158,7 +158,6 @@ template("chrome_bundle") {
                              "lint_suppressions_dep",
                              "min_sdk_version",
                              "proguard_android_sdk_dep",
-                             "sign_bundle",
                              "static_library_provider",
                              "static_library_synchronized_proguard",
                              "version_code",
@@ -175,14 +174,5 @@ template("chrome_bundle") {
     # testing easier. This removes the need to manually specify, e.g.,
     # "-m dev_ui" on every install or run.
     default_modules_for_testing = [ "dev_ui" ]
-
-    # NOTE: Only sign bundle for official builds since this is very slow.
-    if (enable_chrome_android_internal && use_signing_keys &&
-        is_official_build) {
-      sign_bundle = true
-      keystore_path = chrome_keystore_path
-      keystore_name = chrome_keystore_name
-      keystore_password = chrome_keystore_password
-    }
   }
 }