Re-enable app shim code signature checking with fixes.

Two changes:
- Remove the IS_OFFICIAL_BUILD check (don't require official builds to
  be signed for app shims to run at all).
- Construct a custom designated requirement to verify the app shim,
  which checks its identifier and that its certificate matches the

For now, keep failures log-only.

This reverts commit add2f7a11d13cf857b95ccb575afcd5d66690532.

Bug: 913362, 923612
Change-Id: I1c536e2172519dbf8e5b36a2dd9b5f1b26fb8302
Reviewed-by: Avi Drissman
Reviewed-by: Mark Mentovai
Commit-Queue: Sidney San Martín
Auto-Submit: Sidney San Martín
Cr-Commit-Position: refs/heads/master@{#625394}
3 files changed