diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index 3f66cb8d2d4..0ba07c3a3ca 100644
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -1313,6 +1313,11 @@
                   android:exported="false">
         </activity>
 
+        <activity android:name=".security.InstallAppSourceCertificateWarning"
+                  android:theme="@style/GlifV3Theme.Light"
+                  android:exported="false">
+        </activity>
+
         <activity
             android:name="Settings$DeviceAdminSettingsActivity"
             android:label="@string/device_admin_settings_title">
diff --git a/res/layout/app_source_certificate_warning_dialog.xml b/res/layout/app_source_certificate_warning_dialog.xml
new file mode 100644
index 00000000000..f0902c7ccf5
--- /dev/null
+++ b/res/layout/app_source_certificate_warning_dialog.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  ~ Copyright (C) 2019 The Android Open Source Project
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<com.google.android.setupdesign.GlifLayout
+    xmlns:android="http://schemas.android.com/apk/res/android"
+    android:id="@+id/setup_wizard_layout"
+    android:layout_width="match_parent"
+    android:layout_height="match_parent">
+
+    <LinearLayout
+        style="@style/SudContentFrame"
+        android:layout_width="match_parent"
+        android:layout_height="wrap_content"
+        android:orientation="vertical"
+        android:gravity="center_horizontal">
+
+        <ImageView
+            android:id="@+id/sud_layout_icon"
+            style="@style/SudGlifIcon"
+            android:layout_width="wrap_content"
+            android:layout_height="wrap_content"
+            android:gravity="center"
+            android:src="@drawable/ic_warning_googred_48dp"/>
+
+        <TextView
+            android:id="@+id/sud_layout_title"
+            style="@style/SudGlifHeaderTitle"
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:gravity="center"
+            android:text="@string/app_src_certificate_warning_title"/>
+
+        <TextView
+            android:id="@+id/sud_layout_description"
+            style="@style/SudDescription.Glif"
+            android:layout_marginTop="16dp"
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:text="@string/app_src_certificate_warning_description"/>
+
+    </LinearLayout>
+
+</com.google.android.setupdesign.GlifLayout>
diff --git a/res/layout/user_credential.xml b/res/layout/user_credential.xml
index f441bdac825..0ea46f23f4f 100644
--- a/res/layout/user_credential.xml
+++ b/res/layout/user_credential.xml
@@ -73,5 +73,14 @@
             android:textAppearance="?android:attr/textAppearanceSmall"
             android:textColor="?android:attr/textColorTertiary"
             android:paddingStart="?android:attr/listPreferredItemPaddingStart"/>
+
+        <TextView
+            android:id="@+id/contents_appsrccrt"
+            android:text="@string/one_appsrccrt"
+            android:layout_width="wrap_content"
+            android:layout_height="wrap_content"
+            android:textAppearance="?android:attr/textAppearanceSmall"
+            android:textColor="?android:attr/textColorTertiary"
+            android:paddingStart="?android:attr/listPreferredItemPaddingStart"/>
     </LinearLayout>
 </LinearLayout>
diff --git a/res/values/strings.xml b/res/values/strings.xml
index ecfce4a5559..9a1e8408ecd 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -5902,6 +5902,8 @@
     <string name="credential_for_vpn_and_apps">Installed for VPN and apps</string>
     <!-- Sub-heading for a user credential installed to be used as part of a Wi-Fi configuration. [CHAR LIMIT=NONE]. -->
     <string name="credential_for_wifi">Installed for Wi-Fi</string>
+    <!-- Sub-heading for a user credential installed to be used by kernel for fs-verity verification [CHAR LIMIT=NONE]. -->
+    <string name="credential_for_fsverity">Installed for app install source verification</string>
     <!-- Description of dialog to reset credential storage [CHAR LIMIT=NONE] -->
     <string name="credentials_reset_hint">Remove all the contents?</string>
     <!-- Toast message [CHAR LIMIT=30] -->
@@ -5916,14 +5918,20 @@
     <string name="user_certificate">VPN &amp; app user certificate</string>
     <!-- Title of Wi-Fi certificate [CHAR LIMIT=30] -->
     <string name="wifi_certificate">Wi\u2011Fi certificate</string>
+    <!-- Title of App Source certificate [CHAR LIMIT=30] -->
+    <string name="app_src_certificate">App Source certificate</string>
     <!-- Title of warning shown to the user before they can install a CA certificate [CHAR LIMIT=NONE] -->
     <string name="ca_certificate_warning_title">Your privacy is at risk</string>
     <!-- Description of warning shown to the user before they can install a CA certificate [CHAR LIMIT=NONE] -->
     <string name="ca_certificate_warning_description">CA certificates are used by websites, apps, and VPNs for encryption. Only install CA certificates from organizations you trust. \n\n If you install a CA certificate, the certificate owner could access your information, such as passwords, messages, or credit card details, from websites you visit or apps you use - even if that information is encrypted.</string>
-    <!-- Label for button to not install a CA certificate [CHAR_LIMIT=50] -->
-    <string name="ca_certificate_warning_dont_install">Don\u2019t install</string>
-    <!-- Label for button to continue installing a CA certificate [CHAR_LIMIT=50] -->
-    <string name="ca_certificate_warning_install_anyway">Install anyways</string>
+    <!-- Label for button to not install a certificate [CHAR_LIMIT=50] -->
+    <string name="certificate_warning_dont_install">Don\u2019t install</string>
+    <!-- Label for button to continue installing a certificate [CHAR_LIMIT=50] -->
+    <string name="certificate_warning_install_anyway">Install anyways</string>
+    <!-- Title of warning shown to the user before they can install an App Source certificate [CHAR LIMIT=50] -->
+    <string name="app_src_certificate_warning_title">Install this certificate at your own risk</string>
+    <!-- Description of warning shown to the user before they can install an App Source certificate [CHAR LIMIT=NONE] -->
+    <string name="app_src_certificate_warning_description">App source certificates verify that apps are safe for your device. Only install certificates from organizations you trust.</string>
     <!-- Toast message that a certificate was not installed -->
     <string name="cert_not_installed">Certificate not installed</string>
 
@@ -6549,14 +6557,28 @@
     <string name="one_usercrt">one user certificate</string>
     <!-- Item found in the PKCS12 keystore being investigated [CHAR LIMIT=NONE] -->
     <string name="one_cacrt">one CA certificate</string>
-    <!-- Item found in thee PKCS12 keystore being investigated [CHAR LIMIT=NONE]-->
+    <!-- Item found in the PKCS12 keystore being investigated [CHAR LIMIT=NONE]-->
     <string name="n_cacrts">%d CA certificates</string>
+    <!-- Item found in the PKCS12 keystore being investigated [CHAR LIMIT=NONE] -->
+    <string name="one_appsrccrt">one App Source certificate</string>
     <!-- Alert dialog when viewing a set of user credentials. -->
     <string name="user_credential_title">Credential details</string>
     <!-- Announcement to confirm a user credential being removed. [CHAR LIMIT=NONE] -->
     <string name="user_credential_removed">Removed credential: <xliff:g id="credential_name" example="signing key">%s</xliff:g></string>
     <!-- Placeholder for the list of installed user credentials (private keys) when the list is empty. [CHAR LIMIT=120] -->
     <string name="user_credential_none_installed">No user credentials installed</string>
+    <!-- Title of alert dialog after an app source certificate is installed. [CHAR LIMIT=45] -->
+    <string name="app_src_cert_reboot_dialog_install_title">Restart to use certificate</string>
+    <!-- Message of alert dialog after an app source certificate is installed. [CHAR LIMIT=NONE] -->
+    <string name="app_src_cert_reboot_dialog_install_message">To use this app source certificate, you need to restart your device</string>
+    <!-- Title of alert dialog after an app source certificate is deleted. [CHAR LIMIT=45] -->
+    <string name="app_src_cert_reboot_dialog_uninstall_title">Restart to finish uninstalling</string>
+    <!-- Message of alert dialog after an app source certificate is deleted. [CHAR LIMIT=NONE] -->
+    <string name="app_src_cert_reboot_dialog_uninstall_message">To uninstall this app source certificate, you need to restart your device</string>
+    <!-- Button to restart the device. [CHAR LIMIT=25] -->
+    <string name="app_src_cert_reboot_dialog_button_restart">Restart</string>
+    <!-- Button to skip restarting the device. [CHAR LIMIT=25] -->
+    <string name="app_src_cert_reboot_dialog_button_not_now">Not now</string>
 
     <!--  Title for spell checker settings -->
     <string name="spellcheckers_settings_title">Spell checker</string>
diff --git a/res/xml/install_certificate_from_storage.xml b/res/xml/install_certificate_from_storage.xml
index 0cf4a36e46d..640cb562c1e 100644
--- a/res/xml/install_certificate_from_storage.xml
+++ b/res/xml/install_certificate_from_storage.xml
@@ -62,6 +62,18 @@
 
         </Preference>
 
+        <Preference
+            android:key="install_app_src_certificate"
+            android:title="@string/app_src_certificate"
+            settings:controller="com.android.settings.security.InstallAppSourceCertificatePreferenceController">
+
+            <intent
+                android:targetPackage="com.android.settings"
+                android:targetClass="com.android.settings.security.InstallAppSourceCertificateWarning">
+            </intent>
+
+        </Preference>
+
     </PreferenceCategory>
 
 </PreferenceScreen>
\ No newline at end of file
diff --git a/src/com/android/settings/RebootDialog.java b/src/com/android/settings/RebootDialog.java
new file mode 100644
index 00000000000..700d140065c
--- /dev/null
+++ b/src/com/android/settings/RebootDialog.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings;
+
+import android.annotation.StringRes;
+import android.app.Activity;
+import android.content.Context;
+import android.content.DialogInterface;
+import android.os.PowerManager;
+
+import androidx.appcompat.app.AlertDialog;
+
+/** Dialog to confirm a reboot immediately, or later. */
+public class RebootDialog implements DialogInterface.OnClickListener,
+        DialogInterface.OnDismissListener {
+    private final Activity mActivity;
+    private final AlertDialog mDialog;
+    private final String mRebootReason;
+
+    public RebootDialog(Activity activity, @StringRes int titleRes, @StringRes int messageRes,
+            String rebootReason) {
+        mActivity = activity;
+        mDialog = new AlertDialog.Builder(activity)
+                .setTitle(titleRes)
+                .setMessage(messageRes)
+                .setPositiveButton(R.string.app_src_cert_reboot_dialog_button_restart, this)
+                .setNegativeButton(R.string.app_src_cert_reboot_dialog_button_not_now, null)
+                .setOnDismissListener(this)
+                .create();
+        mRebootReason = rebootReason;
+    }
+
+    /** Shows the dialog. */
+    public void show() {
+        mDialog.show();
+    }
+
+    @Override
+    public void onClick(DialogInterface dialog, int button) {
+        if (button == DialogInterface.BUTTON_POSITIVE) {
+            PowerManager pm = (PowerManager) mActivity.getSystemService(Context.POWER_SERVICE);
+            pm.reboot(mRebootReason);
+        }
+    }
+
+    @Override
+    public void onDismiss(DialogInterface dialog) {
+        mActivity.finish();
+    }
+}
diff --git a/src/com/android/settings/UserCredentialsSettings.java b/src/com/android/settings/UserCredentialsSettings.java
index d322819ba98..4983a36ee1d 100644
--- a/src/com/android/settings/UserCredentialsSettings.java
+++ b/src/com/android/settings/UserCredentialsSettings.java
@@ -193,6 +193,8 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
                 for (final Credential credential : credentials) {
                     if (credential.isSystem()) {
                         removeGrantsAndDelete(credential);
+                    } else if (credential.isFsverity()) {
+                        deleteAppSourceCredential(credential);
                     } else {
                         deleteWifiCredential(credential);
                     }
@@ -219,6 +221,16 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
                 }
             }
 
+            private void deleteAppSourceCredential(final Credential credential) {
+                final KeyStore keyStore = KeyStore.getInstance();
+                final EnumSet<Credential.Type> storedTypes = credential.getStoredTypes();
+
+                if (storedTypes.contains(Credential.Type.APP_SOURCE_CERTIFICATE)) {
+                    keyStore.delete(Credentials.APP_SOURCE_CERTIFICATE + credential.getAlias(),
+                            Process.FSVERITY_CERT_UID);
+                }
+            }
+
             private void removeGrantsAndDelete(final Credential credential) {
                 final KeyChainConnection conn;
                 try {
@@ -242,10 +254,21 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
             protected void onPostExecute(Credential... credentials) {
                 if (targetFragment instanceof UserCredentialsSettings && targetFragment.isAdded()) {
                     final UserCredentialsSettings target = (UserCredentialsSettings) targetFragment;
+                    boolean includeFsverity = false;
                     for (final Credential credential : credentials) {
                         target.announceRemoval(credential.alias);
+                        if (credential.isFsverity()) {
+                            includeFsverity = true;
+                        }
                     }
                     target.refreshItems();
+                    if (includeFsverity) {
+                        new RebootDialog(
+                                getActivity(),
+                                R.string.app_src_cert_reboot_dialog_uninstall_title,
+                                R.string.app_src_cert_reboot_dialog_uninstall_message,
+                                "Reboot to make new fsverity cert effective").show();
+                    }
                 }
             }
         }
@@ -272,10 +295,12 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
             final int myUserId = UserHandle.myUserId();
             final int systemUid = UserHandle.getUid(myUserId, Process.SYSTEM_UID);
             final int wifiUid = UserHandle.getUid(myUserId, Process.WIFI_UID);
+            final int fsverityUid = UserHandle.getUid(myUserId, Process.FSVERITY_CERT_UID);
 
             List<Credential> credentials = new ArrayList<>();
             credentials.addAll(getCredentialsForUid(keyStore, systemUid).values());
             credentials.addAll(getCredentialsForUid(keyStore, wifiUid).values());
+            credentials.addAll(getCredentialsForUid(keyStore, fsverityUid).values());
             return credentials;
         }
 
@@ -402,6 +427,7 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
         credentialViewTypes.put(R.id.contents_userkey, Credential.Type.USER_KEY);
         credentialViewTypes.put(R.id.contents_usercrt, Credential.Type.USER_CERTIFICATE);
         credentialViewTypes.put(R.id.contents_cacrt, Credential.Type.CA_CERTIFICATE);
+        credentialViewTypes.put(R.id.contents_appsrccrt, Credential.Type.APP_SOURCE_CERTIFICATE);
     }
 
     protected static View getCredentialView(Credential item, @LayoutRes int layoutResource,
@@ -411,9 +437,15 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
         }
 
         ((TextView) view.findViewById(R.id.alias)).setText(item.alias);
-        ((TextView) view.findViewById(R.id.purpose)).setText(item.isSystem()
-                ? R.string.credential_for_vpn_and_apps
-                : R.string.credential_for_wifi);
+        int purpose;
+        if (item.isSystem()) {
+            purpose = R.string.credential_for_vpn_and_apps;
+        } else if (item.isFsverity()) {
+            purpose = R.string.credential_for_fsverity;
+        } else {
+            purpose = R.string.credential_for_wifi;
+        }
+        ((TextView) view.findViewById(R.id.purpose)).setText(purpose);
 
         view.findViewById(R.id.contents).setVisibility(expanded ? View.VISIBLE : View.GONE);
         if (expanded) {
@@ -435,7 +467,8 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
         static enum Type {
             CA_CERTIFICATE (Credentials.CA_CERTIFICATE),
             USER_CERTIFICATE (Credentials.USER_CERTIFICATE),
-            USER_KEY(Credentials.USER_PRIVATE_KEY, Credentials.USER_SECRET_KEY);
+            USER_KEY(Credentials.USER_PRIVATE_KEY, Credentials.USER_SECRET_KEY),
+            APP_SOURCE_CERTIFICATE(Credentials.APP_SOURCE_CERTIFICATE);
 
             final String[] prefix;
 
@@ -452,7 +485,8 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
 
         /**
          * UID under which this credential is stored. Typically {@link Process#SYSTEM_UID} but can
-         * also be {@link Process#WIFI_UID} for credentials installed as wifi certificates.
+         * also be {@link Process#WIFI_UID} for credentials installed as wifi certificates, or
+         * {@link Process#FSVERITY_CERT_UID} for app source certificates.
          */
         final int uid;
 
@@ -462,6 +496,7 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
          *   <li>{@link Credentials.CA_CERTIFICATE}</li>
          *   <li>{@link Credentials.USER_CERTIFICATE}</li>
          *   <li>{@link Credentials.USER_KEY}</li>
+         *   <li>{@link Credentials.APP_SOURCE_CERTIFICATE}</li>
          * </ul>
          */
         final EnumSet<Type> storedTypes = EnumSet.noneOf(Type.class);
@@ -512,6 +547,10 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
             return UserHandle.getAppId(uid) == Process.SYSTEM_UID;
         }
 
+        public boolean isFsverity() {
+            return UserHandle.getAppId(uid) == Process.FSVERITY_CERT_UID;
+        }
+
         public String getAlias() { return alias; }
 
         public EnumSet<Type> getStoredTypes() {
diff --git a/src/com/android/settings/security/CredentialStorage.java b/src/com/android/settings/security/CredentialStorage.java
index 5e647230852..28d4f63bde1 100644
--- a/src/com/android/settings/security/CredentialStorage.java
+++ b/src/com/android/settings/security/CredentialStorage.java
@@ -44,6 +44,7 @@ import androidx.fragment.app.FragmentActivity;
 
 import com.android.internal.widget.LockPatternUtils;
 import com.android.settings.R;
+import com.android.settings.RebootDialog;
 import com.android.settings.password.ChooseLockSettingsHelper;
 import com.android.settings.vpn2.VpnUtils;
 
@@ -130,10 +131,10 @@ public final class CredentialStorage extends FragmentActivity {
         if (uid != KeyStore.UID_SELF && !UserHandle.isSameUser(uid, Process.myUid())) {
             final int dstUserId = UserHandle.getUserId(uid);
 
-            // Restrict install target to the wifi uid.
-            if (uid != Process.WIFI_UID) {
+            // Restrict install target to the known uid.
+            if (uid != Process.WIFI_UID && uid != Process.FSVERITY_CERT_UID) {
                 Log.e(TAG, "Failed to install credentials as uid " + uid + ": cross-user installs"
-                        + " may only target wifi uids");
+                        + " may only target known uids");
                 return true;
             }
 
@@ -309,6 +310,16 @@ public final class CredentialStorage extends FragmentActivity {
         Log.i(TAG, String.format("Successfully installed alias %s to uid %d.",
                 alias, uid));
 
+        if (uid == Process.FSVERITY_CERT_UID) {
+            new RebootDialog(
+                    this,
+                    R.string.app_src_cert_reboot_dialog_install_title,
+                    R.string.app_src_cert_reboot_dialog_install_message,
+                    "Reboot to make new fsverity cert effective").show();
+            setResult(RESULT_OK);
+            return;
+        }
+
         // Send the broadcast.
         final Intent broadcast = new Intent(KeyChain.ACTION_KEYCHAIN_CHANGED);
         sendBroadcast(broadcast);
diff --git a/src/com/android/settings/security/InstallAppSourceCertificatePreferenceController.java b/src/com/android/settings/security/InstallAppSourceCertificatePreferenceController.java
new file mode 100644
index 00000000000..86c02cd3dc1
--- /dev/null
+++ b/src/com/android/settings/security/InstallAppSourceCertificatePreferenceController.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.security;
+
+import android.content.Context;
+import android.os.SystemProperties;
+
+import com.android.internal.annotations.VisibleForTesting;
+import com.android.settings.core.BasePreferenceController;
+
+class InstallAppSourceCertificatePreferenceController extends
+        BasePreferenceController {
+
+    private static final String APK_VERITY_PROPERTY = "ro.apk_verity.mode";
+    private static final int APK_VERITY_MODE_ENABLED = 2;
+
+    InstallAppSourceCertificatePreferenceController(Context context, String key) {
+        super(context, key);
+    }
+
+    @Override
+    public int getAvailabilityStatus() {
+        return isApkVerityEnabled() ? AVAILABLE : UNSUPPORTED_ON_DEVICE;
+    }
+
+    @VisibleForTesting
+    static boolean isApkVerityEnabled() {
+        // TODO(victorhsieh): replace this with a new API in PackageManager once it is landed.
+        return SystemProperties.getInt(APK_VERITY_PROPERTY, 0) == APK_VERITY_MODE_ENABLED;
+    }
+}
diff --git a/src/com/android/settings/security/InstallAppSourceCertificateWarning.java b/src/com/android/settings/security/InstallAppSourceCertificateWarning.java
new file mode 100644
index 00000000000..9ea1b0ea2a4
--- /dev/null
+++ b/src/com/android/settings/security/InstallAppSourceCertificateWarning.java
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.security;
+
+import android.annotation.Nullable;
+import android.app.Activity;
+import android.content.Intent;
+import android.os.Bundle;
+import android.security.Credentials;
+import android.view.View;
+import android.widget.Toast;
+
+import com.android.settings.R;
+
+import com.google.android.setupcompat.template.FooterBarMixin;
+import com.google.android.setupcompat.template.FooterButton;
+import com.google.android.setupdesign.GlifLayout;
+
+/**
+ * Creates a warning dialog explaining the consequences of installing a certificate
+ * This is displayed before an app source certificate can be installed from Settings.
+ */
+public class InstallAppSourceCertificateWarning extends Activity {
+    @Override
+    public void onCreate(@Nullable Bundle savedInstanceState) {
+        super.onCreate(savedInstanceState);
+
+        setContentView(R.layout.app_source_certificate_warning_dialog);
+        final GlifLayout layout = findViewById(R.id.setup_wizard_layout);
+
+        final FooterBarMixin mixin = layout.getMixin(FooterBarMixin.class);
+        mixin.setSecondaryButton(
+                new FooterButton.Builder(this)
+                        .setText(R.string.certificate_warning_install_anyway)
+                        .setListener(installCertificate())
+                        .setButtonType(FooterButton.ButtonType.OTHER)
+                        .setTheme(R.style.SudGlifButton_Secondary)
+                        .build()
+        );
+
+        mixin.setPrimaryButton(
+                new FooterButton.Builder(this)
+                        .setText(R.string.certificate_warning_dont_install)
+                        .setListener(returnToInstallCertificateFromStorage())
+                        .setButtonType(FooterButton.ButtonType.NEXT)
+                        .setTheme(R.style.SudGlifButton_Primary)
+                        .build()
+        );
+    }
+
+    private View.OnClickListener installCertificate() {
+        return v -> {
+            final Intent intent = new Intent();
+            intent.setAction(Credentials.INSTALL_ACTION);
+            intent.putExtra(Credentials.EXTRA_CERTIFICATE_USAGE,
+                    Credentials.CERTIFICATE_USAGE_APP_SOURCE);
+            startActivity(intent);
+            finish();
+        };
+    }
+
+    private View.OnClickListener returnToInstallCertificateFromStorage() {
+        return v -> {
+            Toast.makeText(this, R.string.cert_not_installed, Toast.LENGTH_SHORT).show();
+            finish();
+        };
+    }
+
+}
diff --git a/src/com/android/settings/security/InstallCaCertificateWarning.java b/src/com/android/settings/security/InstallCaCertificateWarning.java
index 701d9f46432..91faae1f6a1 100644
--- a/src/com/android/settings/security/InstallCaCertificateWarning.java
+++ b/src/com/android/settings/security/InstallCaCertificateWarning.java
@@ -46,7 +46,7 @@ public class InstallCaCertificateWarning extends Activity {
         final FooterBarMixin mixin = layout.getMixin(FooterBarMixin.class);
         mixin.setSecondaryButton(
                 new FooterButton.Builder(this)
-                        .setText(R.string.ca_certificate_warning_install_anyway)
+                        .setText(R.string.certificate_warning_install_anyway)
                         .setListener(installCaCertificate())
                         .setButtonType(FooterButton.ButtonType.OTHER)
                         .setTheme(R.style.SudGlifButton_Secondary)
@@ -55,7 +55,7 @@ public class InstallCaCertificateWarning extends Activity {
 
         mixin.setPrimaryButton(
                 new FooterButton.Builder(this)
-                        .setText(R.string.ca_certificate_warning_dont_install)
+                        .setText(R.string.certificate_warning_dont_install)
                         .setListener(returnToInstallCertificateFromStorage())
                         .setButtonType(FooterButton.ButtonType.NEXT)
                         .setTheme(R.style.SudGlifButton_Primary)
diff --git a/src/com/android/settings/security/InstallCertificateFromStorage.java b/src/com/android/settings/security/InstallCertificateFromStorage.java
index 3810531815a..c5a93f076e7 100644
--- a/src/com/android/settings/security/InstallCertificateFromStorage.java
+++ b/src/com/android/settings/security/InstallCertificateFromStorage.java
@@ -60,6 +60,7 @@ public class InstallCertificateFromStorage extends DashboardFragment {
 
     private static List<AbstractPreferenceController> buildPreferenceControllers(Context context,
             Lifecycle lifecycle) {
+        // TODO(eranm,victorhsieh): use "settings:controller" in xml and remove the following.
         final List<AbstractPreferenceController> controllers = new ArrayList<>();
         controllers.add(new InstallCaCertificatePreferenceController(context));
         controllers.add(new InstallUserCertificatePreferenceController(context));
diff --git a/tests/robotests/src/com/android/settings/security/InstallCertificateFromStorageTest.java b/tests/robotests/src/com/android/settings/security/InstallCertificateFromStorageTest.java
index 61c39fca933..03bdb088809 100644
--- a/tests/robotests/src/com/android/settings/security/InstallCertificateFromStorageTest.java
+++ b/tests/robotests/src/com/android/settings/security/InstallCertificateFromStorageTest.java
@@ -67,6 +67,7 @@ public class InstallCertificateFromStorageTest {
         mTestKeys.add("install_ca_certificate");
         mTestKeys.add("install_user_certificate");
         mTestKeys.add("install_wifi_certificate");
+        mTestKeys.add("install_app_src_certificate");
     }
 
     @Test
diff --git a/tests/robotests/src/com/android/settings/security/RestrictedEncryptionPreferenceControllerTest.java b/tests/robotests/src/com/android/settings/security/RestrictedEncryptionPreferenceControllerTest.java
index 78ad5e57510..7d3b1176fbb 100644
--- a/tests/robotests/src/com/android/settings/security/RestrictedEncryptionPreferenceControllerTest.java
+++ b/tests/robotests/src/com/android/settings/security/RestrictedEncryptionPreferenceControllerTest.java
@@ -37,6 +37,9 @@ import org.robolectric.annotation.Config;
 @Config(shadows = ShadowUserManager.class)
 public class RestrictedEncryptionPreferenceControllerTest {
 
+    private static final String APK_VERITY_PROPERTY = "ro.apk_verity.mode";
+    private static final int APK_VERITY_MODE_ENABLED = 2;
+
     private Context mContext;
     private ShadowUserManager mUserManager;
     private CredentialStoragePreferenceController mCredentialStoragePreferenceController;
@@ -46,6 +49,8 @@ public class RestrictedEncryptionPreferenceControllerTest {
     private InstallCaCertificatePreferenceController mInstallCaCertificatePreferenceController;
     private InstallUserCertificatePreferenceController mInstallUserCertificatePreferenceController;
     private InstallWifiCertificatePreferenceController mInstallWifiCertificatePreferenceController;
+    private InstallAppSourceCertificatePreferenceController
+            mInstallAppSourceCertificatePreferenceController;
     private Lifecycle mLifecycle;
     private LifecycleOwner mLifecycleOwner;
 
@@ -64,6 +69,9 @@ public class RestrictedEncryptionPreferenceControllerTest {
                 new UserCredentialsPreferenceController(mContext);
         mInstallCaCertificatePreferenceController =
                 new InstallCaCertificatePreferenceController(mContext);
+        mInstallAppSourceCertificatePreferenceController =
+                new InstallAppSourceCertificatePreferenceController(
+                        mContext, "install_app_src_certificate");
         mInstallUserCertificatePreferenceController =
                 new InstallUserCertificatePreferenceController(mContext);
         mInstallWifiCertificatePreferenceController =
@@ -80,6 +88,8 @@ public class RestrictedEncryptionPreferenceControllerTest {
         assertThat(mInstallCaCertificatePreferenceController.isAvailable()).isTrue();
         assertThat(mInstallUserCertificatePreferenceController.isAvailable()).isTrue();
         assertThat(mInstallWifiCertificatePreferenceController.isAvailable()).isTrue();
+        assertThat(mInstallAppSourceCertificatePreferenceController.isAvailable())
+                .isEqualTo(InstallAppSourceCertificatePreferenceController.isApkVerityEnabled());
     }
 
     @Test