keystore android

Android Apk签名

Sign your app

Posted by LXG on April 11, 2019

Sign your app-AOSP

AOSP系统签名的生成和替换

查看Apk的证书信息

  1. 解压Apk

  2. keytool -printcert -file META-INF/CERT.RSA

所有者: C=US, O=Android, CN=Android Debug
发布者: C=US, O=Android, CN=Android Debug
序列号: 1
有效期为 Fri Jan 04 21:22:41 CST 2019 至 Sun Dec 27 21:22:41 CST 2048
证书指纹:
MD5: 09:B0:2D:55:CE:10:17:59:8A:81:D4:6A:3E:80:4D:3D
SHA1: A6:F4:A7:40:DF:06:E3:ED:82:10:00:78:13:52:8F:FE:4E:F7:95:86
SHA256: 20:E6:0F:5C:B6:A2:C0:4B:6F:85:DC:15:06:32:41:FF:13:DD:CE:05:D6:B8:B0:EF:31:B7:58:F6:4B:03:7E:04
签名算法名称: SHA1withRSA
主体公共密钥算法: 1024 位 RSA 密钥
版本: 1

keystore

查看证书指纹命令

keytool -list -v -keystore **.keystore

apksigner

验证Apk是否已经签名

apksigner verify my-app-release.apk

命令行给apk签名

apksigner sign –ks my-release-key.jks –out my-app-release.apk my-app-unsigned-aligned.apk

配置 Gradle


android {
    ...
    defaultConfig { ... }
    signingConfigs {
        release {
            // You need to specify either an absolute path or include the
            // keystore file in the same directory as the build.gradle file.
            storeFile file("my-release-key.jks")
            storePassword "password"
            keyAlias "my-alias"
            keyPassword "password"
        }
    }
    buildTypes {
        release {
            signingConfig signingConfigs.release
            ...
        }
    }
}

AOSP 系统签名

提取系统签名platform.keystore

name: aosp password:123456

  1. cd build/target/product/security/
  2. openssl pkcs8 -inform DER -nocrypt -in platform.pk8 -out platform.pem
  3. keytool -importkeystore -deststorepass 123456 -destkeystore ./platform.keystore -srckeystore ./platform.p12 -srcstoretype PKCS12 -srcstorepass 123456
  4. keytool -importkeystore -srckeystore ./platform.keystore -destkeystore ./platform.keystore -deststoretype pkcs12

android R

android$ cd build/target/product/security/

android/build/target/product/security$ openssl pkcs8 -inform DER -nocrypt -in platform.pk8 -out platform.pem

android/build/target/product/security$ ls
Android.bp  fsverity-release.x509.der  media.x509.pem    networkstack.x509.pem  platform.pk8       README      shared.x509.pem  testkey.x509.pem  verity.pk8
Android.mk  media.pk8                  networkstack.pk8  platform.pem           platform.x509.pem  shared.pk8  testkey.pk8      verity_key        verity.x509.pem

android/build/target/product/security$ openssl pkcs12 -export -in platform.x509.pem -out platform.p12 -inkey platform.pem -password pass:123456 -name aosp

android/build/target/product/security$ ls
Android.bp  fsverity-release.x509.der  media.x509.pem    networkstack.x509.pem  platform.pem  platform.x509.pem  shared.pk8       testkey.pk8       verity_key  verity.x509.pem
Android.mk  media.pk8                  networkstack.pk8  platform.p12           platform.pk8  README             shared.x509.pem  testkey.x509.pem  verity.pk8

android/build/target/product/security$ keytool -importkeystore -deststorepass 123456 -destkeystore ./platform.keystore -srckeystore ./platform.p12 -srcstoretype PKCS12 -srcstorepass 123456
正在将密钥库 ./platform.p12 导入到 ./platform.keystore...
已成功导入别名 aosp 的条目。
已完成导入命令: 1 个条目成功导入, 0 个条目失败或取消

Warning:
<aosp> 使用的 MD5withRSA 签名算法存在安全风险。
JKS 密钥库使用专用格式。建议使用 "keytool -importkeystore -srckeystore ./platform.keystore -destkeystore ./platform.keystore -deststoretype pkcs12" 迁移到行业标准格式 PKCS12。
android/build/target/product/security$ keytool -importkeystore -srckeystore ./platform.keystore -destkeystore ./platform.keystore -deststoretype pkcs12
输入源密钥库口令:123456
已成功导入别名 aosp 的条目。
已完成导入命令: 1 个条目成功导入, 0 个条目失败或取消

Warning:
<aosp> 使用的 MD5withRSA 签名算法存在安全风险。
已将 "./platform.keystore" 迁移到 Non JKS/JCEKS。将 JKS 密钥库作为 "./platform.keystore.old" 进行了备份。

android/build/target/product/security$ ls
Android.bp  fsverity-release.x509.der  media.x509.pem    networkstack.x509.pem  platform.keystore.old  platform.pem  platform.x509.pem  shared.pk8       testkey.pk8       verity_key  verity.x509.pem
Android.mk  media.pk8                  networkstack.pk8  platform.keystore      platform.p12           platform.pk8  README             shared.x509.pem  testkey.x509.pem  verity.pk8

android系统签名替换

AOSP系统签名的生成以及替换-Android


build/target/product/security$ tree -L 1
.
├── Android.mk
├── media.pk8
├── media.x509.pem
├── platform.pk8         私钥
├── platform.x509.pem    公钥
├── README
├── shared.pk8
├── shared.x509.pem
├── testkey.pk8
├── testkey.x509.pem
├── verity_key
├── verity.pk8
└── verity.x509.pem

README


The following commands were used to generate the test key pairs:

  development/tools/make_key testkey  '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
  development/tools/make_key platform '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
  development/tools/make_key shared   '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
  development/tools/make_key media    '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'

The following standard test keys are currently included:

testkey -- a generic key for packages that do not otherwise specify a key.
platform -- a test key for packages that are part of the core platform.
shared -- a test key for things that are shared in the home/contacts process.
media -- a test key for packages that are part of the media/download system.

These test keys are used strictly in development, and should never be assumed
to convey any sort of validity.  When $BUILD_SECURE=true, the code should not
honor these keys in any context.


signing using the openssl commandline (for boot/system images)
--------------------------------------------------------------

1. convert pk8 format key to pem format
   % openssl pkcs8 -inform DER -nocrypt -in testkey.pk8 -out testkey.pem

2. create a signature using the pem format key
   % openssl dgst -binary -sha1 -sign testkey.pem FILE > FILE.sig

extracting public keys for embedding
------------------------------------
it's a Java tool
but it generates C code
take a look at commands/recovery/Android.mk
you'll see it running $(HOST_OUT_JAVA_LIBRARIES)/dumpkey.jar

自定义签名信息

development/tools/make_key platform ‘/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com’

  • C —> Country Name (2 letter code)
  • ST —> State or Province Name (full name)
  • L —> Locality Name (eg, city)
  • O —> Organization Name (eg, company)
  • OU —> Organizational Unit Name (eg, section)
  • CN —> Common Name (eg, your name or your server’s hostname)
  • emailAddress —> Contact email address

签名制作脚本

签名版本以供发布

development/tools/make_key


subject='/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
mkdir ~/.android-certs
for x in releasekey platform shared media; do \
    ./development/tools/make_key ~/.android-certs/$x "$subject"; \
  done
CATALOG
    FEATURED TAGS
    Android debug dumpsys shell linux Permission 心理学 ubuntu JNI android IMS systemui selinux eSIM androidstudio performance pms wms view iptables netd property c++ kernel mqtt usb company statusbar docker hardware webrtc recovery web camera rk3288 A133 driver rockchip rk3399 chip rk3588 a133 qt t113 buildroot AI MCU
    FRIENDS