Android 中使用系統(tǒng)簽名的方法
Android Build中系統(tǒng)簽名使用方法
Key的目錄
默認加密key是放在Android源碼的/build/target/product/security目錄下
其中,.pk8文件為私鑰,.x509.pem文件為公鑰
platform.x509.pem 探遵、platform.pk8 這兩個文件位置其實并不是固定的,在Android 平臺可以自定義路徑
export PRODUCT_DEFAULT_DEV_CERTIFICATE := vendor/xxxx/security/releasekey
Key的使用
Apk的Android.mk文件中會指定LOCAL_CERTIFICATE
LOCAL_CERTIFICATE := testkey # 普通APK料仗,默認情況下使用
LOCAL_CERTIFICATE := platform # 該APK完成一些系統(tǒng)的核心功能,這種方式編譯出來的APK所在進程的UID為system
LOCAL_CERTIFICATE := shared # 該APK是media/download系統(tǒng)中的一環(huán)
LOCAL_CERTIFICATE := media # 該APK是media/download系統(tǒng)testkey克蚂。
如果不指定,默認使用testkey规辱。
對應(yīng)的绿鸣,除了在Android.mk指定上述的值疚沐,還需要在APK源碼的AndroidManifest.xml文件的manifest節(jié)點里面申明權(quán)限:
android:sharedUserId="android.uid.system"
android:sharedUserId="android.uid.shared"
android:sharedUserId="android.media"
key的生成
在/build/target/product/security目錄下有個README,里面有說怎么制作這些key以及使用問題
For detailed information on key types and image signing, please see:
https://source.android.com/devices/tech/ota/sign_builds.html
The test keys in this directory are used in development only and should
NEVER be used to sign packages in publicly released images (as that would
open a major security hole).
key generation
--------------
The following commands were used to generate the test key pairs:
development/tools/make_key testkey '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
development/tools/make_key platform '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
development/tools/make_key shared '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
development/tools/make_key media '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
signing using the openssl commandline (for boot/system images)
--------------------------------------------------------------
1\. convert pk8 format key to pem format
% openssl pkcs8 -inform DER -nocrypt -in testkey.pk8 -out testkey.pem
2\. create a signature using the pem format key
% openssl dgst -binary -sha1 -sign testkey.pem FILE > FILE.sig
extracting public keys for embedding
------------------------------------
dumpkey.jar is a Java tool that takes an x.509 certificate in PEM format as
input and prints a C structure to standard output:
$ java -jar out/host/linux-x86/framework/dumpkey.jar build/target/product/security/testkey.x509.pem
{64,0xc926ad21,{1795090719,2141396315,950055447,2581568430,4268923165,1920809988,546586521,3498997798,1776797858,3740060814,1805317999,1429410244,129622599,1422441418,1783893377,1222374759,2563319927,323993566,28517732,609753416,1826472888,215237850,4261642700,4049082591,3228462402,774857746,154822455,2497198897,2758199418,3019015328,2794777644,87251430,2534927978,120774784,571297800,3695899472,2479925187,3811625450,3401832990,2394869647,3267246207,950095497,555058928,414729973,1136544882,3044590084,465547824,4058146728,2731796054,1689838846,3890756939,1048029507,895090649,247140249,178744550,3547885223,3165179243,109881576,3944604415,1044303212,3772373029,2985150306,3737520932,3599964420},{3437017481,3784475129,2800224972,3086222688,251333580,2131931323,512774938,325948880,2657486437,2102694287,3820568226,792812816,1026422502,2053275343,2800889200,3113586810,165549746,4273519969,4065247892,1902789247,772932719,3941848426,3652744109,216871947,3164400649,1942378755,3996765851,1055777370,964047799,629391717,2232744317,3910558992,191868569,2758883837,3682816752,2997714732,2702529250,3570700455,3776873832,3924067546,3555689545,2758825434,1323144535,61311905,1997411085,376844204,213777604,4077323584,9135381,1625809335,2804742137,2952293945,1117190829,4237312782,1825108855,3013147971,1111251351,2568837572,1684324211,2520978805,367251975,810756730,2353784344,1175080310}}
This is called by build/make/core/Makefile to incorporate the OTA signing keys
into the recovery image.
APK開發(fā)環(huán)境中系統(tǒng)簽名使用方法
AndroidManifest.xml中的android:sharedUserId="android.uid.system"潮模,代表的意思是和系統(tǒng)相同的uid濒旦,可以擁有修改系統(tǒng)時間,文件操作等權(quán)限再登。
使用命令行方式
java -jar signapk.jar platform.x509.pem platform.pk8 MyDemo.apk MyDemo_signed.apk
platform.x509.pem
文件位置:platform/build/target/product/security/
platform.pk8
文件位置:platform/build/target/product/security/
signapk.jar
由源文件 /platform/build/tools/signapk/編譯產(chǎn)生
生成目錄 /out/host/linux-x86/framework/ 中找到
Android Studio方式
build.gradle中添加
signingConfigs {
release {
//發(fā)布正式版本模式下的使用的簽名文件
keyAliard 'android'
keyPassword 'android'
storeFile file('./platform.keystore')
storePassword 'android'
}
}
關(guān)于 platform.keystore 生成有提供如下兩種方法
Linux 環(huán)境 keystore 生成
platform.pk8尔邓、platform.x509.pem轉(zhuǎn)成keystore類型的簽名文件
1、環(huán)境:Ubuntu
2锉矢、JDK配置
3梯嗽、下載keytool-importkeypair GitHub - getfatday/keytool-importkeypair: A shell script to import key/certificate pairs into an existing Java keystore
4、生成keystore簽名文件
將platform.pk8沽损、platform.x509.pem和keytool-importkeypair放到同一個文件夾下灯节,然后打開終端,執(zhí)行以下語句即可在文件夾下生成keystore簽名文件
./keytool -importkeypair -k name.keystore -p android -pk8 platform.pk8 \
-cert platform.x509.pem -alias android
-k:生成的簽名文件名稱
-p:簽名文件密碼
-alias:簽名文件別名
Note:Android
Windows環(huán)境keystore 生成
1绵估、安裝OpenSSL炎疆,參考 Windows 下OpenSSL安裝過程及錯誤解決辦法_離水的魚兒的博客-CSDN博客_openssl
2、將platform.pk8国裳,platform.x509.pem 文件復(fù)制到openSSL安裝目錄形入,方便后面執(zhí)行命令
3、執(zhí)行文件目錄中的start.bat缝左,會打開命令窗
4亿遂、在本目錄下生成platform.pem文件浓若,目錄圖中的platform.pem文件此步驟后生成
openssl pkcs8 -inform DER -nocrypt -in platform.pk8 -out platform.pem
5、在本目錄下生成platform.p12文件蛇数,并設(shè)置別名和密碼
openssl pkcs12 -export -in platform.x509.pem -out platform.p12 \
-inkey platform.pem -password pass:android -name android
這里設(shè)置的別名和密碼就是在Android Studio打包時選擇的別名和密碼(這里都設(shè)置為android)挪钓,輸出 platform.p12文件
6.在本目錄下生成platform.jks文件
keytool -importkeystore -deststorepass android -destkeystore ./platform.jks \
-srckeystore ./platform.p12 -srcstoretype PKCS12 -srcstorepass android
更多原理性介紹可以看這兩篇文檔
