Android system Signature "Go"

This article was reproduced from: http://blog.csdn.net/csh86277516/article/details/73549824

android--compiled release version of the signature system androidmanifest.xml in the android:shareduserid= "Android.uid.system", which means the same UID as the system, You can have permissions to modify system time, file operations, and so on.

Also mention how to give a single apk signature, here to add the Android signature permission control mechanism.

One: Signature type

Android's standard signature key is:

TestKey

Media

Platform

Shared

The above four kinds, can see the corresponding key in the/build/target/product/security of the source code, wherein SHARED.PK8 represents the private key, SHARED.X509.PEM public key, must be in pairs appear.

Where TestKey is the default signature key for Android compilation, TestKey is used by default if the local_certificate value is not set in the android.mk of the APK in the system .

And if set to:

Local_certificate: = Platform

That means signing with platform, so that the APK has the same signature as the system, because the systems-level signature is also used to sign the platform, using android:shareduserid= " Android.uid.system "only works!

Two: Custom signature key

In the/build/target/product/security directory there is a readme, there is said how to make these key and use problems (android4.2):

2. The following commands were used to generate the test key pairs:
6.   development/tools/make_key testkey   '/C=< Span class= "Attribute-value" >us/st=california/l=mountain view/o= android/ou=Android/cn=android/emailaddress=[email protected] '   
8.   development/tools/make_key platform  '/c= us/st=california/l=mountain view/o=android/ou=android/ cn=android/emailaddress=[email protected] '   
10.   development/tools/make_key shared    '/ C=us/st=california/l=mountain view/o=android/ou=android/ cn=android/emailaddress=[email protected] '   
12. Development/tools/make_key Media '/c=us/st=california/l=Mountain view/o=Android/ ou=Android/cn=android/emailaddress=[email protected] '
16. The following standard test keys is currently included:
20. TestKey--a generic key for packages that does not otherwise specify a key.
22. Platform-a test key for packages that is part of the core platform.
24. GKFX-a test key for things that is shared in the home/contacts process.
26. Media-a test key for packages that is part of the media/download system.
30. These test keys is used strictly in development, and should never be assumed
32. To convey any sort of validity. When $build_secure=True, the code should not
34. Honor these keys in any context.

From the above can be seen in the source under the/development/tools directory has a Make_key script, by passing in two parameters can be generated by a pair of signature key.

The first is the name of the key, generally default to Android itself, because many places are used by default, we only need to customize the second parameter to the foot, defined as follows:

C---> Country Name (2 letter code)
ST---> State or province Name (full name)
L---> Locality Name (eg, city)
O---> Organization Name (eg, company)
OU---> Organizational Unit Name (eg, section)
CN---> Common name (eg, your name or your server ' s hostname)
EmailAddress---> Contact email address

In addition, in the use of the above Make_key script generated key process will be prompted to enter password, my processing is not input, direct enter, do not password! Explained later, replace/security with a custom key.

Can see the Android source key used in the second parameter is the above readme, is open, so to release the version of the system, it must have its own signature key to play a security control role.

Three: Modify the system default signature key

As mentioned above, if the compile option in APK local_certificate is not set, it will use the default TestKey as the signature key, we can change to the key we want, and follow the above steps to make a releasekey. Modify the Android configuration to define variables in/BUILD/CORE/CONFIG.MK:

1. Default_system_dev_certificate : = build/target/product/security/releasekey

Inside the main makefile file:

1. Ifeq ($ (default_system_dev_certificate), Build/target/product/security/releasekey)
2. Build_version_tags + = Release-keys

In this case, all default signatures will use Releasekey.

After the modification will be compiled, if the above key in the production of the input password will appear the following error:

2. Enter Password for build/target/product/security/releasekey.pk8 (password won't be hidden): Java.lang.NullPointerException
4. At Com.android.signapk.SignApk.decryptPrivateKey (signapk.java:142)
6. At Com.android.signapk.SignApk.readPrivateKey (signapk.java:166)
8. At Com.android.signapk.SignApk.main (signapk.java:531)
10. Enter Password for build/target/product/security/releasekey.pk8 (password is not being hidden): Make: * * * [Out/target/prod UCT/GOTECHCN/OBJ/APPS/CALENDARPROVIDER_INTERMEDIATES/PACKAGE.APK] Error 1
12. Make: * * is waiting for unfinished tasks ....
14. Enter Password for build/target/product/security/releasekey.pk8 (password won't be hidden): Java.lang.NullPointerException
16. At Com.android.signapk.SignApk.decryptPrivateKey (signapk.java:142)
18. At Com.android.signapk.SignApk.readPrivateKey (signapk.java:166)
20. At Com.android.signapk.SignApk.main (signapk.java:531)
22. Make: * * [out/target/product/gotechcn/obj/apps/calculator_intermediates/package.apk] Error 1
24. Warning:AndroidManifest.xml already defines minsdkversion (in http://schemas.android.com/apk/res/android); Using existing value in manifest.
26. Warning:AndroidManifest.xml already defines targetsdkversion (in http://schemas.android.com/apk/res/android); Using existing value in manifest.
28. ' Out/target/common/obj/apps/calendar_intermediates/classes.dex ' as ' classes.dex ' ...
30. Enter Password for build/target/product/security/releasekey.pk8 (password won't be hidden): Java.lang.NullPointerException
32. At Com.android.signapk.SignApk.decryptPrivateKey (signapk.java:142)
34. At Com.android.signapk.SignApk.readPrivateKey (signapk.java:166)
36. At Com.android.signapk.SignApk.main (signapk.java:531)
38. Make: * * [out/target/product/gotechcn/obj/apps/calendar_intermediates/package.apk] Error 1
40. ^cmake: * * * [out/target/product/gotechcn/obj/apps/basicdreams_intermediates/package.apk] Error 130

I found a reasonable explanation on the Internet:

In fact, the most fundamental reason for this error is the problem of multithreading. In the compile time in order to speed up the general will execute make-jxxx, this would have to manually enter the password, due to the other threads running, it will affect the current input terminal, so it will lead to the password can not be entered the situation!

You can also view the variables in Build.prop after the compilation is complete:

1. ro.build.tags=Release-keys

This is done after the compilation is signed, the system is the release version

I found that after I had done this, the whole system was signed according to my request.

Four: Other

See on the Internet there is another signature release method, but should be for another version of, borrowed to learn a bit:

1. Make-j4 Product-product_modul-user Dist

This is not the same as the usual compilation, there are more than two parameters Product-product_modul-user and Dist. After the compilation is complete, generate a product_modul-target_ in the source/out/dist/directory. Files at the beginning of the zip file. This is the filesystem we need to sign.

My Product_modul is FULL_GOTECHCN, behind the "-user" represents the end-user version, about this name and Product_modul, etc. can refer to HTTP// blog.csdn.net/jscese/article/details/23931159

After compiling the ZIP compression package that needs to be signed, it is signed with the/security key that follows:

1. ./build/tools/releasetools/sign_target_files_apks-d/build/target/product/security Out/dist/full_gotechcn-target _files.zip Out/dist/signed_target_files.zip

Signature destination file output to Signed_target_files.zip

If some apk errors occur, you can filter the APK by adding the parameter "-e <apkname>=" in front of the full_gotechcn-target_files.zip.

Then through the image of the script to generate imag zip file, this way does not apply with my current project source code, did not do too much verification!

Android signature mechanism can be divided into two parts: (1) ROM signature mechanism, (2) third-party apk signature mechanism.

Android apk is actually a jar package, and the jar package is also a zip package. The signature of the APK package actually uses the signature mechanism of the JAR package: Add a meta subdirectory in the zip that holds the signature information, and the signing method computes its hash value for each file in the Zip package, obtains the signature file (*.SF), and then the signature file (. sf) Sign and save the signature in the signature block file (*.DSA).

ROM signature mechanism

The APK is signed with 4 keys (media, platform, shared, TestKey) in the Build/target/product/security directory during the compilation of the Android source code generation ROM. Where *.pk8 is the private key in binary form (DER), *.x509.pem is the corresponding X509 public key certificate (BASE64 encoding). These default keys in the build/target/product/security directory are not password protected and can only be used for debug versions of ROM.

To generate the release version of the ROM, you can first generate the targetfiles, then use the key with the password to re-sign the targetfiles, and finally the re-signed Targetfiles to generate the final ROM.

You can use the tool "Development/tools/make_key", which comes with the Android source tree, to generate an RSA public private key pair with a password (actually generated through OpenSSL):
$ development/tools/make_key Media '/c=cn/st=sichuan/l=chengdu/o=myorg/ou=mydepartment/cn=myname '
The above command will generate a binary form (DER) private key File "Media.pk8" and a corresponding X509 public key certificate file "Media.x509.pem". wherein,/C means "country Code",/st means "state or province",/L means "city or Locality",/O means "Organization",/ou means "organizational Unit", /CN represents "Name". The preceding command generates an E value of 3 for the RSA public key, which can be modified Development/tools/make_key script using F4 (0x10001) as the E value (the 3 parameter of the OpenSSL Genrsa is changed to-F4).

You can also use Keytool in the JDK to generate a public private key pair, and a third-party apk signature is typically generated by Keytool to generate a public private key pair.

You can use the OpenSSL x509 command to view the details of a public key certificate:
$ OpenSSL x509-in media.x509.pem-text-noout
Or
$ OpenSSL x509-in media.x509.pem-inform pem-text-noout

You can also use Keytool in the JDK to view the contents of the public key certificate, but its output does not have the OpenSSL x509 comprehensive:
$ keytool-printcert-v-file Media.x509.pem

After you have the key, you can use the tool "Build/tools/releasetools/sign_target_files" to re-sign the targetfiles:
$ build/tools/releasetools/sign_target_files_apks-d new_keys_dir-o target_files.zip Target_files_resigned.zip
Of these, four keys (media, platform, GKFX, Releasekey) are required in the New_keys_dir directory. Note: The releasekey here will replace the default TestKey (refer to the Build/tools/releasetools/sign_target_files script implementation), i.e., If the local_certificate in the Android.mk file for an apk is TestKey, then the build/target/product/security/testkey used to sign the targetfiles is generated. , the New_keys_dir/releasekey will be used to sign the signature when re-signing here.

The Build/tools/releasetools/sign_target_files_apks is signed by Host/linux-x86/framework/signapk.jar. You can also use Host/linux-x86/framework/signapk.jar to sign an APK directly:
$ Java-jar signapk [-W] publickey.x509[.pem] privatekey.pk8 Input.jar Output.jar
The "-W" means that the entire APK package (Zip package) is signed, and the signature is placed in the comment of the zip package.

Third-party APK signature mechanism

For third-party app developers, the APK signature is relatively straightforward. Third-party application development generally uses the Keytool and Jarsigner in the JDK to complete the management of the signature key and the signature of the APK.

Use Keytool to generate a keystore that stores the pair of public private keys:
$ keytool-genkey-v-keystore my-release-key.keystore-alias mykey-keyalg rsa-keysize 2048-validity 10000

To view the generated key information:
$ keytool-list-keystore My-release-key.keystore-alias mykey-v
Or
$ keytool-list-keystore My-release-key.keystore-alias MYKEY-RFC
(Note: Obtain a public key certificate in the BASE64 format, RFC 1421)

To export a public key certificate:
$ keytool-export-keystore Mystore-alias mykey-file My.der
(Note: Public key certificate in binary format, DER)
$ keytool-export-keystore Mystore-alias mykey-file MY.PEM-RFC
(Note: Base64 format public key certificate, PEM)

To sign the APK:
$ jarsigner-verbose-keystore My-release-key.keystore my_application.apk MyKey

Verify Signature:
$ jarsigner-verify-verbose-certs my_application.apk

In the development of Android two times, sometimes need to build/target/product/security the following public key pair into the form of keystore, you can refer to this article: the Android source code to convert the password to KeyStore method.

Android system Signature "Go"