【android12】给第三方应用APK添加系统签名

一、背景

自己或者客户的第三方apk需要用到很多系统权限，所以要内置到系统目录下，变成系统自带的APP，如果不用系统文件生成的签名安装，会导致APP远程更新失败提示签名错误。

二、环境准备

1.Ubuntu系统（推荐1804版本及以上）

• 安装JAVA-JDK11（如果已经有可以跳过）

  先检查JDK版本，不是11的话往下看

  java -version
  

  运行下面的命令安装Jdk11，要选择的地方选择Y，等待安装完成即可

  sudo apt install openjdk-11-jdk
  

2.Android系统源码一套

需要用到源码根目录以下几个文件
	
 - signapk.jar（系统路径：/out/host/linux-x86/framework/signapk.jar ）
 - libconscrypt_openjdk_jni.so （系统路径：/out/soong/host/linux-x86/lib64/libconscrypt_openjdk_jni.so）
 - platform.pk8 （系统路径：build/target/product/security）
 - platform.x509.pem （系统路径：build/target/product/security）

 另外需要准备不带签名的第三方APK文件
 - Test.apk

3.操作步骤

• 将第2步的libconscrypt_openjdk_jni.so文件改名为：conscrypt_openjdk_jni-windows-x86_64.so

• 在ubuntu新建一个文件夹apk_sign，将第2步列举的文件都放进去

• 执行命令

  java -Djava.library.path=. -jar signapk.jar platform.x509.pem platform.pk8 Test.apk signed.apk
  

  这步会生成一个文件叫signed.apk，就是已经完成系统签名的APK，但是这个是一次性的，下面继续介绍生成证书的步骤

• 依次执行下面的命令
  1.生成shared.priv.pem 文件

  openssl pkcs8 -in platform.pk8 -inform DER -outform PEM -out shared.priv.pem -nocrypt
  

  2.生成shared.pk12文件

  openssl pkcs12 -export -in platform.x509.pem -inkey shared.priv.pem -out shared.pk12 -name bubble
  

  3.生成jks 或者 keystone文件

  keytool -importkeystore -deststorepass android -destkeypass  android -destkeystore bubble.jks -srckeystore shared.pk12 -srcstoretype PKCS12 -srcstorepass android -alias bubble
  

  生成的bundle.jks拷贝到app源代码目录下，并在app文件夹下面的build.gradle加入以下配置

   android{
    
    
		signingConfigs {
    
    
	        release {
    
    
	            keyAlias 'bubble'
	            keyPassword 'android'
	            storePassword 'android'
	            storeFile file('../keystore/bubble.jks')
	        }
	    }
	}

编译生成的APK就可以放到系统目录下正常使用了

三、报错提示

• 没有openssl环境

Exception in thread "main" java.lang.ExceptionInInitializerError
        at org.conscrypt.OpenSSLBIOInputStream.<init>(OpenSSLBIOInputStream.java:34)
        at org.conscrypt.OpenSSLX509Certificate.fromX509PemInputStream(OpenSSLX509Certificate.java:119)
        at org.conscrypt.OpenSSLX509CertificateFactory$1.fromX509PemInputStream(OpenSSLX509CertificateFactory.java:220)
        at org.conscrypt.OpenSSLX509CertificateFactory$1.fromX509PemInputStream(OpenSSLX509CertificateFactory.java:216)
        at org.conscrypt.OpenSSLX509CertificateFactory$Parser.generateItem(OpenSSLX509CertificateFactory.java:94)
        at org.conscrypt.OpenSSLX509CertificateFactory.engineGenerateCertificate(OpenSSLX509CertificateFactory.java:272)
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
        at com.android.signapk.SignApk.readPublicKey(SignApk.java:184)
        at com.android.signapk.SignApk.main(SignApk.java:1007)
Caused by: java.lang.IllegalArgumentException: Failed to load any of the given libraries: [conscrypt_openjdk_jni-linux-x86_64, conscrypt_openjdk_jni-linux-x86_64-fedora, conscrypt_openjdk_jni]
        at org.conscrypt.NativeLibraryLoader.loadFirstAvailable(NativeLibraryLoader.java:160)
        at org.conscrypt.NativeCryptoJni.init(NativeCryptoJni.java:49)
        at org.conscrypt.NativeCrypto.<clinit>(NativeCrypto.java:53)
Exception in thread "main" java.lang.ExceptionInInitializerError
        at org.conscrypt.OpenSSLBIOInputStream.<init>(OpenSSLBIOInputStream.java:34)
        at org.conscrypt.OpenSSLX509Certificate.fromX509PemInputStream(OpenSSLX509Certificate.java:119)
        at org.conscrypt.OpenSSLX509CertificateFactory$1.fromX509PemInputStream(OpenSSLX509CertificateFactory.java:220)
        at org.conscrypt.OpenSSLX509CertificateFactory$1.fromX509PemInputStream(OpenSSLX509CertificateFactory.java:216)
        at org.conscrypt.OpenSSLX509CertificateFactory$Parser.generateItem(OpenSSLX509CertificateFactory.java:94)
        at org.conscrypt.OpenSSLX509Certificat

• JDK版本不对，升级到1.8+，推荐11

Error: A JNI error has occurred, please check your installation and try again
Exception in thread "main" java.lang.UnsupportedClassVersionError: 
com/android/signapk/SignApk has been 
compiled by a more recent version of the Java Runtime (class file version 53.0), 
this version of the Java Runtime only recognizes class file versions up to 52.0

• 缺少conscrypt_openjdk_jni-windows-x86_64.so文件（系统文件libconscrypt_openjdk_jni.so改名而来）

Exception in thread "main" java.lang.UnsatisfiedLinkError:
 no conscrypt_openjdk_jni-linux-x86_64 in java.library.path: 
 [/usr/java/packages/lib, /usr/lib/x86_64-linux-gnu/jni, /lib/x86_64-linux-gnu, /usr/lib/x86_64-linux-gnu, /usr/lib/jni, /lib, /usr/lib]

参考连接