Original link:
http://blog.votzone.com/2018/05/05/android_signature.html
There are two ways to sign Android. One is to use the jarsigner tool provided by jdk to sign the keystore file, and the other is to use the signapk.jar provided by Android itself through two signature files, .pk8 (key) and .x509.pem (certificate). Complete the signature.
I used signapk to sign a package before, because it is simple and straightforward to sign a package without entering a password. I encountered a problem when uploading to Baidu today. After downloading the signature documentation, it said that I needed to use jarsigner to sign, so I researched The problem of mutual conversion between the next two signatures is solved.
And in order to reduce the cost of finding information when encountering such problems again in the future, I wrote a simple bat script for semi-automatic operation.
tool:
After the openssl
installation is complete, add the bin directory to the environment variable to use openssl
tools in the jdk/bin directory of keytool
signapk.jar is a tool for Android signing (the source code is under the source code of aosp)
jarsigner A tool in jdk for signing jars (or any zip package)
1. The signature process of two different signature schemes
1. jarsigner is a tool provided by jdk. It can be used after installing jdk. The command to use jarsigner to sign is as follows:
jarsigner -verbose -storepass 12345678 -keystore testkey.jks -signedjar signed_out.apk 111.zip testkey
in
-verbose means output verbose information
-storepass indicates the password of the signature store
-keystore indicates the signature file path
-signedjar indicates the output file path after signing
Finally, it is followed by the file path to be signed and the alias of the keystore
Detailed parameters can be viewed through jarsigner -help, and the Chinese is still very clear.
2. signapk is a tool provided by android to sign apk alone. How to use it:
java -jar signapk.jar testkey.x509.pem testkey.pk8 111 . zip signed_out.apk
It can be seen that the jarsigner signature needs to provide a signature file jks and the password of the signature library, and if the password of the signature library is different from the key password, the key password needs to be provided; (hereinafter we call jks signature or jks signature library)
The signapk signature only needs to provide a pk8 file and an x509.pem file. (The following two files are referred to as pk8 signatures for short)
2. Convert pk8 signature to jks signature library
Next, we solve the signature problem of Baidu channel. The first step is to convert our pk8 signature to jks signature.
Through online search, we learned that java signature library files usually have .keystore and .jks suffixes, so we can think that the .keystore signature in the previous eclipse era is in the same format as the .jks signature in the Android Studio era.
Now that we have the pk8 signature, we can use openssl and keytool to merge it into the jks signature library
The following is an example of merging the testkey.pk8/testkey.x509.pem signature file into the testkey.jks signature library, and setting its password 12345678 and alias testkey
a)
openssl pkcs8 -inform DER -nocrypt -in testkey.pk8 -out testkey.pem
Use open ssl to decrypt pk8 into pem file, and generate a testkey.pem file at this time
b)
openssl pkcs12 -export -in testkey.x509.pem -inkey testkey.pem -out platform.p12 -password pass:12345678 -name testkey
Import the two pem files into the platform.p12 file, and set the alias testkey and keypass password: 12345678 (alias and password can be customized)
platform.p12 will be newly generated
c)
keytool -importkeystore -deststorepass 12345678 -destkeystore testkey.jks -srckeystore platform.p12 -srcstoretype PKCS12 -srcstorepass 12345678
Use keytool to import the previously generated platform.p12 into the testkey.jks signature, and set the storepass password (12345678)
Need to provide correct keypass password
At this point, the required testkey.jks signature file is generated
d)
keytool -list -v -keystore testkey.jks
View the generated signature information
Note: storepass and keypass can be different
When the two passwords are the same, you only need to provide storepass when signing with jarsigner
Otherwise, two passwords are required
You only need to provide storepass when viewing keytool -list
With the jks signing library, we sign the empty package
jarsigner -verbose -storepass 12345678 -keystore testkey.jks -signedjar jks_out.apk 111.zip testkey
The command signs the input file 111.zip as jks_out.apk by providing -stroepass (password) and alias (testkey)
Next, we provide a simple bat script to generate jks from pk8 signature. The script needs to configure the openssl keytool path, and manually set the file name to be signed.
For the script, see cvt2jks.bat in the github code base at the end of the article
The tool running directory is as follows
3. Extract the pk8 signature from the jks signature library
openssl can merge the signature used by signapk into the jarsigner signature, and it can also be separated. The specific operation steps are as follows:
a)
keytool -importkeystore -srckeystore testkey.jks -destkeystore testkey.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass 12345678 -deststorepass 12345678 -noprompt
First convert testkey.jks into a .p12 file. During execution, you need to enter the srcstore password and deststroe password, which are specified by -srcstorepass and -deststorepass on the command line
b)
openssl pkcs12 -in testkey.p12 -nodes -out testkey_all.rsa.pem -password pass:12345678
Use openssl's pkcs12 command to export the certificate in the p12 file,
-password pass:12345678 In order to omit the subsequent password input step
Through the online tutorial, we can see that the above code exports the key and certificate at the same time, and the certificate needs to be manually copied to generate the .x509.pem signature
Looking at the openssl help documentation, we know that we can export only the certificate or key, so we can export only the certificate through the -nokeys parameter
openssl pkcs12 -in testkey.p12 -nodes -nokeys -out testkey.x509.pem -password pass:12345678
Export key via -cacerts parameter
openssl pkcs12 -in testkey.p12 -nodes -cacerts -out testkey.rsa.pem -password pass:12345678
c) Generate pk8 according to the key file generated in b), you can use testkey_all.rsa.pem or testkey.rsa.pem
openssl pkcs8 -topk8 -outform DER - in testkey.rsa.pem -inform PEM -out testkey.pk8 -nocrypt
As above testkey.pk8 and testkey.x509.pem are the required signatures
A simple bat script
See the jks2pk8.bat file in the github code base at the end of the article
Fourth, explore the generation of jks signature
We know that we can use Android Studio to generate jks, is there a command line tool?
keytool can do this
Core command keytool -genkey -v -keystore app.jks -alias app -keyalg RSA -validity 999999
As above, specify the name of the signature file to be generated, alias and validity period (day)
During the operation, you need to enter two passwords, one is the password password (keypass), and the other is the keystore password (storepass)
Can be specified with -keypass and -storepass
Simple bat script
See the genkey.bat file in the github code base at the end of the article
Five, signature case analysis
Create a jks signature app.jks, split the jks signature into the pk8 signature required by signapk, and then merge the pk8 signature back into jks
Use the above three signatures to sign the consent file respectively. The comparison is as follows: The certificates are all the same!
PS: Attach command-line operations for signing with signapk.jar and jarsigner tools
signapk.jar signature example
java -jar signapk.jar testkey.x509.pem testkey.pk8 111.zip jifei_out.apk
jarsigner tool signing example
jarsigner -verbose -storepass 12345678 -keystore testkey.jks -signedjar jks_out.apk 111.zip testkey
The final testkey is an alias
script: