Re-signing an Android apk after platform hardening (zipalign, apksigner, jarsigner). Operating environment: macOS


Foreword

A digression first: Android currently has signature schemes v1, v2, v3 and v4. v3 supports multiple certificates and v4 is an incremental signature; see the official documentation. This article still concentrates on v1 and v2.

That aside, the topic of this article is how to re-sign an apk after it has been hardened by a platform. When we download the hardened apk from a platform such as Tencent reinforcement, 360 reinforcement or Ai Encryption, we need to re-sign it. There are two ways to do that:

  • Java: jarsigner, the JAR signing tool bundled with the JDK. This produces what Android packaging calls the v1 signature, and it can only produce v1.
  • Android: apksigner, the Android-specific signing tool. This produces the v2 signature and supports several signature schemes (v1 to v4).

This article takes an apk package downloaded from one of the major hardening platforms and explains in detail the alignment (zipalign) and re-signing (jarsigner and apksigner) operations.

Operating environment

Item              Version
Operating system  macOS 13.0.1
Android Studio    2021.3.1 Patch 1 (Dolphin)
JDK               1.8.0_322
Android SDK       27.0.3

All three tools used in this article need to be on PATH (environment variables configured). Otherwise you have to open a terminal and change into each tool's directory:

  • zipalign tool location: SDK path/tools/zipalign (in current SDKs zipalign ships in build-tools/<version number>/ next to apksigner)

    For example: /Users/leomark/Library/Android/sdk/tools/zipalign

  • jarsigner tool location: JDK path/Contents/Home/bin/jarsigner

    For example: /Users/leomark/Library/Java/JavaVirtualMachines/corretto-1.8.0_322/Contents/Home/bin/jarsigner

  • apksigner tool location: SDK path/build-tools/<version number>/apksigner, where the version number must be >= 24.0.3

    For example: /Users/leomark/Library/Android/sdk/build-tools/27.0.3/apksigner

To configure the environment variables, refer to the earlier article "Flutter Development - Installation and Environment Configuration - Configuration Environment Variable Failure Problem" and add the following three entries to PATH (skip any that are already present and add only the missing ones):

export PATH="$PATH:<SDK path>/tools"
export PATH="$PATH:<JDK path>/Contents/Home/bin"
export PATH="$PATH:<SDK path>/build-tools/<version number>"   # version number must be >= 24.0.3
For example:
export PATH="$PATH:/Users/leomark/Library/Android/sdk/tools"
export PATH="$PATH:/Users/leomark/Library/Java/JavaVirtualMachines/corretto-1.8.0_322/Contents/Home/bin"
export PATH="$PATH:/Users/leomark/Library/Android/sdk/build-tools/27.0.3"

Note that apksigner was introduced by Google with Android 7.0 (Nougat), so the build-tools version must be >= 24.0.3; with older build-tools you can only produce a v1 package with jarsigner. Also note that each line above appends to the existing PATH ($PATH:...); assigning PATH to a single directory would hide every other command in the shell.

Alignment (zipalign)

zipalign is described in detail in the official documentation (see "Official Document - zipalign"). Our project already enables alignment at build time through the zipAlignEnabled true option, but the hardening step rewrites the apk and that alignment is lost, so we have to align the hardened package again. The relevant part of the build.gradle file in the project's app directory:

    buildTypes {
        release {
            minifyEnabled true                  // code shrinking and obfuscation
            buildConfigField "boolean", "LOG_DEBUG", "false" // do not print logs
            zipAlignEnabled true                // zipalign optimisation
            shrinkResources true                // remove unused resource files
            signingConfig signingConfigs.release
            multiDexKeepFile file('multidex-config.txt')
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }
        debug {
            minifyEnabled true                  // code shrinking and obfuscation
            buildConfigField "boolean", "LOG_DEBUG", "false" // do not print logs
            zipAlignEnabled true                // zipalign optimisation
            shrinkResources true                // remove unused resource files
            signingConfig signingConfigs.debug
            multiDexKeepFile file('multidex-config.txt')
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }
    }

Note that zipalign must be run at a different point depending on which signer you use:

  • With apksigner, you must run zipalign before signing the apk. Any further change to the apk after it has been signed with apksigner invalidates the signature.
  • With jarsigner, you must run zipalign after signing the apk.

Once the environment variables are configured, the alignment commands can be run from a terminal. First, the command that checks whether an apk is already aligned. Open a terminal and enter:

zipalign -c -v 4 <apk path>
For example:
zipalign -c -v 4 /Volumes/Data/Android_jiagu/teacher/jiagu.apk

The result is as follows (the hardened apk is not aligned):

[Screenshot: check-alignment command and its result (failed)]

The next step is the alignment itself. In the same terminal enter:

zipalign -v 4 <apk to align> <output path after alignment>
For example:
zipalign -v 4 /Volumes/Data/Android_jiagu/teacher/jiagu.apk /Volumes/Data/Android_jiagu/teacher/zipaligned.apk

The result is as follows. If the output ends with "Verification successful", the alignment succeeded. Running the check command described above on the new file now shows it is aligned:


Note: the apk name at the end of the check command must be changed to zipaligned.apk, because the alignment step wrote a new file with that name. The output name can of course be chosen freely.
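To make the alignment check concrete, here is an added example (not from the original post and not zipalign's own code) that does in Python what `zipalign -c -v 4` and `zipalign -v 4 in out` do: it reads each entry's local file header, reports whether the data of every uncompressed (stored) entry starts on a 4-byte boundary, and rewrites the archive with padding in the local extra field until it does. The sample archive is constructed inline and is not a real apk; the padding extra-field id 0xD935 is the one apksig uses and is assumed here to match zipalign's (the check itself does not depend on it). Entry names and sizes are hypothetical.

```python
"""Check and fix 4-byte alignment of the uncompressed entries of a ZIP/APK.

Added example for this page, not the zipalign source. It uses only the
Python standard library and works on bytes in memory.
"""
import io
import struct
import zipfile

LOCAL_HEADER_SIZE = 30   # fixed part of a ZIP local file header (PK\x03\x04 ...)
# Extra-field id used for padding by apksig's aligner; assumed to match
# zipalign. The alignment check below does not depend on this value.
PADDING_EXTRA_ID = 0xD935


def entry_data_offsets(zip_bytes):
    """Return [(name, data_offset, is_stored)], read from each *local* header.

    The local header is what matters: its extra field carries the padding,
    and its name/extra lengths decide where the entry's data starts.
    """
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            start = info.header_offset
            hdr = zip_bytes[start:start + LOCAL_HEADER_SIZE]
            if struct.unpack_from("<I", hdr)[0] != 0x04034B50:
                raise ValueError(f"bad local header for {info.filename}")
            name_len, extra_len = struct.unpack_from("<HH", hdr, 26)
            data_offset = start + LOCAL_HEADER_SIZE + name_len + extra_len
            rows.append((info.filename, data_offset,
                         info.compress_type == zipfile.ZIP_STORED))
    return rows


def check_alignment(zip_bytes, alignment=4):
    """Equivalent of `zipalign -c -v N`: returns (all_ok, per-entry report).

    Only stored entries are checked: compressed ones are inflated anyway,
    while stored ones are mapped straight out of the apk on the device.
    """
    report = []
    for name, offset, stored in entry_data_offsets(zip_bytes):
        ok = (not stored) or offset % alignment == 0
        report.append((name, offset, "OK" if ok else "BAD"))
    return all(status == "OK" for _, _, status in report), report


def align_zip(zip_bytes, alignment=4):
    """Equivalent of `zipalign N in.apk out.apk`: rewrite with padded extras."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zin, \
            zipfile.ZipFile(out, "w") as zout:
        for info in zin.infolist():
            new = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            new.compress_type = info.compress_type
            new.external_attr = info.external_attr
            if info.compress_type == zipfile.ZIP_STORED:
                # out.tell() is where the next local header will be written.
                data_start = (out.tell() + LOCAL_HEADER_SIZE
                              + len(info.filename.encode("utf-8")))
                pad = (-data_start) % alignment
                if pad:
                    extra_len = pad
                    while extra_len < 4:      # room for the (id, length) header
                        extra_len += alignment
                    new.extra = (struct.pack("<HH", PADDING_EXTRA_ID, extra_len - 4)
                                 + bytes(extra_len - 4))
            zout.writestr(new, zin.read(info))
    return out.getvalue()


def read_entry(zip_bytes, name):
    """Helper for checking that aligning did not alter entry contents."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def make_sample_zip():
    """Constructed sample, not a real apk: two stored entries whose data
    lands at offsets 35 and 82 (both misaligned) and one deflated entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("a.txt"), b"hello",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr(zipfile.ZipInfo("assets/b.bin"), bytes(range(16)),
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr(zipfile.ZipInfo("classes.dex"), b"dex\n" * 64,
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_zip()
    for label, blob in (("before", sample), ("after", align_zip(sample))):
        ok, report = check_alignment(blob)
        print(f"{label}: {'Verification successful' if ok else 'not aligned'}")
        for name, offset, status in report:
            print(f"  {offset:6d} {name} ({status})")
```

Running the script prints the "before" report with both stored entries marked BAD and the "after" report with every entry OK. Because the fix works by rewriting the whole archive, the same code also illustrates why a v2 signature cannot survive a later zipalign: every byte after the padded header moves.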

Re-signing with apksigner (recommended)

Re-signing with apksigner works like the zipalign step: there is a check command and a signing command.
Note:

  • When re-signing with apksigner, the apk must be aligned with zipalign first. You cannot align the apk after re-signing: the zipalign command still runs on a signed apk, but the alignment modifies the file and the signature becomes invalid.

So with apksigner the order is always: align with zipalign first, then re-sign.
The following command checks whether an apk is signed. Enter it in the open terminal:

apksigner verify -v <apk path to check>
For example:
apksigner verify -v /Volumes/Data/Android_jiagu/teacher/zipaligned.apk

The result is as follows (the aligned apk is not signed yet):

[Screenshot: apksigner verify result (not signed)]

Next, enter the apksigner re-signing command in the terminal (you can of course run it directly after zipalign without running the check first):

apksigner sign -verbose --ks <path to .jks file> --v1-signing-enabled <true|false: v1 signing on/off> --v2-signing-enabled <true|false: v2 signing on/off> --ks-key-alias <jks key alias> --ks-pass pass:<keystore password> --key-pass pass:<key password> --out <output path of the re-signed apk> <path of the aligned apk>
For example:
apksigner sign -verbose --ks /Volumes/Data/Android_jiagu/teacher/zhty.jks --v1-signing-enabled true --v2-signing-enabled true --ks-key-alias key --ks-pass pass:123456 --key-pass pass:123456 --out /Volumes/Data/Android_jiagu/teacher/signed.apk /Volumes/Data/Android_jiagu/teacher/zipaligned.apk

The terminal output is as follows; if "Signed" appears, the re-signing succeeded.

[Screenshot: apksigner re-signing succeeded]

Now run the check command again; the result is as follows:

[Screenshot: apksigner verify after re-signing]

When the two highlighted lines appear in the verification output, the apksigner re-signing succeeded and the apk package can be submitted to the major app markets.
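To see what the per-scheme verification results correspond to inside the file, here is an added example (not from the original post and not apksigner's code) that inspects an apk the way `apksigner verify -v` reports it: a v1 (JAR) signature shows up as META-INF/*.SF plus a .RSA/.DSA/.EC file, while v2 and v3 live in the APK Signing Block that sits directly before the central directory. It only detects presence; it validates no digest and no certificate. The apk-shaped sample archive and its signing block are constructed inline with placeholder bytes, and the block ids are the documented v2/v3 ids.

```python
"""Report which signature schemes an apk carries (added example).

Not apksigner's code: it only checks *presence* of the v1 signature files
and of the APK Signing Block, like the per-scheme lines of
`apksigner verify -v`, and validates no digest or certificate.
"""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A     # id of the v2 signature pair in the signing block
V3_BLOCK_ID = 0xF05368C0     # id of the v3 signature pair
EOCD_SIG = b"PK\x05\x06"
EOCD_MIN_SIZE = 22


def find_eocd(apk):
    """Offset of the End of Central Directory record (comment-aware search)."""
    start = max(0, len(apk) - EOCD_MIN_SIZE - 0xFFFF)   # comment is at most 64 KiB
    pos = apk.rfind(EOCD_SIG, start)
    if pos < 0:
        raise ValueError("no EOCD record: not a ZIP/APK")
    return pos


def central_directory_offset(apk):
    """The EOCD's 'offset of start of central directory' field."""
    return struct.unpack_from("<I", apk, find_eocd(apk) + 16)[0]


def has_v1_signature(apk):
    """v1 (JAR signing): META-INF/*.SF plus a .RSA/.DSA/.EC signature block."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = [n.upper() for n in zf.namelist() if n.startswith("META-INF/")]
    return (any(n.endswith(".SF") for n in names)
            and any(n.endswith((".RSA", ".DSA", ".EC")) for n in names))


def signing_block_ids(apk):
    """IDs of the id-value pairs in the APK Signing Block, or [] if absent.

    Layout (little-endian), placed directly before the central directory:
      size(8) | pairs: length(8) id(4) value | size(8) | magic(16)
    Both size fields exclude the leading 8-byte size field itself.
    """
    cd_off = central_directory_offset(apk)
    if cd_off < 32 or apk[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        return []
    size = struct.unpack_from("<Q", apk, cd_off - 24)[0]
    block_start = cd_off - size - 8
    if block_start < 0 or struct.unpack_from("<Q", apk, block_start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    ids, pos, end = [], block_start + 8, cd_off - 24
    while pos < end:
        pair_len = struct.unpack_from("<Q", apk, pos)[0]
        ids.append(struct.unpack_from("<I", apk, pos + 8)[0])
        pos += 8 + pair_len
    return ids


def describe(apk):
    """The same three per-scheme facts apksigner verify -v prints."""
    ids = signing_block_ids(apk)
    return {"v1": has_v1_signature(apk),
            "v2": V2_BLOCK_ID in ids,
            "v3": V3_BLOCK_ID in ids}


def build_sample_apk(v1=False, v2=False):
    """Constructed apk-shaped ZIP with placeholder (non-cryptographic) bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n")
        if v1:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"placeholder PKCS#7 bytes")
    apk = buf.getvalue()
    if not v2:
        return apk
    value = b"placeholder v2 signer bytes"
    pair = struct.pack("<QI", 4 + len(value), V2_BLOCK_ID) + value
    size = len(pair) + 24                       # pairs + trailing size + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    cd_off, eocd = central_directory_offset(apk), find_eocd(apk)
    patched = bytearray(apk[:cd_off] + block + apk[cd_off:])
    # The central directory moved by len(block): update the EOCD field as apksigner does.
    struct.pack_into("<I", patched, eocd + len(block) + 16, cd_off + len(block))
    return bytes(patched)


if __name__ == "__main__":
    for label, apk in (("unsigned", build_sample_apk()),
                       ("v1 only", build_sample_apk(v1=True)),
                       ("v1 + v2", build_sample_apk(v1=True, v2=True))):
        print(f"{label}: {describe(apk)}")
```

The placement of the block explains the ordering rule above: the v2 signature covers the zip entries, the central directory and the EOCD around it, so any later rewrite of the archive, zipalign included, changes the covered bytes and the signature no longer verifies.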

Re-signing with jarsigner (v1 only)

Re-signing with jarsigner works like apksigner: again there is only a check command and a signing command.
Note:

  • jarsigner signs the hardened apk before it is aligned with zipalign. If you run jarsigner after zipalign, the alignment is destroyed.

So with jarsigner the order is: re-sign first, then run zipalign. Open a terminal and enter:

jarsigner -verify <apk path to check>
For example:
jarsigner -verify /Volumes/Data/Android_jiagu/teacher/jiagu.apk

The result is as follows (the hardened apk is not signed):

[Screenshot: jarsigner -verify result (unsigned)]

Next, enter the jarsigner re-signing command in the terminal (you can of course run it directly without running the check first):

jarsigner -verbose -keystore <path to the signing keystore> -storepass <keystore password> -signedjar <output path of the re-signed apk> <path of the hardened apk> <key alias>
For example:
jarsigner -verbose -keystore /Volumes/Data/Android_jiagu/teacher/zhty.jks -storepass 123456 -signedjar /Volumes/Data/Android_jiagu/teacher/signed.apk /Volumes/Data/Android_jiagu/teacher/jiagu.apk key

The result is as follows:

[Screenshot: jarsigner re-signing output]

After signing, we run the check again:

[Screenshot: jarsigner -verify after signing]

Once the check passes, repeat the zipalign operation described above on the signed apk. The re-aligned, signed apk can then be submitted to the major app markets.

Order of operations

The order of operations for re-signing with jarsigner and with apksigner is:

  • jarsigner: check whether the apk is signed ===> re-sign with jarsigner ===> check that the re-signing succeeded ===> align with zipalign ===> check the alignment
  • apksigner: check the alignment ===> align with zipalign ===> check the alignment ===> check whether the apk is signed ===> re-sign with apksigner ===> check that the re-signing succeeded

The exact commands are given in the sections above. apksigner is the recommended tool, since it produces an apk carrying both the v1 and the v2 signature in one step.
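The whole sequence, as an added script (not from the original post or the Android SDK) that runs the commands above in the order each signer requires. It assumes the three tools are on PATH as configured earlier, takes the keystore and key passwords from environment variables (assumed names APK_KS_PASS and APK_KEY_PASS) instead of the command line, and stops at the first failing step; plan() returns the argv lists so the sequence can be reviewed before anything runs.

```python
"""Re-sign a hardened apk in the order each signer needs (added example).

apksigner: zipalign -> sign -> verify   (signing last keeps the v2 signature valid)
jarsigner: sign -> verify -> zipalign   (a v1 signature tolerates a later zipalign)
"""
import os
import shutil
import subprocess

# Environment variables holding the secrets (assumed names for this example).
KS_PASS_VAR = "APK_KS_PASS"
KEY_PASS_VAR = "APK_KEY_PASS"


def plan(signer, keystore, alias, hardened_apk, out_apk, aligned_apk="zipaligned.apk"):
    """Return the argv lists to run, in order, for the chosen signer."""
    zipalign = ["zipalign", "-f", "-v", "4"]          # -f: overwrite an existing output
    check_align = ["zipalign", "-c", "-v", "4"]
    if signer == "apksigner":
        return [
            zipalign + [hardened_apk, aligned_apk],
            check_align + [aligned_apk],
            ["apksigner", "sign", "--verbose",
             "--ks", keystore, "--ks-key-alias", alias,
             "--ks-pass", f"env:{KS_PASS_VAR}", "--key-pass", f"env:{KEY_PASS_VAR}",
             "--v1-signing-enabled", "true", "--v2-signing-enabled", "true",
             "--out", out_apk, aligned_apk],
            ["apksigner", "verify", "--verbose", out_apk],
        ]
    if signer == "jarsigner":
        signed_unaligned = out_apk + ".unaligned"
        return [
            ["jarsigner", "-verbose", "-keystore", keystore,
             "-storepass:env", KS_PASS_VAR, "-keypass:env", KEY_PASS_VAR,
             "-signedjar", signed_unaligned, hardened_apk, alias],
            ["jarsigner", "-verify", signed_unaligned],
            zipalign + [signed_unaligned, out_apk],
            check_align + [out_apk],
        ]
    raise ValueError("signer must be 'apksigner' or 'jarsigner'")


def run_plan(steps, dry_run=False):
    """Run each step, aborting on the first non-zero exit; dry_run only prints.

    Returns the number of steps that were processed."""
    for argv in steps:
        print("$", " ".join(argv))
        if dry_run:
            continue
        if shutil.which(argv[0]) is None:
            raise FileNotFoundError(f"{argv[0]} not on PATH; see the environment variable section")
        subprocess.run(argv, check=True)   # raises CalledProcessError on failure
    return len(steps)


if __name__ == "__main__":
    import sys
    signer = sys.argv[1] if len(sys.argv) > 1 else "apksigner"
    for var in (KS_PASS_VAR, KEY_PASS_VAR):
        if var not in os.environ:
            sys.exit(f"set {var} before running")
    base = "/Volumes/Data/Android_jiagu/teacher/"      # paths from the article's examples
    run_plan(plan(signer, base + "zhty.jks", "key", base + "jiagu.apk", base + "signed.apk"))
```

Usage: export APK_KS_PASS and APK_KEY_PASS, then run the script with "apksigner" or "jarsigner" as its only argument. The env: form of --ks-pass/--key-pass and the -storepass:env form of jarsigner keep the passwords out of the shell history and the process list, which a literal pass:123456 on the command line does not.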

zipalign reports "Output file '…apk' exists"

When the alignment command is run several times with the same output name, the terminal reports this error, as shown in the figure below:

[Screenshot: zipalign error, output file already exists]

The terminal is telling us that the output file already exists and the command as entered does not overwrite it. Looking up the zipalign definition on the Android developer site, the solution is at the end of the page:

Android Official Website - Alignment (zipalign)

The option list on the official site shows that adding -f makes zipalign overwrite the output file. So we have two options:

  • Before each hardening run, delete all apk files in the working folder, then run the command.
  • Add -f to the original command:
    •  zipalign -f -v 4 <apk to align> <output path after alignment>
       For example:
       zipalign -f -v 4 /Volumes/Data/Android_jiagu/teacher/jiagu.apk /Volumes/Data/Android_jiagu/teacher/zipaligned.apk

Summary

The above is this article's tutorial for re-signing an apk downloaded from a hardening platform. Once again, apksigner is the recommended tool, since it produces an apk carrying both the v1 and the v2 signature in one step.

If anything here is wrong or inaccurate, please point it out!


Origin blog.csdn.net/weixin_43683367/article/details/128398156