Article directory
V2 signature
Manually signing the application with the system requires three files: platform.pk8, platform.x509.pem, and signapk.jar. You need to add android:sharedUserId="android.uid.system" to the AndroidManifest.xml of the application , and then enter the following command You can get the signed apk file:
java -jar signapk.jar platform.x509.pem platform.pk8 target.apk sign.apk
If your application targetSdkVersion>=30 , if the installation fails on devices above 7.0, the following error will be reported:
Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES: Scanning Failed.: No signature found in package of version 2 or newer for package com.xxx.fotatest]
For Android11 (Api30) as the target platform, the apk must be signed with V2 or above, otherwise it cannot be installed successfully.
The following introduces a way to use system files to generate .jks signature files to system-sign Apk.
Generate .jks signature file
Go to the /build/target/product/security directory in the source code and enter the following command:
cd build/target/product/security/
// 1.生成 platform.pem
openssl pkcs8 -inform DER -nocrypt -in platform.pk8 -out platform.pem
// 2.生成 platform.p12
// 别名:systemkey
// 密码:123456
openssl pkcs12 -export -in platform.x509.pem -out platform.p12 -inkey platform.pem -password pass:123456 -name systemkey
// 3.生成 platform.jks文件
keytool -importkeystore -deststorepass 123456 -destkeystore ./platform.jks -srckeystore ./platform.p12 -srcstoretype PKCS12 -srcstorepass 123456
Entering the third command will prompt you to enter the source keystore password: directly enter 123456
正在将密钥库 ./platform.p12 导入到 ./platform.jks...
输入源密钥库口令:
已成功导入别名 systemkey 的条目。
已完成导入命令: 1 个条目成功导入, 0 个条目失败或取消
Warning:
<systemkey> uses the MD5withRSA signature algorithm which is considered a security risk and is disabled.
JKS 密钥库使用专用格式。建议使用 "keytool -importkeystore -srckeystore ./platform.jks -destkeystore ./platform.jks -deststoretype pkcs12" 迁移到行业标准格式 PKCS12。
The above completed import command line indicates that the .jks file was successfully created and migrated to the industry standard format according to the recommended commands.
keytool -importkeystore -srckeystore ./platform.jks -destkeystore ./platform.jks -deststoretype pkcs12
输入源密钥库口令:
已成功导入别名 systemkey 的条目。
已完成导入命令: 1 个条目成功导入, 0 个条目失败或取消
Warning:
<systemkey> uses the MD5withRSA signature algorithm which is considered a security risk and is disabled.
已将 "./platform.jks" 迁移到 Non JKS/JCEKS。将 JKS 密钥库作为 "./platform.jks.old" 进行了备份。
Platform.pem, platform.p12, platform.jks, platform.jks.old will be generated in the same directory.
Use the command to view .jks files
keytool -list -v -keystore platform.jks
输入密钥库口令:
密钥库类型: PKCS12
密钥库提供方: SUN
您的密钥库包含 1 个条目
别名: systemkey
创建日期: 2023-6-20
条目类型: PrivateKeyEntry
证书链长度: 1
证书[1]:
所有者: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
发布者: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
序列号: b3998086d056cffa
有效期为 Wed Apr 16 06:40:50 CST 2008 至 Sun Sep 02 06:40:50 CST 2035
证书指纹:
MD5: 27:19:6E:38:6B:87:5E:76:AD:F7:00:E7:EA:84:E4:C6:EE:E3:3D:FA
SHA1: C8:A2:E9:BC:CF:59:7C:2F:B6:DC:66:BE:E2:93:FC:13:F2:FC:47:EC:77:BC:6B:2B:0D:52:C1:1F:51:19:2A:B8
SHA256: MD5withRSA (disabled)
签名算法名称: 2048 位 RSA 密钥
主体公共密钥算法: 3
版本: {
10}
扩展:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4F E4 A0 B3 DD 9C BA 29 F7 1D 72 87 C4 E7 C3 8F O......)..r.....
0010: 20 86 C2 99 ...
]
[EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US]
SerialNumber: [ b3998086 d056cffa]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4F E4 A0 B3 DD 9C BA 29 F7 1D 72 87 C4 E7 C3 8F O......)..r.....
0010: 20 86 C2 99 ...
]
]
Studio quote platform.jks
Create a new key directory in the app directory, place platform.jks in the key directory, and
add the following content under build.gradle:
android {
...
signingConfigs {
release {
storeFile file("/key/platform.jks")
keyAlias "systemkey"
keyPassword "123456"
storePassword "123456"
}
}
buildTypes {
release {
minifyEnabled false
proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
signingConfig signingConfigs.release
}
debug {
minifyEnabled false
proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
signingConfig signingConfigs.release
}
}
}
Just run the program directly.
Manually sign the APK using platform.jks
Copy your Apk file and platform.jks to your /sdk/build-tools/30.0.2 directory
// 1.Zipalign 优化 APK
D:\Studio\sdk\build-tools\30.0.2>zipalign -f -v 4 target.apk sign.apk
// 2.签名APK
D:\Studio\sdk\build-tools\30.0.2>apksigner sign --ks platform.jks --ks-key-alias systemkey sign.apk
In this way, apply sign.apk after getting the signature
Note: System signing of an application requires adding android:sharedUserId="android.uid.system" to the AndroidManifest.xml of the application.
Use command to view APK file signature information
> keytool -printcert -jarfile sign.apk
签名者 #1:
签名:
所有者: EMAILADDRESS=android@android.com, CN=android, OU=android, O=android, L=Mountain View, ST=California, C=US
发布者: EMAILADDRESS=android@android.com, CN=android, OU=android, O=android, L=Mountain View, ST=California, C=US
序列号: 32aec6361322ef35697e6d76a2b65319be7b2d5c
有效期开始日期: Thu Aug 24 20:51:23 CST 2023, 截止日期: Mon Jan 09 20:51:23 CST 2051
证书指纹:
MD5: 96:5F:61:D7:DB:61:84:25:CD:6A:5B:C0:E1:3F:BA:6F
SHA1: FA:FE:E5:F9:09:7C:ED:A3:67:39:B0:BC:DC:36:C8:F8:DE:D6:23:9F
SHA256: 6A:A5:D2:29:1D:18:E6:28:D1:29:70:34:A9:3A:29:D0:A7:B6:DC:B8:57:85:2F:BA:41:85:2B:D1:0F:5D:47:86
签名算法名称: SHA256withRSA
版本: 3
扩展:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 00 4E 32 24 3D B6 55 3E 35 D8 48 47 1E 5A CA 44 .N2$=.U>5.HG.Z.D
0010: F8 C1 12 2E ....
]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 00 4E 32 24 3D B6 55 3E 35 D8 48 47 1E 5A CA 44 .N2$=.U>5.HG.Z.D
0010: F8 C1 12 2E ....
]
]
Refer to Microsoft official documentation:
https://learn.microsoft.com/zh-cn/xamarin/android/deploy-test/signing/manually-signing-the-apk#zipalign-the-apk