Android 11.0: generating a system signature .jks file and signing an APK

V2 signature

Manually signing an application with the system key requires three files: platform.pk8, platform.x509.pem, and signapk.jar. Add android:sharedUserId="android.uid.system" to the application's AndroidManifest.xml, then run the following command to get the signed APK file:

 java -jar signapk.jar platform.x509.pem platform.pk8 target.apk sign.apk

If your application has targetSdkVersion>=30, installation fails on devices above 7.0 and the following error is reported:

 Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES: Scanning Failed.: No signature found in package of version 2 or newer for package com.xxx.fotatest]

An APK that targets Android 11 (API 30) must be signed with V2 or above, otherwise it cannot be installed.
The following describes how to generate a .jks signature file from the system key files and use it to system-sign an APK.

Generate .jks signature file

Go to the /build/target/product/security directory in the source tree and enter the following commands:

 cd build/target/product/security/

 # 1. Generate platform.pem
 openssl pkcs8 -inform DER -nocrypt -in platform.pk8 -out platform.pem

 # 2. Generate platform.p12
 #    Alias: systemkey
 #    Password: 123456
 openssl pkcs12 -export -in platform.x509.pem -out platform.p12 -inkey platform.pem -password pass:123456 -name systemkey

 # 3. Generate the platform.jks file
 keytool -importkeystore -deststorepass 123456 -destkeystore ./platform.jks -srckeystore ./platform.p12 -srcstoretype PKCS12 -srcstorepass 123456

The third command prompts for the source keystore password; enter 123456:

 正在将密钥库 ./platform.p12 导入到 ./platform.jks...
 输入源密钥库口令:  
 已成功导入别名 systemkey 的条目。
 已完成导入命令: 1 个条目成功导入, 0 个条目失败或取消

 Warning:
 <systemkey> uses the MD5withRSA signature algorithm which is considered a security risk and is disabled.
 JKS 密钥库使用专用格式。建议使用 "keytool -importkeystore -srckeystore ./platform.jks -destkeystore ./platform.jks -deststoretype pkcs12" 迁移到行业标准格式 PKCS12

The "import command completed" line above indicates that the .jks file was created successfully. Next, migrate it to the industry-standard format with the command that keytool recommends:

 keytool -importkeystore -srckeystore ./platform.jks -destkeystore ./platform.jks -deststoretype pkcs12
 输入源密钥库口令:  
 已成功导入别名 systemkey 的条目。
 已完成导入命令: 1 个条目成功导入, 0 个条目失败或取消

 Warning:
 <systemkey> uses the MD5withRSA signature algorithm which is considered a security risk and is disabled.
 已将 "./platform.jks" 迁移到 Non JKS/JCEKS。将 JKS 密钥库作为 "./platform.jks.old" 进行了备份。

platform.pem, platform.p12, platform.jks, and platform.jks.old are generated in the same directory.

View the .jks file with keytool

 keytool -list -v -keystore platform.jks
 输入密钥库口令:  
 密钥库类型: PKCS12
 密钥库提供方: SUN

 您的密钥库包含 1 个条目

 别名: systemkey
 创建日期: 2023-6-20
 条目类型: PrivateKeyEntry
 证书链长度: 1
 证书[1]:
 所有者: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
 发布者: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
 序列号: b3998086d056cffa
 有效期为 Wed Apr 16 06:40:50 CST 2008 至 Sun Sep 02 06:40:50 CST 2035
 证书指纹:
	 SHA1: 27:19:6E:38:6B:87:5E:76:AD:F7:00:E7:EA:84:E4:C6:EE:E3:3D:FA
	 SHA256: C8:A2:E9:BC:CF:59:7C:2F:B6:DC:66:BE:E2:93:FC:13:F2:FC:47:EC:77:BC:6B:2B:0D:52:C1:1F:51:19:2A:B8
 签名算法名称: MD5withRSA (disabled)
 主体公共密钥算法: 2048 位 RSA 密钥
 版本: 3

 扩展: 

 #1: ObjectId: 2.5.29.35 Criticality=false
 AuthorityKeyIdentifier [
 KeyIdentifier [
 0000: 4F E4 A0 B3 DD 9C BA 29   F7 1D 72 87 C4 E7 C3 8F  O......)..r.....
 0010: 20 86 C2 99                                         ...
 ]
 [EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US]
 SerialNumber: [    b3998086 d056cffa]
 ]

 #2: ObjectId: 2.5.29.19 Criticality=false
 BasicConstraints:[
   CA:true
   PathLen:2147483647
 ]

 #3: ObjectId: 2.5.29.14 Criticality=false
 SubjectKeyIdentifier [
 KeyIdentifier [
 0000: 4F E4 A0 B3 DD 9C BA 29   F7 1D 72 87 C4 E7 C3 8F  O......)..r.....
 0010: 20 86 C2 99                                         ...
 ]
 ]

Referencing platform.jks in Android Studio

Create a new key directory in the app directory, place platform.jks in the key directory, and add the following content to build.gradle:

 android {
     // ...
     signingConfigs {
         release {
             // Path is relative to the app module directory, where the key directory was created
             storeFile file("key/platform.jks")
             // Alias and passwords set in the openssl/keytool steps above
             keyAlias "systemkey"
             keyPassword "123456"
             storePassword "123456"
         }
     }

     buildTypes {
         release {
             minifyEnabled false
             proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
             signingConfig signingConfigs.release
         }
         debug {
             minifyEnabled false
             proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
             // Debug builds are signed with the same platform key
             signingConfig signingConfigs.release
         }
     }
 }

Then build and run the app directly.

Manually sign the APK using platform.jks

Copy your APK file and platform.jks to your /sdk/build-tools/30.0.2 directory:

 REM 1. Zipalign to optimize the APK
 D:\Studio\sdk\build-tools\30.0.2>zipalign -f -v 4 target.apk sign.apk

 REM 2. Sign the APK
 D:\Studio\sdk\build-tools\30.0.2>apksigner sign --ks platform.jks --ks-key-alias systemkey sign.apk

This produces the signed application, sign.apk.

Note: System signing of an application requires adding android:sharedUserId="android.uid.system" to the AndroidManifest.xml of the application.

View the APK file's signature information with keytool

> keytool -printcert -jarfile sign.apk
签名者 #1:

签名:

所有者: EMAILADDRESS=android@android.com, CN=android, OU=android, O=android, L=Mountain View, ST=California, C=US
发布者: EMAILADDRESS=android@android.com, CN=android, OU=android, O=android, L=Mountain View, ST=California, C=US
序列号: 32aec6361322ef35697e6d76a2b65319be7b2d5c
有效期开始日期: Thu Aug 24 20:51:23 CST 2023, 截止日期: Mon Jan 09 20:51:23 CST 2051
证书指纹:
         MD5: 96:5F:61:D7:DB:61:84:25:CD:6A:5B:C0:E1:3F:BA:6F
         SHA1: FA:FE:E5:F9:09:7C:ED:A3:67:39:B0:BC:DC:36:C8:F8:DE:D6:23:9F
         SHA256: 6A:A5:D2:29:1D:18:E6:28:D1:29:70:34:A9:3A:29:D0:A7:B6:DC:B8:57:85:2F:BA:41:85:2B:D1:0F:5D:47:86
         签名算法名称: SHA256withRSA
         版本: 3

扩展:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 00 4E 32 24 3D B6 55 3E   35 D8 48 47 1E 5A CA 44  .N2$=.U>5.HG.Z.D
0010: F8 C1 12 2E                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 00 4E 32 24 3D B6 55 3E   35 D8 48 47 1E 5A CA 44  .N2$=.U>5.HG.Z.D
0010: F8 C1 12 2E                                        ....
]
]
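
keytool -printcert -jarfile reads only the JAR (v1) signature, so it cannot confirm the V2 signature that the INSTALL_PARSE_FAILED_NO_CERTIFICATES error above is about. The following Python check is an added example, not part of the original post: it looks for the APK Signing Block in front of the ZIP central directory and reports which scheme IDs it carries. The function names and the constructed sample archive (whose dummy block contains no real signature) are assumptions of this example.

```python
import io
import struct
import zipfile

APK_SIG_MAGIC = b"APK Sig Block 42"
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}  # APK Signature Scheme block IDs

def central_directory_offset(data: bytes) -> int:
    """Read the central directory offset from the ZIP End of Central Directory record."""
    # EOCD is 22 bytes plus an optional comment of at most 65535 bytes.
    eocd = data.rfind(b"PK\x05\x06", max(0, len(data) - 22 - 0xFFFF))
    if eocd < 0:
        raise ValueError("not a ZIP/APK: no End of Central Directory record")
    return struct.unpack_from("<I", data, eocd + 16)[0]

def signature_schemes(data: bytes) -> set:
    """Return the v2+ schemes present in the APK Signing Block (empty set if none)."""
    cd = central_directory_offset(data)
    # The block ends right before the central directory: uint64 size, then the magic.
    if cd < 32 or data[cd - 16:cd] != APK_SIG_MAGIC:
        return set()  # v1-only or unsigned: rejected when targetSdkVersion >= 30
    size = struct.unpack_from("<Q", data, cd - 24)[0]
    start = cd - size - 8  # the leading size field is not counted in `size`
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("corrupt APK Signing Block: size fields disagree")
    found, pos, end = set(), start + 8, cd - 24
    while pos + 12 <= end:  # each pair: uint64 length, uint32 ID, value
        pair_len, pair_id = struct.unpack_from("<QI", data, pos)
        if pair_len < 4 or pos + 8 + pair_len > end:
            raise ValueError("corrupt ID-value pair in APK Signing Block")
        if pair_id in SCHEME_IDS:
            found.add(SCHEME_IDS[pair_id])
        pos += 8 + pair_len
    return found

def constructed_apk(ids=()) -> bytes:
    """Constructed sample: tiny ZIP, optionally with a dummy block that carries no real signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"placeholder")
    data = buf.getvalue()
    if not ids:
        return data
    cd, eocd = central_directory_offset(data), data.rfind(b"PK\x05\x06")
    pairs = b"".join(struct.pack("<QI", 8, i) + b"\0" * 4 for i in ids)
    size = struct.pack("<Q", len(pairs) + 24)  # pairs + trailing size + magic
    block = size + pairs + size + APK_SIG_MAGIC
    data = data[:eocd + 16] + struct.pack("<I", cd + len(block)) + data[eocd + 20:]
    return data[:cd] + block + data[cd:]
```

For a real file, pass the bytes of sign.apk to signature_schemes(). This only tests for the presence of a V2/V3 block; `apksigner verify --verbose sign.apk` performs the actual cryptographic verification.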

Reference (Microsoft official documentation):
https://learn.microsoft.com/zh-cn/xamarin/android/deploy-test/signing/manually-signing-the-apk#zipalign-the-apk

Origin blog.csdn.net/wxd_csdn_2016/article/details/131300689