Android: After building platform source, how to sign arbitrary APK with platform key?
Asked Answered
E

2

26

As an experiment, I would like to use the platform key of my custom built Android platform to sign an arbitrary APK, that is built via the NDK. What is the process to go about doing this?

Entoil answered 22/11, 2010 at 16:42 Comment(1)
you also should delete META-INF folder in apk = zip -d my_application.apk META-INF/*Insouciance
T
46

If you have your platform key/certificate pair (.pk8 + x509.pem). Which can be found under build/target/product/security in the pulbic sdk.

You can use the SignApk.jar from the command line

java -jar SignApk.jar platform.x509.pem platform.pk8 Application.apk Application_signed.apk

Or to make automation easier, you can import the key/cert pair into your java keystore file, with the keytool-importkeypair, and use an ant makefile or eclipse for signing.

keytool-importkeypair -k ~/.android/debug.keystore -p android -pk8 platform.pk8 -cert platform.x509.pem -alias platform

Tiber answered 23/11, 2010 at 15:2 Comment(1)
Getting an error while adb install <signedApp> : "Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES: Failed to collect certificates from /data/app/vmdl500742354.tmp/base.apk: META-INF/PLATFORM.SF indicates /data/app/vmdl500742354.tmp/base.apk is signed using APK Signature Scheme v2, but no such signature was found. Signature stripped?]"Tramline
U
18

The signapk.jar (all lowercase) file mentioned in aprock' answer can be found at prebuilts/sdk/tools/lib/signapk.jar (or out/host/linux-x86/framework/signapk.jar).

Below I will describe how to manage the keystore used by Eclipse and ant release.


The following command takes the key file platform.pk8 and X509 certificate platform.x509.pem and outputs the decrypted key material in tmp.p12. The name platformkey is used to

openssl pkcs8 -inform DER -nocrypt -in platform.pk8 | \
    openssl pkcs12 -export -in platform.x509.pem -inkey /dev/stdin \
    -name platformkey -password pass: -out tmp.p12

Eclipse and ant debug use the keystore at ~/.android/debug.keystore which is locked with the password android. (You can also specify an other keystore file if you want to, e.g. ~/.android/mykeys.keystore.) The next command stores the key material from tmp.p12 in the keystore (without a password for the keys, if you want one, edit -srcstorepass '' below):

keytool -importkeystore -deststorepass android -srckeystore tmp.p12 \
    -srcstoretype PKCS12 -srcstorepass '' -destkeystore ~/.android/debug.keystore

At this point, you can delete the tmp.p12 file because it is no longer needed.

In order to check what is in your keystore, you can run the next keytool command (the output it shown on the line thereafter):

$ keytool -list -keystore ~/.android/debug.keystore -storepass android
...
platformkey, Nov 23, 2013, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 12:34:56:(stripped):AB:CD:EF

When you no longer need the key, it can be removed with:

keytool -delete -keystore ~/.android/debug.keystore -storepass android -alias platformkey

In your local.properties file, put (if you omit the key.*.password options, you have to enter it every time you sign the APK):

key.store=${user.home}/.android/debug.keystore
key.alias=platformkey
key.store.password=android
key.alias.password=

Now you can run ant release to sign your APK using the platform key you stored in a keystore.

Utrillo answered 23/11, 2013 at 21:52 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.