Android: How to signed APK

Post Reply
tong
Site Admin
Posts: 2381
Joined: Fri 01 May 2009 8:55 pm

Android: How to signed APK

Post by tong »

aapt.exe			https://developer.android.com/studio/releases/build-tools
				https://dl.google.com/android/repository/build-tools_r29.0.3-windows.zip

adb.exe				https://developer.android.com/studio/releases/platform-tools
  AdbWinApi.dll			https://dl.google.com/android/repository/platform-tools_r31.0.2-windows.zip
  AdbWinUsbApi.dll		
fastboot.exe

apktool_2.5.0.jar		https://bitbucket.org/iBotPeaches/apktool/downloads/

jarsigner.exe			https://docs.oracle.com/javase/9/tools/jarsigner.htm

zipalign.exe			https://developer.android.com/studio/command-line/zipalign
  libwinpthread-1.dll
apksigner.jar			https://developer.android.com/studio/command-line/apksigner

If you use jarsigner, zipalign must only be performed after the APK file has been signed.
If you use apksigner, zipalign must only be performed before the APK file has been signed.

keytool.exe			https://docs.oracle.com/javase/9/tools/keytool.htm

openssl.exe			http://gnuwin32.sourceforge.net/packages/openssl.htm
  openssl.cnf
  libcrypto-1_1-x64.dll
  libssl-1_1-x64.dll
tong
Site Admin
Posts: 2381
Joined: Fri 01 May 2009 8:55 pm

Re: Android: How to signed APK

Post by tong »

=========================================================================================================================
There are two types of the private key and certificate files.
=========================================================================================================================

(1) Combine - Oracle Keystore (*.keystore, *.jks) 
(2) Split   - Private key (*.pk8, *.pem) and Certificate (*.x509.pem)


=========================================================================================================================
Create myKey.keystore by keytool (Need alias and password)
=========================================================================================================================

"C:\Program Files\Java\jre1.8.0_301\bin\keytool.exe" -genkeypair -v -alias myKey -storepass 123456 -keypass 123456 -keystore myKey.keystore -keyalg RSA -keysize 2048 -validity 9999 -dname "EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US"


=========================================================================================================================
Create myKey.pk8 and myKey.x509.pem by openssl 1.x.x
=========================================================================================================================

(1)	openssl genrsa  -out myKey.pem 2048
	-or-
	openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out myKey.pem

(2)	openssl req     -new   -key myKey.pem -out myKey.req.pem -subj "/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com" -config openssl.cnf

(3)	openssl x509    -req   -days 9999 -in myKey.req.pem -signkey myKey.pem -out myKey.x509.pem

(4)	openssl pkcs8   -topk8 -nocrypt -inform PEM -outform DER -in myKey.pem -out myKey.pk8

-or-

(1)	openssl req     -x509  -days 9999 -newkey rsa:2048 -nodes -keyout myKey.pem -out myKey.x509.pem -subj "/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com" -config openssl.cnf

(2)	openssl pkcs8   -topk8 -nocrypt -inform PEM -outform DER -in myKey.pem -out myKey.pk8
tong
Site Admin
Posts: 2381
Joined: Fri 01 May 2009 8:55 pm

Re: Android: How to signed APK

Post by tong »

=============================================================================================================
Sign APK
=============================================================================================================

(1)	java -jar jarsigner.jar -keystore myKey.keystore -storepass 123456 -signedjar gg.Signed.apk gg.apk myKey

(2)	zipalign.exe -f -p 4  gg.Signed.apk  gg.Align.apk

-or-

(1)	zipalign.exe -f -p 4  gg.apk         gg.Align.apk

(2)	java -jar apksigner.jar sign  --key myKey.pk8       --cert myKey.x509.pem  --out gg.Signed.apk gg.Align.apk
	-or-
	java -jar apksigner.jar sign  --ks  myKey.keystore  --ks-pass pass:123456  --out gg.Signed.apk gg.Align.apk
tong
Site Admin
Posts: 2381
Joined: Fri 01 May 2009 8:55 pm

Re: Android: How to signed APK

Post by tong »

=========================================================================================================================
Verify/View APK
=========================================================================================================================

"C:\Program Files\Java\jre1.8.0_301\bin\keytool.exe" -printcert -jarfile gg.Signed.apk

-or-

java -jar jarsigner.jar -verify -verbose -certs gg.Signed.apk

-or-

java -jar apksigner.jar verify -v --print-certs gg.Signed.apk
tong
Site Admin
Posts: 2381
Joined: Fri 01 May 2009 8:55 pm

Re: Android: How to signed APK

Post by tong »

Self Signed Certificate always Blocked by Play Protect

Play Protect doesn't recognise this app's developer.
We have to submit an app to Google Play Console to recognize the fingerprint.
blocked.png
tong
Site Admin
Posts: 2381
Joined: Fri 01 May 2009 8:55 pm

Re: Android: How to signed APK

Post by tong »

-dname "CN=Android Debug, OU=Android, O=US, L=US, ST=US, C=US"
-subj  "/C=US/ST=US/L=US/O=US/OU=Android/CN=Android Debug"

-dname "EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US"
-subj  "/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com"
tong
Site Admin
Posts: 2381
Joined: Fri 01 May 2009 8:55 pm

Re: Android: How to signed APK

Post by tong »

=============================================================================================================
Certificates and private keys
=============================================================================================================

Each key comes in two files: 
the certificate, which has the extension .x509.pem, and the private key, which has the extension .pk8.

The private key should be kept secret and is needed to sign a package. The key may itself be protected by a password.
The certificate, in contrast, contains only the public half of the key, so it can be distributed widely. 
It is used to verify a package has been signed by the corresponding private key.


=============================================================================================================
The standard Android build uses five keys, all of which reside in build/target/product/security:
=============================================================================================================

testkey      : Generic default key for packages that do not otherwise specify a key.
platform     : Test key for packages that are part of the core platform.
shared       : Test key for things that are shared in the home/contacts process.
media        : Test key for packages that are part of the media/download system.
networkstack : Test key for packages that are part of the networking system. 
               The networkstack key is used to sign binaries designed as Modular System Components.
               If your module updates are built separately and integrated as prebuilts in your device image,
               you may not need to generate a networkstack key in the Android source tree.

"C:\Program Files\Java\jre1.8.0_301\bin\keytool.exe" -printcert -file testkey.x509.pem
"C:\Program Files\Java\jre1.8.0_301\bin\keytool.exe" -printcert -file platform.x509.pem
"C:\Program Files\Java\jre1.8.0_301\bin\keytool.exe" -printcert -file shared.x509.pem
"C:\Program Files\Java\jre1.8.0_301\bin\keytool.exe" -printcert -file media.x509.pem
"C:\Program Files\Java\jre1.8.0_301\bin\keytool.exe" -printcert -file networkstack.x509.pem
"C:\Program Files\Java\jre1.8.0_301\bin\keytool.exe" -printcert -file verity.x509.pem
"C:\Program Files\Java\jre1.8.0_301\bin\keytool.exe" -printcert -file cts_uicc_2021.x509.pem

https://source.android.com/devices/tech/ota/sign_builds
https://android.googlesource.com/platform/build/+/refs/heads/master/target/product/security/
https://github.com/aosp-mirror/platform_build/tree/master/target/product/security
tong
Site Admin
Posts: 2381
Joined: Fri 01 May 2009 8:55 pm

Re: Android: How to signed APK

Post by tong »

Alias     : androiddebugkey
StorePass : android
KeyPass   : android


=============================================================================================================
Convert testkey.pk8 and testkey.x509.pem to testkey.keystore
=============================================================================================================

openssl.exe pkcs8  -nocrypt -inform DER            -outform PEM                                -in testkey.pk8       -out testkey.pem
openssl.exe pkcs12 -export  -name androiddebugkey  -password pass:android  -inkey testkey.pem  -in testkey.x509.pem  -out testkey.keystore.p12

"C:\Program Files\Java\jre1.8.0_301\bin\keytool.exe" -importkeystore -srckeystore testkey.keystore.p12 -destkeystore testkey.keystore -srcstoretype PKCS12 -deststoretype JKS -srcstorepass android


=============================================================================================================
Convert testkey.keystore to testkey.pk8 and testkey.x509.pem
=============================================================================================================

"C:\Program Files\Java\jre1.8.0_301\bin\keytool.exe" -importkeystore -srckeystore testkey.keystore -destkeystore testkey.keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass android

openssl.exe pkcs12 -nokeys                                       -in testkey.keystore.p12  -out testkey.x509.pem
openssl.exe pkcs12 -nocerts -nodes                               -in testkey.keystore.p12  -out testkey.pem
openssl.exe pkcs8  -topk8   -nocrypt  -inform PEM  -outform DER  -in testkey.pem           -out testkey.pk8


=============================================================================================================
testkey.pk8 and testkey.x509.pem
=============================================================================================================

Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
Signer #1 certificate DN: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc
Signer #1 certificate SHA-1 digest: 61ed377e85d386a8dfee6b864bd85b0bfaa5af81
Signer #1 certificate MD5 digest: e89b158e4bcf988ebd09eb83f5378e87
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: ef57b690165cb561b5026922c00d2d6574e8b184fa7d161e076f06e06e6d35db
Signer #1 public key SHA-1 digest: 0c2440c055c753a8f0493b4e602d3ea0096b1023
Signer #1 public key MD5 digest: 452f8cfe026b30a8a3e99a6074e5f285
Attachments
Key-ASOP.zip
[ 19.06 KiB | Downloaded 337 times ]
tong
Site Admin
Posts: 2381
Joined: Fri 01 May 2009 8:55 pm

Re: Android: How to signed APK

Post by tong »

Alias     : lorenz
StorePass : 123456
KeyPass   : 123456


=============================================================================================================
Convert lorenz.pk8 and lorenz.x509.pem to lorenz.keystore
=============================================================================================================

openssl.exe pkcs8  -nocrypt -inform DER   -outform PEM                              -in lorenz.pk8       -out lorenz.pem
openssl.exe pkcs12 -export  -name lorenz  -password pass:123456  -inkey lorenz.pem  -in lorenz.x509.pem  -out lorenz.keystore.p12

"C:\Program Files\Java\jre1.8.0_301\bin\keytool.exe" -importkeystore -srckeystore lorenz.keystore.p12 -destkeystore lorenz.keystore -srcstoretype PKCS12 -deststoretype JKS -srcstorepass 123456


=============================================================================================================
Convert lorenz.keystore to lorenz.pk8 and lorenz.x509.pem
=============================================================================================================

"C:\Program Files\Java\jre1.8.0_301\bin\keytool.exe" -importkeystore -srckeystore lorenz.keystore -destkeystore lorenz.keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass 123456

openssl.exe pkcs12 -nokeys                                       -in lorenz.keystore.p12  -out lorenz.x509.pem
openssl.exe pkcs12 -nocerts -nodes                               -in lorenz.keystore.p12  -out lorenz.pem
openssl.exe pkcs8  -topk8   -nocrypt  -inform PEM  -outform DER  -in lorenz.pem           -out lorenz.pk8


=============================================================================================================
lorenz.pk8 and lorenz.x509.pem
=============================================================================================================

Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1
Signer #1 certificate DN: EMAILADDRESS=lorenz@londatiga.net, CN=Lorensius W. L. T, OU=AndroidDev, O=Londatiga, L=Bandung, ST=Jawa Barat, C=ID
Signer #1 certificate SHA-256 digest: 518ac8bdaf0c767deb31bae1eba826adbef793a68f22784cf3e19c67ba87ecb9
Signer #1 certificate SHA-1 digest: ece521e38c5e9cbea53503eaef1a6ddd204583fa
Signer #1 certificate MD5 digest: eea6f6f40858b8215c48b0465fe479b8
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 1024
Signer #1 public key SHA-256 digest: d8dc2ef9b37fcb543b07678a2d64d3a1dc5122642ee824a61dfbed0bf86d25c4
Signer #1 public key SHA-1 digest: 74bd7b456d9e651fc84446f65041bef1207c408d
Signer #1 public key MD5 digest: 58d291bc49e568eb8fc84dabaf508d08
Attachments
Key-Lorenz.zip
[ 2.57 KiB | Downloaded 333 times ]
tong
Site Admin
Posts: 2381
Joined: Fri 01 May 2009 8:55 pm

Re: Android: How to signed APK

Post by tong »

Alias     : androiddebugkey
StorePass : android
KeyPass   : android


=============================================================================================================
Convert debug.pk8 and debug.x509.pem to debug.keystore
=============================================================================================================

openssl.exe pkcs8  -nocrypt -inform DER            -outform PEM                              -in debug.pk8       -out debug.pem
openssl.exe pkcs12 -export  -name androiddebugkey  -password pass:android  -inkey debug.pem  -in debug.x509.pem  -out debug.keystore.p12

"C:\Program Files\Java\jre1.8.0_301\bin\keytool.exe" -importkeystore -srckeystore debug.keystore.p12 -destkeystore debug.keystore -srcstoretype PKCS12 -deststoretype JKS -srcstorepass android


=============================================================================================================
Convert debug.keystore to debug.pk8 and debug.x509.pem
=============================================================================================================

"C:\Program Files\Java\jre1.8.0_301\bin\keytool.exe" -importkeystore -srckeystore debug.keystore -destkeystore debug.keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass android

openssl.exe pkcs12 -nokeys                                       -in debug.keystore.p12  -out debug.x509.pem
openssl.exe pkcs12 -nocerts -nodes                               -in debug.keystore.p12  -out debug.pem
openssl.exe pkcs8  -topk8   -nocrypt  -inform PEM  -outform DER  -in debug.pem           -out debug.pk8


=============================================================================================================
debug.pk8 and debug.x509.pem from Eclipse or Android Studio (debug.keystore)
=============================================================================================================

Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1
Signer #1 certificate DN: CN=Android Debug, OU=Android, O=US, L=US, ST=US, C=US
Signer #1 certificate SHA-256 digest: 1e08a903aef9c3a721510b64ec764d01d3d094eb954161b62544ea8f187b5953
Signer #1 certificate SHA-1 digest: 5d08264b44e0e53fbccc70b4f016474cc6c5ab5c
Signer #1 certificate MD5 digest: ffd6314a83f267ac4f9407fd2e5a0480
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: 353a102774907fe76fdc2387261a21cb48d181a864ef125b74816facf0a177df
Signer #1 public key SHA-1 digest: 67c2a2aece338209c9ee20735fff4252d2c9489b
Signer #1 public key MD5 digest: 2624523a16ecb1bc43b4155e363c4050
Attachments
Key-Debug.zip
[ 5.45 KiB | Downloaded 334 times ]
Post Reply