Background:
When developing framework or system applications, the term “system signature” is quite familiar, as it allows for higher permissions than ordinary third-party applications, enabling the successful invocation of many core functions. Therefore, during system application development, it is often necessary to sign the APK accordingly. But how exactly can one sign system applications?
Generally, there are two scenarios:
1. The system application’s source code is integrated, with Android.bp or mk specifying the platform signature, which means the APK is compiled together with the AOSP system. In this case, you only need to recompile the system or compile the APK as a separate module using make xxxx target. The APK generated in the out directory will automatically include the system signature.
2. However, many companies’ system applications are developed independently of the system for improved development efficiency. They integrate the APK similarly to how we develop in Android Studio, where the APK is compiled directly by Android Studio. This means there is no coupling with the system, and thus, when compiling the APK, one must consider using the system signature.
But how do you ensure that the APK compiled in Android Studio carries the system signature? What is the specific process?
Creating the System Signature Files
1. Export the signature files included with Lineage or AOSP from the root directory of the source code by executing the following command:
cd build/target/product/security/
ls | grep platform
platform.pk8
platform.x509.pemYou can see that there are two platform files in build/target/product/security/. Copy both files to a separate directory.
2. Execute the command to generate the platform.pem file:
openssl pkcs8 -in platform.pk8 -inform DER -outform PEM -out platform.pem -nocrypt3. Execute the command to generate the platform.pk12 file:
# Generate platform.pk12 with alias platform and password: android
openssl pkcs12 -export -in platform.x509.pem -out platform.p12 -inkey platform.pem -password pass:android -name platform4. Generate the corresponding platform.jks (note that there is a pitfall here):
test@test:~/disk2/platform-signed$ ~/android-studio/jre/bin/keytool -importkeystore -deststorepass android -destkeystore platform.jks -srckeystore platform.p12 -srcstoretype PKCS12 -srcstorepass android
Importing keystore platform.p12 to platform.jks...
Entry for alias platform successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
<platform> uses the MD5withRSA signature algorithm which is considered a security risk.
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore platform.jks -destkeystore platform.jks -deststoretype pkcs12".Note: The keytool used here must match the JRE directory corresponding to Android Studio. It is crucial to ensure that the keytool corresponds to the correct Java version; otherwise, the generated platform.jks might not be compilable in Android Studio, resulting in an “Invalid keystore format” error.
Execution failed for task ':app:packageDebug'.
> A failure occurred while executing com.android.build.gradle.internal.tasks.Workers$ActionFacade
> com.android.ide.common.signing.KeytoolException: Failed to read key platform from store "/home/test/AndroidStudioProjects/ANRDemo/app/platform.jks": Invalid keystore format
* Try:To determine the JRE directory for Android Studio:
Thus, we used the keytool located at ~/android-studio/jre/bin/keytool instead of the default one.
After completing the above steps, you should see the critical signature file platform.jks in the directory:
Using it, you can import it into Android Studio for compilation.
Using the Signature File in Android Studio for Compilation
Copy platform.jks to the app directory in Android Studio:
Then modify the build.gradle file in the app directory:
signingConfigs {
config {
storeFile file("platform.jks")
storePassword 'android'
keyAlias 'platform'
keyPassword 'android'
}
}
buildTypes {
debug {
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
signingConfig signingConfigs.config
}
release {
minifyEnabled false
proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
signingConfig signingConfigs.config
}
}Then proceed to compile:
After successful compilation, install the APK:
test@test:~/AndroidStudioProjects/ANRDemo$ adb install -r app/build/outputs/apk/debug/app-debug.apk
SuccessThe installation was successful, as the APK is an embedded APK.
test@test:~/disk2/platform-signed$ adb shell dumpsys package android | grep "signatures:"
signatures=PackageSignatures{24b8cda version:3, signatures:[b4addb29], past signatures:[]}
test@test:~/disk2/platform-signed$ adb shell dumpsys package com.example.anrdemo| grep signa
signatures=PackageSignatures{114d882 version:2, signatures:[b4addb29], past signatures:[]}
signatures=PackageSignatures{114d882 version:2, signatures:[b4addb29], past signatures:[]}
Using dumpsys, we can confirm that it indeed belongs to the system platform signature.
For specific purchase methods, please contact Ma Ge via WeChat:
