Android实现客制化系统apk在线签名
目录
一、基线代码签名key
二、如何生成自定义的签名pk8 .x509.pem 签名文件
三、如何使用签名key对apk进行重新签名
四、大厂商为了安全,使用自定义签名方式,而不采用原生的签名方式
五、客制化签名方式 修改记录,可以借鉴。
一、基线代码签名key
原生基线代码系统签名地址在:build/target/product/security/下面,主要有platform media shared testkey releasekey apexkey networkstackkey 等等
二、如何生成自定义的签名pk8 .x509.pem 签名文件
如果要使用自己生成的key可以通过下面命令一次生成对应的xx.pk8 xx.x509.pem
eg:release生成可以采用如下命令
development/tools/make_key release '/C=CN/ST=ShenZhen/L=NanShan View/O=XXXXX/OU=XXXXXTechnology Co., Ltd/CN=XXXXreleased key/emailAddress=xxxx@xxxxxxxx.com'
三、如何使用签名key对apk进行重新签名
给apk单独签名方式如下:
eg:给apk使用platform签名
java -Xmx2048m -Djava.library.path="out/soong/host/linux-x86/lib64" -jar out/host/linux-x86/framework/signapk.jar --min-sdk-version 30
build/target/product/security/release/platform.x509.pem
build/target/product/security/release/platform.pk8 ~/ 源 .apk ~/ 签名后的 .apk
四、大厂商为了安全,使用自定义签名方式,而不采用原生的签名方式
很多时候一些品牌手机会定制自己的签名,而并不采用原生的签名文件,例如三星 OV 华为等
他们一般可能采用在线验签的方式,例如他们会定制signapk.jar 和签名命令,例如他们再签名时可能采用跟域账号 域密码等关联信息给apk签名,而不采用目录三那种死命令去签名apk,
其实,换汤不换药,无非就是在原生签名基础上自定义signapk.jar 并在中间添加自定义命令而已,我们完全可以照葫芦画瓢。
关键性的文件修改是:
builder.go definitions.mk app_builder.go sign-apk-online.sh is_sign_onine.mk
五、客制化签名方式 修改记录,可以借鉴。
以下是基展锐 9863a需求:定制系统签名,实现客制化在线签名。
以下签名方式:
java -jar SignApkV2.jar 域网址 域账号 域密码 签名秘钥 签名秘钥 未签名 签名
以下是修改记录,其中以Felix.Ma TAG可以查询patch修改。
1.1 build/make/core/app_prebuilt_internal.mk
# Set a actual_partition_tag (calculated in base_rules.mk) for the package.
PACKAGES.$(LOCAL_MODULE).PARTITION := $(actual_partition_tag)
#Add by Felix.Ma. For app online sign. start.
-include vendor/xxxxx/xxxxx/build/core/is_sign_online.mk
#Add by Felix.Ma. For app online sign. end.
# Disable dex-preopt of prebuilts to save space, if requested.
ifndef LOCAL_DEX_PREOPT
ifeq ($(DONT_DEXPREOPT_PREBUILTS),true)
LOCAL_DEX_PREOPT := false
endif
endif
ifeq (true, $(LOCAL_UNCOMPRESS_DEX))
$(uncompress-dexs)
endif # LOCAL_UNCOMPRESS_DEX
ifneq ($(LOCAL_CERTIFICATE),PRESIGNED)
ifeq ($(module_run_appcompat),true)
$(call appcompat-header, aapt2)
$(run-appcompat)
endif # module_run_appcompat
#Add by Felix.Ma. For app online sign. start.
# $(sign-package)
ifeq ($(sign_online),true)
$(sign-package-online)
else
$(sign-package)
endif
#Add by Felix.Ma. For app online sign. end.
# No need for align-package because sign-package takes care of alignment
else # LOCAL_CERTIFICATE == PRESIGNED
$(align-package)
endif # LOCAL_CERTIFICATE
# Rules to sign the split apks.
my_src_dir := $(sort $(dir $(LOCAL_PACKAGE_SPLITS)))
ifneq (1,$(words $(my_src_dir)))
$(error You must put all the split source apks in the same folder: $(LOCAL_PACKAGE_SPLITS))
endif
my_src_dir := $(LOCAL_PATH)/$(my_src_dir)
$(built_apk_splits) : $(LOCAL_CERTIFICATE).pk8 $(LOCAL_CERTIFICATE).x509.pem
$(built_apk_splits) : PRIVATE_PRIVATE_KEY := $(LOCAL_CERTIFICATE).pk8
$(built_apk_splits) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem
$(built_apk_splits) : $(intermediates)/%.apk : $(my_src_dir)/%.apk
$(copy-file-to-new-target)
#Add by Felix.Ma. For app online sign. start.
# $(sign-package)
ifeq ($(sign_online),true)
$(sign-package-online)
else
$(sign-package)
endif
#Add by Felix.Ma. For app online sign. end.
1.2 ./build/make/core/config.mk
#Add by Felix.Ma. For app online sign. start.
SIGNAPK_ONLINE_JAR := tools/signcenter/SignApkV2.jar
#Add by Felix.Ma. For app online sign. end.
ifdef PRODUCT_SHIPPING_API_LEVEL
ifneq ($(call numbers_less_than,$(PRODUCT_SHIPPING_API_LEVEL),$(BOARD_SYSTEMSDK_VERSIONS)),)
$(error BOARD_SYSTEMSDK_VERSIONS ($(BOARD_SYSTEMSDK_VERSIONS)) must all be greater than or equal to PRODUCT_SHIPPING_API_LEVEL ($(PRODUCT_SHIPPING_API_LEVEL)))
endif
ifneq ($(call math_gt_or_eq,$(PRODUCT_SHIPPING_API_LEVEL),28),)
ifneq ($(TARGET_IS_64_BIT), true)
ifneq ($(TARGET_USES_64_BIT_BINDER), true)
$(error When PRODUCT_SHIPPING_API_LEVEL >= 28, TARGET_USES_64_BIT_BINDER must be true)
endif
endif
endif
ifneq ($(call math_gt_or_eq,$(PRODUCT_SHIPPING_API_LEVEL),29),)
ifneq ($(BOARD_OTA_FRAMEWORK_VBMETA_VERSION_OVERRIDE),)
$(error When PRODUCT_SHIPPING_API_LEVEL >= 29, BOARD_OTA_FRAMEWORK_VBMETA_VERSION_OVERRIDE cannot be set)
endif
endif
endif
#Add by Felix.Ma. For app online sign. start.
ifdef SIGN_PACKAGE_ONLINE_ENABLE
SIGN_PACKAGE_ONLINE_ENABLE := $(SIGN_PACKAGE_ONLINE_ENABLE)
else
SIGN_PACKAGE_ONLINE_ENABLE := true
endif
#ONLINE_KEYID := apkkey_11v_
ONLINE_SERVER := signcenter.pki.hixxxxx.com
PUBLIC_LOCAL_KEY_DIR := build/target/product/security/
#Add by Felix.Ma. For app online sign. end.
# The default key if not set as LOCAL_CERTIFICATE
#Add by Felix.Ma. For app online sign. start.
ifeq ($(SIGN_PACKAGE_ONLINE_ENABLE),true)
#Add by Felix.Ma .for app online sign start
ifeq ($(TARGET_BUILD_VARIANT),user)
DEFAULT_SYSTEM_DEV_CERTIFICATE := vendor/xxxxx/chipset_common/build/security/releasekey
else
DEFAULT_SYSTEM_DEV_CERTIFICATE := vendor/xxxxx/chipset_common/build/security/testkey
endif
#Add by Felix.Ma .for app online sign end
else
ifdef PRODUCT_DEFAULT_DEV_CERTIFICATE
DEFAULT_SYSTEM_DEV_CERTIFICATE := $(PRODUCT_DEFAULT_DEV_CERTIFICATE)
else
DEFAULT_SYSTEM_DEV_CERTIFICATE := build/make/target/product/security/testkey
endif
endif
#Add by Felix.Ma. For app online sign. end.
.KATI_READONLY := DEFAULT_SYSTEM_DEV_CERTIFICATE
1.3 build/make/core/definitions.mk
# Sign a package using the specified key/cert.
#
define sign-package
$(call sign-package-arg,$@)
endef
# $(1): the package file we are signing.
define sign-package-arg
$(hide) mv $(1) $(1).unsigned
$(hide) $(JAVA) -Djava.library.path=$$(dirname $(SIGNAPK_JNI_LIBRARY_PATH)) -jar $(SIGNAPK_JAR) \
$(if $(strip $(PRIVATE_CERTIFICATE_LINEAGE)), --lineage $(PRIVATE_CERTIFICATE_LINEAGE)) \
$(PRIVATE_CERTIFICATE) $(PRIVATE_PRIVATE_KEY) \
$(PRIVATE_ADDITIONAL_CERTIFICATES) $(1).unsigned $(1).signed
$(hide) mv $(1).signed $(1)
endef
#Add by Felix.Ma. For app online sign. start.
# Sign a package online.
#
define sign-package-online
$(hide) mv $@ $@.unsigned
@ java -jar $(SIGNAPK_ONLINE_JAR) --min-sdk-version 30 \
$(ONLINE_SERVER) $(ONLINE_USERNAME) $(ONLINE_PASSWD) $(PUBLIC_LOCAL_KEY) \
apkkey_unisoc_$(PRIVATE_ONLINE_KEY) $@.unsigned $@.signed
$(hide) mv $@.signed $@
endef
#Add by Felix.Ma. For app online sign. end.
# Align STORED entries of a package on 4-byte boundaries to make them easier to mmap.
#
1.4 build/make/core/soong_config.mk
$(call add_json_bool, UseGoma, $(filter-out false,$(USE_GOMA)))
$(call add_json_bool, UseRBE, $(filter-out false,$(USE_RBE)))
$(call add_json_bool, UseRBEJAVAC, $(filter-out false,$(RBE_JAVAC)))
$(call add_json_bool, UseRBER8, $(filter-out false,$(RBE_R8)))
$(call add_json_bool, UseRBED8, $(filter-out false,$(RBE_D8)))
$(call add_json_bool, Arc, $(filter true,$(TARGET_ARC)))
$(call add_json_list, NamespacesToExport, $(PRODUCT_SOONG_NAMESPACES))
#Add by Felix.Ma. For app online sign. start.
$(call add_json_bool, SignPkgOnlineEnable, $(filter true,$(SIGN_PACKAGE_ONLINE_ENABLE)))
$(call add_json_str, OnlineServer, $(ONLINE_SERVER))
$(call add_json_str, OnlineKeyID, $(ONLINE_KEYID))
$(call add_json_str, SignApkOnlineJar, $(SIGNAPK_ONLINE_JAR))
#Add by Felix.Ma. For app online sign. end.
$(call add_json_list, PgoAdditionalProfileDirs, $(PGO_ADDITIONAL_PROFILE_DIRS))
$(call add_json_list, BoardVendorSepolicyDirs, $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_SEPOLICY_DIRS))
$(call add_json_list, BoardOdmSepolicyDirs, $(BOARD_ODM_SEPOLICY_DIRS))
$(call add_json_list, BoardPlatPublicSepolicyDirs, $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR))
$(call add_json_list, BoardPlatPrivateSepolicyDirs, $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR))
$(call add_json_list, BoardSepolicyM4Defs, $(BOARD_SEPOLICY_M4DEFS)
1.5 build/make/envsetup.sh
unset TARGET_BSP_OUT
export TARGET_BSP_OUT=$(get_build_var TARGET_BSP_OUT)
# needed for building linux on MacOS
# TODO: fix the path
#export HOST_EXTRACFLAGS="-I "$T/system/kernel_headers/host_include
unset SECURE_BOOT
export SECURE_BOOT=$(get_build_var PRODUCT_SECURE_BOOT)
unset PSS_FLAG
export PSS_FLAG=$(get_build_var PKCS1_PSS_FLAG)
export SIGN_TARGET_BOARD=$(get_build_var TARGET_BOARD)
unset CURRENT_PRODUCT_OUT
export CURRENT_PRODUCT_OUT=$(get_build_var PRODUCT_OUT)
#Add by Felix.Ma. For app sign. start
if [ -r $(gettop)/vendor/xxxxx/chipset_common/build/tools/check_account/check_account.sh ]; then
echo "including vendor/xxxxx/chipset_common/build/tools/check_account/check_account.sh"
source $(gettop)/vendor/xxxxx/chipset_common/build/tools/check_account/check_account.sh
fi
#Add by Felix.Ma. For app sign. end
}
1.6 build/soong/android/config.go
func (c *config) DefaultAppCertificateDir(ctx PathContext) SourcePath {
defaultCert := String(c.productVariables.DefaultAppCertificate)
if defaultCert != "" {
return PathForSource(ctx, filepath.Dir(defaultCert))
} else {
//Add by Felix.Ma. For app online sign. start.
// return PathForSource(ctx, "build/make/target/product/security")
return PathForSource(ctx, "vendor/xxxxx/chipset_common/build/security")
//Add by Felix.Ma. For app online sign. end.
}
}
func (c *config) ProductHiddenAPIStubsSystem() []string {
return c.productVariables.ProductHiddenAPIStubsSystem
}
func (c *config) ProductHiddenAPIStubsTest() []string {
return c.productVariables.ProductHiddenAPIStubsTest
}
//Add by Felix.Ma. For app online sign. start.
func (c *config) GetSignPkgOnlineEnable() bool {
return Bool(c.productVariables.SignPkgOnlineEnable)
}
func (c *config) GetOnlineServer() string {
return String(c.productVariables.OnlineServer)
}
func (c *config) GetOnlineKeyID() string {
return String(c.productVariables.OnlineKeyID)
}
func (c *config) GetSignApkOnlineJar() string {
return String(c.productVariables.SignApkOnlineJar)
}
//Add by Felix.Ma. For app online sign. end.
func (c *deviceConfig) TargetFSConfigGen() []string {
return c.config.productVariables.TargetFSConfigGen
}
func (c *config) ProductPublicSepolicyDirs() []string {
return c.productVariables.ProductPublicSepolicyDirs
}
1.7 /build/soong/android/variable.go
Ndk_abis *bool `json:",omitempty"`
Exclude_draft_ndk_apis *bool `json:",omitempty"`
Flatten_apex *bool `json:",omitempty"`
Aml_abis *bool `json:",omitempty"`
//Add by Felix.Ma. For app online sign. start.
SignPkgOnlineEnable *bool `json:",omitempty"`
OnlineServer *string `json:",omitempty"`
OnlineKeyID *string `json:",omitempty"`
SignApkOnlineJar *string `json:",omitempty"`
//Add by Felix.Ma. For app online sign. end.
DexpreoptGlobalConfig *string `json:",omitempty"`
ManifestPackageNameOverrides []string `json:",omitempty"`
CertificateOverrides []string `json:",omitempty"`
PackageNameOverrides []string `json:",omitempty"`
1.8 build/soong/apex/androidmk.go:
case appSet:
as, ok := fi.module.(*java.AndroidAppSet)
if !ok {
panic(fmt.Sprintf("Expected %s to be AndroidAppSet", fi.module))
}
fmt.Fprintln(w, "LOCAL_APK_SET_MASTER_FILE :=", as.MasterFile())
fmt.Fprintln(w, "LOCAL_APKCERTS_FILE :=", as.APKCertsFile().String())
fmt.Fprintln(w, "include $(BUILD_SYSTEM)/soong_android_app_set.mk")
case nativeSharedLib, nativeExecutable, nativeTest:
fmt.Fprintln(w, "LOCAL_MODULE_STEM :=", fi.Stem())
if ccMod, ok := fi.module.(*cc.Module); ok {
if ccMod.UnstrippedOutputFile() != nil {
fmt.Fprintln(w, "LOCAL_SOONG_UNSTRIPPED_BINARY :=", ccMod.UnstrippedOutputFile().String())
}
//Add by Felix.Ma. For app online sign. start.
//ccMod.AndroidMkWriteAdditionalDependenciesForSourceAbiDiff(w)
//Add by Felix.Ma. For app online sign. end.
if ccMod.CoverageOutputFile().Valid() {
fmt.Fprintln(w, "LOCAL_PREBUILT_COVERAGE_ARCHIVE :=", ccMod.CoverageOutputFile().String())
}
}
fmt.Fprintln(w, "include $(BUILD_SYSTEM)/soong_cc_prebuilt.mk")
default:
1.9 build/soong/apex/apex_test.go:
func TestCertificate(t *testing.T) {
t.Run("if unspecified, it defaults to DefaultAppCertificate", func(t *testing.T) {
ctx, _ := testApex(t, `
apex {
name: "myapex",
key: "myapex.key",
}
apex_key {
name: "myapex.key",
public_key: "testkey.avbpubkey",
private_key: "testkey.pem",
}`)
rule := ctx.ModuleForTests("myapex", "android_common_myapex_image").Rule("signapk")
//Add by Felix.Ma. For app online sign. start.
expected := "build/make/target/product/security/testkey.x509.pem build/make/target/product/security/testkey.pk8"
//Add by Felix.Ma. For app online sign. end.
if actual := rule.Args["certificates"]; actual != expected {
t.Errorf("certificates should be %q, not %q", expected, actual)
}
})
t.Run("override when unspecified", func(t *testing.T) {
ctx, _ := testApex(t, `
apex {
name: "myapex_keytest",
key: "myapex.key",
file_contexts: ":myapex-file_contexts",
}
apex_key {
name: "myapex.key",
public_key: "testkey.avbpubkey",
private_key: "testkey.pem",
}
android_app_certificate {
name: "myapex.certificate.override",
certificate: "testkey.override",
}`)
rule := ctx.ModuleForTests("myapex_keytest", "android_common_myapex_keytest_image").Rule("signapk")
expected := "testkey.override.x509.pem testkey.override.pk8"
if actual := rule.Args["certificates"]; actual != expected {
t.Errorf("certificates should be %q, not %q", expected, actual)
}
})
1.10 build/soong/apex/builder.go
func (a *apexBundle) buildUnflattenedApex(ctx android.ModuleContext) {
var abis []string
for _, target := range ctx.MultiTargets() {
if len(target.Arch.Abi) > 0 {
abis = append(abis, target.Arch.Abi[0])
}
}
//Add by Felix.Ma. For app online sign. start.
isApexSignApkOnlineEnabled := ctx.Config().GetSignPkgOnlineEnable()
//Add by Felix.Ma. For app online sign. end.
abis = android.FirstUniqueStrings(abis)
apexType := a.properties.ApexType
suffix := apexType.suffix()
var implicitInputs []android.Path
unsignedOutputFile := android.PathForModuleOut(ctx, a.Name()+suffix+".unsigned")
a.outputFile = android.PathForModuleOut(ctx, a.Name()+suffix)
//Add by Felix.Ma. For app online sign. start.
var rule blueprint.Rule
var args map[string]string
if isApexSignApkOnlineEnabled == true {
rule = java.ApexsignapkOnline
args = map[string]string{
"certificates": "build/target/product/security/ODM_apexkey_v1.pem",
"onlineServer": "signcenter.pki.hixxxxx.com",
"privateOnlineKey": "ODM_apexkey_v1",
"signapkOnlineCmd": ctx.Config().GetSignApkOnlineJar(),
"platformSdkVer": "30",
}
} else {
rule = java.Signapk
args = map[string]string{
"certificates": a.container_certificate_file.String() + " " + a.container_private_key_file.String(),
"flags": "-a 4096", //alignment
}
}
//Add by Felix.Ma. For app online sign. end.
implicits := android.Paths{
a.container_certificate_file,
a.container_private_key_file,
}
if ctx.Config().IsEnvTrue("RBE_SIGNAPK") {
rule = java.SignapkRE
args["implicits"] = strings.Join(implicits.Strings(), ",")
args["outCommaList"] = a.outputFile.String()
}
ctx.Build(pctx, android.BuildParams{
Rule: rule,
Description: "signapk",
Output: a.outputFile,
Input: unsignedOutputFile,
Implicits: implicits,
Args: args,
})
// Install to $OUT/soong/{target,host}/.../apex
if a.installable() {
ctx.InstallFile(a.installDir, a.Name()+suffix, a.outputFile)
}
a.buildFilesInfo(ctx)
// installed-files.txt is dist'ed
a.installedFilesFile = a.buildInstalledFilesFile(ctx, a.outputFile, imageDir)
}
func (a *apexBundle) setCertificateAndPrivateKey(ctx android.ModuleContext) {
if a.container_certificate_file == nil {
cert := String(a.properties.Certificate)
if cert == "" {
//Add by Felix.Ma. For app online sign. start.
// pem, key := ctx.Config().DefaultAppCertificate(ctx)
pem, key := android.PathForSource(ctx, "build/make/target/product/security/testkey.x509.pem"), android.PathForSource(ctx, "build/make/target/product/security/testkey.pk8")
//Add by Felix.Ma. For app online sign. end.
a.container_certificate_file = pem
a.container_private_key_file = key
} else {
defaultDir := ctx.Config().DefaultAppCertificateDir(ctx)
a.container_certificate_file = defaultDir.Join(ctx, cert+".x509.pem")
a.container_private_key_file = defaultDir.Join(ctx, cert+".pk8")
}
}
}
1.11 ./build/soong/java/app_builder.go
var (
Signapk, SignapkRE = remoteexec.StaticRules(pctx, "signapk",
blueprint.RuleParams{
Command: `$reTemplate${config.JavaCmd} ${config.JavaVmFlags} -Djava.library.path=$$(dirname ${config.SignapkJniLibrary}) ` +
`-jar ${config.SignapkCmd} $flags $certificates $in $out`,
CommandDeps: []string{"${config.SignapkCmd}", "${config.SignapkJniLibrary}"},
},
&remoteexec.REParams{Labels: map[string]string{"type": "tool", "name": "signapk"},
ExecStrategy: "${config.RESignApkExecStrategy}",
Inputs: []string{"${config.SignapkCmd}", "$in", "$$(dirname ${config.SignapkJniLibrary})", "$implicits"},
OutputFiles: []string{"$outCommaList"},
ToolchainInputs: []string{"${config.JavaCmd}"},
Platform: map[string]string{remoteexec.PoolKey: "${config.REJavaPool}"},
}, []string{"flags", "certificates"}, []string{"implicits", "outCommaList"})
//Add by Felix.Ma. For app online sign. start.
signapkOnline = pctx.AndroidStaticRule("signapkOnline",
blueprint.RuleParams{
Command: `vendor/xxxxx/xxxxx/build/tools/signapk/sign-apk-online.sh javacmd=${config.JavaCmd} ` +
`signapkOnlineCmd=$signapkOnlineCmd platformSdkVer=$platformSdkVer ` +
`onlineServer=$onlineServer ` +
`certificates=$certificates privateOnlineKey=$privateOnlineKey inFile=$in outFile=$out`,
},
"certificates", "onlineServer", "privateOnlineKey", "signapkOnlineCmd", "platformSdkVer")
ApexsignapkOnline = pctx.AndroidStaticRule("apexsignapkOnline",
blueprint.RuleParams{
Command: `vendor/xxxxx/xxxxx/build/tools/signapk/sign-apk-online.sh javacmd=${config.JavaCmd} ` +
`signapkOnlineCmd=$signapkOnlineCmd platformSdkVer=$platformSdkVer ` +
`onlineServer=$onlineServer ` +
`certificates=$certificates privateOnlineKey=$privateOnlineKey inFile=$in outFile=$out`,
},
"certificates", "onlineServer", "privateOnlineKey", "signapkOnlineCmd", "platformSdkVer")
//Add by Felix.Ma. For app online sign. end.
)
var combineApk = pctx.AndroidStaticRule("combineApk",
blueprint.RuleParams{
Command: `${config.MergeZipsCmd} $out $in`,
CommandDeps: []string{"${config.MergeZipsCmd}"},
})
func SignAppPackage(ctx android.ModuleContext, signedApk android.WritablePath, unsignedApk android.Path, certificates []Certificate, v4SignatureFile android.WritablePath, lineageFile android.Path) {
var certificateArgs []string
var deps android.Paths
for _, c := range certificates {
certificateArgs = append(certificateArgs, c.Pem.String(), c.Key.String())
deps = append(deps, c.Pem, c.Key)
}
outputFiles := android.WritablePaths{signedApk}
var flags []string
if v4SignatureFile != nil {
outputFiles = append(outputFiles, v4SignatureFile)
flags = append(flags, "--enable-v4")
}
if lineageFile != nil {
flags = append(flags, "--lineage", lineageFile.String())
deps = append(deps, lineageFile)
}
rule := Signapk
args := map[string]string{
"certificates": strings.Join(certificateArgs, " "),
"flags": strings.Join(flags, " "),
}
if ctx.Config().IsEnvTrue("RBE_SIGNAPK") {
rule = SignapkRE
args["implicits"] = strings.Join(deps.Strings(), ",")
args["outCommaList"] = strings.Join(outputFiles.Strings(), ",")
}
//Add by Felix.Ma. For app online sign. start.
var onlineCertificateArgs []string
for _, c := range certificates {
onlineCertificateArgs = append(onlineCertificateArgs, c.Pem.String())
}
onlineKeyIDArgs := ctx.Config().GetOnlineKeyID()
onlineServerArgs := ctx.Config().GetOnlineServer()
platformSdkVerArgs := ctx.Config().PlatformSdkVersion()
signApkOnlineJarArgs := ctx.Config().GetSignApkOnlineJar()
isSignApkOnlineEnabled := ctx.Config().GetSignPkgOnlineEnable()
var keyFilter = [...]string{
"platform",
"shared",
"media",
"testkey",
"releasekey",
}
localSignOnline := isSignApkOnlineEnabled
var privateKeyOnline string
var hitCount uint32 = 0
if isSignApkOnlineEnabled == true {
for _, v := range keyFilter {
for _, u := range onlineCertificateArgs {
if strings.Contains(u, v) {
privateKeyOnline += v
hitCount++
break
}
}
}
if hitCount == 0 {
localSignOnline = false
} else if hitCount > 1 {
panic("certificate needs only one value\n")
} else {
localSignOnline = true
}
}
if localSignOnline == true {
ctx.Build(pctx, android.BuildParams{
Rule: signapkOnline,
Description: "signapkOnline",
Output: signedApk,
Input: unsignedApk,
Implicits: deps,
Args: map[string]string{
"certificates": strings.Join(onlineCertificateArgs, " "),
"onlineServer": onlineServerArgs,
// "onlineUsername": onlineUsernameArgs,
// "onlinePasswd": onlinePasswdArgs,
"privateOnlineKey": onlineKeyIDArgs + privateKeyOnline,
"platformSdkVer": platformSdkVerArgs,
"signapkOnlineCmd": signApkOnlineJarArgs,
},
})
} else {
ctx.Build(pctx, android.BuildParams{
Rule: rule,
Description: "signapk",
Output: signedApk,
Input: unsignedApk,
Implicits: deps,
Args: args,
})
}
//Add by Felix.Ma. For app online sign. end.
}
var buildAAR = pctx.AndroidStaticRule("buildAAR",
blueprint.RuleParams{
Command: `rm -rf ${outDir} && mkdir -p ${outDir} && ` +
`cp ${manifest} ${outDir}/AndroidManifest.xml && ` +
`cp ${classesJar} ${outDir}/classes.jar && ` +
`cp ${rTxt} ${outDir}/R.txt && ` +
`${config.SoongZipCmd} -jar -o $out -C ${outDir} -D ${outDir}`,
CommandDeps: []string{"${config.SoongZipCmd}"},
},
"manifest", "classesJar", "rTxt", "outDir")
1.12 ./build/soong/java/app_test.go
func TestCertificates(t *testing.T) {
testCases := []struct {
name string
bp string
certificateOverride string
expectedLineage string
expectedCertificate string
}{
{
name: "default",
bp: `
android_app {
name: "foo",
srcs: ["a.java"],
sdk_version: "current",
}
`,
certificateOverride: "",
expectedLineage: "",
//Add by Felix.Ma. For app online sign. start.
expectedCertificate: "vendor/xxxxx/chipset_common/build/security/testkey.x509.pem vendor/xxxxx/chipset_common/build/security/testkey.pk8",
//Add by Felix.Ma. For app online sign. end.
},
{
name: "module certificate property",
bp: `
android_app {
name: "foo",
srcs: ["a.java"],
certificate: ":new_certificate",
sdk_version: "current",
}
android_app_certificate {
name: "new_certificate",
certificate: "cert/new_cert",
}
`,
certificateOverride: "",
expectedLineage: "",
expectedCertificate: "cert/new_cert.x509.pem cert/new_cert.pk8",
},
{
name: "path certificate property",
bp: `
android_app {
name: "foo",
srcs: ["a.java"],
certificate: "expiredkey",
sdk_version: "current",
}
`,
certificateOverride: "",
expectedLineage: "",
//Add by Felix.Ma. For app online sign. start.
expectedCertificate: "vendor/xxxxx/chipset_common/build/security/expiredkey.x509.pem vendor/xxxxx/chipset_common/build/security/expiredkey.pk8",
//Add by Felix.Ma. For app online sign. end.
},
{
name: "certificate overrides",
bp: `
android_app {
name: "foo",
srcs: ["a.java"],
certificate: "expiredkey",
sdk_version: "current",
}
android_app_certificate {
name: "new_certificate",
certificate: "cert/new_cert",
}
`,
certificateOverride: "foo:new_certificate",
expectedLineage: "",
expectedCertificate: "cert/new_cert.x509.pem cert/new_cert.pk8",
},
{
name: "certificate lineage",
bp: `
android_app {
name: "foo",
srcs: ["a.java"],
certificate: ":new_certificate",
lineage: "lineage.bin",
sdk_version: "current",
}
android_app_certificate {
name: "new_certificate",
certificate: "cert/new_cert",
}
`,
certificateOverride: "",
expectedLineage: "--lineage lineage.bin",
expectedCertificate: "cert/new_cert.x509.pem cert/new_cert.pk8",
},
}
func TestOverrideAndroidApp(t *testing.T) {
ctx, _ := testJava(t, `
android_app {
name: "foo",
srcs: ["a.java"],
certificate: "expiredkey",
overrides: ["qux"],
sdk_version: "current",
}
override_android_app {
name: "bar",
base: "foo",
certificate: ":new_certificate",
lineage: "lineage.bin",
logging_parent: "bah",
}
android_app_certificate {
name: "new_certificate",
certificate: "cert/new_cert",
}
override_android_app {
name: "baz",
base: "foo",
package_name: "org.dandroid.bp",
}
`)
expectedVariants := []struct {
moduleName string
variantName string
apkName string
apkPath string
certFlag string
lineageFlag string
overrides []string
aaptFlag string
logging_parent string
}{
{
moduleName: "foo",
variantName: "android_common",
apkPath: "/target/product/test_device/system/app/foo/foo.apk",
//Add by Felix.Ma. For app online sign. start.
certFlag: "vendor/xxxxx/chipset_common/build/security/expiredkey.x509.pem vendor/xxxxx/chipset_common/build/security/expiredkey.pk8",
//Add by Felix.Ma. For app online sign. end.
lineageFlag: "",
overrides: []string{"qux"},
aaptFlag: "",
logging_parent: "",
},
{
moduleName: "bar",
variantName: "android_common_bar",
apkPath: "/target/product/test_device/system/app/bar/bar.apk",
certFlag: "cert/new_cert.x509.pem cert/new_cert.pk8",
lineageFlag: "--lineage lineage.bin",
overrides: []string{"qux", "foo"},
aaptFlag: "",
logging_parent: "bah",
},
{
moduleName: "baz",
variantName: "android_common_baz",
apkPath: "/target/product/test_device/system/app/baz/baz.apk",
//Add by Felix.Ma. For app online sign. start.
certFlag: "vendor/xxxxx/chipset_common/build/security/expiredkey.x509.pem vendor/xxxxx/chipset_common/build/security/expiredkey.pk8",
//Add by Felix.Ma. For app online sign. end.
lineageFlag: "",
overrides: []string{"qux", "foo"},
aaptFlag: "--rename-manifest-package org.dandroid.bp",
logging_parent: "",
},
}
func TestAndroidAppImport(t *testing.T) {
ctx, _ := testJava(t, `
android_app_import {
name: "foo",
apk: "prebuilts/apk/app.apk",
certificate: "platform",
dex_preopt: {
enabled: true,
},
}
`)
variant := ctx.ModuleForTests("foo", "android_common")
// Check dexpreopt outputs.
if variant.MaybeOutput("dexpreopt/oat/arm64/package.vdex").Rule == nil ||
variant.MaybeOutput("dexpreopt/oat/arm64/package.odex").Rule == nil {
t.Errorf("can't find dexpreopt outputs")
}
// Check cert signing flag.
signedApk := variant.Output("signed/foo.apk")
signingFlag := signedApk.Args["certificates"]
//Add by Felix.Ma. For app online sign. start.
//expected := "build/make/target/product/security/platform.x509.pem build/make/target/product/security/platform.pk8"
expected := "vendor/xxxxx/chipset_common/build/security/platform.x509.pem vendor/xxxxx/chipset_common/build/security/platform.pk8"
//Add by Felix.Ma. For app online sign. end.
if expected != signingFlag {
t.Errorf("Incorrect signing flags, expected: %q, got: %q", expected, signingFlag)
}
}
func TestAndroidAppImport_DefaultDevCert(t *testing.T) {
ctx, _ := testJava(t, `
android_app_import {
name: "foo",
apk: "prebuilts/apk/app.apk",
default_dev_cert: true,
dex_preopt: {
enabled: true,
},
}
`)
variant := ctx.ModuleForTests("foo", "android_common")
// Check dexpreopt outputs.
if variant.MaybeOutput("dexpreopt/oat/arm64/package.vdex").Rule == nil ||
variant.MaybeOutput("dexpreopt/oat/arm64/package.odex").Rule == nil {
t.Errorf("can't find dexpreopt outputs")
}
// Check cert signing flag.
signedApk := variant.Output("signed/foo.apk")
signingFlag := signedApk.Args["certificates"]
//Add by Felix.Ma. For app online sign. start.
//expected := "build/make/target/product/security/testkey.x509.pem build/make/target/product/security/testkey.pk8"
expected := "vendor/xxxxx/chipset_common/build/security/testkey.x509.pem vendor/xxxxx/chipset_common/build/security/testkey.pk8"
//Add by Felix.Ma. For app online sign. end.
if expected != signingFlag {
t.Errorf("Incorrect signing flags, expected: %q, got: %q", expected, signingFlag)
}
}
func TestRuntimeResourceOverlay(t *testing.T) {
fs := map[string][]byte{
"baz/res/res/values/strings.xml": nil,
"bar/res/res/values/strings.xml": nil,
}
bp := `
runtime_resource_overlay {
name: "foo",
certificate: "platform",
lineage: "lineage.bin",
product_specific: true,
static_libs: ["bar"],
resource_libs: ["baz"],
aaptflags: ["--keep-raw-values"],
}
runtime_resource_overlay {
name: "foo_themed",
certificate: "platform",
product_specific: true,
theme: "faza",
overrides: ["foo"],
}
android_library {
name: "bar",
resource_dirs: ["bar/res"],
}
android_app {
name: "baz",
sdk_version: "current",
resource_dirs: ["baz/res"],
}
`
config := testAppConfig(nil, bp, fs)
ctx := testContext()
run(t, ctx, config)
m := ctx.ModuleForTests("foo", "android_common")
// Check AAPT2 link flags.
aapt2Flags := m.Output("package-res.apk").Args["flags"]
expectedFlags := []string{"--keep-raw-values", "--no-resource-deduping", "--no-resource-removal"}
absentFlags := android.RemoveListFromList(expectedFlags, strings.Split(aapt2Flags, " "))
if len(absentFlags) > 0 {
t.Errorf("expected values, %q are missing in aapt2 link flags, %q", absentFlags, aapt2Flags)
}
// Check overlay.list output for static_libs dependency.
overlayList := m.Output("aapt2/overlay.list").Inputs.Strings()
staticLibPackage := buildDir + "/.intermediates/bar/android_common/package-res.apk"
if !inList(staticLibPackage, overlayList) {
t.Errorf("Stactic lib res package %q missing in overlay list: %q", staticLibPackage, overlayList)
}
// Check AAPT2 link flags for resource_libs dependency.
resourceLibFlag := "-I " + buildDir + "/.intermediates/baz/android_common/package-res.apk"
if !strings.Contains(aapt2Flags, resourceLibFlag) {
t.Errorf("Resource lib flag %q missing in aapt2 link flags: %q", resourceLibFlag, aapt2Flags)
}
// Check cert signing flag.
signedApk := m.Output("signed/foo.apk")
lineageFlag := signedApk.Args["flags"]
expectedLineageFlag := "--lineage lineage.bin"
if expectedLineageFlag != lineageFlag {
t.Errorf("Incorrect signing lineage flags, expected: %q, got: %q", expectedLineageFlag, lineageFlag)
}
signingFlag := signedApk.Args["certificates"]
//Add by Felix.Ma. For app online sign. start.
//expected := "build/make/target/product/security/platform.x509.pem build/make/target/product/security/platform.pk8"
expected := "vendor/xxxxx/chipset_common/build/security/platform.x509.pem vendor/xxxxx/chipset_common/build/security/platform.pk8"
//Add by Felix.Ma. For app online sign. end.
if expected != signingFlag {
t.Errorf("Incorrect signing flags, expected: %q, got: %q", expected, signingFlag)
}
androidMkEntries := android.AndroidMkEntriesForTest(t, config, "", m.Module())[0]
path := androidMkEntries.EntryMap["LOCAL_CERTIFICATE"]
//Add by Felix.Ma. For app online sign. start.
expectedPath := []string{"vendor/xxxxx/chipset_common/build/security/platform.x509.pem"}
//Add by Felix.Ma. For app online sign. end.
if !reflect.DeepEqual(path, expectedPath) {
t.Errorf("Unexpected LOCAL_CERTIFICATE value: %v, expected: %v", path, expectedPath)
}
// Check device location.
path = androidMkEntries.EntryMap["LOCAL_MODULE_PATH"]
expectedPath = []string{"/tmp/target/product/test_device/product/overlay"}
if !reflect.DeepEqual(path, expectedPath) {
t.Errorf("Unexpected LOCAL_MODULE_PATH value: %v, expected: %v", path, expectedPath)
}
// A themed module has a different device location
m = ctx.ModuleForTests("foo_themed", "android_common")
androidMkEntries = android.AndroidMkEntriesForTest(t, config, "", m.Module())[0]
path = androidMkEntries.EntryMap["LOCAL_MODULE_PATH"]
expectedPath = []string{"/tmp/target/product/test_device/product/overlay/faza"}
if !reflect.DeepEqual(path, expectedPath) {
t.Errorf("Unexpected LOCAL_MODULE_PATH value: %v, expected: %v", path, expectedPath)
}
overrides := androidMkEntries.EntryMap["LOCAL_OVERRIDES_PACKAGES"]
expectedOverrides := []string{"foo"}
if !reflect.DeepEqual(overrides, expectedOverrides) {
t.Errorf("Unexpected LOCAL_OVERRIDES_PACKAGES value: %v, expected: %v", overrides, expectedOverrides)
}
}
1.13 /build/soong/ui/build/exec.go
func (c *Cmd) prepare() {
if c.Env == nil {
c.Env = c.Environment.Environ()
}
//Add by Felix.Ma. For app online sign. start.
//if c.sandboxSupported() {
//c.wrapSandbox()
//}
//Add by Felix.Ma. For app online sign. end.
c.ctx.Verboseln(c.Path, c.Args)
}
func (c *Cmd) Start() error {
c.prepare()
return c.Cmd.Start()
}
func (c *Cmd) Run() error {
c.prepare()
err := c.Cmd.Run()
return err
}
func (c *Cmd) Output() ([]byte, error) {
c.prepare()
bytes, err := c.Cmd.Output()
return bytes, err
}
1.14 build/soong/ui/build/ninja.go
func runNinja(ctx Context, config Config) {
if cmd.Environment.IsEnvTrue("ALLOW_NINJA_ENV") {
ctx.Println("Allowing all environment variables during ninja; incremental builds may be unsafe.")
} else {
cmd.Environment.Allow(append([]string{
"ASAN_SYMBOLIZER_PATH",
"HOME",
"JAVA_HOME",
"LANG",
"LC_MESSAGES",
"OUT_DIR",
"PATH",
"PWD",
"PYTHONDONTWRITEBYTECODE",
"TMPDIR",
"USER",
// TODO: remove these carefully
"ASAN_OPTIONS",
"TARGET_BUILD_APPS",
"TARGET_BUILD_VARIANT",
"TARGET_PRODUCT",
// b/147197813 - used by art-check-debug-apex-gen
"EMMA_INSTRUMENT_FRAMEWORK",
// Goma -- gomacc may not need all of these
"GOMA_DIR",
"GOMA_DISABLED",
"GOMA_FAIL_FAST",
"GOMA_FALLBACK",
"GOMA_GCE_SERVICE_ACCOUNT",
"GOMA_TMP_DIR",
"GOMA_USE_LOCAL",
// RBE client
"FLAG_compare",
"FLAG_exec_root",
"FLAG_exec_strategy",
"FLAG_invocation_id",
"FLAG_log_dir",
"FLAG_platform",
"FLAG_remote_accept_cache",
"FLAG_remote_update_cache",
"FLAG_server_address",
// ccache settings
"CCACHE_COMPILERCHECK",
"CCACHE_SLOPPINESS",
"CCACHE_BASEDIR",
"CCACHE_CPP2",
"CCACHE_DIR",
//Add by Felix.Ma. For app online sign. start.
"ONLINE_USERNAME",
"ONLINE_PASSWD",
//Add by Felix.Ma. For app online sign. end.
}, config.BuildBrokenNinjaUsesEnvVars()...)...)
}
1.15 ./build/make/core/package_internal.mk
ifeq ($(LOCAL_CERTIFICATE),EXTERNAL)
# The special value "EXTERNAL" means that we will sign it with the
# default devkey, apply predexopt, but then expect the final .apk
# (after dexopting) to be signed by an outside tool.
LOCAL_CERTIFICATE := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
PACKAGES.$(LOCAL_PACKAGE_NAME).EXTERNAL_KEY := 1
endif
//Add by Felix.Ma. For app online sign. start.
-include vendor/xxxxx/xxxxx/build/core/is_sign_online.mk
//Add by Felix.Ma. For app online sign. end.
# If this is not an absolute certificate, assign it to a generic one.
ifeq ($(dir $(strip $(LOCAL_CERTIFICATE))),./)
LOCAL_CERTIFICATE := $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))$(LOCAL_CERTIFICATE)
endif
include $(BUILD_SYSTEM)/app_certificate_validate.mk
private_key := $(LOCAL_CERTIFICATE).pk8
certificate := $(LOCAL_CERTIFICATE).x509.pem
1.16 vendor/xxxxx/xxxxx/build/core/is_sign_online.mk
###########################################################
##
## define whether apk signs online or not.
##
###########################################################
sign_online := $(SIGN_PACKAGE_ONLINE_ENABLE)
xxxxx_PUBLIC_LOCAL_KEY_DIR := vendor/xxxxx/chipset_common/build/security/
ifeq ($(SIGN_PACKAGE_ONLINE_ENABLE),true)
private_key_online := $(filter platform shared media releasekey testkey, \
$(notdir $(LOCAL_CERTIFICATE)))
ifeq ($(words $(private_key_online)),0)
sign_online := false
else
ifneq ($(words $(private_key_online)),1)
$(error LOCAL_CERTIFICATE just need only; saw $(LOCAL_CERTIFICATE))
endif
sign_online_key := $(private_key_online)
$(LOCAL_BUILT_MODULE): $(SIGNAPK_ONLINE_JAR)
$(LOCAL_BUILT_MODULE): PRIVATE_ONLINE_KEY := $(sign_online_key)
$(LOCAL_BUILT_MODULE): PUBLIC_LOCAL_KEY := $(xxxxx_PUBLIC_LOCAL_KEY_DIR)$(private_key_online).x509.pem
endif
endif
1.17 vendor\xxxxx\xxxxx\build\tools\signapk\sign-apk-online.sh
#!/bin/bash
# Sign apk online.
# Copyright (c) xxxxx Technologies Co., Ltd. 2010-2019. All rights reserved.
parse_cmdline()
{
while [ -n "$1" ]
do
OPTIONS=$(echo "$1" | sed 's/\(.*\)=\(.*\)/\1/')
PARAM=$(echo "$1" | sed 's/.*=//')
case "$OPTIONS" in
javacmd) JAVACMD="${PARAM}" ;;
signapkOnlineCmd) SIGN_APK_ONLINE_CMD="${PARAM}" ;;
platformSdkVer) PLATFORM_SDK_VER="${PARAM}" ;;
onlineServer) ONLINE_SERVER="${PARAM}" ;;
# onlineUsername) ONLINE_USERNAME="${PARAM}" ;;
# onlinePasswd) ONLINE_PASSWD="${PARAM}" ;;
certificates) CERTIFICATES="${PARAM}" ;;
privateOnlineKey) PRIVATE_ONLINE_KEY="${PARAM}" ;;
inFile) IN_FILE="${PARAM}" ;;
outFile) OUT_FILE="${PARAM}" ;;
#please add extra parameter here!
*) if [ $(echo "$1" | sed -n '/.*=/p') ];then
echo "Error, the pattem \"$OPTIONS=$PARAM\" can not be recognized!!!"
helpme
fi
break;;
esac
shift
done
}
parse_cmdline $@
#if [ -d vendor/xxxxx/chipset_common/build/security ];then
#CERTIFICATES=${CERTIFICATES/build\/target\/product\/security/vendor\/xxxxx\/chipset_common\/build\/security}
#fi
if [[ "${CERTIFICATES}" == *testkey* ]];then
echo "testkey"
PRIVATE_ONLINE_KEY=apkkey_unisoc_testkey
CERTIFICATES=vendor/xxxxx/chipset_common/build/security/testkey.x509.pem
fi
if [[ "${CERTIFICATES}" == *media* ]];then
echo "media"
PRIVATE_ONLINE_KEY=apkkey_unisoc_media
CERTIFICATES=vendor/xxxxx/chipset_common/build/security/media.x509.pem
fi
if [[ "${CERTIFICATES}" == *platform* ]];then
echo "platform"
PRIVATE_ONLINE_KEY=apkkey_unisoc_platform
CERTIFICATES=vendor/xxxxx/chipset_common/build/security/platform.x509.pem
fi
if [[ "${CERTIFICATES}" == *shared* ]];then
echo "shared"
PRIVATE_ONLINE_KEY=apkkey_unisoc_shared
CERTIFICATES=vendor/xxxxx/chipset_common/build/security/shared.x509.pem
fi
if [[ "${CERTIFICATES}" == *releasekey* ]];then
echo "releasekey"
PRIVATE_ONLINE_KEY=apkkey_unisoc_releasekey
CERTIFICATES=vendor/xxxxx/chipset_common/build/security/releasekey.x509.pem
fi
echo "*********************************************"
echo "$JAVACMD -jar $SIGN_APK_ONLINE_CMD --min-sdk-version $((out/host/linux-x86/bin/aapt dump badging $in 2>&1 | grep '^sdkVersion' || echo \"sdkVersion:'0'\") | cut -d \' -f2 | sed -e s/^.*[^0-9].*\$/$PLATFORM_SDK_VER/) $ONLINE_SERVER ${ONLINE_USERNAME} "${CERTIFICATES}" "${PRIVATE_ONLINE_KEY}" $IN_FILE $PARAM"
$JAVACMD -jar "${SIGN_APK_ONLINE_CMD}" --min-sdk-version $((out/host/linux-x86/bin/aapt dump badging "${in}" 2>&1 | grep '^sdkVersion' || echo \"sdkVersion:'0'\") | cut -d \' -f2 | sed -e s/^.*[^0-9].*\$/"${PLATFORM_SDK_VER}"/) "${ONLINE_SERVER}" "${ONLINE_USERNAME}" "${ONLINE_PASSWD}" "${CERTIFICATES}" "${PRIVATE_ONLINE_KEY}" "${IN_FILE}" "${PARAM}"
if [ -f out/target/product/s9863a1h10_go_32b/vendor/lib/modules/incrementalfs.ko ];then
echo "*********************************************"
if [ -f out/target/product/s9863a1h10_go_32b/vendor/lib/modules/incrementalfs.ko_unsigned ];then
echo "************incrementalfs.ko is exist. skipping.************"
else
cp out/target/product/s9863a1h10_go_32b/vendor/lib/modules/incrementalfs.ko out/target/product/s9863a1h10_go_32b/vendor/lib/modules/incrementalfs.ko_unsigned
rm out/target/product/s9863a1h10_go_32b/vendor/lib/modules/incrementalfs.ko
java -jar tools/signcenter/KernelSignV2.jar signcenter.pki.hixxxxx.com "${ONLINE_USERNAME}" "${ONLINE_PASSWD}" vendor/xxxxx/chipset_common/build/signkernel/longqi_kernel_os_ko_v1.x509 longqi_kernel_os_ko_v1 out/target/product/s9863a1h10_go_32b/vendor/lib/modules/incrementalfs.ko_unsigned out/target/product/s9863a1h10_go_32b/vendor/lib/modules/incrementalfs.ko
fi
fi
1.18 vendor\xxxxx\xxxxx\build\tools\signapk\sign-online.sh
#!/bin/bash
# Sign online.
# Copyright (c) xxxxx Technologies Co., Ltd. 2010-2019. All rights reserved.
BUILD_xxxxx_PATH=$(gettop)/vendor/xxxxx/xxxxx/build
percent_encode()
{
# urlencode <string>
local length="${#1}"
for (( i = 0; i < length; i++ )); do
local c="${1:i:1}"
case "$c" in
[a-zA-Z0-9.~_-]) printf "$c" ;;
*) printf '%%%02X' "'$c"
esac
done
}
account_check()
{
local onlinename
local onlinepasswd
echo "input you domain account for package certificate."
echo "accout:"
read onlinename
stty -echo
echo "passwd:"
read onlinepasswd
stty echo
onlinepasswd=$(percent_encode "$onlinepasswd")
# java -jar tools/signcenter/SignApkV2.jar \
# signcenter.pki.hixxxxx.com "${onlinename}" "${onlinepasswd}" \
# $(gettop)/vendor/xxxxx/chipset_common/build/security/testkey.x509.pem \
# apkkey_11v_testkey \
# ${BUILD_xxxxx_PATH}/tools/signapk/test.apk ~/test_signed.apk
# java -jar sign_test/SignApkV2.jar signcenter.pki.hixxxxx.com $(onlinename) $(onlinepasswd) sign_test/apkkey_unisoc_releasekey.pem apkkey_unisoc_releasekey sign_test/test.apk sign_test/signed.apk
if [ $? -ne 0 ];then
echo "Authentication failed, please check the accout and passwd inputted!"
else
export ONLINE_USERNAME="${onlinename}"
export ONLINE_PASSWD="${onlinepasswd}"
fi
# if [ -f ~/test_signed.apk ];then
# rm ~/test_signed.apk
# fi
}
if [ -z "${ONLINE_USERNAME}" ];then
account_check
fi
1.19 zprojects pre_signApk.sh
#!/bin/bash
#Add by FelixMa For app-sign-online start
if [ -r $(gettop)/vendor/xxxxx/xxxxx/build/tools/signapk/sign-apk-online.sh ]; then
echo "goto sign-apk-online including vendor/xxxxx/xxxxx/build/tools/signapk/sign-apk-online.sh"
###########################################################sprdPreBuildapk############################
sprdPrebuildApks=$(find $(gettop)/vendor/sprd/release/IDH/$TARGET_PRODUCT-$TARGET_BUILD_VARIANT*/out/target/product/s9863a1h10_go_32b/system_ext -name *.apk)
echo "the value of sprdPrebuildApks is $sprdPrebuildApks"
for IN_FILE in ${sprdPrebuildApks}
do
apkname=$(basename $IN_FILE .apk)
PRIVATE_ONLINE_KEY=apkkey_unisoc_platform
CERTIFICATES=vendor/xxxxx/chipset_common/build/security/platform.x509.pem
if [ $apkname = "SprdVoWifiConfiguration" ]; then
echo "the value of apkname is SprdVoWifiConfiguration"
OUT_FILE=$(gettop)/out/target/product/s9863a1h10_go_32b/system_ext/priv-app/SprdVoWifiConfiguration/SprdVoWifiConfiguration.apk
elif [ $apkname = "SprdVoWifiService" ]; then
echo "the value of apkname is SprdVoWifiService"
OUT_FILE=$(gettop)/out/target/product/s9863a1h10_go_32b/system_ext/priv-app/SprdVoWifiService/SprdVoWifiService.apk
elif [ $apkname = "ImsCM" ]; then
echo "the value of apkname is ImsCM"
OUT_FILE=$(gettop)/out/target/product/s9863a1h10_go_32b/system_ext/priv-app/ImsCM/ImsCM.apk
elif [ $apkname = "LinkTurbo" ]; then
echo "the value of apkname is LinkTurbo"
OUT_FILE=$(gettop)/out/target/product/s9863a1h10_go_32b/system_ext/app/LinkTurbo/LinkTurbo.apk
elif [ $apkname = "USCPhotosProvider" ]; then
echo "the value of apkname is USCPhotosProvider"
PRIVATE_ONLINE_KEY=apkkey_unisoc_media
CERTIFICATES=vendor/xxxxx/chipset_common/build/security/media.x509.pem
OUT_FILE=$(gettop)/out/target/product/s9863a1h10_go_32b/system_ext/app/USCPhotosProvider/USCPhotosProvider.apk
elif [ $apkname = "VceDaemon" ]; then
echo "the value of apkname is VceDaemon"
OUT_FILE=$(gettop)/out/target/product/s9863a1h10_go_32b/system_ext/app/VceDaemon/VceDaemon.apk
fi
DIR_NAME=$(dirname $OUT_FILE)
echo "DIR_NAME=${DIR_NAME}"
mkdir -p "${DIR_NAME}"
echo "gettop=$(gettop) ONLINE_USERNAME=${ONLINE_USERNAME} ONLINE_PASSWD=${ONLINE_PASSWD} CERTIFICATES=${CERTIFICATES} PRIVATE_ONLINE_KEY=${PRIVATE_ONLINE_KEY} IN_FILE=${IN_FILE} OUT_FILE=${OUT_FILE}"
$(gettop)/prebuilts/jdk/jdk11/linux-x86/bin/java -jar $(gettop)/tools/signcenter/SignApkV2.jar --min-sdk-version 30 signcenter.pki.hixxxxx.com "${ONLINE_USERNAME}" "${ONLINE_PASSWD}" "${CERTIFICATES}" "${PRIVATE_ONLINE_KEY}" "${IN_FILE}" "${OUT_FILE}"
echo "start copy"
cp "${OUT_FILE}" "${IN_FILE}"
echo "end copy"
done
###########################################################sprdPreBuildapk##########################
fi
#Add by FelixMa For app-sign-online end
1.20 build\make\core\Makefile
# A list of arbitrary tags describing the build configuration.
# Force ":=" so we can use +=
BUILD_VERSION_TAGS := $(BUILD_VERSION_TAGS)
ifeq ($(TARGET_BUILD_TYPE),debug)
BUILD_VERSION_TAGS += debug
endif
# The "test-keys" tag marks builds signed with the old test keys,
# which are available in the SDK. "dev-keys" marks builds signed with
# non-default dev keys (usually private keys from a vendor directory).
# Both of these tags will be removed and replaced with "release-keys"
# when the target-files is signed in a post-build step.
#Add by Felix.Ma. For app online sign. start.
ifeq ($(DEFAULT_SYSTEM_DEV_CERTIFICATE),vendor/xxxxx/chipset_common/build/security/releasekey)
BUILD_KEYS := release-keys
else ifeq ($(DEFAULT_SYSTEM_DEV_CERTIFICATE),vendor/xxxxx/chipset_common/build/security/testkey)
BUILD_KEYS := test-keys
else ifeq ($(DEFAULT_SYSTEM_DEV_CERTIFICATE),build/make/target/product/security/testkey)
BUILD_KEYS := test-keys
else ifeq ($(DEFAULT_SYSTEM_DEV_CERTIFICATE),build/target/product/security/release/releasekey)
BUILD_KEYS := release-keys
else
BUILD_KEYS := dev-keys
endif
#Add by Felix.Ma. For app online sign. end
BUILD_VERSION_TAGS += $(BUILD_KEYS)
BUILD_VERSION_TAGS := $(subst $(space),$(comma),$(sort $(BUILD_VERSION_TAGS)))
Android实现客制化系统apk在线签名相关推荐
- Android项目客制化
关键编译目录 Makefile build/core/Makefile build/core/main.mk build/core/config.mk build/core/envsetup.mk b ...
- Android如何客制化adb shell进去后显示shell@xxxx的标识
首先,找到源代码,在external/mksh/mkshrc,打开这个文件后会看到开头有如下脚本: android4.2源码内容如下: : ${TERM:=vt100} ${HOME:=/data} ...
- Android 系统序列号从哪里来,以及客制化序列号
Android 系统序列号从哪里来,以及客制化序列号 系统获取序列号过程 客制化序列号 系统获取序列号过程 Android系统的SN号,实际是从"cmdline"里面的" ...
- Android 系统(251)---sec2.0和sec2.1新增分区DA客制化步骤
sec2.0和sec2.1新增分区DA客制化步骤 在sec2.0和sec2.1中,如果客户新增分区超过两个,又不想用DA中默认的sec policy,可以按如下方法进行配置. 以MT6739为例,增加 ...
- android+动画打包命令,Android 开机动画客制化
Android开机动画总共有三个过程.第一个开机动画是在Kenel启动时显示的,第二个开机动画是在init进程启动时显示的,这两个都是静态图片.第三个动画是在系统服务启动过程中显示的,他是一个动态图片 ...
- Android 手机按键客制化详解
在Android 中会有以下5个按键(Back.Home.Menu.Power.Volume)与用户进行交互,Framework 层中实现按键功能,因此,从手机系统定制的角度,可以满足客户的客制化要求 ...
- 由I9100字体客制化apk架构说起
众所周知,I9100可以在设置--显示设置--字体风格里面改变系统字体. android的系统字体位置在system/fonts文件夹下.而I9100无需root权限.只需安装字体apk包就可以实现更 ...
- android 7.0平台客制化虚拟导航按键(隐藏NavigationBar,上滑显示NavigationBar)
如图,需求是增加一个按钮可以隐藏NavigationBar,上滑显示NavigationBar. 参考文章: Android 8.1平台客制化虚拟导航按键 Android 7.0 虚拟按键(Navig ...
- 一步步客制化Android桌面(Launcher3)图标
由于最近在负责MTK5.1的Android系统开发,所以本文就以5.1的代码为参考.其它版本虽然会略有不同,但是修改思路是大致相同的. 在市面上很多手机都会对原生桌面进行一些修改,比如把时钟.日历修改 ...
最新文章
- 第一个以自己语言描述GBDT算法
- 切换卡TabHost控件的使用
- UNIX环境高级编程——Linux终端设备详解
- LiveVideoStack线上分享第五季(五):用FFmpeg搭建基于CNN的视频分析方案
- 第5章 Python 数字图像处理(DIP) - 图像复原与重建5 - 均匀噪声
- 51Nod1469 淋漓尽致子串
- 激发你的灵感:16个精美视差效果网页设计作品
- 电机的入门之路系列5--二相四线,四相五线,四相六线电机的区分方法
- 程序员必知必会的十大排序算法
- JavaScript获取坐标
- SpringMVC扩展
- php foreach 多出一个_PHP如何实现统计数据合并
- 1.1 线性方程组(线性代数及其应用-第5版-系列笔记)
- 浅谈NFC、RFID、红外、蓝牙的区别
- 当代最值得收藏的画家作品_当代最具潜力和收藏价值的十大画家
- 档案重要吗有什么作用(转载记录避免以后麻烦)
- html类型的网页文件,文件的ContentType类型-网页设计,HTML/CSS
- 餐饮系统店家后端基础功能构建
- SYBASE 12.5 维护手册 3. 技术专刊
- 2019胡润百富榜公布:中国互联网上演: 龙虎斗 , 阿里暂时领跑 , 企鹅紧随其后 , 李彦宏,雷军掉队...