Well, as the title states, I am trying to sign my app using the platform.x509.pem and platform.pk8. The problem is that I get errors when using keytool-importkeypairs to add these, like this:
keytool-importkeypair -k ~/.android/debug.keystore -p android -pk8 platform.pk8 -cert platform.x509.pem -alias platform
And I also get an error when trying to directly sign the APK using SignApk.jar like this:
java -jar SignApk.jar platform.x509.pem platform.pk8 test-app.apk test-app-signed.apk
Keytool-importkeypairs error:
Error decrypting key
3074042056:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
3074042056:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=PKCS8_PRIV_KEY_INFO
unable to load private key
3074091208:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY
Importing "platform" with unable to load certificate
3073755336:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
keytool error: java.lang.Exception: Source keystore file exists, but is empty: /tmp/keytool-importkeypair.vDOP/p12
Sources Used: Apk with system privileges, How to sign Android app with system signature? (SO), and How to update the android dev phone 2 from 1.6 to 2.1
Neither of the methods described in the links above works now, as you can see.
Thanks in advance.
Check the format of the files first (with cat, etc.), the error suggests they are not in the expected format (ASN.1/PEM).
More importantly, using those keys rarely makes any sense. Those are just sample keys, and any self-respecting custom ROM will use its own private keys. Otherwise just about anyone can sign their APK with the public keys in AOSP and get whatever privilege they want. Which is, needless to say, a very bad thing. If you need to develop an app that uses system privileges and want it to work on all (or most) rooted phones and custom ROMs, the right way to do it is to request root access with su and execute whatever you need to do in a root shell. If the user grants you the permission, of course.
EDIT:
To debug the import error, run this step by step. It does work with the default AOSP keys.
$ openssl pkcs8 -inform DER -nocrypt -in platform.pk8 -out platform.pem
$ openssl pkcs12 -export -in platform.x509.pem -inkey platform.pem -out platform.p12 -password pass:android -name platform
$ keytool -importkeystore -deststorepass android -destkeystore test.keystore -srckeystore platform.p12 -srcstoretype PKCS12 -srcstorepass android
$ keytool -list -v -keystore test.keystore
What it does:
(openssl pkcs8)
(openssl pkcs12)
keytool can read PKCS#12 files as keystore, it imports your PKCS#12 file to effectively convert it to the native format (BKS or JKS) (keytool -importkeystore)
keytool to list the contents in order to make sure everything worked. (keytool -list)
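The format check suggested at the top of this answer, as an added example that is not part of the original answer: a small Python classifier that reports whether a file such as platform.pk8 or platform.x509.pem is PEM, unencrypted DER PKCS#8 (what `openssl pkcs8 -inform DER -nocrypt` expects), encrypted PKCS#8, a DER certificate, or something else entirely. The function names and the sample bytes are constructed for illustration.

```python
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

# The first child tags inside the outer SEQUENCE identify the structure.
SHAPES = {
    (0x02, 0x30, 0x04): "DER PKCS#8 PrivateKeyInfo (unencrypted)",
    (0x30, 0x04): "DER PKCS#8 EncryptedPrivateKeyInfo",
    (0x30, 0x30, 0x03): "DER X.509 certificate",
    (0x02, 0x02, 0x02): "DER PKCS#1 RSAPrivateKey (not PKCS#8)",
}
# Constructed skeleton of an unencrypted PKCS#8 structure (not a real key).
SAMPLE_PK8 = bytes.fromhex("3016020100300d06092a864886f70d010101050004023000")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = byte count
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length runs past end of data")
    return tag, pos, pos + length

def classify(data):
    """Describe what a key or certificate file actually contains."""
    m = PEM_RE.search(data)
    if m:
        return "PEM " + m.group(1).decode()
    if data[:1] != b"\x30":                # DER key/cert starts with SEQUENCE
        return "not PEM or DER"
    try:
        _, pos, end = read_tlv(data, 0)
        tags = []
        while pos < end and len(tags) < 3:
            tag, _, pos = read_tlv(data[:end], pos)
            tags.append(tag)
    except (ValueError, IndexError) as exc:
        return "malformed DER: %s" % exc
    return SHAPES.get(tuple(tags), "DER, unrecognised structure")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, "->", classify(open(path, "rb").read()))
```

Run it with the two file paths as arguments; a result of "not PEM or DER" for either file usually means the download saved something other than the raw key material.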