Custom signing keys for an Android system build
16lz
2021-01-23
1. Tool: make_key
Generates <name>.x509.pem (the certificate, which carries the public key) and <name>.pk8 (the private key). The two openssl calls that do the work are:
openssl req -new -x509 -sha1 -key ${two} -out $1.x509.pem \
    -days 10000 -subj "$2" &
openssl pkcs8 -in ${one} -topk8 -outform DER -out $1.pk8 -nocrypt
# development/tools/make_key
#!/bin/bash
#
# Copyright (C) 2009 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Generates a public/private key pair suitable for use in signing
# android .apks and OTA update packages.

if [ "$#" -ne 2 ]; then
  cat <<EOF
Usage: $0 <name> <subject>

Creates <name>.pk8 key and <name>.x509.pem cert.  Cert contains the
given <subject>.
EOF
  exit 2
fi

if [[ -e $1.pk8 || -e $1.x509.pem ]]; then
  echo "$1.pk8 and/or $1.x509.pem already exist; please delete them first"
  echo "if you want to replace them."
  exit 1
fi

# Use named pipes to connect get the raw RSA private key to the cert-
# and .pk8-creating programs, to avoid having the private key ever
# touch the disk.

tmpdir=$(mktemp -d)
trap 'rm -rf ${tmpdir}; echo; exit 1' EXIT INT QUIT

one=${tmpdir}/one
two=${tmpdir}/two
mknod ${one} p
mknod ${two} p
chmod 0600 ${one} ${two}

read -p "Enter password for '$1' (blank for none; password will be visible): " \
  password

# genrsa writes the private key once; tee fans it out to both named pipes.
( openssl genrsa -f4 2048 | tee ${one} > ${two} ) &

# Self-signed certificate built from the key read on the second pipe.
openssl req -new -x509 -sha1 -key ${two} -out $1.x509.pem \
  -days 10000 -subj "$2" &

# PKCS#8 DER private key built from the key read on the first pipe.
if [ "${password}" == "" ]; then
  echo "creating ${1}.pk8 with no password"
  openssl pkcs8 -in ${one} -topk8 -outform DER -out $1.pk8 -nocrypt
else
  echo "creating ${1}.pk8 with password [${password}]"
  echo $password | openssl pkcs8 -in ${one} -topk8 -outform DER -out $1.pk8 \
    -passout stdin
fi

wait
wait
2. Parameters
The fields of the -subj string are the usual X.509 distinguished-name attributes:
C            ---> Country Name (2 letter code)
ST           ---> State or Province Name (full name)
L            ---> Locality Name (eg, city)
O            ---> Organization Name (eg, company)
OU           ---> Organizational Unit Name (eg, section)
CN           ---> Common Name (eg, your name or your server's hostname)
emailAddress ---> Contact email address
development/tools/make_key testkey  '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
development/tools/make_key platform '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
development/tools/make_key shared   '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
development/tools/make_key media    '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'

The following standard test keys are currently included:

    testkey  -- a generic key for packages that do not otherwise specify a key.
    platform -- a test key for packages that are part of the core platform.
    shared   -- a test key for things that are shared in the home/contacts process.
    media    -- a test key for packages that are part of the media/download system.

These test keys are used strictly in development, and should never be assumed
to convey any sort of validity.  When $BUILD_SECURE=true, the code should not
honor these keys in any context.
3. Building with releasekey
The default certificate is defined as a variable in build/core/config.mk:
DEFAULT_SYSTEM_DEV_CERTIFICATE := build/target/product/security/releasekey
In the main makefile, the build tag is derived from that variable:
ifeq ($(DEFAULT_SYSTEM_DEV_CERTIFICATE),build/target/product/security/releasekey)
  BUILD_VERSION_TAGS += release-keys
endif
4. Checking the result
keytool
keytool -printcert -file verity.x509.pem
Owner: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
Issuer: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
Serial number: 970f983909aa8949
Valid from: Fri Nov 07 03:07:40 CST 2014 until: Tue Mar 25 03:07:40 CST 2042
Certificate fingerprints:
	 MD5:  DB:18:D3:11:F5:07:48:95:95:B5:A4:50:BB:2D:C4:95
	 SHA1: 14:A3:3C:EB:E3:E8:66:7B:40:9E:F8:14:2A:9D:56:25:9E:C8:32:8E
	 SHA256: 8A:D1:27:AB:AE:82:85:B5:82:EA:36:74:5F:22:0A:B8:FE:39:7F:FB:3B:06:8D:F1:9C:A2:2D:12:2C:7B:3B:86
Signature algorithm name: SHA1withRSA
The build tag can then be seen in build.prop:
ro.build.tags=release-keys
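The two checks in this section (build.prop tag, keytool certificate dump) are easy to automate. The following Python script is an added example, not part of the original post or of any Android tool: it parses the distinguished-name attributes from section 2 out of the `Owner:` line, extracts the fingerprints, and flags a build that is still tagged test-keys, still signed with a publicly distributed AOSP certificate, still carrying the AOSP default subject, or using a SHA-1 self-signature. The sample inputs are constructed (the certificate dump reproduces the keytool output above, with the email attribute omitted; build.prop is a two-line stub), the function names are mine, and the SHA-256 value is assumed to belong to the unmodified AOSP verity certificate because that is what the post printed it from.

```python
import re

# Constructed sample inputs: the certificate dump reproduces the keytool output
# shown in this post (email attribute omitted); build.prop is a stub.
PRINTCERT_SAMPLE = """\
Owner: CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
Issuer: CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
Serial number: 970f983909aa8949
Valid from: Fri Nov 07 03:07:40 CST 2014 until: Tue Mar 25 03:07:40 CST 2042
Certificate fingerprints:
     MD5:  DB:18:D3:11:F5:07:48:95:95:B5:A4:50:BB:2D:C4:95
     SHA1: 14:A3:3C:EB:E3:E8:66:7B:40:9E:F8:14:2A:9D:56:25:9E:C8:32:8E
     SHA256: 8A:D1:27:AB:AE:82:85:B5:82:EA:36:74:5F:22:0A:B8:FE:39:7F:FB:3B:06:8D:F1:9C:A2:2D:12:2C:7B:3B:86
Signature algorithm name: SHA1withRSA
"""
BUILD_PROP_SAMPLE = """\
# constructed stub, not a capture from a device
ro.build.type=user
ro.build.tags=release-keys
"""

# SHA-256 fingerprints of certificates that ship publicly in AOSP. Only the
# value this post printed for verity.x509.pem is listed (assumed to be the
# stock AOSP key); add testkey/platform/shared/media from your own keytool runs.
PUBLIC_AOSP_KEYS = {
    "8A:D1:27:AB:AE:82:85:B5:82:EA:36:74:5F:22:0A:B8:FE:39:7F:FB:3B:06:8D:F1:9C:A2:2D:12:2C:7B:3B:86":
        "AOSP stock verity key (build/target/product/security/verity.x509.pem)",
}

# The subject the AOSP README passes to make_key (section 2 of this post).
AOSP_DEFAULT_SUBJECT = {"CN": "Android", "OU": "Android", "O": "Android",
                        "L": "Mountain View", "ST": "California", "C": "US"}

FINGERPRINT_RE = re.compile(r"^\s*(MD5|SHA1|SHA256):\s*([0-9A-Fa-f:]+)\s*$", re.MULTILINE)


def parse_build_prop(text):
    """key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_dn(dn):
    """Split keytool's 'K=V, K=V' subject into a dict keyed by attribute type.
    Values containing a comma (escaped as '\\,' by keytool) are not handled."""
    fields = {}
    for part in dn.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields


def parse_printcert(text):
    """Pull owner, issuer, signature algorithm and fingerprints out of
    'keytool -printcert' output."""
    cert = {"fingerprints": {}}
    for line in text.splitlines():
        if line.startswith("Owner:"):
            cert["owner"] = parse_dn(line[len("Owner:"):].strip())
        elif line.startswith("Issuer:"):
            cert["issuer"] = parse_dn(line[len("Issuer:"):].strip())
        elif line.startswith("Signature algorithm name:"):
            cert["sigalg"] = line.split(":", 1)[1].strip()
    for algo, value in FINGERPRINT_RE.findall(text):
        cert["fingerprints"][algo] = value.upper()
    return cert


def audit(build_prop_text, printcert_text):
    """Return a list of human-readable findings; an empty list means the build
    is tagged release-keys and the certificate is not a stock AOSP one."""
    findings = []
    tags = parse_build_prop(build_prop_text).get("ro.build.tags")
    if tags != "release-keys":
        findings.append(f"ro.build.tags is {tags!r}, expected 'release-keys'")
    cert = parse_printcert(printcert_text)
    sha256 = cert["fingerprints"].get("SHA256")
    if sha256 in PUBLIC_AOSP_KEYS:
        findings.append(f"certificate is a public AOSP key: {PUBLIC_AOSP_KEYS[sha256]}")
    owner = cert.get("owner", {})
    if all(owner.get(k) == v for k, v in AOSP_DEFAULT_SUBJECT.items()):
        findings.append("certificate subject is the AOSP default from the README")
    # This is the self-signature on the certificate only; it says nothing about
    # the algorithm used for APK or OTA signatures made with the key.
    if cert.get("sigalg", "").upper().startswith("SHA1"):
        findings.append(f"certificate self-signature uses {cert['sigalg']}")
    return findings


if __name__ == "__main__":
    for finding in audit(BUILD_PROP_SAMPLE, PRINTCERT_SAMPLE):
        print("FINDING:", finding)
```

Run against the post's own keytool dump the script reports three findings (public AOSP key, default subject, SHA-1 self-signature), which is exactly the situation a custom-signing effort is meant to eliminate: a release-keys tag alone proves nothing if the certificate behind it is the one everybody can download.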
5. verity
dm-verity can detect that the system partition "has been" modified. For example, if the user uses a root tool to forcibly plant a su file into system and later deletes su again, that case is still detected. Once verification fails, the system will not boot normally.
./octopus-f1/fstab.sun8i
/dev/block/by-name/system /system ext4 ro,barrier=1 wait,verify
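To show what the `verify` flag in that fstab line actually enforces, here is a simplified dm-verity hash tree in Python, added as an example and not part of the original post or of Android's implementation: SHA-256 over 4096-byte blocks with a prepended salt (format version 1), leaf hashes packed 128 to a hash block and hashed again up to a single root hash. That root hash is what the verity table carries and what PRODUCT_VERITY_SIGNING_KEY signs; everything below it is checked block by block on read. The salt, the 8-block image and the function names are constructed for this example, and the on-disk verity superblock and table format are not modelled.

```python
import hashlib

BLOCK_SIZE = 4096                                   # data and hash block size
HASH_SIZE = hashlib.sha256().digest_size            # 32
HASHES_PER_BLOCK = BLOCK_SIZE // HASH_SIZE          # 128

# Constructed salt for the example; a real verity table carries its own.
SALT = hashlib.sha256(b"constructed demo salt").digest()


def hash_block(block, salt):
    """dm-verity format version 1: H(salt || block)."""
    return hashlib.sha256(salt + block).digest()


def split_blocks(data):
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def pack_level(hashes):
    """Lay one level of hashes out as zero-padded hash blocks, as on the hash device."""
    packed = b"".join(hashes)
    packed += b"\0" * (-len(packed) % BLOCK_SIZE)
    return split_blocks(packed)


def build_hash_tree(image, salt):
    """Return (root_hash, levels); levels[0] holds one leaf hash per data block,
    levels[-1] holds only the root."""
    if len(image) % BLOCK_SIZE:
        raise ValueError("image must be a whole number of blocks")
    level = [hash_block(b, salt) for b in split_blocks(image)]
    levels = [level]
    while len(level) > 1:
        level = [hash_block(b, salt) for b in pack_level(level)]
        levels.append(level)
    return level[0], levels


def verify_block(image, index, levels, root_hash, salt):
    """Check data block `index` the way the kernel does on read: hash the data,
    then hash each hash block on the path upward and compare with its parent,
    finishing at the root that the signed table pins."""
    block = image[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]
    if hash_block(block, salt) != levels[0][index]:
        return False
    for depth in range(len(levels) - 1):
        parent_index = index // HASHES_PER_BLOCK
        hash_blk = pack_level(levels[depth])[parent_index]
        if hash_block(hash_blk, salt) != levels[depth + 1][parent_index]:
            return False
        index = parent_index
    return levels[-1][0] == root_hash


def demo():
    """Constructed 8-block image: all blocks verify, a one-bit change in block 3
    is caught on that block only, and restoring the bit makes it verify again."""
    image = b"".join(bytes([i]) * BLOCK_SIZE for i in range(8))
    root, levels = build_hash_tree(image, SALT)
    ok_before = all(verify_block(image, i, levels, root, SALT) for i in range(8))

    tampered = bytearray(image)
    tampered[3 * BLOCK_SIZE + 100] ^= 0x01          # flip one bit in block 3
    results = [verify_block(bytes(tampered), i, levels, root, SALT) for i in range(8)]

    tampered[3 * BLOCK_SIZE + 100] ^= 0x01          # put it back
    ok_restored = verify_block(bytes(tampered), 3, levels, root, SALT)
    return ok_before, results, ok_restored


if __name__ == "__main__":
    print("root hash:", build_hash_tree(b"\0" * BLOCK_SIZE * 8, SALT)[0].hex())
    print(demo())
```

The check is purely per block, which is why the author's su example is still caught: planting and then deleting a file on an ext4 image rewrites directory, inode and bitmap blocks, and those blocks no longer match the hash tree even though the file itself is gone. Only a bit-identical restore of every touched block would pass, and the boot failure the post describes is the kernel refusing reads of blocks that fail this comparison.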
build/target/product/verity.mk
PRODUCT_SUPPORTS_BOOT_SIGNER := true
PRODUCT_SUPPORTS_VERITY := true

# The dev key is used to sign boot and recovery images, and the verity
# metadata table. Actual product deliverables will be re-signed by hand.
# We expect this file to exist with the suffixes ".x509.pem" and ".pk8".
PRODUCT_VERITY_SIGNING_KEY := build/target/product/security/verity

PRODUCT_PACKAGES += \
    verity_key
Generating verity_key
#!/bin/bash

TARGET_PATH=device/softwinner/common/verity/rsa_key
DM_MERGE=$TARGET_PATH/./../dm_merge
TABLE=$TARGET_PATH/table
SIGN=$TARGET_PATH/sign
RSA_KEY=$TARGET_PATH/verity_key
JAVA_TOOL=$ANDROID_HOST_OUT/framework/dumpkey.jar

# 2048-bit RSA key pair, public half exported separately.
openssl genrsa -out $TARGET_PATH/rsa_key.pair 2048
openssl rsa -in $TARGET_PATH/rsa_key.pair -pubout -out $TARGET_PATH/rsa.pk

# Self-signed certificate (SHA-256) for the key, converted to DER for dumpkey.
openssl req -new -out $TARGET_PATH/CertReq.csr -key $TARGET_PATH/rsa_key.pair -subj "/C=NC/ST=GD/L=ZH/O=W/OU=W/CN=0"
openssl x509 -req -in $TARGET_PATH/CertReq.csr -out $TARGET_PATH/Cert.pem -signkey $TARGET_PATH/rsa_key.pair -sha256
openssl x509 -in $TARGET_PATH/Cert.pem -inform PEM -out $TARGET_PATH/Cert.der -outform DER

# dumpkey emits the public key in the libmincrypt text layout; dm_merge turns
# it into the binary verity_key blob that the device's verity code consumes.
java -jar ${JAVA_TOOL} $TARGET_PATH/Cert.der > $TARGET_PATH/the_key
echo " Certificate key " > $TARGET_PATH/key_info
cat $TARGET_PATH/the_key >> $TARGET_PATH/key_info
echo "****** Dm_merge debug info ******" >> $TARGET_PATH/key_info
${DM_MERGE} -c $TARGET_PATH/the_key ${RSA_KEY} -d >> $TARGET_PATH/key_info
echo "*********************************" >> $TARGET_PATH/key_info
echo " RSA key format in android libmincrypt " >> $TARGET_PATH/key_info
cat ${RSA_KEY} >> $TARGET_PATH/key_info

# Remove the intermediates; rsa_key.pair (the private key) stays in TARGET_PATH.
rm -f $TARGET_PATH/CertReq.csr $TARGET_PATH/Cert.pem
echo "Dm-Verity Rsa key ready !"
exit 0
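The `java -jar dumpkey.jar Cert.der` step in that script is where the OpenSSL certificate becomes something libmincrypt can use: a fixed-width, little-endian modulus plus two precomputed Montgomery constants. The following Python is an added example, not the project's or AOSP's code, re-implementing that arithmetic as I understand it from DumpPublicKey.java (nwords = bits/32, n0inv = -N^-1 mod 2^32, rr = 2^(2*bits) mod N, little-endian 32-bit words, version prefix v2/v3/v4 for e=65537 or SHA-256 keys); diff its output against real dumpkey output before relying on the exact text. The modulus it runs on is a constructed odd 2048-bit integer, not an RSA key, so only the arithmetic invariants are exercised.

```python
import hashlib

B = 1 << 32    # word size used by libmincrypt


def constructed_modulus(bits=2048):
    """Deterministic odd integer of exactly `bits` bits, used only to exercise
    the arithmetic. It is NOT an RSA modulus; feed your own key's N in practice."""
    out = b""
    counter = 0
    while len(out) * 8 < bits:
        out += hashlib.sha256(b"constructed-modulus" + bytes([counter])).digest()
        counter += 1
    n = int.from_bytes(out[:bits // 8], "big")
    return n | (1 << (bits - 1)) | 1          # force top bit and oddness


def le_words(x, nwords):
    """Integer -> list of 32-bit words, least significant first."""
    return [(x >> (32 * i)) & (B - 1) for i in range(nwords)]


def mincrypt_words(n, e, sha256=False):
    """Return (version, nwords, n0inv, n_words, rr_words) for the libmincrypt
    RSAPublicKey layout. Only e=3 and e=65537 are accepted, as in dumpkey."""
    if e not in (3, 65537):
        raise ValueError("libmincrypt keys use exponent 3 or 65537")
    if n.bit_length() % 32:
        raise ValueError("modulus bit length must be a multiple of 32")
    nwords = n.bit_length() // 32
    n0inv = B - pow(n, -1, B)                  # -1 / N[0] mod 2^32 (N is odd)
    r = 1 << n.bit_length()
    rr = (r * r) % n                           # R^2 mod N for Montgomery multiplication
    version = {(3, False): 1, (65537, False): 2,
               (3, True): 3, (65537, True): 4}[(e, sha256)]
    return version, nwords, n0inv, le_words(n, nwords), le_words(rr, nwords)


def mincrypt_key_text(n, e, sha256=False):
    """Render the key the way dumpkey prints it: {nwords,0xN0INV,{n...},{rr...}},
    prefixed with 'vN ' for every version except 1."""
    version, nwords, n0inv, nw, rrw = mincrypt_words(n, e, sha256)
    body = "{%d,0x%x,{%s},{%s}}" % (nwords, n0inv,
                                    ",".join(map(str, nw)),
                                    ",".join(map(str, rrw)))
    return body if version == 1 else "v%d %s" % (version, body)


if __name__ == "__main__":
    n = constructed_modulus()
    print(mincrypt_key_text(n, 65537, sha256=True)[:80], "...")
```

The two constants are what let the device verify signatures without a bignum library: with n0inv and rr in hand, libmincrypt's modular exponentiation runs entirely in Montgomery form using 32-bit word operations, which is why the key blob has to be prepared on the host rather than parsed from the certificate at boot.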