Android中,一般来说有两个地方使用加密签名。

1.每个.apk文件必须进行签名。Android的程序包管理器通过两种方式使用签名:

  •     当一个应用程序被替换时,只有相同签名的应用才能操作旧版本的数据。
  • User ID和用户数据。

2.OTA更新包必须进行签名否则更新程序无法进行安装。(注!我们制作更新包的时候如果不指定key,系统会指定默认的key进行签名,如testkey。)

 

证书和秘钥

.x509.pem的证书(公钥)和扩展名为.pk8私钥。私钥是用来对包进行签名的,不可公开,而且有必要使用一定策略的密码进行保护,仅仅是让最终发布版本的人知道密码即可。而证书(公钥)相对来说要求并没有那么严格,它通常被用来验证一个包是否进行过密钥签名。

Android通常使用下面4个秘钥,它们位于build/target/product/security目录下:

testkey

testkey进行签名。

platform

    平台使用的测试秘钥

shared

    联系人等共享测试秘钥

media

    部分多媒体、下载系统等程序包所使用的测试秘钥

 

.mk文件中通过设置LOCAL_CERTIFICATE来为我们的安装包指定秘钥(如果没有指定有效的key,系统会默认使用testkey)。

Device/yoyodyne/apps/SpecialApp/Android.mk
[...]
 LOCAL_CERTIFICATE := device/yoyodyne/security/special

device/yoyodyne/security/special.{.509.pem,pk8}来为我们的应用进行签名。编译系统只能是用没有密码保护的私钥。

 

生成秘钥

openssl工具来生成我们的秘钥(公钥和私钥),openssl工具下载地址:http://www.openssl.org/

 

# generate RSA key
% openssl genrsa -3 -out temp.pem 2048
Generating RSA private key, 2048 bit long modulus
....+++
.....................+++
 e is 3 (0x3)
# create a certificate with the public part of the key
% openssl req -new -x509 -key temp.pem -out releasekey.x509.pem \
   -days 10000 \
   -subj '/C=US/ST=California/L=San Narciso/O=Yoyodyne, Inc./OU=Yoyodyne Mobility/CN=Yoyodyne/emailAddress=yoyodyne@example.com'
# create a PKCS#8-formatted version of the private key
% openssl pkcs8 -in temp.pem -topk8 -outform DER -out releasekey.pk8 -nocrypt
# securely delete the temp.pem file
% shred --remove temp.pem

的pkcs8命令会生成一个没有密码保护的.pk8文件,这种方式适用于编译系统。如果想生成一个带有密码保护的.pk8文件,我们可以使用-passout stdin参数代替nocrypt参数即可。具体可参考http://www.openssl.org/docs/apps/openssl.html#PASS_PHRASE_ARGUMENTS。

签名APP

sign_target_files_apks脚本来对.apk文件进行签名。当我们运行该脚本时,我们需要在命令行中使用”-k src_key=dest_key来指定相应的key。我们也可以使用-d dir来制定一个目录用来替换编译系统所使用的build/target/product/security目录,这就相当于下面这种用法:



 
 
1. build/target/product/security/testkey  = dir/releasekey  
2. build/target/product/security/platform = dir/platform  
3. build/target/product/security/shared   = dir/shared  
4. build/target/product/security/media    = dir/media

tardis项目中,使用了5个具有密码保护的秘钥:4个用来替换build/target/product/security,一个用来替换上面提到的keydevice/yoyodyne/security/special,如下:


 
 
1. vendor/yoyodyne/security/tardis/releasekey.x509.pem  
2. vendor/yoyodyne/security/tardis/releasekey.pk8  
3. vendor/yoyodyne/security/tardis/platform.x509.pem  
4. vendor/yoyodyne/security/tardis/platform.pk8  
5. vendor/yoyodyne/security/tardis/shared.x509.pem  
6. vendor/yoyodyne/security/tardis/shared.pk8  
7. vendor/yoyodyne/security/tardis/media.x509.pem  
8. vendor/yoyodyne/security/tardis/media.pk8  
9. vendor/yoyodyne/security/special.x509.pem  
10. vendor/yoyodyne/security/special.pk8           # NOT password protected  
11. vendor/yoyodyne/security/special-release.x509.pem  
12. vendor/yoyodyne/security/special-release.pk8   # password protected

然后我们可以像下面的例子中描述的一样对所有的应用进行签名:


1. % ./build/tools/releasetools/sign_target_files_apks \  
2.     -d vendor/yoyodyne/security/tardis \  
3.     -k vendor/yoyodyne/special=vendor/yoyodyne/special-release \  
4.     -o \    # explained in the next section  
5.     tardis-target_files.zip signed-tardis-target_files.zip  
6. Enter password for vendor/yoyodyne/security/special-release key>  
7. Enter password for vendor/yoyodyne/security/tardis/media key>  
8. Enter password for vendor/yoyodyne/security/tardis/platform key>  
9. Enter password for vendor/yoyodyne/security/tardis/releasekey key>  
10. Enter password for vendor/yoyodyne/security/tardis/shared key>  
11.     signing: Phone.apk (vendor/yoyodyne/security/tardis/platform)  
12.     signing: Camera.apk (vendor/yoyodyne/security/tardis/media)  
13.     signing: Special.apk (vendor/yoyodyne/security/special-release)  
14.     signing: Email.apk (vendor/yoyodyne/security/tardis/releasekey)  
15.         [...]  
16.     signing: ContactsProvider.apk (vendor/yoyodyne/security/tardis/shared)  
17.     signing: Launcher.apk (vendor/yoyodyne/security/tardis/shared)  
18. rewriting SYSTEM/build.prop:  
19.   replace:  ro.build.description=tardis-user Eclair ERC91 15449 test-keys  
20.      with:  ro.build.description=tardis-user Eclair ERC91 15449 release-keys  
21.   replace: ro.build.fingerprint=generic/tardis/tardis/tardis:Eclair/ERC91/15449:user/test-keys  
22.      with: ro.build.fingerprint=generic/tardis/tardis/tardis:Eclair/ERC91/15449:user/release-keys  
23.     signing: framework-res.apk (vendor/yoyodyne/security/tardis/platform)  
24. rewriting RECOVERY/RAMDISK/default.prop:  
25.   replace:  ro.build.description=tardis-user Eclair ERC91 15449 test-keys  
26.      with:  ro.build.description=tardis-user Eclair ERC91 15449 release-keys  
27.   replace: ro.build.fingerprint=generic/tardis/tardis/tardis:Eclair/ERC91/15449:user/test-keys  
28.      with: ro.build.fingerprint=generic/tardis/tardis/tardis:Eclair/ERC91/15449:user/release-keys  
29. using:  
30.     vendor/yoyodyne/security/tardis/releasekey.x509.pem  
31. for OTA package verification  
32. done.



签名OTA包

OTA包的流程主要有下面这些:

build时所要使用的签名文件

ota包进行签名

具体命令如下:

1. % ./build/tools/releasetools/ota_from_target_files \  
2.     -k vendor/yoyodyne/security/tardis/releasekey \  
3.     signed-tardis-target_files.zip \  
4.     signed-ota_update.zip  
5. unzipping target target-files...  
6. (using device-specific extensions from target_files)  
7. Enter password for vendor/yoyodyne/security/tardis/releasekey key>  
8. done.

签名与侧面安装机制

recovery会对更新包的签名进行验证,它会验证OTA包签名的私钥是否和recovery分区存放的公钥相符。

android系统使用Android API中的RecoverySystem.verifyPackage()方法进行验证,一种是recovery系统的验证。RecoverySystem API会检查存储在Android系统中的公钥是否与/system/etc/security/otacerts.zip(默认情况下)。而recovery 系统会验证存储在recovery 分区中的/res/keys中存储的公钥。

key进行校验,通过下面的配置。

vendor/yoyodyne/tardis/products/


1. [...]  
2. PRODUCT_EXTRA_RECOVERY_KEYS := vendor/yoyodyne/security/tardis/sideload