【android12】Add system signature to third-party application APK

1. Background

When your own or a client's third-party APK needs many system permissions, it has to be placed in the system directory as a built-in system app. If it is installed without a signature made with the system's signing files, remote updates of the app fail with a signature error.

2. Environmental preparation

1. Ubuntu system (version 1804 and above recommended)

  • Install JAVA-JDK11 (you can skip it if you already have it)

    Check the JDK version first. If it is not 11, read below.

    java -version
    

    Run the following command to install JDK 11, answer Y when prompted, and wait for the installation to complete.

    sudo apt install openjdk-11-jdk
    

2. A set of Android system source code

The following files under the source root directory are needed:

 - signapk.jar (system path: /out/host/linux-x86/framework/signapk.jar)
 - libconscrypt_openjdk_jni.so (system path: /out/soong/host/linux-x86/lib64/libconscrypt_openjdk_jni.so)
 - platform.pk8 (system path: build/target/product/security)
 - platform.x509.pem (system path: build/target/product/security)

 In addition, prepare the unsigned third-party APK file:
 - Test.apk

3. Operation steps

  • Rename the libconscrypt_openjdk_jni.so file from step 2 to conscrypt_openjdk_jni-windows-x86_64.so

  • Create a new folder apk_sign in Ubuntu and put all the files listed in step 2 into it

  • Run the following command

    java -Djava.library.path=. -jar signapk.jar platform.x509.pem platform.pk8 Test.apk signed.apk
    

    This step generates a file called signed.apk, which is the APK signed with the system signature, but this is a one-off operation. The steps below go on to generate a keystore from the platform key and certificate.

  • Execute the following commands in sequence
    1. Generate the shared.priv.pem file

    openssl pkcs8 -in platform.pk8 -inform DER -outform PEM -out shared.priv.pem -nocrypt
    

    2. Generate shared.pk12 file

    openssl pkcs12 -export -in platform.x509.pem -inkey shared.priv.pem -out shared.pk12 -name bubble
    

    3. Generate the jks or keystore file

    keytool -importkeystore -deststorepass android -destkeypass  android -destkeystore bubble.jks -srckeystore shared.pk12 -srcstoretype PKCS12 -srcstorepass android -alias bubble
    

    Copy the generated bubble.jks to the app source code directory, and add the following configuration to build.gradle under the app folder

    android {
        signingConfigs {
            release {
                keyAlias 'bubble'
                keyPassword 'android'
                storePassword 'android'
                storeFile file('../keystore/bubble.jks')
            }
        }
    }

The compiled APK can be placed in the system directory and used normally.
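
The checks below are an added example, not part of the original post: before signing they confirm that platform.x509.pem and platform.pk8 are one key pair, and after step 3 that bubble.jks holds the same certificate. The function names are made up for this example; the file names, alias and password are the ones used above, and openssl and keytool are assumed to be on the PATH.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are made up here;
# file names, alias and password in the usage lines are the ones the post uses.

# PEM public key embedded in an X.509 certificate (platform.x509.pem).
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# PEM public key derived from an unencrypted PKCS#8 DER key (platform.pk8).
pk8_pubkey() { openssl pkey -inform DER -in "$1" -pubout; }

# Succeeds only if certificate $1 and private key $2 form one key pair.
# Returns 2 when either file cannot be parsed, 1 on a mismatch.
key_pair_matches() {
    cert_pub=$(cert_pubkey "$1") || return 2
    key_pub=$(pk8_pubkey "$2") || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# SHA-256 fingerprint of a PEM certificate as bare hex (no colons).
cert_sha256() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 2
    printf '%s\n' "${fp#*=}" | tr -d ':'
}

# Succeeds only if keystore $1 (password $2) holds, under alias $3,
# the same certificate as PEM file $4.
keystore_holds_cert() {
    tmp=$(mktemp) || return 2
    if ! keytool -exportcert -rfc -keystore "$1" -storepass "$2" \
            -alias "$3" > "$tmp" 2>/dev/null; then
        rm -f "$tmp"; return 2
    fi
    ks_fp=$(cert_sha256 "$tmp"); rm -f "$tmp"
    pem_fp=$(cert_sha256 "$4") || return 2
    [ -n "$ks_fp" ] && [ "$ks_fp" = "$pem_fp" ]
}

# Usage, run inside apk_sign:
#   key_pair_matches platform.x509.pem platform.pk8 || echo "key/cert mismatch"
#   keystore_holds_cert bubble.jks android bubble platform.x509.pem \
#       || echo "keystore does not hold the platform certificate"
```

bubble.jks and shared.priv.pem contain the platform private key, so anyone holding them with the password can produce APKs that the device accepts as platform-signed; store them accordingly and keep them out of the app's version control.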

4. Error messages

  • No openssl environment
Exception in thread "main" java.lang.ExceptionInInitializerError
        at org.conscrypt.OpenSSLBIOInputStream.<init>(OpenSSLBIOInputStream.java:34)
        at org.conscrypt.OpenSSLX509Certificate.fromX509PemInputStream(OpenSSLX509Certificate.java:119)
        at org.conscrypt.OpenSSLX509CertificateFactory$1.fromX509PemInputStream(OpenSSLX509CertificateFactory.java:220)
        at org.conscrypt.OpenSSLX509CertificateFactory$1.fromX509PemInputStream(OpenSSLX509CertificateFactory.java:216)
        at org.conscrypt.OpenSSLX509CertificateFactory$Parser.generateItem(OpenSSLX509CertificateFactory.java:94)
        at org.conscrypt.OpenSSLX509CertificateFactory.engineGenerateCertificate(OpenSSLX509CertificateFactory.java:272)
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
        at com.android.signapk.SignApk.readPublicKey(SignApk.java:184)
        at com.android.signapk.SignApk.main(SignApk.java:1007)
Caused by: java.lang.IllegalArgumentException: Failed to load any of the given libraries: [conscrypt_openjdk_jni-linux-x86_64, conscrypt_openjdk_jni-linux-x86_64-fedora, conscrypt_openjdk_jni]
        at org.conscrypt.NativeLibraryLoader.loadFirstAvailable(NativeLibraryLoader.java:160)
        at org.conscrypt.NativeCryptoJni.init(NativeCryptoJni.java:49)
        at org.conscrypt.NativeCrypto.<clinit>(NativeCrypto.java:53)

  • The JDK version is wrong; upgrade to 1.8+ (11 is recommended)
Error: A JNI error has occurred, please check your installation and try again
Exception in thread "main" java.lang.UnsupportedClassVersionError: 
com/android/signapk/SignApk has been 
compiled by a more recent version of the Java Runtime (class file version 53.0), 
this version of the Java Runtime only recognizes class file versions up to 52.0


  • The conscrypt_openjdk_jni-windows-x86_64.so file is missing (the system file libconscrypt_openjdk_jni.so was renamed)
Exception in thread "main" java.lang.UnsatisfiedLinkError:
 no conscrypt_openjdk_jni-linux-x86_64 in java.library.path: 
 [/usr/java/packages/lib, /usr/lib/x86_64-linux-gnu/jni, /lib/x86_64-linux-gnu, /usr/lib/x86_64-linux-gnu, /usr/lib/jni, /lib, /usr/lib]



Origin blog.csdn.net/qq_42071369/article/details/131666399