1. Background
Your own or your client's third-party APK requires many system permissions, so it has to be built into the system directory as a built-in system app. If it is installed without a signature generated from the system's signing files, remote updates of the app will fail with a signature error.
2. Environmental preparation
1. Ubuntu system (version 18.04 and above recommended)
- Install Java JDK 11 (you can skip this if you already have it)
Check the JDK version first. If it is not 11, continue below.
java -version
Run the following command to install JDK 11, answer Y when prompted, and wait for the installation to complete.
sudo apt install openjdk-11-jdk
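2. A set of Android system source code
The following files from the source tree root are needed:
- signapk.jar (system path: /out/host/linux-x86/framework/signapk.jar)
- libconscrypt_openjdk_jni.so (system path: /out/soong/host/linux-x86/lib64/libconscrypt_openjdk_jni.so)
- platform.pk8 (system path: build/target/product/security)
- platform.x509.pem (system path: build/target/product/security)
The key pair has to be the one the target device's system image was signed with; a stock AOSP tree ships publicly known test keys at this path.
You also need the unsigned third-party APK file:
- Test.apk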
3. Operation steps
- Rename the libconscrypt_openjdk_jni.so file from step 2 to conscrypt_openjdk_jni-windows-x86_64.so
- Create a new folder apk_sign in Ubuntu and put all the files listed in step 2 into it
- Run the signing command
java -Djava.library.path=. -jar signapk.jar platform.x509.pem platform.pk8 Test.apk signed.apk
This step generates a file called signed.apk, which is the APK signed with the system key, but it only covers this one APK. The following steps generate a certificate (keystore) that the app build can sign with directly.
- Execute the following commands in sequence
1. Generate the shared.priv.pem file
openssl pkcs8 -in platform.pk8 -inform DER -outform PEM -out shared.priv.pem -nocrypt
2. Generate the shared.pk12 file
openssl pkcs12 -export -in platform.x509.pem -inkey shared.priv.pem -out shared.pk12 -name bubble
3. Generate the jks (keystore) file
keytool -importkeystore -deststorepass android -destkeypass android -destkeystore bubble.jks -srckeystore shared.pk12 -srcstoretype PKCS12 -srcstorepass android -alias bubble
Copy the generated bubble.jks to the app source code directory, and add the following configuration to build.gradle under the app folder:
android {
    signingConfigs {
        release {
            // Alias and passwords must match the values given to keytool above
            keyAlias 'bubble'
            keyPassword 'android'
            storePassword 'android'
            storeFile file('../keystore/bubble.jks')
        }
    }
}
The compiled APK can be placed in the system directory and used normally.
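The key handling in steps 1 and 2 above, as an added shell example that is not part of the original page: it first checks that platform.pk8 and platform.x509.pem are a matching pair, then builds shared.pk12 and confirms it carries the same certificate. The function names and the make_standin helper are hypothetical, and the export password is passed as android because the keytool step reads the bundle with -srcstorepass android.

```sh
#!/bin/sh
# Added example. make_standin creates throwaway (constructed) keys, not the AOSP platform key.

# Public key (PEM) derived from an unencrypted PKCS#8 DER key such as platform.pk8.
pk8_pubkey() { openssl pkey -inform DER -in "$1" -pubout 2>/dev/null; }
# Public key (PEM) embedded in a PEM certificate such as platform.x509.pem.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Succeeds only when the private key and the certificate belong together.
key_matches_cert() {
    k=$(pk8_pubkey "$1") || return 2
    c=$(cert_pubkey "$2") || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# SHA-256 fingerprint of the first PEM certificate on stdin.
cert_fp() { openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2; }

# Steps 1 and 2 of the page without prompts, then confirm that the PKCS#12
# bundle holds the same certificate that was passed to signapk.jar.
build_and_check_p12() {  # args: key.pk8 cert.x509.pem out.pk12
    key_matches_cert "$1" "$2" || return 1
    tmp=$(mktemp) || return 2      # created with mode 0600
    rc=0
    { openssl pkcs8 -in "$1" -inform DER -outform PEM -out "$tmp" -nocrypt &&
      openssl pkcs12 -export -in "$2" -inkey "$tmp" -out "$3" \
          -name bubble -passout pass:android; } || rc=$?
    rm -f "$tmp"                   # do not leave the PEM private key behind
    [ "$rc" -eq 0 ] || return 2
    want=$(cert_fp < "$2")
    got=$(openssl pkcs12 -in "$3" -nokeys -passin pass:android 2>/dev/null | cert_fp)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Constructed stand-in pair: $1/$2.pk8 and $1/$2.x509.pem.
make_standin() {  # args: dir name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key.pem" -out "$1/$2.x509.pem" 2>/dev/null &&
    openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER \
        -in "$1/$2.key.pem" -out "$1/$2.pk8"
}

# Demo on constructed keys: sh check_platform_key.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_standin "$d" demo &&
    build_and_check_p12 "$d/demo.pk8" "$d/demo.x509.pem" "$d/shared.pk12" &&
    echo "key, certificate and shared.pk12 agree"
    rm -rf "$d"
fi
```

With the real files, call `build_and_check_p12 platform.pk8 platform.x509.pem shared.pk12` inside apk_sign before running the keytool step.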
4. Error messages
- No openssl environment
Exception in thread "main" java.lang.ExceptionInInitializerError
at org.conscrypt.OpenSSLBIOInputStream.<init>(OpenSSLBIOInputStream.java:34)
at org.conscrypt.OpenSSLX509Certificate.fromX509PemInputStream(OpenSSLX509Certificate.java:119)
at org.conscrypt.OpenSSLX509CertificateFactory$1.fromX509PemInputStream(OpenSSLX509CertificateFactory.java:220)
at org.conscrypt.OpenSSLX509CertificateFactory$1.fromX509PemInputStream(OpenSSLX509CertificateFactory.java:216)
at org.conscrypt.OpenSSLX509CertificateFactory$Parser.generateItem(OpenSSLX509CertificateFactory.java:94)
at org.conscrypt.OpenSSLX509CertificateFactory.engineGenerateCertificate(OpenSSLX509CertificateFactory.java:272)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
at com.android.signapk.SignApk.readPublicKey(SignApk.java:184)
at com.android.signapk.SignApk.main(SignApk.java:1007)
Caused by: java.lang.IllegalArgumentException: Failed to load any of the given libraries: [conscrypt_openjdk_jni-linux-x86_64, conscrypt_openjdk_jni-linux-x86_64-fedora, conscrypt_openjdk_jni]
at org.conscrypt.NativeLibraryLoader.loadFirstAvailable(NativeLibraryLoader.java:160)
at org.conscrypt.NativeCryptoJni.init(NativeCryptoJni.java:49)
at org.conscrypt.NativeCrypto.<clinit>(NativeCrypto.java:53)
- The JDK version is wrong; upgrade to 1.8+ (11 is recommended)
Error: A JNI error has occurred, please check your installation and try again
Exception in thread "main" java.lang.UnsupportedClassVersionError: com/android/signapk/SignApk has been compiled by a more recent version of the Java Runtime (class file version 53.0), this version of the Java Runtime only recognizes class file versions up to 52.0
- The conscrypt_openjdk_jni-windows-x86_64.so file is missing (the system file libconscrypt_openjdk_jni.so was renamed)
Exception in thread "main" java.lang.UnsatisfiedLinkError: no conscrypt_openjdk_jni-linux-x86_64 in java.library.path: [/usr/java/packages/lib, /usr/lib/x86_64-linux-gnu/jni, /lib/x86_64-linux-gnu, /usr/lib/x86_64-linux-gnu, /usr/lib/jni, /lib, /usr/lib]