前言全局说明
一、说明
1.1 环境:
Android
1.2 简介
在Android系统中,每个APK文件必须有一个有效的数字证书来证明其来源和完整性。当需要修改APK后再次发布时,原有的签名将不再有效,因此需要重新签名。
二、证书工具
2.1 路径:
android/build/tools/releasetools/sign_target_files_apks
sign_target_files_apks 是个软链接,实际指向同目录的 sign_target_files_apks.py 文件
2.2 帮助命令
./sign_target_files_apks
或
./sign_target_files_apks --help
2.2 帮助常用内容
更详细内容请查看本页最下面 - 另:帮助详细内容
verify
--print-certs #打印证书信息
-v, --verbose 显示详情(显示是否使用V1和V2签名)
三、sign_target_files_apks 工具使用
3.1 打印 apk 签名信息
./apksigner verify --print-certs <apk-name.apk>
3.2 打印 apk 用了哪个版本签名
行结尾为 true 的,是使用的签名
./apksigner verify --verbose <apk-name.apk>
下图显示用了 V3 版签名
如果只使用v1签名方案,那么它就容易受到安卓5.0-8.0上的Janus漏洞(CVE-2017-13156)的攻击。
在安卓5.0-7.0上运行的使用了v1签名方案的应用程序,以及同时使用了v2/v3签名方案的应用程序也同样存在漏洞。
四、
4.1
4.2
另:帮助详细内容
Signs all the APK files in a target-files zipfile, producing a new
target-files zip.
Usage: sign_target_files_apks [flags] input_target_files output_target_files
-e (--extra_apks) <name,name,...=key>
Add extra APK/APEX name/key pairs as though they appeared in apkcerts.txt
or apexkeys.txt (so mappings specified by -k and -d are applied). Keys
specified in -e override any value for that app contained in the
apkcerts.txt file, or the container key for an APEX. Option may be
repeated to give multiple extra packages.
--extra_apex_payload_key <name=key>
Add a mapping for APEX package name to payload signing key, which will
override the default payload signing key in apexkeys.txt. Note that the
container key should be overridden via the `--extra_apks` flag above.
Option may be repeated for multiple APEXes.
--skip_apks_with_path_prefix <prefix>
Skip signing an APK if it has the matching prefix in its path. The prefix
should be matching the entry name, which has partition names in upper
case, e.g. "VENDOR/app/", or "SYSTEM_OTHER/preloads/". Option may be
repeated to give multiple prefixes.
-k (--key_mapping) <src_key=dest_key>
Add a mapping from the key name as specified in apkcerts.txt (the
src_key) to the real key you wish to sign the package with
(dest_key). Option may be repeated to give multiple key
mappings.
-d (--default_key_mappings) <dir>
Set up the following key mappings:
$devkey/devkey ==> $dir/releasekey
$devkey/testkey ==> $dir/releasekey
$devkey/media ==> $dir/media
$devkey/shared ==> $dir/shared
$devkey/platform ==> $dir/platform
where $devkey is the directory part of the value of
default_system_dev_certificate from the input target-files's
META/misc_info.txt. (Defaulting to "build/make/target/product/security"
if the value is not present in misc_info.
-d and -k options are added to the set of mappings in the order
in which they appear on the command line.
-o (--replace_ota_keys)
Replace the certificate (public key) used by OTA package verification
with the ones specified in the input target_files zip (in the
META/otakeys.txt file). Key remapping (-k and -d) is performed on the
keys. For A/B devices, the payload verification key will be replaced
as well. If there're multiple OTA keys, only the first one will be used
for payload verification.
-t (--tag_changes) <+tag>,<-tag>,...
Comma-separated list of changes to make to the set of tags (in
the last component of the build fingerprint). Prefix each with
'+' or '-' to indicate whether that tag should be added or
removed. Changes are processed in the order they appear.
Default value is "-test-keys,-dev-keys,+release-keys".
--replace_verity_private_key <key>
Replace the private key used for verity signing. It expects a filename
WITHOUT the extension (e.g. verity_key).
--replace_verity_public_key <key>
Replace the certificate (public key) used for verity verification. The
key file replaces the one at BOOT/RAMDISK/verity_key (or ROOT/verity_key
for devices using system_root_image). It expects the key filename WITH
the extension (e.g. verity_key.pub).
--replace_verity_keyid <path_to_X509_PEM_cert_file>
Replace the veritykeyid in BOOT/cmdline of input_target_file_zip
with keyid of the cert pointed by <path_to_X509_PEM_cert_file>.
--remove_avb_public_keys <key1>,<key2>,...
Remove AVB public keys from the first-stage ramdisk. The key file to
remove is located at either of the following dirs:
- BOOT/RAMDISK/avb/ or
- BOOT/RAMDISK/first_stage_ramdisk/avb/
The second dir will be used for lookup if BOARD_USES_RECOVERY_AS_BOOT is
set to true.
--avb_{boot,init_boot,recovery,system,system_other,vendor,dtbo,vbmeta,
vbmeta_system,vbmeta_vendor}_algorithm <algorithm>
--avb_{boot,init_boot,recovery,system,system_other,vendor,dtbo,vbmeta,
vbmeta_system,vbmeta_vendor}_key <key>
Use the specified algorithm (e.g. SHA256_RSA4096) and the key to AVB-sign
the specified image. Otherwise it uses the existing values in info dict.
--avb_{apex,init_boot,boot,recovery,system,system_other,vendor,dtbo,vbmeta,
vbmeta_system,vbmeta_vendor}_extra_args <args>
Specify any additional args that are needed to AVB-sign the image
(e.g. "--signing_helper /path/to/helper"). The args will be appended to
the existing ones in info dict.
--avb_extra_custom_image_key <partition=key>
--avb_extra_custom_image_algorithm <partition=algorithm>
Use the specified algorithm (e.g. SHA256_RSA4096) and the key to AVB-sign
the specified custom images mounted on the partition. Otherwise it uses
the existing values in info dict.
--avb_extra_custom_image_extra_args <partition=extra_args>
Specify any additional args that are needed to AVB-sign the custom images
mounted on the partition (e.g. "--signing_helper /path/to/helper"). The
args will be appended to the existing ones in info dict.
--gki_signing_algorithm <algorithm>
--gki_signing_key <key>
Use the specified algorithm (e.g. SHA256_RSA4096) and the key to generate
'boot signature' in a v4 boot.img. Otherwise it uses the existing values
in info dict.
--gki_signing_extra_args <args>
Specify any additional args that are needed to generate 'boot signature'
(e.g. --prop foo:bar). The args will be appended to the existing ones
in info dict.
--android_jar_path <path>
Path to the android.jar to repack the apex file.
--allow_gsi_debug_sepolicy
Allow the existence of the file 'userdebug_plat_sepolicy.cil' under
(/system/system_ext|/system_ext)/etc/selinux.
If not set, error out when the file exists.
Global options
-p (--path) <dir>
Prepend <dir>/bin to the list of places to search for binaries run by this
script, and expect to find jars in <dir>/framework.
-s (--device_specific) <file>
Path to the Python module containing device-specific releasetools code.
-x (--extra) <key=value>
Add a key/value pair to the 'extras' dict, which device-specific extension
code may look at.
-v (--verbose)
Show command lines being executed.
-h (--help)
Display this usage message and exit.
--logfile <file>
Put verbose logs to specified file (regardless of --verbose option.)
免责声明:本号所涉及内容仅供安全研究与教学使用,如出现其他风险,后果自负。
参考、来源:
https://www.jianshu.com/p/bb5325760506 (AOSP系统签名的生成以及替换、自签名、创建证书)
https://blog.csdn.net/gitblog_00079/article/details/137450852
https://www.cnblogs.com/3clove/p/16949939.html
https://blog.csdn.net/qq_53003652/article/details/134186457 (证书攻击)
https://blog.csdn.net/mozushixin_1/article/details/144430804 (参数详细说明)
https://blog.csdn.net/yzyeilin/article/details/139968840 (问题分析)
https://source.android.google.cn/docs/core/ota/sign_builds?hl=zh-cn (对要发布的 build 进行签名)
https://magesfc.github.io/mage/6b05d90d3608239b75a55f283f5a45cc588cb157/ (sign_target_files_apks脚本执行过程分析)