SoFunction
Updated on 2025-04-07

Implementation of converting Android signature files into pk8 and pem

Android Signature Tool

Commonly used Android signing tools include jarsigner and apksigner. jarsigner uses a keystore file; apksigner uses pk8+.

What are .pem and .pk8 files

.pem

When Android signs an APK, the .pem file is an X.509 digital certificate that carries the user's public key and other information and is used for decryption, that is, to verify the signature. The PEM format can store not only digital certificates but also various kinds of keys.

.pk8

Files with the .pk8 extension correspond to PKCS #8 and are used to store private keys.

Convert keystore file to pk8+pem

1. Convert keystore file to pkcs12 format

keytool -importkeystore -srckeystore -destkeystore tmp.p12 -srcstoretype JKS -deststoretype PKCS12

2. Dump PKCS12 into pem

openssl pkcs12 -in tmp.p12 -nodes -out

The output is in a text format that can be viewed directly.

Open it in a text editor and you will see the private key (PRIVATE KEY) and the certificate (CERTIFICATE).

Copy the text from "BEGIN CERTIFICATE" to "END CERTIFICATE" into a new file, cert.

Copy “BEGIN RSA PRIVATE KEY” “END RSA PRIVATE KEY” to (similar to)

The cert. file is the final certificate file we need.

3. Generate a private key in pk8 format

openssl pkcs8 -topk8 -outform DER -in -inform PEM -out private.pk8 -nocrypt
cert. private.pk8

That is the final file we need.

*Remark:
The -nocrypt parameter controls key encryption. If it is set, the private key is written unencrypted, and later signing needs only the certificate + key with no password. If encryption is required, the command should be
openssl pkcs8 -topk8 -outform DER -in -inform PEM -out private.pk8
Then enter your password.*

4. Usage

java -jar cert. private.pk8

How to use jarsigner

jarsigner -verbose -keystore -signedjar android_signed.apk

Using this command produces an error: the certificate chain cannot be found. ×× must refer to a valid keystore key entry containing the private key and the corresponding public key certificate chain.

jarsigner -verbose -keystore -signedjar "Alias"

Supplementary knowledge: Android creates its own pk8 and signs the app

1. Generate key

Command: keytool -genkey -v -keystore -alias gundam_wing -keyalg RSA -validity 20000
Console output:
Enter the keystore password:
Enter the new password again:
What is your first and last name?
[Unknown]: TechStone
What is your organizational unit name?
[Unknown]: Gundam
What is your organization name?
[Unknown]: Gundam
What is the name of your city or region?
[Unknown]: Shanghai
What is the name of your province/city/autonomous region?
[Unknown]: Shanghai
What is the two-letter country code for this unit?
[Unknown]: zh
Is CN=TechStone, OU=Gundam, O=Gundam, L=Shanghai, ST=Shanghai, C=zh correct?
[No]: Y

A 2,048-bit RSA key pair and a self-signed certificate (SHA256withRSA) are being generated for the following objects (valid for 20,000 days):
CN=TechStone, OU=Gundam, O=Gundam, L=Shanghai, ST=Shanghai, C=zh
Enter the key password for <gundam_wing>
(If the password is the same as the keystore, press Enter):
[Storing]

This command will generate a key with organization/personal information and store it in a file

2. Convert key format

Command:

keytool -importkeystore -srckeystore -destkeystore tmp.p12 -srcstoretype JKS -deststoretype PKCS12

The console will prompt for the source keystore password and the password for tmp.p12. Once they are entered correctly, the tmp.p12 file is generated.

3. Dump the key in PKCS12 format into directly readable text

Command:

openssl pkcs12 -in tmp.p12 -nodes -out

During the dump you will also be prompted for the password. Once it is entered correctly, the readable token will be stored in

4. Extract

Open it with a text editor and copy the text from
-----BEGIN PRIVATE KEY-----
to
-----END PRIVATE KEY-----

(including these two markers) into a new file, my_private.

Then copy the text from
-----BEGIN CERTIFICATE-----
to
-----END CERTIFICATE-----

(including these two markers) into a new file, my. (the public key used when signing).

5. Convert, generate a private key in pk8 format

openssl pkcs8 -topk8 -outform DER -in my_private. -inform PEM -out my_private.pk8 -nocrypt

The generated my_private.pk8 is the private key used when signing.

6. Sign the apk

java -jar my. my_private.pk8 my_signed.apk
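
The manual copy in step 4 (and the matching copy step in the first procedure) can be scripted. The following is an added example, not part of the original article: the function names and the output names key.pem and cert.pem are assumptions, and it expects a dump produced with -nodes from a keystore holding a single self-signed signing key.

```shell
#!/bin/sh
# Added example: split an `openssl pkcs12 -nodes` dump into one private-key
# file and one certificate file. key.pem / cert.pem are assumed names.
# usage: split_pem_dump <dump file> <output directory>

# count_blocks FILE LABEL_REGEX: number of BEGIN markers with that label
count_blocks() {
    awk -v re="^-----BEGIN ($2)-----\$" '$0 ~ re { n++ } END { print n + 0 }' "$1"
}

# extract_block FILE LABEL_REGEX: print the first matching PEM block, markers
# included; "Bag Attributes" and subject/issuer lines outside it are dropped
extract_block() {
    awk -v b="^-----BEGIN ($2)-----\$" -v e="^-----END ($2)-----\$" '
        !on && $0 ~ b { on = 1 }
        on            { print }
        on && $0 ~ e  { exit }
    ' "$1"
}

split_pem_dump() {
    dump=$1
    out=$2
    # Matches both "PRIVATE KEY" and "RSA PRIVATE KEY"; an
    # "ENCRYPTED PRIVATE KEY" block does not match and is rejected below.
    keys=$(count_blocks "$dump" '(RSA )?PRIVATE KEY')
    certs=$(count_blocks "$dump" 'CERTIFICATE')
    # A keystore with several aliases or a chain dumps several blocks:
    # refuse to guess which one is the signing key or certificate.
    [ "$keys" -eq 1 ] || { echo "expected 1 private key, found $keys" >&2; return 1; }
    [ "$certs" -eq 1 ] || { echo "expected 1 certificate, found $certs" >&2; return 1; }
    (
        umask 077   # the dumped key is unencrypted, so keep files owner-only
        extract_block "$dump" '(RSA )?PRIVATE KEY' > "$out/key.pem" &&
        extract_block "$dump" 'CERTIFICATE' > "$out/cert.pem"
    )
}
```

The dump itself and the extracted key are plaintext key material, so delete them (and tmp.p12) once the pk8 file has been generated.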
