I want to use certificate file in the build server to sign Android aab. So I need to sign Android aab without using keystore or jks file. For this I create a pem and pk8 files with these commands :
openssl genrsa -out key.pem 1024
openssl req -new -key key.pem -out request.pem
openssl x509 -req -days 9999 -in request.pem -signkey key.pem -out certificate.pem
openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out key.pk8 -nocrypt
There are some commands for apk signing like
java -jar SignApk.jar testkey.x509.pem testkey.pk8 my.apk my.s.apk
apksigner sign --key .pk8 --cert .x509.pem file.apk
But I could not find a way for aab file. After that I will upload signed aab file to play store. How can I do that ?
Related
With OpenSSL I created a certificate using the following.
openssl req -x509 -newkey rsa:4096 -keyout myKey.pem -out cert.pem -days 365 -nodes
=> Hitting enter on all prompts
openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in cert.pem -name "alias" -passout pass:123
=>Transferring keyStore.p12 and cert.pem to my android device (S10+)
=>Checked in cert.pem in settings
Then I tried to check In keyStore.p12: android settings > Biometrics and Security > Other Security Settings > Install from device storage > VPN and app user certificate > typed in the password “123”
Android returns “Invalid Password” but I know the password is correct (double checked it on my windows machine)
I've already tried to leave the password blank, restarted my phone and computer, generated a new certificate and verified the password multiple times etc.
I´m really at a loss here. thanks for any help in advance!
Found the answer on accident.
I installed "Win64 OpenSSL v1.1.1n" and created the certificate wth that version instead of "Win64 OpenSSL v3.0.2", which resolved the problem
Try adding the option -legacy to openssl pkcs12.
I have a running Android application that implements Certificate Pinning with a SHA256 Pin. I use the https://www.ssllabs.com/ssltest tool to obtain that pin.
The current server certificate is about to expire, and a new certificate will be applied to the server. I need to generate the SHA256 Pin for the new certificate before it is applied to the server so that I can add it to the application and introduce it in an update.
I have the new certificate .crt file. Any idea how to generate the SHA256 key from the file? I have no access to the server, just the .crt file.
As per OkHttp's CertificatePinner documentation:
SHA-256 or SHA-1 hashes. Each pin is a hash of a certificate's Subject
Public Key Info, base64-encoded and prefixed with either sha256/ or
sha1/.
Try this command
openssl x509 -in my-certificate.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
Then use
"sha256/" + ${ouput hash from the command line above}.
More commands you will find at the Public Key Pinning page at the Mozilla Developer Network
I am developing an android application which can connect with multiple node server. This connection needs to be secure so i need certificates. But i cant pay to certificates. As my researches, i will create certificates for each server and sign them with my own root certificate(I also need that). Then i will pin root certificate into my android application. So i can connect multiple server from one android app. But i dont know to create this certificates and how to pin it into android application.
A CA can generate a certificate bound to an IP, but it is not usual. I agree in this case it is more appropriate to use self-generated certificates. You need
1) Create the CA certificate and SSL certificate
Extracted from here You will need openssl
Create the CA certificate
openssl genrsa -out rootCA.key 2048
openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
This will start an interactive script which will ask you for various bits of information. You will get rootCA.pem
Create one certificate for each device
openssl genrsa -out device.key 2048
openssl req -new -key device.key -out device.csr
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256
You’ll be asked various questions (Country, State/Province, etc.) in the second step insert in 'common name' the IP or name of your device. It is important to match the real name because browser or android device will validate it
2) Configure your nodejs server to use https
I have no enough knowledge of node.js to provide you a good explanation or a link, so use the official documentation. Maybe some reader could edit this and provide a link
3) add the public key and the chain of the certificate to the truststore of the android application.
Extracted here from
You will need
1) Get the public part of your CA certificate
2) Create a BKS keystore and import the certificate (only the root will be needed)
3) Use the keystore in your app. Create a Custom Apache HTTP client which uses your keystore to configure de SSL connection
The details are in the link, that is in the community wiki.
For Android Volley. Using Android Volley With Self-Signed SSL Certificate
Is this even possible? I have a key-pair that I already made with GPG but I just can't find a way to sign it with that key. I don't really want to make a new key with keytool or whatever just for this; I'd rather use the key I have now. Anybody know how I could do this? Thanks in advance.
I very much doubt that GPG generates keys that could be used by jarsigner. It might be possible to write a converter to do this, but it would be far less work to just bite the bullet and generate a new key. The command to do this is simply
keytool -genkey -alias mynickname -validity 20000 -keystore ~/.android/my-keystore
(p.s. make a backup of the key and make very sure you don't forget either the keystore password or the key password. There are far too many sad stories of people who've put apps on the market and then forgotten or lost the password.)
I just wanna manage the OpenPGP keys only too. So here is my way.
openpgp2ssh
First install it from monkeysphere.
sudo apt install monkeysphere
Note: openpgp2ssh works only if the secret key is not password-protected and RSA keys. So it might be necessary to remove the protection.
Now, export the PGP key and hand it over to openpgp2ssh:
gpg --list-keys # show your keys with keyid.
gpg --export-secret-subkeys your#email | openpgp2ssh $SubKeyId > id_rsa
openssl rsa -in id_rsa -outform pem > key.pem
openssl req -new -key key.pem -out request.pem
openssl x509 -req -days 9999 -in request.pem -signkey key.pem -out certificate.pem
openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out key.pk8 -nocrypt
You do need to sign with jarsigner. But jarsigner is actually a little more flexible than you'd think. If you already have a signing key you want to use then you can export it out of gpg and import it into a java keystore then sign that way. If you want to attempt to do that you can try keytool but it's far easier to get Keytool Explorer because keytool has a lot of options.
Jarsigner is actually pretty flexible. This Document describes a process by which you can create your own providers. I'm surprised there isn't already one that uses the GPG keystores already. There is a way to do it with a Yubikey which is the only reason I am aware of all of this - my signing keys are safely locked away in my yubikey where even I can't get them (yes I have a secure backup somewhere).
As an experiment, I would like to use the platform key of my custom built Android platform to sign an arbitrary APK, that is built via the NDK. What is the process to go about doing this?
If you have your platform key/certificate pair (.pk8 + x509.pem). Which can be found under build/target/product/security in the pulbic sdk.
You can use the SignApk.jar from the command line
java -jar SignApk.jar
platform.x509.pem platform.pk8
Application.apk Application_signed.apk
Or to make automation easier, you can import the key/cert pair into your java keystore file, with the keytool-importkeypair, and use an ant makefile or eclipse for signing.
keytool-importkeypair -k
~/.android/debug.keystore -p android
-pk8 platform.pk8 -cert platform.x509.pem -alias platform
The signapk.jar (all lowercase) file mentioned in aprock' answer can be found at prebuilts/sdk/tools/lib/signapk.jar (or out/host/linux-x86/framework/signapk.jar).
Below I will describe how to manage the keystore used by Eclipse and ant release.
The following command takes the key file platform.pk8 and X509 certificate platform.x509.pem and outputs the decrypted key material in tmp.p12. The name platformkey is used to
openssl pkcs8 -inform DER -nocrypt -in platform.pk8 | \
openssl pkcs12 -export -in platform.x509.pem -inkey /dev/stdin \
-name platformkey -password pass: -out tmp.p12
Eclipse and ant debug use the keystore at ~/.android/debug.keystore which is locked with the password android. (You can also specify an other keystore file if you want to, e.g. ~/.android/mykeys.keystore.) The next command stores the key material from tmp.p12 in the keystore (without a password for the keys, if you want one, edit -srcstorepass '' below):
keytool -importkeystore -deststorepass android -srckeystore tmp.p12 \
-srcstoretype PKCS12 -srcstorepass '' -destkeystore ~/.android/debug.keystore
At this point, you can delete the tmp.p12 file because it is no longer needed.
In order to check what is in your keystore, you can run the next keytool command (the output it shown on the line thereafter):
$ keytool -list -keystore ~/.android/debug.keystore -storepass android
...
platformkey, Nov 23, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): 12:34:56:(stripped):AB:CD:EF
When you no longer need the key, it can be removed with:
keytool -delete -keystore ~/.android/debug.keystore -storepass android -alias platformkey
In your local.properties file, put (if you omit the key.*.password options, you have to enter it every time you sign the APK):
key.store=${user.home}/.android/debug.keystore
key.alias=platformkey
key.store.password=android
key.alias.password=
Now you can run ant release to sign your APK using the platform key you stored in a keystore.