I'm building Android from Source and use custom certificates. Now I get prompted for the Password each time a app is signed by the buildsystem.
Is there any way to avoid this?
I've stumbled upon the ANDROID_PW_FILE and used it by exporting it before a build. I used an empty File and a File with the following content:
[[[ password ]]] build/target/product/security/platform.pk8
.... More lines like this with same syntax....
But without success. I get prompted everytime.
If i run
$ python
>>> import os
>>> print(os.getenv("ANDROID_PW_FILE", None))
<<< /build/target/product/security/PASSWD
I can see the envvar is set. I also exported EDITOR=vim but I don't really understand what this should do. I've just noticed that the build/tools/releasetools/common.py checks if both are set and Prompts otherwise.
Any suggestions?
I had the same problem and solved this by eliminating whitespace from the file and eliminating the extensions. I basically did a copy/paste from the password prompt.
For example, if my password is abc123 my file is
[[[abc123]]]vendor/company/security/product/releasekey
[[[abc123]]]vendor/company/security/product/platform
[[[abc123]]]vendor/company/security/product/shared
[[[abc123]]]vendor/company/security/product/media
Related
In Huawei App Gallery I have to update an existing aab application. Site redirects me to App signing page and there are steps that I have to follow in order to sign the app successfully. These are the steps provided:
Obtain the pepk.jar file from the Internet or another legitimate source.
Export and encrypt your private key and public key certificate into a ZIP file. Parameters in bold must be replaced as needed. Then, enter your data storage location and key password as prompted.
java -jar pepk.jar --keystore test.jks --alias test --output=output.zip --encryptionkey=<some_encryption_key> --include-cert
Upload the ZIP file containing the private key and public key certificate. (The ZIP file contains only certificate.pem and encryptedPrivateKey.)
Now I have 2 problems.
First one is, when I run the code in 2nd step in CMD. I get include-cert flag is not provided error. However when I write --include-cert=certificate.pem or --include-cert certificate.pem it says flag is unrecognized.
Second one is, I put certificate.pem and private key to folder and then turn it into ZIP. But when I click on submit it gives me Make sure the package contains only the certificate.pem and encryptedPrivateKey files error. Is not encryptedPrivateKey is the file that is exported by AndroidStudio when you generate an app bundle or Apk into the same location with .pepk extension?
I don't know what am I missing in order to sign my application. Any help would be appreciated, thanks in advance
If "No value provided for flag: include-cert" is displayed, the pepk.jar file is incorrect. You need to replace it with a correct one.
https://developer.huawei.com/consumer/en/doc/development/AppGallery-connect-Guides/agc-appsigning-faq-0000001052944432
I get include-cert flag is not provided error. However when I write --include-cert=certificate.pem or --include-cert certificate.pem it says flag is unrecognized.
It is recommended that you do not change the command and follow the commands in the document.
You could click here to try out.
And this is the App Signing Operation Guide video for reference.
Using Xamarin.Android 10.3 I'm trying to sign a Release package from Visual Studio 16.6.5. In order not to include the password as plaintext on the csproj file, I've added a file in the project folder called Pass.txt and exluded it in the git.ignore file
But when it comes to the signing process it fails with:
Failed to load signer "signer #1"
java.io.IOException: Failed to read Key "myapp" password for signer #1 : end of file reached in C:\Users\myuser\source\repos\MyApp.Xamarin\Pass.txt
If I remove the file:Pass.txt and past the password it works fine.
According to this release we can use file: in Xamarin 10.1 an later.
<PropertyGroup>
<AndroidSigningStorePass>file:C:\Users\Windows User\AndroidSigningPassword.txt</AndroidSigningStorePass>
<AndroidSigningKeyPass>file:C:\Users\Windows User\AndroidSigningPassword.txt</AndroidSigningKeyPass>
</PropertyGroup>
Missed "Note that if the same file is specified for both settings, the file must contain two lines. The first line must be the keystore password, and the second line must be the alias password. – Fritjof Berggren just now"
Adding the password twice on the file fixed it
Sometimes the issue just fixes and you well never know how.
This is what I did and it is fixed.
Goto Tools>> Android >> Android ADB Command Prompt
Type C:\Android\SDK>adb remove {your Package Name}
Clean Project
Build in Release Mode
after that clean and rebuild in Debug mode.
For me this issue was that I have the folder in One Drive and I have set the option for saving space, so I just have the link in my machine,as soon as I download the file, it works
So I just posted an app about 15 days before and now I want to upload a new update but while generating the Signed Apk Android studio is asking me for key store credentials... and I read that I have to provide the same credentials that I used on first submission (I did not remember anything about that)
Somehow I managed to get an backup of keystore.store file (which is stored at my project's directory inside a folder named KEY_STORE ) now when I'm putting the suspected alias and passwords I'm getting this error :
Failed to read key from myalias from store /mypath/for/keystore cannot recover key
Now what I can do to get back my credentials ???
You can't recover credentials.
The only way to do this is to try a tool like
http://maxcamillo.github.io/android-keystore-password-recover/
I've never use it.
I think it will try to brute force your credentials.
UPDATE:
I've tested it and it works.
Go to
http://maxcamillo.github.io/android-keystore-password-recover/
Add java files download from the url to a new Java Project (ex. using ItelliJ IDEA)
Add the keystore file to the root of the project
Add this option to program args in this way
-m 1 -k keystorefilename
Run the program
Alternatively, run the jar download from the url and use the same args.
Sorry bro, no way to recover now, you have to have the correct credentials. All you can do is publish a new application in the same name.
I need to be able to build the release version of my apk, using a Jenkins job.
From reading the following SO question
How to create a release signed apk file using Gradle?
I understand I can do it in one of two ways. Either get the user to enter the password at cmd prompt, or store my password details in a plain text file that doesn't get committed to git, and lives on my local machine.
Neither of these will work when running the build job on jenkins though. 1) I can't gain user input because this may be running in the middle of the night (I don't even know how to get user input from the cmd line even if the user was at their machine) 2) Anyone who can gain access to that build box, would be able to cat the contents of that file either via the cmd line or from another build.gradle job running on that jenkins server.
Does anyone know of anyway I can keep my password hidden but so that the Jenkins job can access it?
Thanks
You can use Mask Password Plugin, which does just that. Or the same functionality is included in EnvInject plugin, and sooner or later all Jenkins projects get a need for EnvInject plugin (that does many other things), so might as well start using it now.
To securely use a password from within a build/post-build step
Install EnvInject plugin.
Under Jenkins Global Configuration, find Global Passwords section.
Add a name (this will be the environment variable name) and password (will be starred **** ).
Under Job Configuration, find Build Environment section.
Checkmark Inject passwords to the build as environment variables.
Then checkmark Global passwords.
In any build step, you can now use $name (as defined earlier) to refer to a password as you would if you were typing it in plain text.
The password variable is injected only at job execution time (typing $name on command line of the server by itself will not produce anything, and like all Jenkins variables, it is not persistent).
The job console log will show **** instead of password, if it appears.
You could configure passwords per job, rather than globally, so that other jobs can't use it.
The only security concern is that if someone has administrative permissions to configure your job, they can write echo $name > secretpassword.txt into a build step, and then review the file in the workspace. But you should be careful who you assign administrative rights to.
You should take a look for this plugin
https://wiki.jenkins-ci.org/display/JENKINS/Mask+Passwords+Plugin
If your Jenkins instance happens to be running on EC2, and you don't want to permanently store secrets in the file system, you can put the store and key passwords into Systems Manager Parameter Store, then query them at build time. In addition, you can put the keystore itself into external storage, such as S3, and only keep it locally for the duration of the build.
Here is a sample build script (assume that the secret parameters are named android-keystore-pass and android-signature-key-pass):
set -o errexit
set -o pipefail
keystore_file=keystore.properties
keystore=wise.jks
aws s3 cp s3://path-to-android/$keystore .
chmod go-rwx $keystore
touch $keystore_file
chmod go-rwx $keystore_file
cat > $keystore_file << EOF
storePassword=`aws ssm get-parameters --names android-keystore-pass --with-decryption | cut -f4`
keyPassword=`aws ssm get-parameters --names android-signature-key-pass --with-decryption | cut -f4`
keyAlias=android
storeFile=$WORKSPACE/$keystore
EOF
An example of the Gradle build scripts can be found in this answer. You can commit a dummy keystore.properties to source control so that (non-release) builds work on dev machines.
There are also open-source secret distribution tools that are platform-independent, e.g. Vault, but I haven't tried any of them.
The new Android Studio allows us to save keystore passwords for later use. Where are these passwords stored on my computer (OSX), and is there a way to retrieve the saved values?
EDIT
I am looking for the Alias password, not the Keystore password
You can find this in the idea.log files generated by Android Studio:
Search for "Pandroid.injected.signing.key.password" and you can see the key password.
Example logs:
2015-11-13 10:22:48,844 [ 709463] INFO -
a.gradle.invoker.GradleInvoker - Build command line options:
[--configure-on-demand, -Pandroid.injected.invoked.from.ide=true,
-Pandroid.injected.signing.st ore.file=/Users/varun/Projects/myapp/mykey.jks,
-Pandroid.injected.signing.store.password=mykeystorepassword, -Pandroid.injected.signing.key.alias=myalias, -Pandroid.injected.signing.key.password=mykeypassword , -Pandroid.injected.apk.location=/Users/varun/code/android/workspace/myapp,
--init-script, /private/var/folders/vk/z504nlhd6v30p7zvtgjp5sjm0000gn/T/asLocalRepo0.gradle]
Note 1: On OSX the idea.log file can be found at ~/Library/Logs/AndroidStudio2.0
Note 2: If you don't find the password in idea.log, then also look at the files called idea.log.1, idea.log.2 and so on.
Source
On macOS the latest versions of Android Studio (tested on 3.2) store keystore/key passwords in the Keychain under the following items:
org.jetbrains.android.exportSignedPackage.KeystoreStep$KeyStorePasswordRequestor
org.jetbrains.android.exportSignedPackage.KeystoreStep$KeyPasswordRequestor
The former stores the password of the keystore itself, and the latter – the password to the key.
You can access them using system Keychain Access app. Locate corresponding entry and double-click it. The Account field should contain the path to your keystore or the path to the key alias within the keystore in the following form:
KEY_STORE_PASSWORD__/Users/username/keystorename or KEY_STORE_PASSWORD__/Users/username/keystorename__alias
Click Show password and enter your macOS password when requested. That's it!
Method 1: Read from gradle build runtime
Step 1: add below code to app/build.gradle
afterEvaluate {
if (project.hasProperty("android.injected.signing.store.file")) {
println "key store path: ${project.property("android.injected.signing.store.file")}"
}
if (project.hasProperty("android.injected.signing.store.password")) {
println "key store password: ${project.property("android.injected.signing.store.password")}"
}
if (project.hasProperty("android.injected.signing.key.alias")) {
println "key alias: ${project.property("android.injected.signing.key.alias")}"
}
if (project.hasProperty("android.injected.signing.key.password")) {
println "key password: ${project.property("android.injected.signing.key.password")}"
}
}
Step 2: from menu Build -> Generate Signed apk/bundle to start a build.
Step 3: open Build window located in Android Studio's bottom, lookup key store info
Method 2: Read from Idea persistent storage
I wrote a Idea plugin, named RestoreKeystorePlugin
Step 1: download jar file from download link
Step 2: install the plugin to Android Studio
then restart Android Studio if required
Step 3: select Tools -> Restore Keystore Info menu, it will show key store info on a dialog
For anyone attempting keystore password recovery on more recent versions of Android Studio and Ubuntu, it seems that most documented suggestions to recover the password from logs, gradle, etc no longer work. Corneliu's excellent brute force script is great - unless you chose a 16 character password with no dictionary words in it and would like a result some time this month :) Using the Intellij security.xml solution is no longer available to retrieve saved passwords from Android Studio either, as far as I can tell.
However - having dug around a bit, Android Studio 3.1 seems to use the OS keychain in Ubuntu 18.04, so retrieving a saved keystore password is as simple as:
open 'Passwords and Keys' (use super key and search 'password')
filter results by 'android'
look at each entry, they will be
something like org.jetbrains.android...KeyPasswordRequestor, and
open each one up in turn
expand the password dropdown and select
'Show password', it will look something like:
KEY_STORE_PASSWORD__/home/pathto/keystore/keystore-name.jks#mycoolpassword
Find the keystore you're looking for and the bit after # is your missing password. Hope that helps someone out there!
Gradle stores them within your project directory in a binary file. You can get them like this (from the project directory):
strings .gradle/GRADLE_VERSION/taskArtifacts/taskArtifacts.bin | grep storePassword -A1
(Thanks to https://stackoverflow.com/a/33624636/1982087 for the taskArtifacts.bin pointer)
look for the log file from the date which you had signed your apk and you can find your key info there like below.
-Pandroid.injected.signing.store.password=[store_password],
-Pandroid.injected.signing.key.alias=[alias],
-Pandroid.injected.signing.key.password=[key_password]
you can find your log files under
C:\Users\username.AndroidStudio[versionNum]\system\log\
I had the same problem!
it makes me crazy but I found a little script that it´s saves me: https://github.com/corneliudascalu/intellij-decrypt
I think it could help you.
Good Look