如何生成release版本的Android系统
2016-01-23 · 做真实的自己 用良心做教育
千锋教育
千锋教育专注HTML5大前端、JavaEE、Python、人工智能、UI&UE、云计算、全栈软件测试、大数据、物联网+嵌入式、Unity游戏开发、网络安全、互联网营销、Go语言等培训教育。
向TA提问
关注
![]()
展开全部
1.使用platform密钥对apk进行签名
1.1.进入<Android_Source_Path>/build/target/product/security,找到【platform.pk8】和【platform.x509.pem】系统密钥。
1.2.进入<Android_Source_Path>/build/tools/signapk找到SignApk.java,运行javac编译成SignApk.class
1.3.执行命令java com.android.signapk.SignApk platform.x509.pem platform.pk8 input.apk output.apk
至此,完成。
2. 对1的补充:
<Android_Source_Path>/build/target/product/security下有多对密钥,详细如下:
The following commands were used to generate the test key pairs:
development/tools/make_key testkey '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
development/tools/make_key platform '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
development/tools/make_key shared '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
development/tools/make_key media '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
The following standard test keys are currently included:
testkey -- a generic key for packages that do not otherwise specify a key.
platform -- a test key for packages that are part of the core platform.
shared -- a test key for things that are shared in the home/contacts process.
media -- a test key for packages that are part of the media/download system.
These test keys are used strictly in development, and should never be assumed
to convey any sort of validity. When $BUILD_SECURE=true, the code should not
honor these keys in any context.
signing using the openssl commandline (for boot/system images)
--------------------------------------------------------------
1. convert pk8 format key to pem format
% openssl pkcs8 -inform DER -nocrypt -in testkey.pk8 -out testkey.pem
2. create a signature using the pem format key
% openssl dgst -binary -sha1 -sign testkey.pem FILE > FILE.sig
extracting public keys for embedding
------------------------------------
it's a Java tool
but it generates C code
take a look at commands/recovery/Android.mk
you'll see it running $(HOST_OUT_JAVA_LIBRARIES)/dumpkey.jar
3.对3的补充:
在运行第三步的命令前,请在当前的工作目录下新建如下结构的文件夹:com.android.signapk,然后将第二步编译生成的SignApk放入该目录下。或者也可以将SignApk.java的package声明删除后再运行javac编译。
命令java com.android.signapk.SignApk platform.x509.pem platform.pk8 input.apk output.apk
不单可以对apk文件进行重签名,也可以对所有的zip文件进行重签名,包括ROM文件。
网上Android数字签名大多是与Android APK相关,而介绍Android系统签名的方法却不多。正巧前段时间帮别人做CTS 认证,需要用到给Android系统签名。
为什么需要给Android系统签个名才能进行CTS认证呢?原来通过make -j4编译出来的system.img使用的是test key,这种类型的key只适用于开发阶段,而且这种秘钥是公开的,谁都可以使用。当发布一款android产品,就需要另外给整个系统签个名,防止被别人盗用。这种系统就是release版本的Android系统。
下面就详细介绍下整个过程。
1、生成加密key文件
要对Android系统进行签名,需要生成四种类型的key文件。
a)releasekey
b)media
c)shared
d)platform
就拿releasekey为例简单介绍下生成过程。
1)进入/android_src/development/tools目录。
/development/tools$ ls
apkcheck etc1tool hosttestlib jdwpspy makedict mkstubs
axl findunused idegen line_endings make_key monkeyrunner zoneinfo
2)使用make_key工具生成签名文件
development/tools$ sh make_key releasekey '/C=CN/ST=JiangSu/L=NanJing/O=Company/OU=Department/CN=YourName/emailAddress=YourE-mailAddress'
Enter password for 'releasekey' (blank for none; password will be visible): mypassword <------- 设置密码
creating platform.pk8 with password [mypassword]
Generating RSA private key, 2048 bit long modulus
...............+++
........................................................+++
e is 3 (0x3)
这里要顺便介绍下make_key的参数。第一个参数是要生成key的名字,第二个参数是关于公司的信息。
key的名字很好理解,就是前面提到的4中类型的key,公司信息的参数比较多,它们的含义如下:
C ---> Country Name (2 letter code)
ST ---> State or Province Name (full name)
L ---> Locality Name (eg, city)
O ---> Organization Name (eg, company)
OU ---> Organizational Unit Name (eg, section)
CN ---> Common Name (eg, your name or your server’s hostname)
emailAddress ---> Contact email address
这样就生成了一组releasekey,另外3种类型的key的生成方法也基本一样。
生成后的结果如下:
/development/tools$ ls
makedict media.pk8 mkstubs platform.pk8 releasekey.pk8 shared.pk8
make_key media.x509.pem platform.x509.pem releasekey.x509.pem shared.x509.pem
*.pk8是生成的私钥,而*.x509.pem是公钥,生成时两者是成对出现的.
2 、 把pk8和x509.pem文件拷贝到vendor/Modul/security/product_modul目录
/android_src/vendor/Modul/security/product_modul$ cp ../../../../development/tools/*.pk8 ./
/android_src/vendor/Modul/security/product_modul$ cp ../../../../development/tools/*.pem ./
这一部虽然不是必须的,但最好还是这样做下,由于牵涉到项目的原因,产品和产品型号就用Modul和product_modul代替了.
3 、 回到根目录android_src
/android_src/vendor/Modul/security/product_modul$ cd ../../../../
大家看后肯定觉得这一步很多余,根本没有必要单独提出来,但后来证明把这步提下还是很有必要的,因为第5步的操作必须要在根目录下执行,不然会出错.
4 、编译系统
/android_src$ make -j4 PRODUCT-product_modul-user dist
这个怎么跟平时的编译不一样,后面多了两个参数PRODUCT-product_modul-user 和 dist. 编译完成之后回在/android_src/dist/目录内生成个product_modul-target_files开头的zip文件.这就是需要进行签名的文件系统.
5 、开始签名
android_src$ ./build/tools/releasetools/sign_target_files_apks -d vendor/Modul/security/product_modul/ out/dist/product_modul-target_files.zip out/dist/signed_target_files.zip
ERROR: no key specified for:
CalendarWidget.apk
Contacts_yellowpage.apk
SnsAppMain.apk
fbandroid-1.5.0.apk
AnalogClockWidget.apk
MessageWidget.apk
NewsWidget.apk
上面的意思是使用sign_target_files_apks工具采用vendor/Modul/security/product_modul/下的key对product_modul-target_files.zip文件进行签名,并把签名结果放在out/dist/signed_target_files.zip里.
从上面的签名结果看,签名并没有成功,原因是由于有些apk程序已经签过名了或者找不到对应的key. 可以通过设置过滤,不对上面的程序进行签名.方法如下:
通过参数"-e <apkname>=" 来过滤这些程序.
android_src$ ./build/tools/releasetools/sign_target_files_apks -d vendor/Modul/security/product_modul/ -e CalendarWidget.apk= -e Contacts_yellowpage.apk= -e SnsAppMain.apk= -e fbandroid-1.5.0.apk= -e AnalogClockWidget.apk= -e MessageWidget.apk= -e NewsWidget.apk= out/dist/product_modul-target_files.zip out/dist/signed_target_files.zip
Enter password for vendor/Modul/security/product_modul//media key> <----- imput the password
Enter password for vendor/Modul/security/product_modul//platform key> <----- imput the password
Enter password for vendor/Modul/security/product_modul//releasekey key> <----- imput the password
Enter password for vendor/Modul/security/product_modul//shared key> <----- imput the password
rewriting RECOVERY/RAMDISK/default.prop:
replace: ro.build.tags=test-keys
with: ro.build.tags=release-keys
NOT signing: CalendarWidget.apk
NOT signing: Contacts_yellowpage.apk
signing: Mms.apk
signing: SoundRecorder.apk
signing: AccountAndSyncSettings.apk
signing: Camera.apk
.......................................................................
rewriting SYSTEM/build.prop:
replace: ro.build.tags=test-keys
with: ro.build.tags=release-keys
replace: ro.build.description= test-keys
with: ro.build.description= release-keys
replace: ro.build.fingerprint=...........................
with: ro.build.fingerprint=.............................
signing: framework-res.apk
done.
这样就完成了android系统的签名工作.
6 、生成image文件
android_src$ ./build/tools/releasetools/img_from_target_files out/dist/signed-target-files.zip out/dist/signed-img.zip
creating boot.img...
creating recovery.img...
creating system.img...
creating userdata.img...
cleaning up...
done.
使用img_from_target_files工具生成signed-img.zip文件.signed-img.zip文件包含了boot.img,userdate.img,system.img文件等.
7 、通过fastboot下载signed-img.zip文件
fastboot update signed-img.zip
通过fastboot就可以把签了名的系统文件下载到手机上了。
1.1.进入<Android_Source_Path>/build/target/product/security,找到【platform.pk8】和【platform.x509.pem】系统密钥。
1.2.进入<Android_Source_Path>/build/tools/signapk找到SignApk.java,运行javac编译成SignApk.class
1.3.执行命令java com.android.signapk.SignApk platform.x509.pem platform.pk8 input.apk output.apk
至此,完成。
2. 对1的补充:
<Android_Source_Path>/build/target/product/security下有多对密钥,详细如下:
The following commands were used to generate the test key pairs:
development/tools/make_key testkey '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
development/tools/make_key platform '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
development/tools/make_key shared '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
development/tools/make_key media '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
The following standard test keys are currently included:
testkey -- a generic key for packages that do not otherwise specify a key.
platform -- a test key for packages that are part of the core platform.
shared -- a test key for things that are shared in the home/contacts process.
media -- a test key for packages that are part of the media/download system.
These test keys are used strictly in development, and should never be assumed
to convey any sort of validity. When $BUILD_SECURE=true, the code should not
honor these keys in any context.
signing using the openssl commandline (for boot/system images)
--------------------------------------------------------------
1. convert pk8 format key to pem format
% openssl pkcs8 -inform DER -nocrypt -in testkey.pk8 -out testkey.pem
2. create a signature using the pem format key
% openssl dgst -binary -sha1 -sign testkey.pem FILE > FILE.sig
extracting public keys for embedding
------------------------------------
it's a Java tool
but it generates C code
take a look at commands/recovery/Android.mk
you'll see it running $(HOST_OUT_JAVA_LIBRARIES)/dumpkey.jar
3.对3的补充:
在运行第三步的命令前,请在当前的工作目录下新建如下结构的文件夹:com.android.signapk,然后将第二步编译生成的SignApk放入该目录下。或者也可以将SignApk.java的package声明删除后再运行javac编译。
命令java com.android.signapk.SignApk platform.x509.pem platform.pk8 input.apk output.apk
不单可以对apk文件进行重签名,也可以对所有的zip文件进行重签名,包括ROM文件。
网上Android数字签名大多是与Android APK相关,而介绍Android系统签名的方法却不多。正巧前段时间帮别人做CTS 认证,需要用到给Android系统签名。
为什么需要给Android系统签个名才能进行CTS认证呢?原来通过make -j4编译出来的system.img使用的是test key,这种类型的key只适用于开发阶段,而且这种秘钥是公开的,谁都可以使用。当发布一款android产品,就需要另外给整个系统签个名,防止被别人盗用。这种系统就是release版本的Android系统。
下面就详细介绍下整个过程。
1、生成加密key文件
要对Android系统进行签名,需要生成四种类型的key文件。
a)releasekey
b)media
c)shared
d)platform
就拿releasekey为例简单介绍下生成过程。
1)进入/android_src/development/tools目录。
/development/tools$ ls
apkcheck etc1tool hosttestlib jdwpspy makedict mkstubs
axl findunused idegen line_endings make_key monkeyrunner zoneinfo
2)使用make_key工具生成签名文件
development/tools$ sh make_key releasekey '/C=CN/ST=JiangSu/L=NanJing/O=Company/OU=Department/CN=YourName/emailAddress=YourE-mailAddress'
Enter password for 'releasekey' (blank for none; password will be visible): mypassword <------- 设置密码
creating platform.pk8 with password [mypassword]
Generating RSA private key, 2048 bit long modulus
...............+++
........................................................+++
e is 3 (0x3)
这里要顺便介绍下make_key的参数。第一个参数是要生成key的名字,第二个参数是关于公司的信息。
key的名字很好理解,就是前面提到的4中类型的key,公司信息的参数比较多,它们的含义如下:
C ---> Country Name (2 letter code)
ST ---> State or Province Name (full name)
L ---> Locality Name (eg, city)
O ---> Organization Name (eg, company)
OU ---> Organizational Unit Name (eg, section)
CN ---> Common Name (eg, your name or your server’s hostname)
emailAddress ---> Contact email address
这样就生成了一组releasekey,另外3种类型的key的生成方法也基本一样。
生成后的结果如下:
/development/tools$ ls
makedict media.pk8 mkstubs platform.pk8 releasekey.pk8 shared.pk8
make_key media.x509.pem platform.x509.pem releasekey.x509.pem shared.x509.pem
*.pk8是生成的私钥,而*.x509.pem是公钥,生成时两者是成对出现的.
2 、 把pk8和x509.pem文件拷贝到vendor/Modul/security/product_modul目录
/android_src/vendor/Modul/security/product_modul$ cp ../../../../development/tools/*.pk8 ./
/android_src/vendor/Modul/security/product_modul$ cp ../../../../development/tools/*.pem ./
这一部虽然不是必须的,但最好还是这样做下,由于牵涉到项目的原因,产品和产品型号就用Modul和product_modul代替了.
3 、 回到根目录android_src
/android_src/vendor/Modul/security/product_modul$ cd ../../../../
大家看后肯定觉得这一步很多余,根本没有必要单独提出来,但后来证明把这步提下还是很有必要的,因为第5步的操作必须要在根目录下执行,不然会出错.
4 、编译系统
/android_src$ make -j4 PRODUCT-product_modul-user dist
这个怎么跟平时的编译不一样,后面多了两个参数PRODUCT-product_modul-user 和 dist. 编译完成之后回在/android_src/dist/目录内生成个product_modul-target_files开头的zip文件.这就是需要进行签名的文件系统.
5 、开始签名
android_src$ ./build/tools/releasetools/sign_target_files_apks -d vendor/Modul/security/product_modul/ out/dist/product_modul-target_files.zip out/dist/signed_target_files.zip
ERROR: no key specified for:
CalendarWidget.apk
Contacts_yellowpage.apk
SnsAppMain.apk
fbandroid-1.5.0.apk
AnalogClockWidget.apk
MessageWidget.apk
NewsWidget.apk
上面的意思是使用sign_target_files_apks工具采用vendor/Modul/security/product_modul/下的key对product_modul-target_files.zip文件进行签名,并把签名结果放在out/dist/signed_target_files.zip里.
从上面的签名结果看,签名并没有成功,原因是由于有些apk程序已经签过名了或者找不到对应的key. 可以通过设置过滤,不对上面的程序进行签名.方法如下:
通过参数"-e <apkname>=" 来过滤这些程序.
android_src$ ./build/tools/releasetools/sign_target_files_apks -d vendor/Modul/security/product_modul/ -e CalendarWidget.apk= -e Contacts_yellowpage.apk= -e SnsAppMain.apk= -e fbandroid-1.5.0.apk= -e AnalogClockWidget.apk= -e MessageWidget.apk= -e NewsWidget.apk= out/dist/product_modul-target_files.zip out/dist/signed_target_files.zip
Enter password for vendor/Modul/security/product_modul//media key> <----- imput the password
Enter password for vendor/Modul/security/product_modul//platform key> <----- imput the password
Enter password for vendor/Modul/security/product_modul//releasekey key> <----- imput the password
Enter password for vendor/Modul/security/product_modul//shared key> <----- imput the password
rewriting RECOVERY/RAMDISK/default.prop:
replace: ro.build.tags=test-keys
with: ro.build.tags=release-keys
NOT signing: CalendarWidget.apk
NOT signing: Contacts_yellowpage.apk
signing: Mms.apk
signing: SoundRecorder.apk
signing: AccountAndSyncSettings.apk
signing: Camera.apk
.......................................................................
rewriting SYSTEM/build.prop:
replace: ro.build.tags=test-keys
with: ro.build.tags=release-keys
replace: ro.build.description= test-keys
with: ro.build.description= release-keys
replace: ro.build.fingerprint=...........................
with: ro.build.fingerprint=.............................
signing: framework-res.apk
done.
这样就完成了android系统的签名工作.
6 、生成image文件
android_src$ ./build/tools/releasetools/img_from_target_files out/dist/signed-target-files.zip out/dist/signed-img.zip
creating boot.img...
creating recovery.img...
creating system.img...
creating userdata.img...
cleaning up...
done.
使用img_from_target_files工具生成signed-img.zip文件.signed-img.zip文件包含了boot.img,userdate.img,system.img文件等.
7 、通过fastboot下载signed-img.zip文件
fastboot update signed-img.zip
通过fastboot就可以把签了名的系统文件下载到手机上了。
已赞过
已踩过<
评论
收起
你对这个回答的评价是?
推荐律师服务:
若未解决您的问题,请您详细描述您的问题,通过百度律临进行免费专业咨询
