Android 12: replacing the default system testkey with a custom signing key
How to generate a custom signing key is described in build/target/product/security/README:
The following commands were used to generate the test key pairs:
development/tools/make_key testkey '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
development/tools/make_key platform '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
development/tools/make_key shared '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
development/tools/make_key media '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
development/tools/make_key cts_uicc_2021 '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
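A detailed breakdown of the command:
- development/tools/make_key: the script being executed. It is a script shipped in the Android source tree for generating keys.
- testkey: the name of the generated key. Here, the key will be named testkey.
- '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com': the Distinguished Name (DN) field of the key, which contains the following information:
  - C=US: country (United States)
  - ST=California: state (California)
  - L=Mountain View: city (Mountain View)
  - O=Android: organization (Android)
  - OU=Android: organizational unit (Android)
  - CN=Android: common name (Android)
  - emailAddress=android@android.com: e-mail address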
Generating the custom signing key releasekey
development/tools/make_key releasekey '/C=CN/ST=Guangdong/L=Shenzhen/O=Lezoneyun/OU=Lezoneyun/CN=Lezoneyun/emailAddress=wxd@lezoneyun.com'
Running the command generates two files:
- releasekey.pk8: the private key file
- releasekey.x509.pem: the certificate file
Copy the files into the build/make/target/product/security/ directory:
cp releasekey.pk8 build/target/product/security/releasekey.pk8
cp releasekey.x509.pem build/target/product/security/releasekey.x509.pem
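Configuring the system to use the custom key
In some cases, the Android system explicitly specifies testkey through Android.mk or Android.bp files. You need to make sure that system modules and applications use the new key.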
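One way to locate the files that still name testkey before editing them, as an added example that is not part of the original post or of AOSP: a POSIX shell function that scans a source tree for live testkey references. The function names, the Android.bp `certificate` pattern and the sample tree are assumptions constructed for illustration; the other patterns match the forms shown on this page.

```shell
#!/bin/sh
# Added example: list build files that still name testkey.

# find_testkey_refs DIR: print "file:line:text" for every live reference.
# Patterns: LOCAL_CERTIFICATE (Android.mk), certificate (Android.bp),
# the security/testkey default path, and testkey.x509.pem (keys.conf).
# Lines whose text starts with a comment marker (# or //) are dropped.
find_testkey_refs() {
    find "$1" -type f \( -name '*.mk' -o -name 'Android.bp' \
        -o -name 'keys.conf' \) -exec grep -HnE \
        -e 'LOCAL_CERTIFICATE[[:space:]]*:?=[[:space:]]*testkey([[:space:]]|$)' \
        -e 'certificate:[[:space:]]*"testkey"' \
        -e 'security/testkey([^[:alnum:]_]|$)' \
        -e 'testkey\.x509\.pem' {} + 2>/dev/null |
    grep -vE '^[^:]+:[0-9]+:[[:space:]]*(#|//)' || true
}

# count_testkey_refs DIR: number of live references found.
count_testkey_refs() {
    find_testkey_refs "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (not real AOSP files) so the scan runs offline.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/app" "$d/core" "$d/sepolicy"
    printf 'LOCAL_CERTIFICATE := testkey\n' > "$d/app/Android.mk"
    printf 'android_app {\n    certificate: "testkey",\n}\n' > "$d/app/Android.bp"
    # Already migrated module: the commented-out old line must be ignored.
    printf '# LOCAL_CERTIFICATE := testkey\nLOCAL_CERTIFICATE := releasekey\n' \
        > "$d/core/ok.mk"
    printf 'DEFAULT_SYSTEM_DEV_CERTIFICATE := build/make/target/product/security/testkey\n' \
        > "$d/core/config.mk"
    printf 'ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem\n' \
        > "$d/sepolicy/keys.conf"
    echo "$d"
}

tree=$(make_sample_tree)
find_testkey_refs "$tree"
rm -rf "$tree"
```

Against a real checkout, pass the directory to audit (for example a single module or `build/make/core`) rather than the whole tree, and rerun it after the edits to confirm the count is zero.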
Modify the Android.mk or Android.bp file, for example:
-LOCAL_CERTIFICATE := testkey
+LOCAL_CERTIFICATE := releasekey
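Review bot: this hunk only shows the Android.mk form, LOCAL_CERTIFICATE := releasekey, while the text above it also names Android.bp; modules defined in Android.bp set their key through the certificate property and need the equivalent edit there. The hunk also carries no file header, so it should say which module's Android.mk it applies to.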
Replacing testkey globally
- /build/make/core/config.mk
ifdef PRODUCT_DEFAULT_DEV_CERTIFICATE
DEFAULT_SYSTEM_DEV_CERTIFICATE := $(PRODUCT_DEFAULT_DEV_CERTIFICATE)
else
- DEFAULT_SYSTEM_DEV_CERTIFICATE := build/make/target/product/security/testkey
+ DEFAULT_SYSTEM_DEV_CERTIFICATE := build/make/target/product/security/releasekey
endif
.KATI_READONLY := DEFAULT_SYSTEM_DEV_CERTIFICATE
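Review bot: the else branch edited here is only the fallback, and the unchanged ifdef above it already takes PRODUCT_DEFAULT_DEV_CERTIFICATE when that variable is set. Setting PRODUCT_DEFAULT_DEV_CERTIFICATE to build/make/target/product/security/releasekey in the product makefile selects the same key without patching build/make/core/config.mk, which keeps the core build files unmodified when the source tree is updated.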
- /build/make/core/sysprop.mk
# non-default dev keys (usually private keys from a vendor directory).
# Both of these tags will be removed and replaced with "release-keys"
# when the target-files is signed in a post-build step.
-ifeq ($(DEFAULT_SYSTEM_DEV_CERTIFICATE),build/make/target/product/security/testkey)
-BUILD_KEYS := test-keys
+ifeq ($(DEFAULT_SYSTEM_DEV_CERTIFICATE),build/make/target/product/security/releasekey)
+BUILD_KEYS := release-keys
else
BUILD_KEYS := dev-keys
endif
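Review bot: replacing the testkey comparison in the ifeq means a build that still uses build/make/target/product/security/testkey now falls through to the else branch and is tagged dev-keys instead of test-keys. The unchanged comment above also says both tags are replaced with "release-keys" when the target-files is signed in a post-build step, so emitting release-keys straight from the build removes the tag's meaning as evidence that this step ran. Consider keeping the testkey branch, adding a separate branch for releasekey, and updating the comment to match.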
- /system/sepolicy/prebuilts/api/31.0/private/keys.conf
# Example of ALL TARGET_BUILD_VARIANTS
[@RELEASE]
-ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-USERDEBUG
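Review bot: the removed [@RELEASE] entries hard-code the file name testkey.x509.pem under $DEFAULT_SYSTEM_DEV_CERTIFICATE, and no replacement lines are visible, so it cannot be confirmed that each build variant ends up pointing at releasekey.x509.pem; the replacement has to name a certificate that exists in that directory for every variant listed. This is the copy under prebuilts/api/31.0, so also check whether system/sepolicy/private/keys.conf carries the same entries and needs the same edit.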