前言全局说明
一、说明
1.1 环境:
Android
1.2 简介
在Android系统中,每个APK文件必须有一个有效的数字证书来证明其来源和完整性。当需要修改APK后再次发布时,原有的签名将不再有效,因此需要重新签名。
二、证书工具
2.1 路径:
android/build/tools/releasetools/sign_target_files_apks
sign_target_files_apks 是个软链接,实际指向同目录的 sign_target_files_apks.py 文件
2.2 帮助命令
./sign_target_files_apks
或
./sign_target_files_apks --help
2.2 帮助常用内容
更详细内容请查看本页最下面 - 另:帮助详细内容
verify
--print-certs #打印证书信息
-v, --verbose 显示详情(显示是否使用V1和V2签名)
三、sign_target_files_apks 工具使用
3.1 打印 apk 签名信息
./apksigner verify --print-certs <apk-name.apk>
3.2 打印 apk 用了哪个版本签名
行结尾为 true 的,是使用的签名
./apksigner verify --verbose <apk-name.apk>
下图显示用了 V3 版签名
如果只使用v1签名方案,那么它就容易受到安卓5.0-8.0上的Janus漏洞(CVE-2017-13156)的攻击。
在安卓5.0-7.0上运行的使用了v1签名方案的应用程序,以及同时使用了v2/v3签名方案的应用程序也同样存在漏洞。
四、
4.1
4.2
另:帮助详细内容
Signs all the APK files in a target-files zipfile, producing a new
target-files zip.Usage: sign_target_files_apks [flags] input_target_files output_target_files-e (--extra_apks) <name,name,...=key>Add extra APK/APEX name/key pairs as though they appeared in apkcerts.txtor apexkeys.txt (so mappings specified by -k and -d are applied). Keysspecified in -e override any value for that app contained in theapkcerts.txt file, or the container key for an APEX. Option may berepeated to give multiple extra packages.--extra_apex_payload_key <name=key>Add a mapping for APEX package name to payload signing key, which willoverride the default payload signing key in apexkeys.txt. Note that thecontainer key should be overridden via the `--extra_apks` flag above.Option may be repeated for multiple APEXes.--skip_apks_with_path_prefix <prefix>Skip signing an APK if it has the matching prefix in its path. The prefixshould be matching the entry name, which has partition names in uppercase, e.g. "VENDOR/app/", or "SYSTEM_OTHER/preloads/". Option may berepeated to give multiple prefixes.-k (--key_mapping) <src_key=dest_key>Add a mapping from the key name as specified in apkcerts.txt (thesrc_key) to the real key you wish to sign the package with(dest_key). Option may be repeated to give multiple keymappings.-d (--default_key_mappings) <dir>Set up the following key mappings:$devkey/devkey ==> $dir/releasekey$devkey/testkey ==> $dir/releasekey$devkey/media ==> $dir/media$devkey/shared ==> $dir/shared$devkey/platform ==> $dir/platformwhere $devkey is the directory part of the value ofdefault_system_dev_certificate from the input target-files'sMETA/misc_info.txt. (Defaulting to "build/make/target/product/security"if the value is not present in misc_info.-d and -k options are added to the set of mappings in the orderin which they appear on the command line.-o (--replace_ota_keys)Replace the certificate (public key) used by OTA package verificationwith the ones specified in the input target_files zip (in theMETA/otakeys.txt file). Key remapping (-k and -d) is performed on thekeys. For A/B devices, the payload verification key will be replacedas well. If there're multiple OTA keys, only the first one will be usedfor payload verification.-t (--tag_changes) <+tag>,<-tag>,...Comma-separated list of changes to make to the set of tags (inthe last component of the build fingerprint). Prefix each with'+' or '-' to indicate whether that tag should be added orremoved. Changes are processed in the order they appear.Default value is "-test-keys,-dev-keys,+release-keys".--replace_verity_private_key <key>Replace the private key used for verity signing. It expects a filenameWITHOUT the extension (e.g. verity_key).--replace_verity_public_key <key>Replace the certificate (public key) used for verity verification. Thekey file replaces the one at BOOT/RAMDISK/verity_key (or ROOT/verity_keyfor devices using system_root_image). It expects the key filename WITHthe extension (e.g. verity_key.pub).--replace_verity_keyid <path_to_X509_PEM_cert_file>Replace the veritykeyid in BOOT/cmdline of input_target_file_zipwith keyid of the cert pointed by <path_to_X509_PEM_cert_file>.--remove_avb_public_keys <key1>,<key2>,...Remove AVB public keys from the first-stage ramdisk. The key file toremove is located at either of the following dirs:- BOOT/RAMDISK/avb/ or- BOOT/RAMDISK/first_stage_ramdisk/avb/The second dir will be used for lookup if BOARD_USES_RECOVERY_AS_BOOT isset to true.--avb_{boot,init_boot,recovery,system,system_other,vendor,dtbo,vbmeta,vbmeta_system,vbmeta_vendor}_algorithm <algorithm>--avb_{boot,init_boot,recovery,system,system_other,vendor,dtbo,vbmeta,vbmeta_system,vbmeta_vendor}_key <key>Use the specified algorithm (e.g. SHA256_RSA4096) and the key to AVB-signthe specified image. Otherwise it uses the existing values in info dict.--avb_{apex,init_boot,boot,recovery,system,system_other,vendor,dtbo,vbmeta,vbmeta_system,vbmeta_vendor}_extra_args <args>Specify any additional args that are needed to AVB-sign the image(e.g. "--signing_helper /path/to/helper"). The args will be appended tothe existing ones in info dict.--avb_extra_custom_image_key <partition=key>--avb_extra_custom_image_algorithm <partition=algorithm>Use the specified algorithm (e.g. SHA256_RSA4096) and the key to AVB-signthe specified custom images mounted on the partition. Otherwise it usesthe existing values in info dict.--avb_extra_custom_image_extra_args <partition=extra_args>Specify any additional args that are needed to AVB-sign the custom imagesmounted on the partition (e.g. "--signing_helper /path/to/helper"). Theargs will be appended to the existing ones in info dict.--gki_signing_algorithm <algorithm>--gki_signing_key <key>Use the specified algorithm (e.g. SHA256_RSA4096) and the key to generate'boot signature' in a v4 boot.img. Otherwise it uses the existing valuesin info dict.--gki_signing_extra_args <args>Specify any additional args that are needed to generate 'boot signature'(e.g. --prop foo:bar). The args will be appended to the existing onesin info dict.--android_jar_path <path>Path to the android.jar to repack the apex file.--allow_gsi_debug_sepolicyAllow the existence of the file 'userdebug_plat_sepolicy.cil' under(/system/system_ext|/system_ext)/etc/selinux.If not set, error out when the file exists.
Global options-p (--path) <dir>Prepend <dir>/bin to the list of places to search for binaries run by thisscript, and expect to find jars in <dir>/framework.-s (--device_specific) <file>Path to the Python module containing device-specific releasetools code.-x (--extra) <key=value>Add a key/value pair to the 'extras' dict, which device-specific extensioncode may look at.-v (--verbose)Show command lines being executed.-h (--help)Display this usage message and exit.--logfile <file>Put verbose logs to specified file (regardless of --verbose option.)免责声明:本号所涉及内容仅供安全研究与教学使用,如出现其他风险,后果自负。
参考、来源:
https://www.jianshu.com/p/bb5325760506 (AOSP系统签名的生成以及替换、自签名、创建证书)
https://blog.csdn.net/gitblog_00079/article/details/137450852
https://www.cnblogs.com/3clove/p/16949939.html
https://blog.csdn.net/qq_53003652/article/details/134186457 (证书攻击)
https://blog.csdn.net/mozushixin_1/article/details/144430804 (参数详细说明)
https://blog.csdn.net/yzyeilin/article/details/139968840 (问题分析)
https://source.android.google.cn/docs/core/ota/sign_builds?hl=zh-cn (对要发布的 build 进行签名)
https://magesfc.github.io/mage/6b05d90d3608239b75a55f283f5a45cc588cb157/ (sign_target_files_apks脚本执行过程分析)
