Android 替换系统签名秘钥

一、创建系统秘钥

下面是android系统代码README描述，直接按照命令操作就可以，不用输入密码

build/make/target/product/security$ cat README 
The test keys in this directory are used in development only and should
NEVER be used to sign packages in publicly released images (as that would
open a major security hole).

key generation
--------------

The following commands were used to generate the test key pairs:

  development/tools/make_key testkey  '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
  development/tools/make_key platform '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
  development/tools/make_key shared   '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
  development/tools/make_key media    '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'

二、platform签名秘钥转换成keystore类型的签名文件，给app使用，签名系统应用

有人在github上写好了工具，我们可以直接下载使用，https://github.com/getfatday/keytool-importkeypair
将系统证书 platform.x509.pem platform.pk8 放在keytool-importkeypair 目录下，执行下面命令:

./keytool-importkeypair -k  ./platform.keystore -p 12345678  -pk8 platform.pk8 -cert platform.x509.pem -alias platform

-k 表示要生成的 keystore 文件的名字，这里命名为 platform.keystore
-p 表示要生成的 keystore 的密码，这里是 android
-pk8 表示要导入的 platform.pk8 文件
-cert 表示要导入的platform.x509.pem
-alias 表示给生成的 platform.keystore 取一个别名，这是命名为 platform

三、替换系统签名秘钥

我这里是海思芯片平台，每个芯片芯片厂家存放自己的签名秘钥位置不一样，需要根据自己平台替换。

1、 device/hisilicon/xxx/device.mk定义h海思签名key位置
PRODUCT_DEFAULT_DEV_CERTIFICATE := device/hisilicon/${CHIPNAME}/security/testkey

2、用刚制作的platform, release, media, shared签名秘钥对 替换海思芯片公版签名秘钥
device/hisilicon/xxx/security/*

3、build/make/core/config.mk定义android os编译使用的key位置
696 # The default key if not set as LOCAL_CERTIFICATE
697 ifdef PRODUCT_DEFAULT_DEV_CERTIFICATE
698 DEFAULT_SYSTEM_DEV_CERTIFICATE := $(PRODUCT_DEFAULT_DEV_CERTIFICATE)
699 else
700 DEFAULT_SYSTEM_DEV_CERTIFICATE := build/target/product/security/testkey
701 endif

四、命令小结

1、查看x509.pen证书信息方法。
openssl x509 -in testkey.x509.pem -inform pem -noout -text
2、 keytool工具制作签名key方法。
/keytool -genkey -v -keystore app.keystore -alias xxx -keyalg RSA -validity 20000
3、 查看.keystore签名key方法。
/usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/keytool -list -v -keystore app.keystore
4、手动签名android升级包
java -Xmx2048m -jar -Djava.library.path=out/host/linux-x86/lib64 out/host/linux-x86/framework/signapk.jar -w device/hisilicon/xxx/security/testkey.x509.pem
device/hisilicon/xxx/security/testkey.pk8 xxx_input_file xxx_output_file

5. 手动签名android app
   java -jar -Djava.library.path= out/host/linux-x86/lib64 out/host/linux-x86/framework/signapk.jar device/hisilicon/xxx//security/platform.x509.pem device/hisilicon/xxx/security/platform.pk8 xxxinput_file $output_file"

五、参考博客

https://blog.csdn.net/XIADANXIN/article/details/113573285
https://www.cnblogs.com/wanqieddy/p/3556060.html