系统签名"/>
OpenHarmony定制系统签名
参考资料:
OpenHarmony应用签名 - 厂商私有签名
OpenHarmony应用签名 - 系统应用签名
OpenHarmony应用签名 - 厂商私有签名的配置和使用
Hap包签名工具
DevEco Studio使用指南(HarmonyOS)应用/服务发布
开发环境
开发平台:Win10
开发板:RK3568
系统版本:OpenHarmony 3.2 Release
DevEco Studio 版本:3.1.0.200
full SDK 版本:3.2.11.9
签名简介
为了保证OpenHarmony应用的完整性和来源可靠,在应用构建时需要对应用进行签名。经过签名的应用才能在真机设备上安装、运行、和调试。developtools_hapsigner仓提供了签名工具的源码,包含密钥对生成、CSR文件生成、证书生成、Profile文件签名、Hap包签名等功能。
OpenHarmony系统中有一套默认签名信息,用于应用的开发和调试。当系统厂商正式发布系统时,需要新增或替换私有签名信息,本篇文档将介绍如何生成私有签名并在系统中进行配置。本文档需准备Java和Gradle编译环境。
概念说明
- 非对称密钥对:数据签名/验签的基础,应用签名工具实现了标准的非对称密钥对生成功能(支持的密钥对类型包括ECC P384/256、RSA2048/3072/4096)
- CSR:Certificate Signing Request 证书签发请求是生成证书的前提,他包括证书的公钥、证书主题和私钥签名,在申请证书之前,需要先基于密钥对生成CSR,然后提交给CA签发证书。
- 证书:OpenHarmony采用RFC5280标准构建X509证书信任体系。用于应用签名的OpenHarmony证书共有三级,分为:根CA证书、中间CA证书、最终实体证书,其中最终实体证书分为应用签名证书和profile签名证书。应用签名证书表示应用开发者的身份,可保证系统上安装的应用来源可追溯,profile签名证书实现对profile文件的签名进行验签,保证profile文件的完整性。
- HAP:OpenHarmony Ability Package 是Ability的部署包,OpenHarmony应用代码围绕Ability组件展开,它是由一个或者多个Ability组成。
- Profile文件:HarmonyAppProvision 配置文件,hap包中的描述文件,该描述文件描述了已授权的证书权限和设备ID信息等信息。
开发者通过IDE进行应用签名时,可在SDK中会获得如下签名相关文件:
签名密钥库文件:OpenHarmony.p12
Profile签名证书:OpenHarmonyProfileRelease.pem、OpenHarmonyProfileDebug.pem
Profile模板文件:UnsgnedReleasedProfileTemplate.json、UnsgnedDebugProfileTemplate.json
签名工具:hap-sign-tool.jar
上述文件的使用场景如下图所示。
Profile签名场景
:
应用签名场景
:
准备工作
- Hap签名工具源码:developtools\hapsigner
- 待签名hap包:entry-default-unsigned.hap
- Profile模板文件:Sdk\9\toolchains\lib\UnsgnedReleasedProfileTemplate.json
Hap包签名工具
Hap包签名工具基于Java语言开发,需要在Java8以上Java环境运行 (附:一键签名等脚本文件基于Python语言开发,使用需配置环境python3.x)。
签名工具位于源码路径:developtools\hapsigner
developtools\hapsigner├── autosign # 一键签名脚本
├── dist # SDK预置文件
├── hapsigntool # 主代码├──hap_sign_tool # 主程序入口,完成输入参数的基础校验├──hap_sign_tool_lib # 签名工具库,解析命令字和参数列表,实现各模块逻辑功能
├── tools # 自动化测试脚本
仓库地址:.git
编译构建
#进入签名工具所在路径
$ cd developtools/hapsigner/hapsigntool/#签名工具基于Gradle 7.1编译构建,确认环境已安装配置Gradle环境,并且版本正确
$ gradle -v
Gradle 7.1#执行gradle build 或者 gradle jar命令编译打包
$ gradle buildBUILD SUCCESSFUL in 22s
14 actionable tasks: 14 executed#编译完成后得到:developtools\hapsigner\hapsigntool\hap_sign_tool\build\libs\hap-sign-tool.jar
hap-sign-tool.jar接口说明
- 生成密钥对
generate-keypair : 生成密钥对├── -keyAlias # 密钥别名,必填项├── -keyPwd # 密钥口令,可选项├── -keyAlg # 密钥算法,必填项,包括RSA/ECC├── -keySize # 密钥长度,必填项,RSA算法的长度为2048/3072/4096,ECC算法的长度NIST-P-256/NIST-P-384├── -keystoreFile # 密钥库文件,必填项,JKS或P12格式├── -keystorePwd # 密钥库口令,可选项
- 生成证书签名请求
generate-csr : 生成证书签名请求├── -keyAlias # 密钥别名,必填项├── -keyPwd # 密钥口令,可选项├── -subject # 证书主题,必填项├── -signAlg # 签名算法,必填项,包括SHA256withRSA / SHA384withRSA / SHA256withECDSA / SHA384withECDSA├── -keystoreFile # 密钥库文件,必填项,JKS或P12格式├── -keystorePwd # 密钥库口令,可选项├── -outFile # 输出文件,可选项,如果不填,则直接输出到控制台
- 生成根CA/中间CA证书
generate-ca : 生成根CA/中间CA证书,如果密钥不存在,一起生成密钥├── -keyAlias # 密钥别名,必填项├── -keyPwd # 密钥口令,可选项├── -keyAlg # 密钥算法,必填项,包括RSA/ECC├── -keySize # 密钥长度,必填项,RSA算法的长度为2048/3072/4096,ECC算法的长度NIST-P-256/NIST-P-384├── -issuer # 颁发者的主题,可选项,如果不填,表示根CA├── -issuerKeyAlias # 颁发者的密钥别名,可选项,如果不填,表示根CA├── -issuerKeyPwd # 颁发者的密钥口令,可选项├── -subject # 证书主题,必填项├── -validity # 证书有效期,可选项,默认为3650天├── -signAlg # 签名算法,必填项,包括SHA256withRSA / SHA384withRSA / SHA256withECDSA / SHA384withECDSA├── -basicConstraintsPathLen # 路径长度,可选项,默认为0├── -issuerKeystoreFile # 签发者密钥库文件,可选项,JKS或P12格式├── -issuerKeystorePwd # 签发者密钥库口令,可选项├── -keystoreFile # 密钥库文件,必填项,JKS或P12格式├── -keystorePwd # 密钥库口令,可选项├── -outFile # 输出文件,可选项,如果不填,则直接输出到控制台
- 生成应用调试/发布证书
generate-app-cert : 生成应用调试/发布证书├── -keyAlias # 密钥别名,必填项├── -keyPwd # 密钥口令,可选项├── -issuer # 颁发者的主题,必填项├── -issuerKeyAlias # 颁发者的密钥别名,必填项├── -issuerKeyPwd # 颁发者的密钥口令,可选项├── -subject # 证书主题,必填项├── -validity # 证书有效期,可选项,默认为3650天├── -signAlg # 签名算法,必填项,包括SHA256withECDSA / SHA384withECDSA;├── -keystoreFile # 密钥库文件,必填项,JKS或P12格式├── -keystorePwd # 密钥库口令,可选项├── -issuerKeystoreFile # 签发者密钥库文件,可选项,JKS或P12格式├── -issuerKeystorePwd # 签发者密钥库口令,可选项├── -outForm # 输出证书文件的格式,包括 cert / certChain,可选项,默认为certChain├── -rootCaCertFile # outForm为certChain时必填,根CA证书文件├── -subCaCertFile # outForm为certChain时必填,中间CA证书文件├── -outFile # 输出证书文件(证书或证书链),可选项,如果不填,则直接输出到控制台
- 生成profile调试/发布证书
generate-profile-cert : 生成profile调试/发布证书├── -keyAlias # 密钥别名,必填项├── -keyPwd # 密钥口令,可选项├── -issuer # 颁发者的主题,必填项├── -issuerKeyAlias # 颁发者的密钥别名,必填项├── -issuerKeyPwd # 颁发者的密钥口令,可选项├── -subject # 证书主题,必填项├── -validity # 证书有效期,可选项,默认为3650天├── -signAlg # 签名算法,必填项,包括SHA256withECDSA / SHA384withECDSA;├── -keystoreFile # 密钥库文件,必填项,JKS或P12格式├── -keystorePwd # 密钥库口令,可选项├── -issuerKeystoreFile # 签发者密钥库文件,可选项,JKS或P12格式├── -issuerKeystorePwd # 签发者密钥库口令,可选项├── -outForm # 输出证书文件的格式,包括 cert / certChain,可选项,默认为certChain├── -rootCaCertFile # outForm为certChain时必填,根CA证书文件├── -subCaCertFile # outForm为certChain时必填,中间CA证书文件├── -outFile # 输出证书文件(证书或证书链),可选项,如果不填,则直接输出到控制台
- 通用证书生成,可以生成自定义证书
generate-cert : 通用证书生成,可以生成自定义证书├── -keyAlias # 密钥别名,必填项├── -keyPwd # 密钥口令,可选项├── -issuer # 颁发者的主题,必填项├── -issuerKeyAlias # 颁发者的密钥别名,必填项├── -issuerKeyPwd # 颁发者的密钥口令,可选项├── -subject # 证书主题,必填项├── -validity # 证书有效期,可选项,默认为1095天├── -keyUsage # 密钥用法,必选项,包括digitalSignature, nonRepudiation, keyEncipherment,├ dataEncipherment, keyAgreement, certificateSignature, crlSignature,├ encipherOnly和decipherOnly,如果证书包括多个密钥用法,用逗号分隔├── -keyUsageCritical # keyUsage是否为关键项,可选项,默认为是├── -extKeyUsage # 扩展密钥用法,可选项,包括clientAuthentication,serverAuthentication,├ codeSignature,emailProtection,smartCardLogin,timestamp,ocspSignature├── -extKeyUsageCritical # extKeyUsage是否为关键项,可选项,默认为否├── -signAlg # 签名算法,必填项,包括SHA256withRSA/SHA384withRSA/SHA256withECDSA/SHA384withECDSA ├── -basicConstraints # 是否包含basicConstraints,可选项,默认为否├── -basicConstraintsCritical # basicConstraints是否包含为关键项,可选项,默认为否├── -basicConstraintsCa # 是否为CA,可选项,默认为否├── -basicConstraintsPathLen # 路径长度,可选项,默认为0├── -issuerKeystoreFile # 签发者密钥库文件,可选项,JKS或P12格式├── -issuerKeystorePwd # 签发者密钥库口令,可选项├── -keystoreFile # 密钥库文件,必填项,JKS或P12格式├── -keystorePwd # 密钥库口令,可选项├── -outFile # 输出证书文件,可选项,如果不填,则直接输出到控制台
- ProvisionProfile文件签名
sign-profile : ProvisionProfile文件签名├── -mode # 签名模式,必填项,包括localSign,remoteSign├── -keyAlias # 密钥别名,必填项├── -keyPwd # 密钥口令,可选项├── -profileCertFile # Profile签名证书(证书链,顺序为最终实体证书-中间CA证书-根证书),必填项├── -inFile # 输入的原始Provision Profile文件,必填项├── -signAlg # 签名算法,必填项,包括SHA256withECDSA / SHA384withECDSA├── -keystoreFile # 密钥库文件,localSign模式时为必填项,JKS或P12格式├── -keystorePwd # 密钥库口令,可选项├── -outFile # 输出签名后的Provision Profile文件,p7b格式,必填项
- hap应用包签名
sign-app : hap应用包签名 ├── -mode # 签名模式,必填项,包括localSign,remoteSign,remoteResign├── -keyAlias # 密钥别名,必填项├── -keyPwd # 密钥口令,可选项├── -appCertFile # 应用签名证书文件(证书链,顺序为最终实体证书-中间CA证书-根证书),必填项├── -profileFile # 签名后的Provision Profile文件名,profileSigned为1时为p7b格式,profileSigned为0时为json格式,必填项├── -profileSigned # 指示profile文件是否带有签名,1表示有签名,0表示没有签名,默认为1。可选项├── -inForm # 输入的原始文件的格式,zip格式或bin格式,默认zip格式,可选项├── -inFile # 输入的原始APP包文件,zip格式或bin格式,必填项├── -signAlg # 签名算法,必填项,包括SHA256withECDSA / SHA384withECDSA├── -keystoreFile # 密钥库文件,localSign模式时为必填项,JKS或P12格式├── -keystorePwd # 密钥库口令,可选项├── -outFile # 输出签名后的包文件,必填项
- ProvisionProfile文件验签
verify-profile : ProvisionProfile文件验签├── -inFile # 已签名的Provision Profile文件,p7b格式,必填项├── -outFile # 验证结果文件(包含验证结果和profile内容),json格式,可选项;如果不填,则直接输出到控制台
- hap应用包文件验签
verify-app : hap应用包文件**验签**├── -inFile # 已签名的应用包文件,zip格式或bin格式,必填项├── -outCertChain # 签名的证书链文件,必填项├── -outProfile # 应用包中的profile文件,必填项
命令行签名,生成签名文件
注意
:为了方便后续将签名配置导入IDE,在设置密码时需遵守IDE密码规范:
密码必须至少包含8个字符,并包括以下任何两项:
1.小写字母:a-z
2.大写字母: A-Z
3.数字: 0-9
4.特殊字符: `~!@#$%^&*()-_=+\|[{}];:'",<.>/?
1、生成密钥对(xxx.p12),keystorePwd为密钥库口令
generate-keypair : 生成密钥对├── -keyAlias # 密钥别名,【OpenHarmony-ABC】├── -keyPwd # 密钥口令,【keypair123】├── -keyAlg # 密钥算法,【ECC】├── -keySize # 密钥长度,【NIST-P-256】├── -keystoreFile # 密钥库文件,【OpenHarmony-ABC.p12】├── -keystorePwd # 密钥库口令,【keystore123】$ java -jar hap-sign-tool.jar generate-keypair -keyAlias "OpenHarmony-ABC" -keyPwd "keypair123" -keyAlg "ECC" -keySize "NIST-P-256" -keystoreFile "./result/OpenHarmony-ABC.p12" -keystorePwd "keystore123"
#运行成功结果如下
INFO - Start generate-keypair
INFO - generate-keypair success
2、生成RootCA证书,subject为RootCA的证书主题,用于配置trusted_root_ca.json。
generate-ca : 生成根CA证书,如果密钥不存在,一起生成密钥├── -keyAlias # 密钥别名,【OpenHarmony-ABC-rootCA】├── -keyPwd # 密钥口令,【rootCA123】├── -keyAlg # 密钥算法,【ECC】├── -keySize # 密钥长度,【NIST-P-256】├── -subject # 证书主题,【C=CN, O=OpenHarmony-ABC-rootCA, OU=OpenHarmony-ABC-rootCA Community, CN=OpenHarmony Application Root CA】├── -validity # 证书有效期,【365】(1年)├── -signAlg # 签名算法,【SHA256withECDSA】├── -keystoreFile # 密钥库文件,【./result/OpenHarmony-ABC.p12】├── -keystorePwd # 密钥库口令,【keystore123】├── -outFile # 输出文件,【./result/OpenHarmony-ABC-rootCA.cer】$ java -jar hap-sign-tool.jar generate-ca -keyAlias "OpenHarmony-ABC-rootCA" -keyPwd "rootCA123" -keyAlg "ECC" -keySize "NIST-P-256" -subject "C=CN, O=OpenHarmony-ABC-rootCA, OU=OpenHarmony-ABC-rootCA Community, CN=OpenHarmony Application Root CA" -validity "365" -signAlg "SHA256withECDSA" -keystoreFile "./result/OpenHarmony-ABC.p12" -keystorePwd "keystore123" -outFile "./result/OpenHarmony-ABC-rootCA.cer"#运行成功结果如下
INFO - Start generate-ca
INFO - ./result/OpenHarmony-ABC.p12 is exist. Try to load it with given passwd
INFO - generate-ca success
3、生成SubCA证书
generate-ca : 生成根CA证书,如果密钥不存在,一起生成密钥├── -keyAlias # 密钥别名,【OpenHarmony-ABC-subCA】├── -keyPwd # 密钥口令,【subCA123】├── -keyAlg # 密钥算法,【ECC】├── -keySize # 密钥长度,【NIST-P-256】├── -issuer # 颁发者的主题,【C=CN, O=OpenHarmony-ABC-rootCA, OU=OpenHarmony-ABC-rootCA Community, CN=OpenHarmony Application Root CA】├── -issuerKeyAlias # 颁发者的密钥别名,【OpenHarmony-ABC-rootCA】├── -issuerKeyPwd # 颁发者的密钥口令,【rootCA123】├── -subject # 证书主题,【C=CN, O=OpenHarmony-ABC-subCA, OU=OpenHarmony-ABC-subCA Community, CN=OpenHarmony Application Sub CA】├── -validity # 证书有效期,【365】(1年)├── -signAlg # 签名算法,【SHA256withECDSA】├── -keystoreFile # 密钥库文件,【./result/OpenHarmony-ABC.p12】├── -keystorePwd # 密钥库口令,【keystore123】├── -outFile # 输出文件,【./result/OpenHarmony-ABC-subCA.cer】$ java -jar hap-sign-tool.jar generate-ca -keyAlias "OpenHarmony-ABC-subCA" -keyPwd "subCA123" -keyAlg "ECC" -keySize "NIST-P-256" -issuer "C=CN, O=OpenHarmony-ABC-rootCA, OU=OpenHarmony-ABC-rootCA Community, CN=OpenHarmony Application Root CA" -issuerKeyAlias "OpenHarmony-ABC-rootCA" -issuerKeyPwd "rootCA123" -subject "C=CN, O=OpenHarmony-ABC-subCA, OU=OpenHarmony-ABC-subCA Community, CN=OpenHarmony Application Sub CA" -validity "365" -signAlg "SHA256withECDSA" -keystoreFile "./result/OpenHarmony-ABC.p12" -keystorePwd "keystore123" -outFile "./result/OpenHarmony-ABC-subCA.cer"#运行成功结果如下
INFO - Start generate-ca
INFO - ./result/OpenHarmony-ABC.p12 is exist. Try to load it with given passwd
INFO - generate-ca success
4、生成应用调试/发布证书,subject用于配置trusted_apps_sources.json中的app-signing-cert项。
generate-app-cert : 生成应用调试/发布证书├── -keyAlias # 密钥别名,【OpenHarmony-ABC-subCA】├── -keyPwd # 密钥口令,【subCA123】├── -issuer # 颁发者的主题,【C=CN, O=OpenHarmony-ABC-subCA, OU=OpenHarmony-ABC-subCA Community, CN=OpenHarmony Application Sub CA" -issuerKeyAlias "OpenHarmony-ABC-subCA】├── -issuerKeyAlias # 颁发者的密钥别名,【OpenHarmony-ABC-subCA】├── -issuerKeyPwd # 颁发者的密钥口令,【subCA123】├── -subject # 证书主题,【C=CN, O=OpenHarmony-ABC-app-cert, OU=OpenHarmony-ABC-app-cert Community, CN=OpenHarmony Application Release】├── -validity # 证书有效期,【365】├── -signAlg # 签名算法,【SHA256withECDSA】├── -keystoreFile # 密钥库文件,【./result/OpenHarmony-ABC.p12】├── -keystorePwd # 密钥库口令,【keystore123】├── -rootCaCertFile # outForm为certChain时必填,根CA证书文件【./result/OpenHarmony-ABC-rootCA.cer】├── -subCaCertFile # outForm为certChain时必填,中间CA证书文件【./result/OpenHarmony-ABC-subCA.cer】├── -outFile # 输出证书文件(证书或证书链),【./result/OpenHarmony-ABC-app-cert.pem】$ java -jar hap-sign-tool.jar generate-app-cert -keyAlias "OpenHarmony-ABC-subCA" -keyPwd "subCA123" -issuer "C=CN, O=OpenHarmony-ABC-subCA, OU=OpenHarmony-ABC-subCA Community, CN=OpenHarmony Application Sub CA" -issuerKeyAlias "OpenHarmony-ABC-subCA" -issuerKeyPwd "subCA123" -subject "C=CN, O=OpenHarmony-ABC-app-cert, OU=OpenHarmony-ABC-app-cert Community, CN=OpenHarmony Application Release" -validity "365" -signAlg "SHA256withECDSA" -keystoreFile "./result/OpenHarmony-ABC.p12" -keystorePwd "keystore123" -rootCaCertFile "./result/OpenHarmony-ABC-rootCA.cer" -outForm "certChain" -subCaCertFile "./result/OpenHarmony-ABC-subCA.cer" -outFile "./result/OpenHarmony-ABC-app-cert.pem"#运行成功结果如下
INFO - Start generate-app-cert
INFO - ./result/OpenHarmony-ABC.p12 is exist. Try to load it with given passwd
INFO - generate-app-cert success
5、生成ProfileCA证书,subject用于配置trusted_apps_sources.json中的issuer-ca项
generate-ca : 生成ProfileCA证书,如果密钥不存在,一起生成密钥├── -keyAlias # 密钥别名,【OpenHarmony-ABC-profileCA】├── -keyPwd # 密钥口令,【profileCA123】├── -keyAlg # 密钥算法,【ECC】├── -keySize # 密钥长度,【NIST-P-256】├── -issuer # 颁发者的主题,【C=CN, O=OpenHarmony-ABC-rootCA, OU=OpenHarmony-ABC-rootCA Community, CN=OpenHarmony Application Root CA】├── -issuerKeyAlias # 颁发者的密钥别名,【OpenHarmony-ABC-rootCA】├── -issuerKeyPwd # 颁发者的密钥口令,【rootCA123】├── -subject # 证书主题,【C=CN, O=OpenHarmony-ABC-subCA, OU=OpenHarmony-ABC-subCA Community, CN=OpenHarmony Application Sub CA】├── -validity # 证书有效期,【365】(1年)├── -signAlg # 签名算法,【SHA256withECDSA】├── -keystoreFile # 密钥库文件,【./result/OpenHarmony-ABC.p12】├── -keystorePwd # 密钥库口令,【keystore123】├── -outFile # 输出文件,【./result/OpenHarmony-ABC-profileCA.cer】$ java -jar hap-sign-tool.jar generate-ca -keyAlias "OpenHarmony-ABC-profileCA" -keyPwd "profileCA123" -keyAlg "ECC" -keySize "NIST-P-256" -issuer "C=CN, O=OpenHarmony-ABC-rootCA, OU=OpenHarmony-ABC-rootCA Community, CN=OpenHarmony Application Root CA" -issuerKeyAlias "OpenHarmony-ABC-rootCA" -issuerKeyPwd "rootCA123" -subject "C=CN, O=OpenHarmony-ABC-subCA, OU=OpenHarmony-ABC-subCA Community, CN=OpenHarmony Application CA" -validity "365" -signAlg "SHA256withECDSA" -keystoreFile "./result/OpenHarmony-ABC.p12" -keystorePwd "keystore123" -outFile "./result/OpenHarmony-ABC-profileCA.cer"#运行成功结果如下
INFO - Start generate-ca
INFO - ./result/OpenHarmony-ABC.p12 is exist. Try to load it with given passwd
INFO - generate-ca success
6、生成应用Release版profile调试/发布证书,subject用于配置trusted_apps_sources.json中的profile-signing-certificate项。
generate-profile-cert : 生成Release版本profile调试/发布证书├── -keyAlias # 密钥别名,【OpenHarmony-ABC-profileCA】├── -keyPwd # 密钥口令,【profileCA123】├── -issuer # 颁发者的主题,【C=CN, O=OpenHarmony-ABC-subCA, OU=OpenHarmony-ABC-subCA Community, CN=OpenHarmony Application CA】├── -issuerKeyAlias # 颁发者的密钥别名,【OpenHarmony-ABC-profileCA】├── -issuerKeyPwd # 颁发者的密钥口令,【profileCA123】├── -subject # 证书主题,【C=CN, O=OpenHarmony-ABC-profile-cert, OU=OpenHarmony-ABC-profile-cert Community, CN=OpenHarmony Application Profile Release】├── -validity # 证书有效期,【365】├── -signAlg # 签名算法,【SHA256withECDSA】├── -keystoreFile # 密钥库文件,【./result/OpenHarmony-ABC.p12】├── -keystorePwd # 密钥库口令,【keystore123】├── -outForm # 输出证书文件的格式,包括 cert / certChain,【certChain】├── -rootCaCertFile # outForm为certChain时必填,根CA证书文件【./result/OpenHarmony-ABC-rootCA.cer】├── -subCaCertFile # outForm为certChain时必填,中间CA证书文件【./result/OpenHarmony-ABC-profileCA.cer】├── -outFile # 输出证书文件(证书或证书链),【./result/OpenHarmony-ABC-profile-cert-release.pem】$ java -jar hap-sign-tool.jar generate-profile-cert -keyAlias "OpenHarmony-ABC-profileCA" -keyPwd "profileCA123" -issuer "C=CN, O=OpenHarmony-ABC-subCA, OU=OpenHarmony-ABC-subCA Community, CN=OpenHarmony Application CA" -issuerKeyAlias "OpenHarmony-ABC-profileCA" -issuerKeyPwd "profileCA123" -subject "C=CN, O=OpenHarmony-ABC-profile-cert, OU=OpenHarmony-ABC-profile-cert Community, CN=OpenHarmony Application Profile Release" -validity "365" -signAlg "SHA256withECDSA" -keystoreFile "./result/OpenHarmony-ABC.p12" -keystorePwd "keystore123" -outForm "certChain" -rootCaCertFile "./result/OpenHarmony-ABC-rootCA.cer" -subCaCertFile "./result/OpenHarmony-ABC-profileCA.cer" -outFile "./result/OpenHarmony-ABC-profile-cert-release.pem"#运行成功结果如下
INFO - Start generate-profile-cert
INFO - ./result/OpenHarmony-ABC.p12 is exist. Try to load it with given passwd
INFO - generate-profile-cert success
7、生成应用Debug版profile调试/发布证书,subject用于配置trusted_apps_sources.json中的profile-debug-signing-certificate项
generate-profile-cert : 生成Debug版本profile调试/发布证书├── -keyAlias # 密钥别名,【OpenHarmony-ABC-profileCA】├── -keyPwd # 密钥口令,【profileCA123】├── -issuer # 颁发者的主题,【C=CN, O=OpenHarmony-ABC-subCA, OU=OpenHarmony-ABC-subCA Community, CN=OpenHarmony Application CA】├── -issuerKeyAlias # 颁发者的密钥别名,【OpenHarmony-ABC-profileCA】├── -issuerKeyPwd # 颁发者的密钥口令,【profileCA123】├── -subject # 证书主题,【C=CN, O=OpenHarmony-ABC-profile-cert, OU=OpenHarmony-ABC-profile-cert Community, CN=OpenHarmony Application Profile Debug】├── -validity # 证书有效期,【365】├── -signAlg # 签名算法,【SHA256withECDSA】├── -keystoreFile # 密钥库文件,【./result/OpenHarmony-ABC.p12】├── -keystorePwd # 密钥库口令,【keystore123】├── -outForm # 输出证书文件的格式,包括 cert / certChain,【certChain】├── -rootCaCertFile # outForm为certChain时必填,根CA证书文件【./result/OpenHarmony-ABC-rootCA.cer】├── -subCaCertFile # outForm为certChain时必填,中间CA证书文件【./result/OpenHarmony-ABC-profileCA.cer】├── -outFile # 输出证书文件(证书或证书链),【./result/OpenHarmony-ABC-profile-cert-debug.pem】$ java -jar hap-sign-tool.jar generate-profile-cert -keyAlias "OpenHarmony-ABC-profileCA" -keyPwd "profileCA123" -issuer "C=CN, O=OpenHarmony-ABC-subCA, OU=OpenHarmony-ABC-subCA Community, CN=OpenHarmony Application CA" -issuerKeyAlias "OpenHarmony-ABC-profileCA" -issuerKeyPwd "profileCA123" -subject "C=CN, O=OpenHarmony-ABC-profile-cert, OU=OpenHarmony-ABC-profile-cert Community, CN=OpenHarmony Application Profile Debug" -validity "365" -signAlg "SHA256withECDSA" -keystoreFile "./result/OpenHarmony-ABC.p12" -keystorePwd "keystore123" -outForm "certChain" -rootCaCertFile "./result/OpenHarmony-ABC-rootCA.cer" -subCaCertFile "./result/OpenHarmony-ABC-profileCA.cer" -outFile "./result/OpenHarmony-ABC-profile-cert-debug.pem"#运行成功结果如下
INFO - Start generate-profile-cert
INFO - ./result/OpenHarmony-ABC.p12 is exist. Try to load it with given passwd
INFO - generate-profile-cert success
经过以上步骤得到签名文件如下:
$ ls -al result/
OpenHarmony-ABC-app-cert.pem
OpenHarmony-ABC.p12
OpenHarmony-ABC-profileCA.cer
OpenHarmony-ABC-profile-cert-debug.pem
OpenHarmony-ABC-profile-cert-release.pem
OpenHarmony-ABC-rootCA.cer
OpenHarmony-ABC-subCA.cer
8、将OpenHarmony-ABC-app-cert.pem中第一部分的密钥,把回车转换为\n字符,放入UnsgnedReleasedProfileTemplate.json的distribution-certificate中
-----BEGIN CERTIFICATE-----
MIICZjCCAgygAwIBAgIEXPrigDAKBggqhkjOPQQDAjCBgDELMAkGA1UEBhMCQ04x
HjAcBgNVBAoMFU9wZW5IYXJtb255LUFCQy1zdWJDQTEoMCYGA1UECwwfT3Blbkhh
cm1vbnktQUJDLXN1YkNBIENvbW11bml0eTEnMCUGA1UEAwweT3Blbkhhcm1vbnkg
QXBwbGljYXRpb24gU3ViIENBMB4XDTIzMDYyODA1MjgwMloXDTI0MDYyNzA1Mjgw
MlowgYcxCzAJBgNVBAYTAkNOMSEwHwYDVQQKDBhPcGVuSGFybW9ueS1BQkMtYXBw
LWNlcnQxKzApBgNVBAsMIk9wZW5IYXJtb255LUFCQy1hcHAtY2VydCBDb21tdW5p
dHkxKDAmBgNVBAMMH09wZW5IYXJtb255IEFwcGxpY2F0aW9uIFJlbGVhc2UwWTAT
BgcqhkjOPQIBBggqhkjOPQMBBwNCAARvPLo0HPZroleu81PSWDEmB2cGI+EHUM7b
w95BBsaThBfjbtt37oNICJRGaBWSxmCSxbU557Ci7IRE7o/vJaM0o2swaTAdBgNV
HQ4EFgQUUvatlguoLp2hFrlme6a0KrlNF2AwCQYDVR0TBAIwADAOBgNVHQ8BAf8E
BAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwGAYMKwYBBAGPWwKCeAEDBAgwBgIB
AQoBADAKBggqhkjOPQQDAgNIADBFAiAcH26/JhsRiHqDEX7A95Vb2VkIm8xUYJs5
pz2Nzde6yAIhAJrYHxuTVuhdgkJ7IL5WNmU+YwJdp6Li+rIb0JFe2ZmR
-----END CERTIFICATE-----
转换后:
-----BEGIN CERTIFICATE-----\nMIICZjCCAgygAwIBAgIEXPrigDAKBggqhkjOPQQDAjCBgDELMAkGA1UEBhMCQ04x\nHjAcBgNVBAoMFU9wZW5IYXJtb255LUFCQy1zdWJDQTEoMCYGA1UECwwfT3Blbkhh\ncm1vbnktQUJDLXN1YkNBIENvbW11bml0eTEnMCUGA1UEAwweT3Blbkhhcm1vbnkg\nQXBwbGljYXRpb24gU3ViIENBMB4XDTIzMDYyODA1MjgwMloXDTI0MDYyNzA1Mjgw\nMlowgYcxCzAJBgNVBAYTAkNOMSEwHwYDVQQKDBhPcGVuSGFybW9ueS1BQkMtYXBw\nLWNlcnQxKzApBgNVBAsMIk9wZW5IYXJtb255LUFCQy1hcHAtY2VydCBDb21tdW5p\ndHkxKDAmBgNVBAMMH09wZW5IYXJtb255IEFwcGxpY2F0aW9uIFJlbGVhc2UwWTAT\nBgcqhkjOPQIBBggqhkjOPQMBBwNCAARvPLo0HPZroleu81PSWDEmB2cGI+EHUM7b\nw95BBsaThBfjbtt37oNICJRGaBWSxmCSxbU557Ci7IRE7o/vJaM0o2swaTAdBgNV\nHQ4EFgQUUvatlguoLp2hFrlme6a0KrlNF2AwCQYDVR0TBAIwADAOBgNVHQ8BAf8E\nBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwGAYMKwYBBAGPWwKCeAEDBAgwBgIB\nAQoBADAKBggqhkjOPQQDAgNIADBFAiAcH26/JhsRiHqDEX7A95Vb2VkIm8xUYJs5\npz2Nzde6yAIhAJrYHxuTVuhdgkJ7IL5WNmU+YwJdp6Li+rIb0JFe2ZmR\n-----END CERTIFICATE-----\n
将转换后的密钥写入UnsgnedReleasedProfileTemplate.json的distribution-certificate中
注意:
bundle-name需与应用包名匹配,否则安装时:
error: failed to install bundle. error: verify signature failed.
"bundle-info": {"developer-id": "OpenHarmony","distribution-certificate": "-----BEGIN CERTIFICATE-----\nMIICZjCCAgygAwIBAgIEXPrigDAKBggqhkjOPQQDAjCBgDELMAkGA1UEBhMCQ04x\nHjAcBgNVBAoMFU9wZW5IYXJtb255LUFCQy1zdWJDQTEoMCYGA1UECwwfT3Blbkhh\ncm1vbnktQUJDLXN1YkNBIENvbW11bml0eTEnMCUGA1UEAwweT3Blbkhhcm1vbnkg\nQXBwbGljYXRpb24gU3ViIENBMB4XDTIzMDYyODA1MjgwMloXDTI0MDYyNzA1Mjgw\nMlowgYcxCzAJBgNVBAYTAkNOMSEwHwYDVQQKDBhPcGVuSGFybW9ueS1BQkMtYXBw\nLWNlcnQxKzApBgNVBAsMIk9wZW5IYXJtb255LUFCQy1hcHAtY2VydCBDb21tdW5p\ndHkxKDAmBgNVBAMMH09wZW5IYXJtb255IEFwcGxpY2F0aW9uIFJlbGVhc2UwWTAT\nBgcqhkjOPQIBBggqhkjOPQMBBwNCAARvPLo0HPZroleu81PSWDEmB2cGI+EHUM7b\nw95BBsaThBfjbtt37oNICJRGaBWSxmCSxbU557Ci7IRE7o/vJaM0o2swaTAdBgNV\nHQ4EFgQUUvatlguoLp2hFrlme6a0KrlNF2AwCQYDVR0TBAIwADAOBgNVHQ8BAf8E\nBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwGAYMKwYBBAGPWwKCeAEDBAgwBgIB\nAQoBADAKBggqhkjOPQQDAgNIADBFAiAcH26/JhsRiHqDEX7A95Vb2VkIm8xUYJs5\npz2Nzde6yAIhAJrYHxuTVuhdgkJ7IL5WNmU+YwJdp6Li+rIb0JFe2ZmR\n-----END CERTIFICATE-----\n","bundle-name": "com.example.mysigndemo","apl": "system_basic","app-feature": "hos_system_app"}
9、ProvisionProfile文件签名
sign-profile : ProvisionProfile文件签名├── -mode # 签名模式,【localSign】├── -keyAlias # 密钥别名,【OpenHarmony-ABC-profileCA】├── -keyPwd # 密钥口令,【profileCA123】├── -profileCertFile # Profile签名证书,【./result/OpenHarmony-ABC-profile-cert-release.pem】├── -inFile # 输入的原始Provision Profile文件,【UnsgnedReleasedProfileTemplate.json】├── -signAlg # 签名算法,【SHA256withECDSA】├── -keystoreFile # 密钥库文件,【./result/OpenHarmony-ABC.p12】├── -keystorePwd # 密钥库口令,【keystore123】├── -outFile # 输出签名后的Provision Profile文件,p7b格式,【./result/Openharmony-signtest.p7b】$ java -jar hap-sign-tool.jar sign-profile -mode "localSign" -keyAlias "OpenHarmony-ABC-profileCA" -keyPwd "profileCA123" -profileCertFile "./result/OpenHarmony-ABC-profile-cert-release.pem" -inFile "UnsgnedReleasedProfileTemplate.json" -signAlg "SHA256withECDSA" -keystoreFile "./result/OpenHarmony-ABC.p12" -keystorePwd "keystore123" -outFile "./result/Openharmony-signtest.p7b"#运行成功结果如下
INFO - Start sign-profile
INFO - ./result/OpenHarmony-ABC.p12 is exist. Try to load it with given passwd
INFO - sign-profile success#ProvisionProfile文件验签verify-profile : ProvisionProfile文件验签├── -inFile # 已签名的Provision Profile文件,【】├── -outFile # 验证结果文件(包含验证结果和profile内容),【】$ java -jar hap-sign-tool.jar verify-profile -inFile "./result/Openharmony-signtest.p7b" -outFile "./result/Openharmony-verify-profile-result.json"#运行成功结果如下,详细结果见Openharmony-verify-profile-result.json
INFO - Start verify-profile
INFO - verify-profile success
10、hap应用包签名
sign-app : hap应用包签名 ├── -mode # 签名模式,【localSign】├── -keyAlias # 密钥别名,【OpenHarmony-ABC-subCA】├── -keyPwd # 密钥口令,【subCA123】├── -appCertFile # 应用签名证书文件(证书链,顺序为最终实体证书-中间CA证书-根证书),【./result/OpenHarmony-ABC-app-cert.pem】├── -profileFile # 签名后的Provision Profile文件名,profileSigned为1时为p7b格式,profileSigned为0时为json格式,【./result/Openharmony-signtest.p7b】├── -inFile # 输入的原始APP包文件,【entry-default-unsigned.hap】├── -signAlg # 签名算法,【SHA256withECDSA】├── -keystoreFile # 密钥库文件,【OpenHarmony-ABC.p12】├── -keystorePwd # 密钥库口令,【keystore123】├── -outFile # 输出签名后的包文件,【./result/entry-default-signed.hap】$ java -jar hap-sign-tool.jar sign-app -mode "localSign" -keyAlias "OpenHarmony-ABC-subCA" -keyPwd "subCA123" -appCertFile "./result/OpenHarmony-ABC-app-cert.pem" -profileFile "./result/Openharmony-signtest.p7b" -signAlg "SHA256withECDSA" -inFile "entry-default-unsigned.hap" -keystoreFile "./result/OpenHarmony-ABC.p12" -keystorePwd "keystore123" -outFile "./result/entry-default-signed.hap"#运行成功结果如下
INFO - Start sign-app
INFO - certificate in profile: OpenHarmony Application Release
INFO - ./result/OpenHarmony-ABC.p12 is exist. Try to load it with given passwd
INFO - Add sign data in sign info list success.
INFO - Generate signing block success, begin write it to output file
INFO - Sign Hap success!
INFO - sign-app successverify-app : hap应用包文件验签├── -inFile # 已签名的应用包文件,【./result/entry-default-signed.hap】├── -outCertChain # 签名的证书链文件,【./result/OpenHarmony-ABC-subCA.cer】├── -outProfile # 应用包中的profile文件,【Openharmony-signtest.p7b】$ java -jar hap-sign-tool.jar verify-app -inFile "./result/entry-default-signed.hap" -outCertChain "./result/OpenHarmony-ABC-subCA.cer" -outProfile "Openharmony-signtest.p7b" > ./result/OpenHarmony-verify-app-result.json#运行成功结果如下,详细结果见OpenHarmony-verify-app-result.json
06-28 16:26:35 WARN - Missing parameter: outproof
得到Profile签名文件
和已签名的hap
Openharmony-signtest.p7b
entry-default-signed.hap
验证定制签名
验证定制签名主要通过
- hdc安装已签名的hap
- IDE导入签名配置,编译安装hap
hdc验证
上述步骤生成的entry-default-signed.hap为定制签名的hap,与系统默认签名配置不同,因此直接安装会失败:
> hdc install xxx\ohos_signtest\result\entry-default-signed.hap[Info]App install path:ohos_signtest\result\entry-default-signed.hap, queuesize:0, msg:error: failed to install bundle. error: fail to verify pkcs7 file.
AppMod finish
因此需要修改默认系统证书配置文件trusted_apps_sources.json
和trusted_root_ca.json
设备路径:/etc/security/trusted_apps_sources.json、/etc/security/trusted_root_ca.json
源码路径:base/security/appverify/interfaces/innerkits/appverify/config/OpenHarmony/trusted_apps_sources.json、
base/security/appverify/interfaces/innerkits/appverify/config/OpenHarmony/trusted_root_ca.json
- trusted_apps_sources.json修改如下:
#兼容则新添加一下配置项,强制则替换默认OpenHarmony apps配置
{"name":"OpenHarmony-ABC apps","app-signing-cert":"C=CN, O=OpenHarmony-ABC-app-cert, OU=OpenHarmony-ABC-app-cert Community, CN=OpenHarmony Application Release","profile-signing-certificate":"C=CN, O=OpenHarmony-ABC-profile-cert, OU=OpenHarmony-ABC-profile-cert Community, CN=OpenHarmony Application Profile Release","profile-debug-signing-certificate":"C=CN, O=OpenHarmony-ABC-profile-cert, OU=OpenHarmony-ABC-profile-cert Community, CN=OpenHarmony Application Profile Debug","issuer-ca":"C=CN, O=OpenHarmony-ABC-subCA, OU=OpenHarmony-ABC-subCA Community, CN=OpenHarmony Application CA","max-certs-path":3,"critialcal-cert-extension":["keyusage"]
}
其中
name:授信应用群名称,无特殊要求,可自定义
app-signing-cert:应用签名证书主题,与OpenHarmony-ABC-app-cert.pem subject保持一致
profile-signing-certificate:profile Release签名证书主题,与OpenHarmony-ABC-profile-cert-release.pem subject保持一致
profile-debug-signing-certificate:profile Debug签名证书主题,与OpenHarmony-ABC-profile-cert-debug.pem subject保持一致
issuer-ca:profileCA主题,与OpenHarmony-ABC-profileCA.cer subject保持一致subject中的C、O、OU、CN含义如下:
C:国家/地区代码,如CN
O:组织名称,如HUAWEI
OU:组织单位名称,如HUAWEI IDE
CN:名字与姓氏,建议与别名一致
- 修改trusted_root_ca.json 文件:
将 OpenHarmony-ABC-rootCA.cer 密钥信息处理后加入到文件中。
-----BEGIN CERTIFICATE-----
MIICQDCCAeagAwIBAgIFANIukcQwCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYTAkNO
MR8wHQYDVQQKDBZPcGVuSGFybW9ueS1BQkMtcm9vdENBMSkwJwYDVQQLDCBPcGVu
SGFybW9ueS1BQkMtcm9vdENBIENvbW11bml0eTEoMCYGA1UEAwwfT3Blbkhhcm1v
bnkgQXBwbGljYXRpb24gUm9vdCBDQTAeFw0yMzA2MjgwMzE3NTlaFw0yNDA2Mjcw
MzE3NTlaMIGDMQswCQYDVQQGEwJDTjEfMB0GA1UECgwWT3Blbkhhcm1vbnktQUJD
LXJvb3RDQTEpMCcGA1UECwwgT3Blbkhhcm1vbnktQUJDLXJvb3RDQSBDb21tdW5p
dHkxKDAmBgNVBAMMH09wZW5IYXJtb255IEFwcGxpY2F0aW9uIFJvb3QgQ0EwWTAT
BgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ/IK5FcvYOsKF8OpuiHRcR6zawSiPmVYp2
AKahLN5CxjMTpVj14t23yG8RScJEOjuKUxh8SAqYr7lB0riOWJodo0UwQzAdBgNV
HQ4EFgQUeb2WbI8s7xczwXlsuk8fo9eqmQUwEgYDVR0TAQH/BAgwBgEB/wIBADAO
BgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwIDSAAwRQIhANv5RhH5UtH0SXOh7k7+
AVcBkn3Dqfdbu/LTShclS+APAiBpEe3s49fxpW7pNbGzdMEgaqXafuf5+YTT5VqF
8PYydA==
-----END CERTIFICATE-----
处理后:
-----BEGIN CERTIFICATE-----\nMIICQDCCAeagAwIBAgIFANIukcQwCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYTAkNO\nMR8wHQYDVQQKDBZPcGVuSGFybW9ueS1BQkMtcm9vdENBMSkwJwYDVQQLDCBPcGVu\nSGFybW9ueS1BQkMtcm9vdENBIENvbW11bml0eTEoMCYGA1UEAwwfT3Blbkhhcm1v\nbnkgQXBwbGljYXRpb24gUm9vdCBDQTAeFw0yMzA2MjgwMzE3NTlaFw0yNDA2Mjcw\nMzE3NTlaMIGDMQswCQYDVQQGEwJDTjEfMB0GA1UECgwWT3Blbkhhcm1vbnktQUJD\nLXJvb3RDQTEpMCcGA1UECwwgT3Blbkhhcm1vbnktQUJDLXJvb3RDQSBDb21tdW5p\ndHkxKDAmBgNVBAMMH09wZW5IYXJtb255IEFwcGxpY2F0aW9uIFJvb3QgQ0EwWTAT\nBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ/IK5FcvYOsKF8OpuiHRcR6zawSiPmVYp2\nAKahLN5CxjMTpVj14t23yG8RScJEOjuKUxh8SAqYr7lB0riOWJodo0UwQzAdBgNV\nHQ4EFgQUeb2WbI8s7xczwXlsuk8fo9eqmQUwEgYDVR0TAQH/BAgwBgEB/wIBADAO\nBgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwIDSAAwRQIhANv5RhH5UtH0SXOh7k7+\nAVcBkn3Dqfdbu/LTShclS+APAiBpEe3s49fxpW7pNbGzdMEgaqXafuf5+YTT5VqF\n8PYydA==\n-----END CERTIFICATE-----\n
写入trusted_root_ca.json
#兼容则新添加一下配置项,强制则替换默认rootCA配置
{"C=CN, O=OpenHarmony-ABC-rootCA, OU=OpenHarmony-ABC-rootCA Community, CN=OpenHarmony Application Root CA":"-----BEGIN CERTIFICATE-----\nMIICQDCCAeagAwIBAgIFANIukcQwCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYTAkNO\nMR8wHQYDVQQKDBZPcGVuSGFybW9ueS1BQkMtcm9vdENBMSkwJwYDVQQLDCBPcGVu\nSGFybW9ueS1BQkMtcm9vdENBIENvbW11bml0eTEoMCYGA1UEAwwfT3Blbkhhcm1v\nbnkgQXBwbGljYXRpb24gUm9vdCBDQTAeFw0yMzA2MjgwMzE3NTlaFw0yNDA2Mjcw\nMzE3NTlaMIGDMQswCQYDVQQGEwJDTjEfMB0GA1UECgwWT3Blbkhhcm1vbnktQUJD\nLXJvb3RDQTEpMCcGA1UECwwgT3Blbkhhcm1vbnktQUJDLXJvb3RDQSBDb21tdW5p\ndHkxKDAmBgNVBAMMH09wZW5IYXJtb255IEFwcGxpY2F0aW9uIFJvb3QgQ0EwWTAT\nBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ/IK5FcvYOsKF8OpuiHRcR6zawSiPmVYp2\nAKahLN5CxjMTpVj14t23yG8RScJEOjuKUxh8SAqYr7lB0riOWJodo0UwQzAdBgNV\nHQ4EFgQUeb2WbI8s7xczwXlsuk8fo9eqmQUwEgYDVR0TAQH/BAgwBgEB/wIBADAO\nBgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwIDSAAwRQIhANv5RhH5UtH0SXOh7k7+\nAVcBkn3Dqfdbu/LTShclS+APAiBpEe3s49fxpW7pNbGzdMEgaqXafuf5+YTT5VqF\n8PYydA==\n-----END CERTIFICATE-----\n"
}
将更新后的trusted_apps_sources.json和trusted_root_ca.json推送至系统中并重启:
> hdc shell "mount -o remount,rw /"
> hdc file send xxx\test\ohos_signtest\trusted_apps_sources.json /etc/security/trusted_apps_sources.json
FileTransfer finish, Size:2168, File count = 1, time:21ms rate:103.24kB/s
> hdc file send xxx\test\ohos_signtest\trusted_root_ca.json /etc/security/trusted_root_ca.json
FileTransfer finish, Size:1847, File count = 1, time:17ms rate:108.65kB/s
> hdc shell reboot
安装签名应用
> hdc install xxx\test\ohos_signtest\demo\entry-default-signed.hap
[Info]App install path:xxx\test\ohos_signtool\demo\entry-default-signed.hap, queuesize:0, msg:install bundle successfully.
AppMod finish
5、IDE验证
将生成的定制系统签名配置文件导入IDE,使用定制签名对hap进行签名,编译后直接可安装至设备。
打开IDE进行签名配置:
IDE->File->ProjectStructure->Signing Configs
其中:
- Store file(*.p12):密钥库文件,选择OpenHarmony-ABC.p12
- Store password:密钥库密码,keystore123
- Key alias:密钥别名,OpenHarmony-ABC-subCA
- Key password:密钥密码,subCA123
- Sign alg:签名算法,默认为SHA256withECDSA
- Profile file(*.p7b):profile签名文件,选择Openharmony-signtest.p7b
- Certpath file(*.cer):应用调试/发布证书,
将OpenHarmony-ABC-app-cert.
pem
重命名为OpenHarmony-ABC-app-cert.
cer
查看项目build-profile.json5签名配置是否已更新
"signingConfigs": [{"name": "default","material": {"storePassword": "0000001BD38A4D685B71DC9660538FE27BFDFFA31735901B6EF4690690D4AF8E91936D04D6571E60B56376","certpath": "C:/Users/xxx/Desktop/result/OpenHarmony-ABC-app-cert.cer","keyAlias": "OpenHarmony-ABC-subCA","keyPassword": "000000183110ABA8E0FE869D85057E2EADA895DDBE7C2CF30A292A217AFA8239B547506E250FD5F1","profile": "C:/Users/xxx/Desktop/result/Openharmony-signtest.p7b","signAlg": "SHA256withECDSA","storeFile": "C:/Users/xxx/Desktop/result/OpenHarmony-ABC.p12"}}],
点击编译,编译完成后自动hap自动安装至设备中。
定制签名配置导入源码
详细步骤可参考OpenHarmony应用签名 - 厂商私有签名的配置和使用
参考文档中对于当前版本(3.2 Release)源码中签名配置不完善之处也给出了说明。本文这里以替换源码默认签名配置
方式介绍导入定制签名配置的大致步骤,详细过程可以参见上述资料。
准备工作
#相关定制签名配置文件
hap签名工具包:hap-sign-tool.jar
定制签名密钥库:OpenHarmony-ABC.p12
定制签名密钥库密码:keystore123
Key alias密钥别名:OpenHarmony-ABC-subCA
密钥密码:subCA123
应用profile签名文件:OpenHarmony-ABC-app-cert.pem或OpenHarmony-ABC-app-cert.cer
profile签名模板:UnsgnedReleasedProfileTemplate.jsonOpenHarmony 3.2 Release源码一份
配置源码私有源签名信息
根据前文【验证定制签名】章节方式修改trusted_apps_sources.json和trusted_root_ca.json文件,替换源码默认私有源签名信息。
base/security/appverify/interfaces/innerkits/appverify/config/OpenHarmony/trusted_apps_sources.json
{"name":"OpenHarmony-ABC apps","app-signing-cert":"C=CN, O=OpenHarmony-ABC-app-cert, OU=OpenHarmony-ABC-app-cert Community, CN=OpenHarmony Application Release","profile-signing-certificate":"C=CN, O=OpenHarmony-ABC-profile-cert, OU=OpenHarmony-ABC-profile-cert Community, CN=OpenHarmony Application Profile Release","profile-debug-signing-certificate":"C=CN, O=OpenHarmony-ABC-profile-cert, OU=OpenHarmony-ABC-profile-cert Community, CN=OpenHarmony Application Profile Debug","issuer-ca":"C=CN, O=OpenHarmony-ABC-subCA, OU=OpenHarmony-ABC-subCA Community, CN=OpenHarmony Application CA","max-certs-path":3,"critialcal-cert-extension":["keyusage"]
}
base/security/appverify/interfaces/innerkits/appverify/config/OpenHarmony/trusted_root_ca.json
{"C=CN, O=OpenHarmony-ABC-rootCA, OU=OpenHarmony-ABC-rootCA Community, CN=OpenHarmony Application Root CA":"-----BEGIN CERTIFICATE-----\nMIICQDCCAeagAwIBAgIFANIukcQwCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYTAkNO\nMR8wHQYDVQQKDBZPcGVuSGFybW9ueS1BQkMtcm9vdENBMSkwJwYDVQQLDCBPcGVu\nSGFybW9ueS1BQkMtcm9vdENBIENvbW11bml0eTEoMCYGA1UEAwwfT3Blbkhhcm1v\nbnkgQXBwbGljYXRpb24gUm9vdCBDQTAeFw0yMzA2MjgwMzE3NTlaFw0yNDA2Mjcw\nMzE3NTlaMIGDMQswCQYDVQQGEwJDTjEfMB0GA1UECgwWT3Blbkhhcm1vbnktQUJD\nLXJvb3RDQTEpMCcGA1UECwwgT3Blbkhhcm1vbnktQUJDLXJvb3RDQSBDb21tdW5p\ndHkxKDAmBgNVBAMMH09wZW5IYXJtb255IEFwcGxpY2F0aW9uIFJvb3QgQ0EwWTAT\nBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ/IK5FcvYOsKF8OpuiHRcR6zawSiPmVYp2\nAKahLN5CxjMTpVj14t23yG8RScJEOjuKUxh8SAqYr7lB0riOWJodo0UwQzAdBgNV\nHQ4EFgQUeb2WbI8s7xczwXlsuk8fo9eqmQUwEgYDVR0TAQH/BAgwBgEB/wIBADAO\nBgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwIDSAAwRQIhANv5RhH5UtH0SXOh7k7+\nAVcBkn3Dqfdbu/LTShclS+APAiBpEe3s49fxpW7pNbGzdMEgaqXafuf5+YTT5VqF\n8PYydA==\n-----END CERTIFICATE-----\n"
}
为了确保后续步骤的正确性,这里先进行简单的验证:编译源码,烧录images更新软件。
安装使用定制签名的demo应用,若安装成功则说明上述json文件修改有效,否则需要检查上述json配置文件修改参数或demo应用定制签名配置。
替换源码默认编译签名配置
OpenHarmony-ABC.p12替换developtools\hapsigner\dist\OpenHarmony.p12
OpenHarmony-ABC-app-cert.pem替换developtools\hapsigner\dist\OpenHarmonyApplication.pem
注意:
为了方便后续更新应用签名配置,仅更新上述两个签名配置内容,文件名不做更新,仍保留源码默认文件名OpenHarmony.p12和OpenHarmonyApplication.pem。
修改默认编译签名信息
build/ohos_var.gni
default_hap_private_key_path = "OpenHarmony-ABC-subCA" //更新定制签名密钥别名
default_signature_algorithm = "SHA256withECDSA"
default_key_alias = "subCA123" //更新定制签名签名密钥密码
default_keystore_password = "keystore123" //更新定制签名密钥库密码
default_keystore_path = "//developtools/hapsigner/dist/OpenHarmony.p12"
default_hap_certificate_file ="//developtools/hapsigner/dist/OpenHarmonyApplication.pem"
更新系统应用及其定制签名配置文件
到这里源码BUILD.gn编译出的应用为使用定制签名配置签名应用。但源码中部分应用采用直接预置hap的方式,故需要另外使用定制签名配置生成hap后更新hap文件
。
需更新hap的应用:
输入法选择框:
base/inputmethod/imf/services/dialog/input_method_choose_dialog.hap
webview应用:
base\web\webview\ohos_nweb\prebuilts\arm64\NWeb.hap
系统默认部分预置应用:
applications\standard\hap\*.hap
这里以更新BUILD.gn编译方式permissionmanager的应用和IDE编译的KikaInput输入法为例。
配置permissionmanager系统应用定制签名
applications\standard\permission_manager\signature
从permissionmanager原始pm.p7b中获取UnsgnedReleasedProfileTemplate.json信息
java -jar hap-sign-tool.jar verify-profile -inFile pm.p7b -outFile PM_UnsgnedReleasedProfileTemplate.json
将PM_UnsgnedReleasedProfileTemplate.json的bundle-name、apl、app-feature、allowed-acls、permissions字段信息更新至用于重新生成pm.p7b的UnsgnedReleasedProfileTemplate.json。
通过文本查看的方式打开pm.p7b将app-privilege-capabilities字段信息填入UnsgnedReleasedProfileTemplate.json。
注意:
UnsgnedReleasedProfileTemplate.json字段distribution-certificate需与上文第8小节distribution-certificate保持一致。详细见【8、将OpenHarmony-ABC-app-cert.pem中第一部分的密钥,把回车转换为\n字符,放入UnsgnedReleasedProfileTemplate.json的distribution-certificate中】。
生成新的pm.p7b
java -jar hap-sign-tool.jar sign-profile -mode "localSign" -keyAlias "OpenHarmony-ABC-profileCA" -keyPwd "profileCA123" -profileCertFile "./result/OpenHarmony-ABC-profile-cert-release.pem" -inFile "UnsgnedReleasedProfileTemplate.json" -signAlg "SHA256withECDSA" -keystoreFile "./result/OpenHarmony-ABC.p12" -keystorePwd "keystore123" -outFile "./result/pm.p7b"
将pm.p7b和UnsgnedReleasedProfileTemplate.json一同更新至
applications\standard\permission_manager\signature
接下来进行验证:
使用hb命令模块编译permissionmanager:
hb build -T applications/standard/permission_manager/permissionmanager:permission_manager
#得到签名hap
out\zp37a\obj\applications\standard\permission_manager\permissionmanager\permission_manager.hap
更新vendor\hihope\rk3568\preinstall-config\install_list_capability.json或vendor\hihope\rk3568\preinstall-config\install_list_permissions.json中permisson_manager的app_signature,简单验证可修改后拷贝至设备/system/etc/app/。
将out\zp37a\obj\applications\standard\permission_manager\permissionmanager\permission_manager.hap替换设备中的/system/app/com.ohos.permissionmanager/permission_manager.hap,删除data/分区后重启设备。
重启后bm dump -a若查看到com.ohos.permissionmanager则说明签名后的permission_manager.hap已验签成功并重新安装。
配置KikaInput系统应用定制签名
同上方式,从
applications\standard\app_samples\CompleteApps\KikaInput原始p7b中获取profile信息,并更新至UnsgnedReleasedProfileTemplate.json。
使用UnsgnedReleasedProfileTemplate.json生成新的kikakeyboard.p7b
java -jar hap-sign-tool.jar sign-profile -mode "localSign" -keyAlias "OpenHarmony-ABC-profileCA" -keyPwd "profileCA123" -profileCertFile "./result/OpenHarmony-ABC-profile-cert-release.pem" -inFile "UnsgnedReleasedProfileTemplate.json" -signAlg "SHA256withECDSA" -keystoreFile "./result/OpenHarmony-ABC.p12" -keystorePwd "keystore123" -outFile "./result/kikakeyboard.p7b"
将applications\standard\app_samples\CompleteApps\KikaInput导入IDE工程,并使用定制签名配置文件OpenHarmony.p12、kikakeyboard.p7b、OpenHarmony-ABC-app-cert.cer
编译生成新的签名hap,替换设备/system/app/com.example.kikakeyboard/kikaInput.hap,更新vendor\hihope\rk3568\preinstall-config\install_list_capability.json或vendor\hihope\rk3568\preinstall-config\install_list_permissions.json中kikakeyboard的app_signature,修改后拷贝至设备/system/etc/app/。
删除data分期后重启设备,重启后bm dump -a若查看到com.example.kikakeyboard则说明签名后的kikaInput.hap已验签成功并重新安装。
总结定制签名导入源码步骤:
1、更新配置源码私有源签名信息文件trusted_apps_sources.json和trusted_root_ca.json
base/security/appverify/interfaces/innerkits/appverify/config/OpenHarmony/trusted_apps_sources.json
base/security/appverify/interfaces/innerkits/appverify/config/OpenHarmony/trusted_root_ca.json
2、替换源码默认编译签名配置
developtools\hapsigner\dist\OpenHarmony.p12
developtools\hapsigner\dist\OpenHarmonyApplication.pem
build/ohos_var.gni
3、更新预置应用p7b签名配置及hap
对于以预置hap方式的应用需收到生成定制签名的hap并将hap更新至源码中。
4、更新应用的app_signature签名指纹信息
vendor\hihope\rk3568\preinstall-config\install_list_capability.json
vendor\hihope\rk3568\preinstall-config\install_list_permissions.json中
5、编译源码验证,bm dump -a查看各应用是否已安装上,各应用运行情况。
hap-sign-tool.jar帮助手册
$ java -jar hap-sign-tool.jar -h
06-27 19:28:02 INFO - /** Copyright (c) 2021-2022 Huawei Device Co., Ltd.* Licensed under the Apache License, Version 2.0 (the "License");* you may not use this file except in compliance with the License.* You may obtain a copy of the License at** .0** Unless required by applicable law or agreed to in writing, software* distributed under the License is distributed on an "AS IS" BASIS,* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.* See the License for the specific language governing permissions and* limitations under the License.*/USAGE: <generate-keypair|generate-csr|generate-cert|generate-ca|generate-app-cert|generate-profile-cert> [options]
USAGE: <sign-profile|verify-profile|sign-app|verify-app> [options]generate-keypair [options]:-keyAlias : key alias, required fields;-keyPwd : key password, optional fields;-keyAlg : key algorithm, required fields, including RSA/ECC;-keySize : key size, required fields, the size of the RSA algorithm is 2048/3072/4096, and the size of the ECC algorithm is NIST-P-256/NIST-P-384;-keystoreFile : keystore file, required fields, JKS or P12 format;-keystorePwd : keystore password, optional fields;-extCfgFile : Extend Profile, optional fields;EXAMPLE:generate-keypair -keyAlias "oh-app1-key-v1" -keyPwd ****** -keyAlg ECC -keySize NIST-P-256 -keystoreFile "D:\OH\app-keypair.jks" -keystorePwd ******generate-keypair -keyAlias "oh-profile-key-v1" -keyPwd ****** -keyAlg RSA -keySize 2048 -keystoreFile "D:\OH\profile-keypair.jks" -keystorePwd ******generate-csr [options]:-keyAlias : key alias, required fields;-keyPwd : key password, optional fields;-subject : certificate subject, required fields;-signAlg : signature algorithm, required fields, including SHA256withRSA/SHA384withRSA/SHA256withECDSA/SHA384withECDSA;-keystoreFile : keystore file, required fields, JKS or P12 format;-keystorePwd : keystore password, optional fields;-outFile : output file, optional fields, if not filled, it will be directly output to the console;-extCfgFile : Extend Profile, optional fields;EXAMPLE:generate-csr -keyAlias "oh-app1-key-v1" -keyPwd ****** -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=App1 Release" -signAlg SHA256withECDSA -keystoreFile "D:\OH\app-keypair.jks" -keystorePwd ****** -outFile "D:\OH\oh-app1-key-v1.csr"generate-cert [options]:-keyAlias : key alias, required fields;-keyPwd : key password, optional fields;-issuer : issuer subject, required fields;-issuerKeyAlias : issuer key alias, required fields;-issuerKeyPwd : issuer key password, optional fields;-subject : certificate subject, required fields;-validity : certificate validity, optional fields, the default is 1095 days;-keyUsage : key usage, required fields, including digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, certificateSignature, crlSignature, encipherOnly and decipherOnly, if the certificate includes multiple key usages, separate them with commas;-keyUsageCritical : whether keyUsage is a key item, optional fields, the default is true;-extKeyUsage : extended key usage, optional fields, including clientAuthentication, serverAuthentication, codeSignature, emailProtection, smartCardLogin, timestamp, ocspSignature;-extKeyUsageCritical : whether extKeyUsage is a key item, optional fields, the default is false;-signAlg : signature algorithm, required fields, including SHA256withRSA/SHA384withRSA/SHA256withECDSA/SHA384withECDSA;-basicConstraints : whether to include basicConstraints, optional fields, the default is false;-basicConstraintsCritical : whether basicConstraints is a key item, optional fields, the default is false;-basicConstraintsCa : whether it is CA, optional fields, the default is false;-basicConstraintsPathLen : basicConstraints path length, optional fields, the default is 0;-keystoreFile : keystore file, required fields, JKS or P12 format;-keystorePwd : keystore password, optional fields;-outFile : output file, optional fields, if not filled, it will be directly output to the console;-extCfgFile : Extend Profile, optional fields;-issuerKeystoreFile : issuer keystore file, optional fields, JKS or P12 format;-issuerKeystorePwd : issuer keystore password, optional fields;EXAMPLE:generate-cert -keyAlias "oh-app1-key-v1" -keyPwd ****** -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Application Signature Service CA" -issuerKeyAlias "oh-app-sign-srv-ca-key-v1" -issuerKeyPwd ****** -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=App1 Release" -validity 365 -keyUsage digitalSignature -extKeyUsage codeSignature -signAlg SHA256withECDSA -keystoreFile "D:\OH\app-keypair.jks" -keystorePwd ****** -outFile "D:\OH\app1.cer"generate-ca [options]:-keyAlias : key alias, required fields;-keyPwd : key password, optional fields;-keyAlg : key algorithm, required fields, including RSA/ECC;-keySize : key size, required fields, the size of the RSA algorithm is 2048/3072/4096, and the size of the ECC algorithm is NIST-P-256/NIST-P-384;-issuer : issuer subject, optional fields, if it is empty, it means root CA;-issuerKeyAlias : issuer key alias, optional fields, if it is empty, it means root CA;-issuerKeyPwd : issuer key password, optional fields;-subject : certificate subject, required fields;-validity : certificate validity, optional fields, the default is 3650 days;-signAlg : signature algorithm, required fields, including SHA256withRSA/SHA384withRSA/SHA256withECDSA/SHA384withECDSA;-basicConstraintsPathLen : basicConstraints path length, optional fields, the default is 0;-keystoreFile : keystore file, required fields, JKS or P12 format;-keystorePwd : keystore password, optional fields;-outFile : output file, optional fields, if not filled, it will be directly output to the console;-extCfgFile : Extend Profile, optional fields;-issuerKeystoreFile : issuer keystore file, optional fields, JKS or P12 format;-issuerKeystorePwd : issuer keystore password, optional fields;EXAMPLE:generate-ca -keyAlias "oh-root-ca-key-v1" -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Root CA" -validity 365 -signAlg SHA384withECDSA -keystoreFile "D:\OH\app-keypair.jks" -keystorePwd ****** -outFile "D:\OH\root-ca.cer" -keyAlg RSA -keySize 2048generate-ca -keyAlias "oh-app1-key-v1" -keyAlg RSA -keySize 2048 -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Root CA" -issuerKeyAlias "oh-sub-app-ca-key-v1" -issuerKeyPwd ****** -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN= Application Signature Service CA" -validity 365 -signAlg SHA384withECDSA -keystoreFile "D:\OH\app-keypair.jks" -keystorePwd ****** -outFile "D:\OH\sub-app-sign-srv-ca.cer"generate-ca -keyAlias "oh-profile-key-v1" -keyAlg RSA -keySize 4096 -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Root CA" -issuerKeyAlias "oh-sub-profile-ca-key-v1" -issuerKeyPwd ****** -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN= Profile Signature Service CA" -validity 365 -signAlg SHA384withECDSA -keystoreFile "D:\OH\profile-keypair.jks" -keystorePwd ****** -outFile "D:\OH\sub-profile-sign-srv-ca.cer"generate-app-cert [options]:-keyAlias : key alias, required fields;-keyPwd : key password, optional fields;-issuer : issuer subject, required fields;-issuerKeyAlias : issuer key alias, required fields;-issuerKeyPwd : issuer key password, optional fields;-subject : certificate subject, required fields;-validity : certificate validity, optional fields, the default is 1095 days;-signAlg : signature algorithm, required fields, including SHA256withRSA/SHA384withRSA/SHA256withECDSA/SHA384withECDSA;-keystoreFile : keystore file, required fields, JKS or P12 format;-keystorePwd : keystore password, optional fields;-outForm : the format of the output certificate file, including cert/certChain, optional fields, the default is cert;-rootCaCertFile : root CA certificate file, required when outForm is certChain;-subCaCertFile : secondary sub-CA certificate file, required when outForm is certChain;-outFile : output certificate file (certificate or certificate chain), optional fields, if not filled, it will be directly output to the console;-extCfgFile : Extend Profile, optional fields;-issuerKeystoreFile : issuer keystore file, optional fields, JKS or P12 format;-issuerKeystorePwd : issuer keystore password, optional fields;EXAMPLE:generate-app-cert -keyAlias "oh-app1-key-v1" -keyPwd ****** -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Application Debug Signature Service CA" -issuerKeyAlias "oh-app-sign-debug-srv-ca-key-v1" -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=App1 Debug" -validity 365 -signAlg SHA256withECDSA -rootCaCertFile "D:\OH\root-ca.cer" -subCaCertFile "D:\OH\sub-app-sign-srv-ca.cer" -keystoreFile "D:\OH\app-keypair.jks" -keystorePwd ****** -outForm certChain -outFile "D:\OH\app-debug-cert.cer"generate-app-cert -keyAlias "oh-app1-key-v1" -keyPwd ****** -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Application Release Signature Service CA" -issuerKeyAlias "oh-app-sign-release-srv-ca-key-v1" -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=App1 Release" -validity 365 -signAlg SHA256withECDSA -rootCaCertFile "D:\OH\root-ca.cer" -subCaCertFile "D:\OH\sub-app-sign-srv-ca.cer" -keystoreFile "D:\OH\app-keypair.jks" -keystorePwd ****** -outForm certChain -outFile "D:\OH\app-release-cert.cer"generate-profile-cert [options]:-keyAlias : key alias, required fields;-keyPwd : key password, optional fields;-issuer : issuer subject, required fields;-issuerKeyAlias : issuer key alias, required fields;-issuerKeyPwd : issuer key password, optional fields;-subject : certificate subject, required fields;-validity : certificate validity, optional fields, the default is 1095 days;-signAlg : signature algorithm, required fields, including SHA256withRSA/SHA384withRSA/SHA256withECDSA/SHA384withECDSA;-keystoreFile : keystore file, required fields, JKS or P12 format;-keystorePwd : keystore password, optional fields;-outForm : the format of the output certificate file, including cert/certChain, optional fields, the default is cert;-rootCaCertFile : root CA certificate file, required when outForm is certChain;-subCaCertFile : secondary sub-CA certificate file, required when outForm is certChain;-outFile : output file, optional fields, if not filled, it will be directly output to the console;-extCfgFile : Extend Profile, optional fields;-issuerKeystoreFile : issuer keystore file, optional fields, JKS or P12 format;-issuerKeystorePwd : issuer keystore password, optional fields;EXAMPLE:generate-profile-cert -keyAlias "oh-profile-key-v1" -keyPwd ****** -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Provision Profile Debug Signature Service CA" -issuerKeyAlias "oh-profile-sign-debug-srv-ca-key-v1" -issuerKeyPwd ****** -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Provision Profile Debug" -validity 365 -signAlg SHA256withECDSA -rootCaCertFile "D:\OH\root-ca.cer" -subCaCertFile "D:\OH\sub-profile-sign-srv-ca.cer" -keystoreFile "D:\OH\profile-keypair.jks" -keystorePwd ****** -outForm certChain -outFile "D:\OH\provision-profile-debug.cer"generate-profile-cert -keyAlias "oh-profile-key-v1" -keyPwd ****** -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Provision Profile Release Signature Service CA" -issuerKeyAlias "oh-profile-sign-release-srv-ca-key-v1" -issuerKeyPwd ****** -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Provision Profile Release" -validity 365 -signAlg SHA256withECDSA -rootCaCertFile "D:\OH\root-ca.cer" -subCaCertFile "D:\OH\sub-profile-sign-srv-ca.cer" -keystoreFile "D:\OH\profile-keypair.jks" -keystorePwd ****** -outForm certChain -outFile "D:\OH\provision-profile-release.cer"sign-profile [options]:-mode : signature mode, required fields, including localSign/remoteSign;-keyAlias : key alias, required fields;-keyPwd : key password, optional fields;-profileCertFile : profile signing certificate (certificate chain, the order is three-level-two-root), required fields;-inFile : input original Provision Profile file, required fields;-signAlg : signature algorithm, required fields, including SHA256withRSA/SHA384withRSA/SHA256withECDSA/SHA384withECDSA;-keystoreFile : keystore file, if signature mode is localSign, required fields, JKS or P12 format;-keystorePwd : keystore password, optional fields;-outFile : output the signed Provision Profile file, p7b format, required fields;-extCfgFile : Extend Profile, optional fields;EXAMPLE:sign-profile -mode localSign -keyAlias "oh-profile-key-v1" -keyPwd ****** -profileCertFile "D:\OH\provision-profile-release.cer" -inFile "D:\OH\app1-profile-release.json" -signAlg SHA256withECDSA -keystoreFile "D:\OH\profile-keypair.jks" -keystorePwd ****** -outFile "D:\OH\signed-profile.p7b"verify-profile [options]:-inFile : signed Provision Profile file, p7b format, required fields;-outFile : Verification result file (including verification result and profile content), json format, optional; if not filled, it will be directly output to the console;-extCfgFile : Extend Profile, optional fields;EXAMPLE:verify-profile -inFile "D:\OH\signed-profile.p7b" -outFile "D:\OH\VerifyResult.json"sign-app [options]:-mode : signature mode, required fields, including localSign/remoteSign/remoteResign;-keyAlias : key alias, required fields;-keyPwd : key password, optional fields on localSign mode;-appCertFile : application signature certificate file, required fields on localSign mode, optional fields on remoteSign mode;-profileFile : signed Provision Profile file, p7b format, required fields;-profileSigned : indicates whether the profile file has a signature.The options are as follows: 1:yes; 0:no; default value:1. optional fields;-inFile : input original application package file, hap or bin format, required fields;-signAlg : signature algorithm, required fields, including SHA256withRSA/SHA384withRSA/SHA256withECDSA/SHA384withECDSA;-keystoreFile : keystore file, if signature mode is localSign, required fields on localSign mode, JKS or P12 format;-keystorePwd : keystore password, optional fields on localSign mode;-outFile : output the signed Provision Profile file, required fields;-extCfgFile : Extend Profile, optional fields;-inForm : enter the format of the original file, the format is .zip or .bin;-compatibleVersion : min compatible api version for running app, required fields while input original application package file format is hap;-signServer : remote signer plugin, required fields on remoteSign mode;-signerPlugin : remote sign service url, required fields on remoteSign mode;-onlineAuthMode : remote sign auth mode, required fields on remoteSign mode, including account;-username : user account for online auth, required fields on remoteSign mode with account auth mode;-userPwd : user password for online auth, required fields on remoteSign mode with account auth mode;-ext : extend parameters for remote signer plugin, optional fields;EXAMPLE:sign-app -mode localSign -keyAlias "oh-app1-key-v1" -appCertFile "D:\OH\app-release-cert.cer" -profileFile "D:\OH\signed-profile.p7b" -inFile "D:\OH\app1-unsigned.hap" -signAlg SHA256withECDSA -keystoreFile "D:\OH\app-keypair.jks" -keystorePwd ****** -outFile "D:\OH\app1-signed.hap -compatibleVersion 8"verify-app [options]:-inFile : signed application package file, hap or bin format, required fields;-outCertChain : signed certificate chain file, required fields;-outProfile : profile file in application package, required fields;-extCfgFile : Extend Profile, optional fields;EXAMPLE:verify-app -inFile "D:\OH\app1-signed.hap" -outCertChain "outCertChain.cer" -outProfile "outprofile.p7b"COMMANDS:generate-keypair : generate key pairgenerate-csr : generate certificate signing requestgenerate-cert : generate certificate in full, large and complete, any certificate can be generatedgenerate-ca : generate root/subject CA certificate, if the key does not exist, generate the key togethergenerate-app-cert : generate application debug/release certificategenerate-profile-cert : generate application debug/release certificatesign-profile : Provision Profile file signatureverify-profile : Provision Profile file verificationsign-app : application package signatureverify-app : application package file verification
更多推荐
OpenHarmony定制系统签名
发布评论