Android apk系列2-------系统签名（生成release版本的系统）

通过make -j4编译出来的system.img使用的是test key,这种类型的key只适用于开发阶段，而且这种秘钥是公开的，谁都可以使用。当发布一款android产品，就需要另外给整个系统签个名，防止被别人盗用。这种系统就是release版本的Android系统。

下面就详细介绍下整个过程。

1、生成加密key文件

要对Android系统进行签名，需要生成四种类型的key文件。

a)releasekey

b)media

c)shared

d)platform

我们就拿releasekey为例简单介绍下生成过程。

1）进入/android_src/development/tools目录。

/development/tools$ ls

apkcheck etc1tool hosttestlib jdwpspy makedict mkstubs

axl findunused idegen line_endings
make_key monkeyrunner zoneinfo

2）使用make_key工具生成签名文件

development/tools$ sh make_key releasekey '/C=CN/ST=JiangSu/L=NanJing/O=Company/OU=Department/CN=YourName/emailAddress=YourE-mailAddress'

Enter password for 'releasekey' (blank for none; password will be visible): mypassword
<------- 设置你的密码

creating platform.pk8 with password [mypassword]

Generating RSA private key, 2048 bit long modulus

...............+++

........................................................+++

e is 3 (0x3)

这里要顺便介绍下make_key的参数。第一个参数是要生成key的名字，第二个参数是关于你公司的信息。

key的名字很好理解，就是前面提到的4中类型的key，公司信息的参数比较多，它们的含义如下：

C ---> Country Name (2 letter code)

ST ---> State or Province Name (full name)

L ---> Locality Name (eg, city)

O ---> Organization Name (eg, company)

OU ---> Organizational Unit Name (eg, section)

CN ---> Common Name (eg, your name or your server’s hostname)

emailAddress ---> Contact email address

这样就生成了一组releasekey,另外3种类型的key的生成方法也基本一样。

生成后的结果如下：

/development/tools$ ls

makedict media.pk8 mkstubs platform.pk8 releasekey.pk8 shared.pk8

make_key media.x509.pem platform.x509.pem releasekey.x509.pem shared.x509.pem

*.pk8是生成的私钥，而*.x509.pem是公钥,生成时两者是成对出现的.

2、把pk8和x509.pem文件拷贝到vendor/sprd/security/product_modul目录

4、编译系统

/android_src$ make -j4 PRODUCT-product_modul-user dist

后面多了两个参数PRODUCT-product_modul-user 和 dist. 编译完成之后回在/android_src/dist/目录内生成个product_modul-target_files开头的zip文件.这就是我们需要进行签名的文件系统.

5、开始签名

android_src$ ./build/tools/releasetools/sign_target_files_apks -d vendor/sprd/security/product_modul/ out/dist/product_modul-target_files.zip out/dist/signed_target_files.zip

ERROR: no key specified for:

CalendarWidget.apk

Contacts_yellowpage.apk

SnsAppMain.apk

fbandroid-1.5.0.apk

AnalogClockWidget.apk

MessageWidget.apk

NewsWidget.apk

上面的意思是使用sign_target_files_apks工具采用vendor/sprd/security/product_modul/下的key对product_modul-target_files.zip文件进行签名,并把签名结果放在out/dist/signed_target_files.zip里.

从上面的签名结果看,签名并没有成功,原因是由于有些apk程序已经签过名了或者找不到对应的key. 可以通过设置过滤,不对上面的程序进行签名.方法如下:

通过参数"-e <apkname>=" 来过滤这些程序.

android_src$ ./build/tools/releasetools/sign_target_files_apks -d vendor/sprdl/security/product_modul/ -e CalendarWidget.apk= -e Contacts_yellowpage.apk= -e SnsAppMain.apk= -e fbandroid-1.5.0.apk=
-e AnalogClockWidget.apk= -e MessageWidget.apk= -e NewsWidget.apk= out/dist/product_modul-target_files.zip out/dist/signed_target_files.zip

Enter password for vendor/Modul/security/product_modul//media key>
<----- imput the password

Enter password for vendor/Modul/security/product_modul//platform key>
<----- imput the password

Enter password for vendor/Modul/security/product_modul//releasekey key> <----- imput the password

Enter password for vendor/Modul/security/product_modul//shared key>
<----- imput the password

rewriting RECOVERY/RAMDISK/default.prop:

replace: ro.build.tags=test-keys

with: ro.build.tags=release-keys

NOT signing: CalendarWidget.apk

NOT signing: Contacts_yellowpage.apk

signing: Mms.apk

signing: SoundRecorder.apk

signing: AccountAndSyncSettings.apk

signing: Camera.apk

.......................................................................

rewriting SYSTEM/build.prop:

replace: ro.build.tags=test-keys

with: ro.build.tags=release-keys

replace: ro.build.description= test-keys

with: ro.build.description= release-keys

replace: ro.build.fingerprint=...........................

with: ro.build.fingerprint=.............................

signing: framework-res.apk

done.

这样就完成了android系统的签名工作.

6、生成image文件

android_src$ ./build/tools/releasetools/img_from_target_files out/dist/signed-target-files.zip out/dist/signed-img.zip

creating boot.img...

creating recovery.img...

creating system.img...

creating userdata.img...

cleaning up...

done.

使用img_from_target_files工具生成signed-img.zip文件.signed-img.zip文件包含了boot.img、userdata img、system.img文件等.

7、通过fastboot下载signed-img.zip文件

fastboot update signed-img.zip

通过fastboot就可以把签了名的系统文件下载到手机上了。