8

Well as the title states, I am trying to sign my app using the platform.x509.pem and platform.pk8. The problem is that I get errors when using keytool-importkeypairs to add these like this:

keytool-importkeypair -k ~/.android/debug.keystore -p android -pk8 platform.pk8 -cert platform.x509.pem -alias platform


And I also get an error when trying to directly sign the APK using SignApk.jar like this:

java -jar SignApk.jar platform.x509.pem platform.pk8 test-app.apk test-app-signed.apk


Keytool-importkeypairs error:

Error decrypting key
3074042056:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
3074042056:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=PKCS8_PRIV_KEY_INFO
unable to load private key
3074091208:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY
Importing "platform" with unable to load certificate
3073755336:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
keytool error: java.lang.Exception: Source keystore file exists, but is empty: /tmp/keytool-importkeypair.vDOP/p12


Sources Used: Apk with system privileges, How to sign Android app with system signature? (SO), and How to update the android dev phone 2 from 1.6 to 2.1
Neither of the methods described in the links above work now, as you can see. Thanks in advance.

Community
  • 1
  • 1
cnexus
  • 454
  • 1
  • 3
  • 14
  • Why do you need system privileges? – 0909EM Dec 26 '12 at 02:40
  • I am creating an app that needs access to the "reboot" command from [PowerManager](http://developer.android.com/reference/android/os/PowerManager.html#reboot(java.lang.String)) in order to run a series of tests specifically at boot and determine whether a specific brand of phone can be rooted, and if it can, then the owner of this phone can use a computer-side utility (created by me) to do so. – cnexus Dec 26 '12 at 02:48
  • @9090EM Obviously this app would not be distributed on the Play Store, but I have reputation on XDA so the people using this would know what they are doing, and I would not do anything harmful to their system. – cnexus Dec 26 '12 at 03:01
  • 1
    The keys your using are likely only there for testing... I imagine samsung, for example, would use their own keys – 0909EM Dec 26 '12 at 11:09
  • Yes, but my confusion is as to why I'm getting errors while signing them. I will do what @Nikolay suggested, do you know if there is any way I could obtain HTC signing keys, or is this not possible? Short of working for HTC myself I mean lol – cnexus Dec 27 '12 at 18:02
  • It would defeat the purpose if you could – 0909EM Dec 28 '12 at 01:38
  • Then again if your testing and have a device and you don't want to distribute build your own ROM from the sources and use your own keys? – 0909EM Dec 28 '12 at 01:39

1 Answers1

12

Check the format of the files first (with cat, etc.), the error suggests they are not in the expected format (ASN.1/PEM).

More importantly, using those keys rarely makes any sense. Those are just sample keys, and any self-respecting custom ROM will use its own private keys. Otherwise just about anyone can sign their APK with the public keys in AOSP and get whatever privilege they want. Which is, needless to say, a very bad thing. If you need to develop an app that uses system privileges and want it to work on all (or most) rooted phones and custom ROMs, the right way to do it is to request root access with su and execute whatever you need to do in a root shell. If the user grants you the permission, of course.

EDIT:

To debug the import error, run this step by step. It does work with the default AOSP keys. 

$ openssl pkcs8 -inform DER -nocrypt -in platform.pk8 -out platform.pem
$ openssl pkcs12 -export -in platform.x509.pem -inkey platform.pem -out platform.p12 -password pass:android -name platform 
$ keytool -importkeystore -deststorepass android -destkeystore test.keystore -srckeystore platform.p12 -srcstoretype PKCS12 -srcstorepass android 
$ keytool -list -v -keystore test.keystore

What it does:

  1. Converts the PKCS#8 format binary key to PEM (openssl pkcs8)
  2. Creates a PKCS#12 file that includes both the private key and certificate (openssl pkcs12)
  3. Since Java's keytool can read PKCS#12 files as keystore, it imports your PKCS#12 file to effectively convert it to the native format (BKS or JKS) (keytool -importkeystore)
  4. (bonus) Uses keytool to list the contents in order to make sure everything worked. (keytool -list)
Plinio.Santos
  • 1,709
  • 24
  • 31
Nikolay Elenkov
  • 52,576
  • 10
  • 84
  • 84
  • Yes, I realize that I could request access with "su", but the point is that the device running this app would not YET have root privileges. Is there any way to obtain the manufacturers signing keys? Unfortunately so far it seems like there isn't. – cnexus Dec 27 '12 at 17:48
  • 1
    Of course there is no way to get manufacturer keys directly. You can have your app included in a ROM by its manager though. Also, the whole point of 'root apps' is that they only work on *already* rooted devices. – Nikolay Elenkov Dec 28 '12 at 01:41
  • As for your actual error, what do the key files look like? Did you check. – Nikolay Elenkov Dec 28 '12 at 01:42
  • Weird. How it worked for you when you just run the commands that keytool-importkeypair does, I was going to try that next – cnexus Dec 28 '12 at 17:45
  • But can you post the link/upload the files you used? I found several copies and I'm not sure which to use, I ran both tools with every single copy I found and it gave me an error, and they weren't the same files either because I checked their md5sums against each other. Also, yes I understand what root means but I thought that this would work as that article and google groups post had said that they found a way to bypass this and have an app be installed as system...but anyway, thanks for being consistent and not disappearing after answering. – cnexus Dec 28 '12 at 17:48
  • I used the files from AOSP, but it doesn't matter really. You can generate new ones if you want. They are only special if they are used to sign an actual ROM, and those you most probably can't get. Although there are probably a bunch of ROMs signed with default keys, but you wouldn't want to use any of those. Again: there is no 'hack', there is no way to 'bypass' anything. Either you sign with the actual platform key, or use `su` to get root access and run whatever you need to run with elevated privileges. – Nikolay Elenkov Dec 29 '12 at 16:36
  • Could you post the link to where you got the keys? I found the `froyo` branch and also a `froyo-release` branch, just trying to get one that I know worked and save some time. And again, I understand root, I'm just trying to experiment. – cnexus Jan 06 '13 at 05:46
  • @NikolayElenkov: can you pls share how one can get system privileges for usb access using 'su'for an app on a rooted device.I am stuck with this for two weeks.(For more : http://stackoverflow.com/questions/24902643/grant-default-usb-access-permission-to-android-app-using-super-user) – Basher51 Jul 23 '14 at 05:38
  • Does Factory Images for Nexus Devices use the same sample private key as ASOP to sign system APK? – osexp2000 Jul 24 '14 at 05:29
  • Of course not, because the factory images are used on production devices. – Nikolay Elenkov Jul 24 '14 at 14:34