Wednesday, June 22, 2022

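[Android] A Brief Overview of the Android TV Development Flow (2) - Building Images and Signing

When reposting articles from this site, please credit the source: from Awaysu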
https://awaysu-programming.blogspot.com


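Android ships with a default test key (build/target/product/security/testkey). We have to generate a release key of our own, so that when someone else also has the source code, the device cannot be replaced with their image.

1. Android has two places that need to be signed:
1) All the APKs inside the image
2) The OTA image


2. Build your own release key
Use the commands below, replacing the following with your own information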
subject='/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
mkdir ~/.android-certs
for x in testkey releasekey platform shared media networkstack; do \
    ./development/tools/make_key ~/.android-certs/$x "$subject"; \
done
C ---> Country Name (2 letter code)
ST ---> State or Province Name (full name)
L ---> Locality Name (eg, city)
O ---> Organization Name (eg, company)
OU ---> Organizational Unit Name (eg, section)
CN ---> Common Name (eg, your name or your server’s hostname)
emailAddress ---> Contact email address

After generation you get the public keys (X509) and the private keys (PK8):
media.pk8              networkstack.pk8       platform.pk8           releasekey.pk8         shared.pk8
media.x509.pem         networkstack.x509.pem  platform.x509.pem      releasekey.x509.pem    shared.x509.pem         testkey.pk8         testkey.x509.pem


3. Add or modify the following in the .mk file
ifeq ($(TARGET_BUILD_VARIANT),user)
PRODUCT_DEFAULT_DEV_CERTIFICATE := ~/.android-certs/releasekey
else
PRODUCT_DEFAULT_DEV_CERTIFICATE := build/target/product/security/testkey
PRODUCT_EXTRA_RECOVERY_KEYS := ~/.android-certs/releasekey
endif
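PRODUCT_EXTRA_RECOVERY_KEYS packs the key into the recovery image.
When you update through recovery mode, the device checks this key to decide whether software from a userdebug build may be updated to a user build image.


4. fingerprint and build number
xTS checks the fingerprint and the build number.
I wrote a script to keep them consistent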
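#NEW_NUMBER=y
# INCREMENTAL_NUMBER must already be set when a new number is generated
# (where it comes from is not shown here).
if [ "$NEW_NUMBER" = "y" ] || [ ! -f "${ANDROID_BUILD_TOP}/build_number.txt" ]; then
    echo "${USER}${INCREMENTAL_NUMBER}" > "${ANDROID_BUILD_TOP}/build_number.txt"
else
    # Reuse the saved number: characters 5-12 follow a 4-character user name
    INCREMENTAL_NUMBER=$(cut -c5-12 "${ANDROID_BUILD_TOP}/build_number.txt")
fi

export DISPLAY_BUILD_NUMBER=true
export BUILD_NUMBER=${USER}${INCREMENTAL_NUMBER}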


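5. Build the image
To download the code, see the Android Open Source Project.
After downloading AOSP / the chip vendor SDK and building the release key, you can generate the image with the following commands.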
source build/envsetup.sh
lunch {project name}-userdebug
make -j8
make -j8 otapackage
The number after -j is how many threads to use for the build. More threads shorten the build time, but this depends on how many CPU cores you have; you can check with the nproc command.
make produces the image for each partition, while make otapackage produces the OTA image and the target files. The target files archive contains all the images and the files required, and is used later when signing.


6. Command to re-sign all the APKs in the image
build/tools/releasetools/sign_target_files_apks -o -d \
~/.android-certs \
out/target/product/{project name}/obj/PACKAGING/target_files_intermediates/{project name}-target_files-root06061605.zip \
out/target/product/{project name}/obj/PACKAGING/target_files_intermediates/{project name}-target_files-signed-root06061605.zip


7. Generate the signed OTA image, which is the final image
build/tools/releasetools/ota_from_target_files -v --block -p /out/host/linux-x86 \
-k ~/.android-certs/releasekey \
out/target/product/{project name}/obj/PACKAGING/target_files_intermediates/{project name}-target_files-signed-root06061605.zip \
{project name}-ota-signed-06061605.zip


8. How the fingerprint name changes
1) userdebug build using the AOSP default key
google/redfin/redfin:11/RQ3A.210905.001/7511028:userdebug/test-keys

2) user build using your own key
google/redfin/redfin:11/RQ3A.210905.001/7511028:user/dev-keys

3) user build using your own key, then signed with your own key
google/redfin/redfin:11/RQ3A.210905.001/7511028:user/release-keys

Whenever the AOSP default key is used, the result is test-keys.
If you use your own key, it is dev-keys.
Once the signing step has been done, it becomes release-keys.
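
As an added example (not code from the original post), the shell functions below turn the rules above into a pre-release gate: they parse the build type and key tag out of a fingerprint and accept only a user build tagged release-keys. The function names and verdict strings are assumptions made for this example, as is treating the tag field as a comma-separated list.

```shell
#!/bin/sh
# Added example, not from the original post: release gate on the fingerprint.
# Layout, as in section 8: brand/product/device:release/id/incremental:type/tags

# Print "type tags" for a fingerprint; return 1 if it is malformed.
parse_fingerprint() (
    fp=$1
    case $fp in
        *:*:*:*) return 1 ;;   # more than three ':'-separated parts
        *:*:*)   ;;            # exactly three parts
        *)       return 1 ;;
    esac
    tail=${fp##*:}             # e.g. "user/release-keys"
    case $tail in
        ?*/?*) ;;              # need a non-empty type and non-empty tags
        *)     return 1 ;;
    esac
    printf '%s %s\n' "${tail%%/*}" "${tail#*/}"
)

# Print a verdict; status 0 only for a user build tagged release-keys.
check_release_fingerprint() (
    parsed=$(parse_fingerprint "$1") || { echo "REJECT malformed"; return 2; }
    btype=${parsed%% *}
    tags=${parsed#* }
    # Assumption: tags may be a comma-separated list, so match whole items.
    case ",$tags," in
        *,test-keys,*)    echo "REJECT test-keys"; return 1 ;;
        *,dev-keys,*)     echo "REJECT dev-keys"; return 1 ;;
        *,release-keys,*) ;;
        *)                echo "REJECT unknown-tags"; return 1 ;;
    esac
    if [ "$btype" != user ]; then
        echo "REJECT $btype-build"; return 1
    fi
    echo "OK"
)

# Demo input: the three fingerprints shown in section 8.
for fp in \
    "google/redfin/redfin:11/RQ3A.210905.001/7511028:userdebug/test-keys" \
    "google/redfin/redfin:11/RQ3A.210905.001/7511028:user/dev-keys" \
    "google/redfin/redfin:11/RQ3A.210905.001/7511028:user/release-keys"
do
    printf '%s -> %s\n' "$fp" "$(check_release_fingerprint "$fp")"
done
```

In a build pipeline the same check can run on the value of ro.build.fingerprint from the signed target files before the OTA package is published.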


See also:
https://source.android.com/devices/tech/ota/sign_builds
