使用Adobe Air证书签署Android Native APK [英] Sign Android Native apk with Adobe Air certificate
问题描述
我需要使用为Adobe Air生成的现有.p12证书签署Android Native应用程序方面的帮助。申请是在几年前在Adobe Air中完成的,并签名并发布到Google Play。现在,当从Adobe Air迁移到Android Native时,为了将应用升级到商店中的新版本,需要使用相同的私钥对其进行签名。问题是在较新版本的Java上无法通过keytool打开/读取密钥。尝试读取.p12证书将返回:
I need help with signing Android Native app with existing .p12 certificate generated for Adobe Air. Application was done in Adobe Air few years ago, signed and published to Google play. Now when moving from Adobe Air to Android Native, in order to upgrade app to the new version on store, it needs to be signed with the same private key. The problem is that it is not possible to open/read the key via keytool on newer versions of java. Trying to read the .p12 certificate will return:
java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): Redundant length bytes found
或
keytool error: java.io.IOException: Invalid keystore format
取决于我要执行的命令。
depending on a command I'm trying to execute.
(1)询问老朋友Google没有带来很多,但更多的是挫败感。我确实喜欢在 OpenSSL以这种方式修复冗余字节:
(1) Asking old friend Google didn't bring much, but more frustration. I did like it was suggested in jira ticket of openjdk, i tried to use OpenSSL to fix redundant bytes in this way:
openssl pkcs12 -in pkcs12-file -out key-and-cert -nodes -passin pass:abcXYZ
openssl pkcs12 -in key-and-cert -export -out new-pkcs12-file -passout pass:abcXYZ
此命令将成功执行,但是生成的SHA1密钥(...:F7)将与原始密钥(...:E5)不同!这实际上不足为奇,因为更改文件的任何部分(例如删除冗余字节)将以不同的SHA密钥结尾。好的,所以显然这不是解决方案。
This commands will execute successfully, BUT, the generated SHA1 key (...:F7) will not be the same as original one (...:E5)! That actually is not a surprise, since changing any part of the file(like removing redundant bytes) will end in different SHA key. Ok, so obviously this is not a solution.
(2)接下来,我尝试从我的原始.p12文件中提取私钥和证书作为纯文本(.pem)文件。证书,以尝试创建新的.jks文件。因此,我设法将我的私钥和我的证书从原始的.p12证书提取为纯文本。然后使用keytools和openssl尝试使用此处提到的原始数据创建新的.jks文件:
如何从现有私有密钥和证书创建JKS KeyStore文件
以创建新的.jks文件的方式,但是SHA1密钥(再次是...:F7)与原始密钥不相同(...:E5)。
(2) Next thing I tried, was to extract private key and certs as plain text(.pem) files from my original .p12 certificate, in order to try to create a new .jks file. So I managed to extract my private key, and my certs from original .p12 certificate into plain text. Then using keytools and openssl I tried to create my new .jks file with original data as mentioned here: How to Creat JKS KeyStore file from existing private key and certificate Well, it worked in a way that my new .jks file was created, BUT the SHA1 key (again ...:F7) was not the same as the original one (...:E5).
(3)我的下一步是阅读并在互联网上查找更多内容。找到一些建议转换的最后解决方案是在Java 1.8.0_111中解决的,上面的每个Java发行版都存在相同的问题。因此,让我们安装Java 1.8.0_111并试一试。当然可以,它没有用。问题保持不变。在Java 1.10和Oracle版本中也尝试过
(3) My next step was reading and looking a much more over the internet. Found some solutions that are suggesting that conversion was last working in java 1.8.0_111, and every distribution of java above that had the same problem. So, let's install java 1.8.0_111 and give it a shot. Sure, it didn't worked. The problem stayed the same. Also tried in java 1.10, and Oracle versions, still not working
(4)最后一件事,我安装了Java 1.6并尝试了它,并且没有问题,它完美地工作了,我设法毫无问题地读取了.p12,将其毫无问题地转换为.jks,就像一个魅力。生成的SHA1密钥(...:E5)与原始密钥(...:E5)相同!!!
(4) Last thing I did, I installed java 1.6 and tried with it, and there was no problem, it worked perfectly, i managed to read the .p12 with no problem, convert it to .jks with no problems at all, worked like a charm. Generated SHA1 key (...:E5) was the same as the original one (...:E5)!!!
但是,问题是我需要使用该证书签名的应用程序是使用Java 1.8开发的,而Java 1.8无法读取该证书。因此,我已经很沮丧了,因为已经几天了,我在这个问题上迷失了。
BUT, the problem is that application I need to sign with that certificate is developed with java 1.8, and java 1.8 can't read that certificate. So I'm quite frustrated at this point, since it's already couple of days I'm losing on this problem.
因此,无法读取,无法重新生成,无法对应用程序进行签名...
So, can't read it, can't regenerate it, can't sign the app ...
所以我的问题是:是否可以,如果可以,如何使用.p12证书签署Android apk?
So my question is: is it possible, and if it is, how to sign Android apk with .p12 certificate?
我不确定这有多常见问题是,但是欢迎提供任何可能的帮助。
I'm not sure how common this problem is, but any possible help is more then welcome.
推荐答案
我终于设法找到了解决该问题的最佳方法,我正面临着。实际上,解决方案就在我眼前,需要一点点努力。
I finally did manage to find the best solution to this problem that I was facing. And actually the solution was right in front of me, with a little bit of effort.
我试图切换到Java 1.6版本只是为了对该应用程序进行签名,实际上我确实设法进行了签名。后记之后,我将应用程序再次转移到1.8 Java环境中,并成功完成了zipalign!当我处理完所有这些时,我真的很高兴,希望Google Play最终会接受apk。
将apk上传到商店后,我的希望就消失了。 Google Play表示并非所有文件均已签名,我需要上传所有文件均已签名的apk。您能想象受挫的程度吗?
I tried switching to java 1.6 version just to sign the app, and actually I did manage to do the signing. Afterwords i would transfer the app again to 1.8 java environment and did the zipalign, successfully! When I managed all of this, i was really happy, hoping Google Play will finally accept the apk. My hope died as soon as I uploaded the apk to the store. Google Play said that not all the files were signed and that I need to upload apk with all files signed. Can you imagine the level of frustration?
我的问题是我有旧的.p12证书,无法在AndroidStudio中读取或转换为jks,但是我能够从该文件中提取我的私钥和证书。
My problem was i had old .p12 certificate that was not possible to read in AndroidStudio or to convert to jks, but I was able to extract my private key, and my certificate from that file.
尝试多看了一遍之后,我设法用 apksigner工具。
After I tried to look around a bit more, I managed to find the solution with apksigner tool.
实际上我确实,我构建了一个用调试密钥签名的.apk,然后仅使用了包含我的私钥和证书文件的apksigner工具,最后对apk进行了签名。然后我就可以将apk毫无问题地上传到Google Play商店。
Actually what i did was, I built an .apk signed with debug key, and after that just used apksigner tool, provided with my private key and certificate file, and finally the apk was signed. Then I was able to upload the apk to the Google Play Store with no problems.
我以前使用apksigner工具对apk进行签名的命令是:
The command that I used to sign the apk with apksigner tool is:
./apksigner sign --key <your_private_key_in_.pcks8> --cert <your_certificate_in.der> <your_debug_signed_application_in.apk>
在此必须注意您的密钥必须为.pcks8格式,否则命令不会工作。另外apksigner在Linux上以脚本形式运行,这就是为什么apksigner之前是 ./的原因。如果您在Windows上使用此工具或以其他方式安装了该工具,则最好仅使用apksigner.exe或apksigner启动命令。
Here it is necessary to notice that your key has to be in .pcks8 format, otherwise the command wont work. Also apksigner was run as script on linux, thats why "./" before apksigner. If you have this tool on windows or installed on some other way, you should be good to start command just with apksigner.exe or apksigner.
如果您的密钥为纯文本(.pem)格式,则可以使用openssl命令将其传输为.pcks8格式:
If you have your key in plain text (.pem) format, transfering it to the .pcks8 format can be done with openssl command:
openssl pkcs8 -topk8 -inform PEM -outform DER -in <your_private_key_in.pem> -out <your_private_key_in.pcks8> -nocrypt
这篇关于使用Adobe Air证书签署Android Native APK的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
