Android开发：Keytool，创建一个密钥库？ [英] Android Development: Keytool, creating a keystore?

问题描述

我正在尝试为Google市场准备我的应用程序，但它比预期的更具挑战性。我似乎无法掌握签名应用程序的整个概念，但更具体地说，我的问题是，我已经安装了eclipse的keytool插件，但是当我想创建一个证书时，它要求我选择一个密钥库（输入文件名和密钥库密码），我不明白我应该作为一个文件输入什么，因为它实际上希望我通过浏览选择文件，如何继续导出文件，Google已经不幸的是提出非常好或明确的答案

I am trying to prepare my app for the google market, but it is proving a lot more challenging than expected. I cannot seem to grasp the whole concept of signing the app, but to be more specific my problem is that I have installed the keytool plugin for eclipse, but when I want to create a certificate it asks me to select a keystore (Enter the filename and keystore password), I don't understand what I am supposed to enter as a file, because it actually wants me to select the file through browse and how do I proceed with the exporting of the file, Google has sadly not come up with very good or clear answers

推荐答案

您需要为新的密钥库文件提供位置和文件名你正在创建一个新的。或者，您可以选择使用现有密钥库并浏览现有密钥库文件位置。

You need to provide location and filename for your new keystore file in case you are creating a new one. Alternatively, you could choose "use existing keystore" and browse to existing keystore file location.

修改：我以为我会提供精心设计的答案。希望这个信息会很有用。

Edit: I thought I would provide elaborate answer. Hope this info would be useful.

apk签名机制android使用的例子是应用于应用程序的字节码和资源的数字签名的使用确保：

The apk signature mechanism used by android is an example usage of digital signature applied to bytecode and resources of the application to ensure :

• 完整性（下载后不会篡改您的应用）


• 真实性 - 您是将应用发布到GooglePlay的人

为了更好地理解数字签名我建议您还可以通过公钥加密。

To better understand digital signature I suggest you also skim through public-key cryptography.

Android使用相同的标准JDK工具用于标准Java应用程序的签名/验证：

Android uses same standard JDK tools used for signature/verification of standard java apps:

• jarsigner - 使用提供的私钥签署数据，并使用证书（即公钥绑定到你的身份）


• keytool - 在密钥库中管理私钥和证书。 jarsigner 需要这些密钥。

• jarsigner - signs data with provided private key, and verifies data with certificate (i.e. public key bound to your identity)
• keytool - manages private keys and certificates in your keystore. Those keys are needed for jarsigner.

手动签名您的应用程序后或使用您的IDE导出签名的应用程序（使用 keytool 和 jarsigner 在引擎盖下），然后您可以找到放置在您签名的.apk存档的 META-INF 目录中的签名相关文件：

After you sign your application manually with jarsigner or export signed application using your IDE (which uses keytool and jarsigner under the hood anyway), you can then locate signature-related files placed in META-INF directory of your signed .apk archive :

• CERT.SF - 包含 SHA 的应用程序组件散列的文件


• CERT.RSA（或.DSA） - 上述文件+公共证书的数字签名，以验证此签名。
  您可以阅读更多有关歌唱作品的详细信息这里。

• CERT.SF - file containing SHA hashes of your app components and
• CERT.RSA (or .DSA) - digital signature of above mentioned file + public certificate to verify this signature. You can read more details about how singing works here.

这篇文章很好地描述了您的步骤需要遵循。

This article very well describes steps you need to follow.

注意：请先考虑重要的预发布步骤，然后再继续进行签名：logs / critical string literals removal，obfuscation with proguard 等。

Note: Please consider important pre-release steps before you proceed with signing : logs/ critical string literals removal, obfuscation with proguard, etc.

下面我将提供一些关键点：

Below I will provide some key points for the process :

如果没有o，可能需要创建 keystore 东北。创建 keystore 时，需要创建密钥库密码，用于确保密钥库的完整性数据（即，您会被警告，您的密钥库在某人之后被篡改 - 不是您已经添加了新的证书）。实际上，如果您保持您的密钥库文件安全，则此密码不是至关重要的。如果你有一天忘记了，你可以离开。

This may require creating keystore first if you don't have one. When creating keystore you need to create Keystore password, that is used to ensure integrity of keystore data (i.e. you will be warned that your keystore is tampered with after someone - not you -has added new certificate to it). Practically, this password is not super crucial if you keep your keystore file safe. You can get away if you forget it some day.

当生成私钥时，你将会还要求创建将用于加密密钥库内的私钥的 PrivateKey密码。 这是您需要保留的非常重要的密码，因为它确保

When generating private key, you will be also asked to create PrivateKey password that will be used to encrypt your private key inside the keystore. This is the very important password you need to keep as it ensures

• 您的私人密钥真的是私人。最重要的是，如果没有此密码，您将无法使用私钥签名并发布应用程序的未来更新;
  

• your private key is really private. and most importantly
• without this password you won't be able to use you private key to sign and release future updates for your application;
  

当您在Eclipse中生成新的私钥时，还会要求您提供用于创建自签名证书的身份信息。

When you generate your new private key in Eclipse, you will also be asked to provide identity information that is used to create your self-signed certificate.

作为下一步，您的私钥从指定的密钥库文件将被用于签署申请，您的 .apk 将使用以上解释的签名相关文件进行更新。

As the next step your private key from specified keystore file will be used to sign the application and your .apk will be updated with signature-related files explained above.

密钥库只是一个特定格式的私钥/证书的二进制文件保存列表。它可以使用API​​ KeyStore.java 。您的密钥库可以包含多个私钥条目，每个密钥条目由其别名标识。

在大多数情况下，您的密钥库将具有单个私钥，单个自签名证书与此私钥匹配。

Keystore is simply a single binary file keeping list of your private keys / certificates in a specific format. It is programmatically accessible using API provided by KeyStore.java. Your keystore can contain multiple private key entries, each identified by its alias.
In majority of cases your keystore will have single private key with single self-signed certificate matching this private key.

密钥库密码用于密钥存储内容的完整性检查。
如果您丢失此密码，但您仍然有密码存储在，您可以通过运行以下命令克隆您的密钥库并提供新的密钥库密码：

Keystore password is used for integrity check of the keystore content.
If you loose this password, but you still have password for private key stored inside, you can "clone" your keystore and provide new keystore password by running the following cmd:

keytool -importkeystore -srckeystore
path / to / keystore / with /被遗忘/ pw -destkeystore
path / to / my / new / keystore

keytool -importkeystore -srckeystore path/to/keystore/with/forgotten/pw -destkeystore path/to/my/new/keystore

提供新密码，并将旧的密钥库密码留空 - 您只会收到警告。然后，您可以使用新的密钥库，并删除旧的密钥库。

还有其他方法可以在不使用密钥库密码的情况下检索您的私钥。

provide new password, and leave old keystore password blank - you will only get warning. You can then use your new keystore and get rid of old one.
There are other ways you can retrieve your private key without using keystore password.

私钥密码 - 保护（加密）私钥 keystore 。这是非常重要的，因为它允许您访问您的私钥，除其他外，为您的应用程序签名更新。通常很难恢复它。

Private key password - protects(by encrypting) private key inside keystore. It is extremely important as it allows you to access your private key to, among other things, sign updates for your application. It is generally very hard to recover it.

自签名证书 - 非常简单的证书将您的身份（姓名/组织/电子邮件）绑定到你的公钥此证书在签名操作期间添加到 .apk 文件中，并将在安装之前用于用户设备上验证 .apk 。

Self-signed ceritificate - very simple certificate binding your identity(name/organization/email) to your public key. This certificate is added to .apk file during signing operation and will be used on user's device to verify .apk before installation.

这篇关于Android开发：Keytool，创建一个密钥库？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！