如何在Android中签署AAR工件？ [英] How to sign AAR Artifacts in Android?

问题描述

我正在开发一个.AAR安卓库，我想用我自己的密钥签署已发布的工件，以便我可以确定是否已经发布了具有相同名称和功能的假aar。

I'm currently developing a .AAR android library and I would like to sign the released artifacts with my own key, so that I can determine if a fake aar with the same name and functionality has been released by mine or not.

通知1：

我希望能够检查其真实性我的程序库，即使是一个假的，也只是伪造我的aar文件的一部分功能。

I want to be able to check the authenticity of my library programmatically, even if a fakely-cooked one, is forging just part of the functionality of my aar file.

通知2：

我不要将此aar发布到maven，sonatype或任何其他公共存储库。因此，我将签署一个典型的发布流程，如签署apk文件。

I am not going to publish this aar into maven, sonatype or any other public repository. So I'm going to sign it for a typical release flow like signing an apk file.

推荐答案

您可以使用 jarsigner 为您签名 aar 库，您可以使用 keytool 来生成签名密钥。这两个工具都位于Android Studio附带的嵌入式JDK中。执行以下操作以对您的库进行签名。

You can use jarsigner to sign you aar library, and you can use keytool to generate the signing keys. Both tools are located in the embedded JDK that comes with Android Studio. Do the following to sign your library.

使用密钥对生成密钥库。您需要提供证书字段：

Generate a keystore with a key pair. You'll need to provide the certificate fields:

keytool -genkeypair -alias aarsign -keypass mypassword -keystore aarsign.keystore -storepass mypassword -v

将生成的证书导出到PEM文件中：

Export the generated certificate into a PEM file:

keytool -exportcert -rfc -alias aarsign -file aarsign-public.pem -keystore aarsign.keystore -storepass mypassword -v

创建一个包含证书的密钥库：

Create a keystore containing the certificate:

keytool -importcert -alias aarsign -file aarsign-public.pem -keystore aarsign-public.keystore -storepass mypassword -v

签署图书馆：

jarsigner -keystore aarsign.keystore -storepass mypassword -keypass mypassword -signedjar lib-signed.aar -verbose lib.aar aarsign

验证

任何希望证明真实性的人库需要以可靠的方式获取您的证书（或带有它的密钥库），并输入以下命令：

Verifying

Anyone who wishes to attest the authenticity of the library needs to obtain your certificate (or the keystore with it) in a reliable way, and enter this command:

jarsigner -keystore aarsign-public.keystore -storepass mypassword -verify -verbose -certs lib-signed.aar aarsign

它会给出消息

jar verified.

有一些关于证书过期和签名时间戳的警告。您可以通过创建更严格的证书来摆脱这些警告。请参阅 keytool 和 jarsigner 文档。

with some warnings about certificate expiration and signature timestamp. You can get rid of these warnings by creating a stricter certificate. Refer to keytool and jarsigner documentation.

您可以通过两种方式查看您的图书馆是否已被篡改：不匹配的摘要或不匹配的证书。如果有人从不同的源代码或使用不同的资源生成 aar ，则摘要将不匹配，并且 jarsigner 将警告，例如：

There are two ways in which you can find out whether your library has been tampered: unmatching digests or unmatching certificate. If someone generates an aar from a different source code or with different resources, the digest won't match and jarsigner will warn, for example:

jarsigner: java.lang.SecurityException: invalid SHA-256 signature file digest for <file>

并且，如果有人提供的证书与您自己的证书不同， jarsigner 将发出警告：

And, if someone provides a different certificate than your own, jarsigner will warn:

Warning: 
This jar contains entries whose certificate chain is not validated.
This jar contains signed entries which are not signed by the specified alias(es).
This jar contains signed entries that are not signed by alias in this keystore.

这篇关于如何在Android中签署AAR工件？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！