Android requires that each application be signed with the developer's digital keys to enforce signature permissions and application request to use shared user ID or target process. For more information on the general Android security principles and signing requirements, see the Android Security and Permissions section in the Android Developer Guide). The core Android platform uses four keys to maintain security of core platform components:
- platform: a key for packages that are part of the core platform.
- shared: a key for things that are shared in the
- media: a key for packages that are part of the
- releasekey: the default key to sign with if not otherwise specified
These keys are used to sign applications separately for release images and are not used by the Android build system. The build system signs packages with the testkeys provided in
build/target/product/security/. Because the testkeys are part of the standard Android open source distribution, they should never be used for production devices. Instead, device manufacturers should generate their own private keys for shipping release builds.
A device manufacturer's keys for each product should be stored under
<product_name> represent the manufacturer and product names. To simplify key creation, copy the script below to this directory in a file called
mkkey.sh. To customize your keys, change the line that starts with AUTH to reflect the correct information for your company:
if [ "$1" == "" ]; then
echo "Create a test certificate key."
echo "Usage: $0 NAME"
echo "Will generate NAME.pk8 and NAME.x509.pem"
echo " $AUTH"
openssl genrsa -3 -out $1.pem 2048
openssl req -new -x509 -key $1.pem -out $1.x509.pem -days 10000 \
echo "Please enter the password for this key:"
openssl pkcs8 -in $1.pem -topk8 -outform DER -out $1.pk8 -passout stdin
mkkey.sh is a helper script to generate the platform's keys. NOTE: the password you type will be visible in your terminal window. Note the passwords you use as you will need them to sign release builds.
To generate the required 4 platform keys, run
mkkey.sh four times specifying the key name and password for each:
sh mkkey.sh platform # enter password
sh mkkey.sh media # enter password
sh mkkey.sh shared # enter password
sh mkkey.sh release # enter password
You should now have new keys for your product.
Signing a build for release
Signing a build for a release is a two-step process.
- Sign all the individual parts of the build.
- Put the parts back together into image files.
build/tools/releasetools/sign_target_files_apks to sign a
target_files package. The
target_files package isn't built by default, you need to make sure to specify the "dist" target when you call make. For example:
make -j4 PRODUCT-<product_name>-user dist
The command above creates a a file under
<product_name>-target_files.zip. This is the file you need to pass to the
You would typically run the script like this:
./build/tools/releasetools/sign_target_files_apks -d vendor/<vendor_name>/security/<product_name> <product_name>-target_files.zip signed-target-files.zip
If you have prebuilt and pre-signed apk's in your build that you don't want re-signed, you must explicitly ignore them by adding
-e Foo.apk= to the command line for each apk you wish to ignore.
sign_target_files_apks also has many other options that could be useful for signing release builds. Run it with
-h as the only option to see the full help.
Creating image files
Once you have
signed-target-files.zip, create the images so you can put it onto a device with the command below:
build/tools/releasetools/img_from_target_files signed-target-files.zip signed-img.zip
signed-img.zip contains all the
.img files. You can use
fastboot update signed-img.zip to use fastboot to get them on the device.