Creating Release Keys and Signing Builds (Making an Android Release Image)
Introduction
Android requires that each application be signed with the developer's digital keys to enforce signature permissions and application requests to use a shared user ID or target process. For more information on the general Android security principles and signing requirements, see the Android Security and Permissions section in the Android Developer Guide. The core Android platform uses four keys to maintain security of core platform components:
- platform: a key for packages that are part of the core platform.
- shared: a key for things that are shared in the home/contacts process.
- media: a key for packages that are part of the media/download system.
- releasekey: the default key to sign with if not otherwise specified.
These keys are used to sign applications separately for release images and are not used by the Android build system. The build system signs packages with the testkeys provided in build/target/product/security/. Because the testkeys are part of the standard Android open source distribution, they should never be used for production devices. Instead, device manufacturers should generate their own private keys for shipping release builds.
Generating keys
A device manufacturer's keys for each product should be stored under vendor/<vendor_name>/security/<product_name>, where <vendor_name> and <product_name> represent the manufacturer and product names. To simplify key creation, copy the script below to this directory in a file called mkkey.sh. To customize your keys, change the line that starts with AUTH to reflect the correct information for your company:
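#!/bin/sh
# Subject (distinguished name) written into each certificate; edit for your company.
AUTH='/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
if [ "$1" = "" ]; then
    echo "Create a test certificate key."
    echo "Usage: $0 NAME"
    echo "Will generate NAME.pk8 and NAME.x509.pem"
    echo " $AUTH"
    exit
fi
# Generate a 2048-bit RSA private key with public exponent 3 (written unencrypted to NAME.pem).
openssl genrsa -3 -out "$1.pem" 2048
# Create a self-signed X.509 certificate for that key.
openssl req -new -x509 -key "$1.pem" -out "$1.x509.pem" -days 10000 \
    -subj "$AUTH"
# Convert the key to password-protected PKCS#8 DER; the password is read from stdin.
echo "Please enter the password for this key:"
openssl pkcs8 -in "$1.pem" -topk8 -outform DER -out "$1.pk8" -passout stdin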
mkkey.sh is a helper script to generate the platform's keys. NOTE: the password you type will be visible in your terminal window. Note the passwords you use as you will need them to sign release builds.
To generate the required 4 platform keys, run mkkey.sh four times specifying the key name and password for each:
sh mkkey.sh platform # enter password
sh mkkey.sh media # enter password
sh mkkey.sh shared # enter password
sh mkkey.sh release # enter password
You should now have new keys for your product.
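An added example, not part of the original page or of the Android tools: a POSIX shell audit of the key directory after running mkkey.sh. It flags the unencrypted NAME.pem that the script leaves beside each key, .pk8 files stored without a password, and private keys accessible to group or others; the function names are hypothetical, and the encryption check assumes DER-encoded PKCS#8 as mkkey.sh produces.

```sh
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Print the decimal value of the byte at offset $2 of file $1 (empty if absent).
byte_at() {
    od -An -tu1 -j "$2" -N 1 "$1" 2>/dev/null | tr -d ' \n'
}

# Succeed if DER PKCS#8 file $1 is an EncryptedPrivateKeyInfo. Inside the outer
# SEQUENCE the first element is a SEQUENCE (tag 48) when the key is encrypted
# and an INTEGER version (tag 2) when it is stored in the clear.
pk8_is_encrypted() {
    [ "$(byte_at "$1" 0)" = 48 ] || return 1
    len=$(byte_at "$1" 1)
    off=2                                              # short-form length
    [ "${len:-0}" -ge 128 ] && off=$((2 + len - 128))  # long form: skip length bytes
    [ "$(byte_at "$1" "$off")" = 48 ]
}

report() { echo "$1"; findings=$((findings + 1)); }

# audit_key_dir DIR NAME...: print one finding per line; fail if there are any.
audit_key_dir() {
    dir=$1; shift
    findings=0
    for name in "$@"; do
        pk8=$dir/$name.pk8
        [ -f "$dir/$name.x509.pem" ] || report "$name: missing $name.x509.pem"
        # mkkey.sh writes the RSA key unencrypted to NAME.pem and never deletes it.
        [ -f "$dir/$name.pem" ] && report "$name: unencrypted $name.pem left on disk"
        if [ ! -f "$pk8" ]; then
            report "$name: missing $name.pk8"
            continue
        fi
        pk8_is_encrypted "$pk8" || report "$name: $name.pk8 is not password-protected"
        # Characters 5-10 of the ls mode string are the group and other bits.
        case $(ls -ld "$pk8" | cut -c5-10) in
            ------) ;;
            *) report "$name: $name.pk8 is accessible to group or others" ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Usage: sh audit_keys.sh vendor/<vendor_name>/security/<product_name> platform media shared release
if [ "$#" -gt 0 ]; then audit_key_dir "$@"; fi
```

A non-zero exit status means at least one finding, so the script can gate a release job before sign_target_files_apks runs.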
Signing a build for release
Signing a build for a release is a two-step process.
- Sign all the individual parts of the build.
- Put the parts back together into image files.
Signing applications
Use build/tools/releasetools/sign_target_files_apks to sign a target_files package. The target_files package isn't built by default; you need to specify the "dist" target when you call make. For example:
make -j4 PRODUCT-<product_name>-user dist
The command above creates a file under out/dist called <product_name>-target_files.zip. This is the file you need to pass to the sign_target_files_apks script.
You would typically run the script like this:
./build/tools/releasetools/sign_target_files_apks -d vendor/<vendor_name>/security/<product_name> <product_name>-target_files.zip signed-target-files.zip
If you have prebuilt and pre-signed APKs in your build that you don't want re-signed, you must explicitly ignore them by adding -e Foo.apk= to the command line for each APK you wish to ignore.
sign_target_files_apks also has many other options that could be useful for signing release builds. Run it with -h as the only option to see the full help.
Creating image files
Once you have signed-target-files.zip, create the images so you can put them onto a device with the command below:
build/tools/releasetools/img_from_target_files signed-target-files.zip signed-img.zip
signed-img.zip contains all the .img files. You can use fastboot update signed-img.zip to get them on the device.