How to sign AAR Artifacts in Android?

I am currently developing an Android .AAR library and I would like to sign the released artifacts with my own key, so that I can determine whether a fake AAR with the same name and functionality was released by me or not.

Note 1:

I want to be able to authenticate my library programmatically, even if a fake, prepared one only provides a fraction of the functionality of my aar file.

Note 2:

I am not going to publish this aar to Maven, Sonatype or any other public repository. So I am going to sign it for a typical release stream, like signing an apk file.

+4

5 answers


You can use jarsigner to sign your aar library, and you can use keytool to create the signing keys. Both tools are located in the JDK that ships with Android Studio. To sign your library, follow these steps.

Signing

Create a keystore containing a key pair. You will need to provide the certificate fields:

keytool -genkeypair -alias aarsign -keypass mypassword -keystore aarsign.keystore -storepass mypassword -v

Export the generated certificate to a PEM file:

keytool -exportcert -rfc -alias aarsign -file aarsign-public.pem -keystore aarsign.keystore -storepass mypassword -v

Create a keystore containing only the certificate:

keytool -importcert -alias aarsign -file aarsign-public.pem -keystore aarsign-public.keystore -storepass mypassword -v

Sign the library:

jarsigner -keystore aarsign.keystore -storepass mypassword -keypass mypassword -signedjar lib-signed.aar -verbose lib.aar aarsign



Verification

Anyone who wants to authenticate the library should have a reliable way to obtain the certificate (or keystore) and run the following command:

jarsigner -keystore aarsign-public.keystore -storepass mypassword -verify -verbose -certs lib-signed.aar aarsign

It prints the message

jar verified.

with some warnings about certificate expiration and the signing timestamp. You can get rid of these warnings by creating a stricter certificate. Refer to the keytool and jarsigner documentation.

There are two ways to find out that your library has been changed: mismatched digests or a mismatched certificate. If someone generates the aar from different source code or with different resources, the digests will not match, and jarsigner will warn, for example:

jarsigner: java.lang.SecurityException: invalid SHA-256 signature file digest for <file>

And if someone signs with a different certificate than yours, jarsigner will warn you:

Warning:
This jar contains entries whose certificate chain is not validated.
This jar contains signed entries which are not signed by the specified alias(es).
This jar contains signed entries that are not signed by alias in this keystore.

+12
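A programmatic version of the check in the answer above, which is what the question asks for. This is an added example, not code from the answer or from any Android tooling: it pins the certificate exported as aarsign-public.pem and walks the signed aar with java.util.jar.JarFile in verifying mode, so a tampered entry raises a SecurityException (the digest-mismatch case) and an entry signed by another key, or not signed at all, makes the check return false (the wrong-certificate case). The class name AarVerifier and its method names are my own. An aar is consumed at build time, so this runs wherever the file exists, for example in a Gradle task or a CI step, not inside the app.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (not from the original answer): checks that every content entry of a
// signed .aar carries a signature whose leaf certificate is exactly the pinned one.
public final class AarVerifier {

    // The manifest and the signature files under META-INF/ are not covered by the signature.
    private static boolean isSignatureFile(String name) {
        if (!name.startsWith("META-INF/")) return false;
        String upper = name.toUpperCase();
        return upper.equals("META-INF/MANIFEST.MF")
                || upper.endsWith(".SF") || upper.endsWith(".RSA")
                || upper.endsWith(".DSA") || upper.endsWith(".EC");
    }

    // Loads the certificate produced by "keytool -exportcert -rfc" (PEM).
    public static X509Certificate loadPinnedCert(String pemPath) throws Exception {
        try (InputStream in = new FileInputStream(pemPath)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Returns true only if every non-signature entry is signed by the pinned certificate.
    // Throws SecurityException if an entry's bytes do not match its signed digest.
    public static boolean isSignedBy(String aarPath, X509Certificate pinned) throws IOException {
        try (JarFile jar = new JarFile(aarPath, true)) { // verify = true
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureFile(entry.getName())) continue;

                // Digest checks happen while the stream is read, so read each entry to EOF.
                byte[] buf = new byte[8192];
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* discard */ }
                }

                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) return false; // an unsigned entry was added or replaced

                boolean pinnedSignerFound = false;
                for (CodeSigner signer : signers) {
                    Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
                    if (leaf.equals(pinned)) { pinnedSignerFound = true; break; }
                }
                if (!pinnedSignerFound) return false; // signed, but with someone else's key
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        String aar = args.length > 0 ? args[0] : "lib-signed.aar";
        String pem = args.length > 1 ? args[1] : "aarsign-public.pem";
        try {
            boolean ok = isSignedBy(aar, loadPinnedCert(pem));
            System.out.println(ok ? "signed by pinned certificate" : "NOT signed by pinned certificate");
            System.exit(ok ? 0 : 1);
        } catch (SecurityException e) {
            System.out.println("tampered entry: " + e.getMessage());
            System.exit(2);
        }
    }
}
```

Compile and run it with `javac AarVerifier.java && java AarVerifier lib-signed.aar aarsign-public.pem`; exit code 0 means the aar is authentic, 1 means it is unsigned or signed by another key, 2 means an entry was modified after signing. Comparing the leaf certificate byte for byte, rather than asking whether the chain validates against a keystore, is deliberate: no CA is involved, and a self-signed certificate made by someone else would "validate" just as well if it were merely present in a trust store.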


You can generate it by running:

./gradlew assembleRelease

Or from the Gradle menu on the right side of Android Studio select YourLibraryProject -> Tasks -> Build -> assembleRelease.

But of course you need to add the signing key to the library project. Please read Sign your app.

0


I haven't tried it, but this "should" work:

Create a block like this in the Gradle config file for the aar you are about to create:

signedAar {
    signedConfig {
        storeFile file("path/to/keystore")
        storePassword "Password"
        keyAlias "Alias"
        keyPassword "AliasPassword"
    }
}

then add this to the buildTypes -> release block of the same config file:

signingConfig signedAar.signedConfig

Let us know if it works.

0


Why don't you SHA-256 hash your aar file? Even if someone is messing around with it, the hash of the aar changes and you will find out. I like it ;)

0


Since variant.signingConfig doesn't work for me, I used:

apply plugin: 'com.android.library'

...

android {
    ...

    signingConfigs {
        release {
            storeFile file("${rootProject.projectDir}/keystore.jks")
            storePassword "XXXX"
            keyAlias "alias"
            keyPassword "XXXX"
        }
    }

    ...
}

// Hook the signing step onto assembleRelease once Gradle has created that task.
tasks.whenTaskAdded { task ->
    if (task.name == 'assembleRelease') {
        def aarPath = "${project.buildDir}/outputs/aar/XXX-release.aar"

        task.doLast {
            // Sign the finished .aar in place using Ant's jarsigner wrapper.
            ant.signjar(
                    alias: android.signingConfigs.release.keyAlias,
                    jar: aarPath,
                    keystore: android.signingConfigs.release.storeFile,
                    storepass: android.signingConfigs.release.storePassword,
                    keypass: android.signingConfigs.release.keyPassword,
                    preservelastmodified: 'true')

            // Fail the build if the signature does not verify against the same keystore and alias.
            ant.verifyjar(
                    alias: android.signingConfigs.release.keyAlias,
                    jar: aarPath,
                    keystore: android.signingConfigs.release.storeFile,
                    storepass: android.signingConfigs.release.storePassword,
                    keypass: android.signingConfigs.release.keyPassword)
        }
    }
}

0