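On the Amlogic T950 platform, we replace Android's default testkey with our company's OTA signing key. The process is recorded below:
1. Generate the keys
First we need to generate our project's own set of four OTA signing keys. Each type of key is generated as a pair: the file with the .x509.pem suffix is the public key and the file with the .pk8 suffix is the private key. The system's default keys are: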
testkey -- a generic key for packages that do not otherwise specify a key.
platform -- a test key for packages that are part of the core platform.
shared -- a test key for things that are shared in the home/contacts process.
media -- a test key for packages that are part of the media/download system.
The Android source tree provides a tool for generating keys, development/tools/make_key. The commands are:
./make_key releasekey '/C=CN/ST=ShangHai/L=ShangHai/O=XXX/OU=XXX/CN=XXXV/emailAddress=XXX' rsa
./make_key platform '/C=CN/ST=ShangHai/L=ShangHai/O=XXX/OU=XXX/CN=XXXV/emailAddress=XXX' rsa
./make_key shared '/C=CN/ST=ShangHai/L=ShangHai/O=XXX/OU=XXX/CN=XXXV/emailAddress=XXX' rsa
./make_key media '/C=CN/ST=ShangHai/L=ShangHai/O=XXX/OU=XXX/CN=XXXV/emailAddress=XXX' rsa
Replace XXX with your own company's information.
The generated files are:
media.pk8 media.x509.pem platform.pk8 platform.x509.pem
releasekey.pk8 releasekey.x509.pem shared.pk8 shared.x509.pem
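Put the generated key files in the project's own directory; for the Amlogic project that is device/amlogic/p341/sign_keys. Our company's keys are now generated.
2. Change the build rules so that the build signs the OTA with our newly generated key
First search build/core/Makefile for testkey to see how testkey is used by the build system. You will find the following: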
ifeq ($(DEFAULT_SYSTEM_DEV_CERTIFICATE),build/target/product/security/testkey)
BUILD_KEYS := test-keys
else
BUILD_KEYS := dev-keys
endif
Following DEFAULT_SYSTEM_DEV_CERTIFICATE further, build/core/config.mk contains:
# The default key if not set as LOCAL_CERTIFICATE
ifdef PRODUCT_DEFAULT_DEV_CERTIFICATE
DEFAULT_SYSTEM_DEV_CERTIFICATE := $(PRODUCT_DEFAULT_DEV_CERTIFICATE)
else
DEFAULT_SYSTEM_DEV_CERTIFICATE := build/target/product/security/testkey
endif
So to use releasekey, it is enough to set the value of PRODUCT_DEFAULT_DEV_CERTIFICATE. Set this project-specific variable in device/amlogic/p341/p341.mk:
PRODUCT_DEFAULT_DEV_CERTIFICATE := device/amlogic/p341/sign_keys/releasekey
Following the same rule, also change build/core/Makefile as follows:
ifeq ($(DEFAULT_SYSTEM_DEV_CERTIFICATE),device/amlogic/p341/sign_keys/releasekey)
BUILD_KEYS := release-keys
endif
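This way the final stage of the build signs the OTA package with our key.
3. Additional notes
For APK signing, the build signs each APK with the key that the APK specifies. If an APK's Android.mk does not set LOCAL_CERTIFICATE, it defaults to testkey, that is, to whatever DEFAULT_SYSTEM_DEV_CERTIFICATE is set to: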
ifeq ($(LOCAL_CERTIFICATE),)
LOCAL_CERTIFICATE := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
endif
private_key := $(LOCAL_CERTIFICATE).pk8
certificate := $(LOCAL_CERTIFICATE).x509.pem
If it is instead set to:
LOCAL_CERTIFICATE := platform
the APK is signed with the platform key, so it has the same signature as the system.
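
The layout from steps 1 and 2 can be checked before a release build. The script below is an added example, not part of the original write-up or of the Android build system; the function name check_sign_keys and the finding labels are made up for illustration, and it assumes the paths used on this page, given relative to the top of the source tree.

```shell
#!/bin/sh
# Added example: audit the signing-key layout from steps 1 and 2.
# Usage, from the top of the Android tree:
#   check_sign_keys . device/amlogic/p341/sign_keys device/amlogic/p341/p341.mk
# Prints one line per finding; the return status is the number of findings.
check_sign_keys() {
    root=$1; key_dir=$2; product_mk=$3; findings=0

    # Step 1: every key must exist as a .pk8 / .x509.pem pair.
    for name in releasekey platform shared media; do
        for ext in pk8 x509.pem; do
            if [ ! -s "$root/$key_dir/$name.$ext" ]; then
                echo "MISSING $key_dir/$name.$ext"
                findings=$((findings + 1))
            fi
        done
    done

    # The private keys sit inside the source tree, so keep them owner-only.
    for pk8 in "$root/$key_dir"/*.pk8; do
        [ -e "$pk8" ] || continue
        if [ "$(ls -ld "$pk8" | cut -c5-10)" != "------" ]; then
            echo "PERMS $pk8 is accessible to group or other"
            findings=$((findings + 1))
        fi
    done

    # Step 2: take the last assignment of PRODUCT_DEFAULT_DEV_CERTIFICATE.
    cert=$(sed -n 's/^[[:space:]]*PRODUCT_DEFAULT_DEV_CERTIFICATE[[:space:]]*:=[[:space:]]*//p' \
        "$root/$product_mk" 2>/dev/null | sed 's/[[:space:]]*$//' | tail -n 1)
    case $cert in
        "")
            echo "UNSET PRODUCT_DEFAULT_DEV_CERTIFICATE (config.mk falls back to testkey)"
            findings=$((findings + 1)) ;;
        build/target/product/security/testkey)
            echo "TESTKEY $product_mk still selects the default testkey"
            findings=$((findings + 1)) ;;
        *)
            # The build appends .pk8 and .x509.pem to this value.
            if [ ! -s "$root/$cert.pk8" ] || [ ! -s "$root/$cert.x509.pem" ]; then
                echo "DANGLING $cert has no key pair behind it"
                findings=$((findings + 1))
            fi ;;
    esac
    return "$findings"
}
```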