Android 9 supports APK key rotation, which lets an app change its signing key as part of an APK update. To implement rotation, the APK must indicate the level of trust between the old and new signing keys. To support key rotation, the APK Signature Scheme was updated from v2 to v3 so that both the old and the new key can be used.
v3 signing features
On Android 9 and higher, an APK can be verified according to APK Signature Scheme v3, v2, or v1. Older platforms ignore the v3 signature and try to verify the v2 signature, then the v1 signature.
After the key has been rotated and a device running Android 9 has upgraded the app to the new version, an APK signed with the old key can no longer be installed; the install fails with a signature mismatch.
Generating the new key
Use Android Studio to generate the new key, release.jks.
Rotating the signing key
Use apksigner to rotate the signing key.
$ ~/android/sdk/build-tools/30.0.3/apksigner rotate --out keyline --old-signer --ks platform.keystore --new-signer --ks geniex.jks
Keystore password for old signer:
Keystore password for new signer:
Enter the old and then the new keystore password. This produces the keyline (lineage) file, which is used for subsequent signing.
Signing
Android Studio and Gradle do not yet support v3 signing, so the APK has to be signed with apksigner: align first, then sign.
$ ~/android/sdk/build-tools/30.0.3/zipalign -v 4 demo-release-unsign.apk demo-release.apk
$ ~/android/sdk/build-tools/30.0.3/apksigner sign --ks old.keystore --next-signer --ks release.jks --lineage keyline build/outputs/apk/release/demo-release.apk
Keystore password for signer #1:
Keystore password for signer #2:
Check that the signature is correct: apksigner verify -v --print-certs demo.apk
$ ~/android/sdk/build-tools/30.0.3/apksigner verify -v --print-certs build/outputs/apk/release/demo-release.apk
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
Signer #1 certificate DN: CN=xx, OU=xx, O=xx, L=bj, ST=china, C=ch
Here you can see that the APK is now signed with the v3 scheme.
For comparison, inspect the signature of the old build:
~/android/sdk/build-tools/30.0.3/apksigner verify -v --print-certs orig-sign.apk
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
Signer #1 certificate DN: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain
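As an added check that is not part of the original post: apksigner verify reports which schemes validated, but the presence of v2 and v3 signing blocks can also be read directly from the APK Signing Block that sits just before the zip central directory, which is useful for an offline release gate that confirms a v3 block shipped. The block IDs 0x7109871a (v2) and 0xf05368c0 (v3) come from the APK Signing Block format; build_fake_apk is a constructed fixture for testing and does not produce a real, installable APK.

```python
import struct

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIG = b"PK\x05\x06"
# ID-value pair IDs defined for the APK Signing Block (Android docs).
BLOCK_NAMES = {0x7109871A: "v2", 0xF05368C0: "v3"}

def central_directory_offset(apk: bytes) -> int:
    """Find the End of Central Directory record and return the CD offset it stores."""
    # The EOCD comment may be up to 65535 bytes, so search backwards from the end.
    idx = apk.rfind(EOCD_SIG, max(0, len(apk) - 65557))
    if idx < 0:
        raise ValueError("no EOCD record: not a zip/APK")
    return struct.unpack_from("<I", apk, idx + 16)[0]

def parse_signing_block(apk: bytes) -> dict:
    """Return {block_id: value} for each ID-value pair in the APK Signing Block, or {} if absent."""
    cd_off = central_directory_offset(apk)
    if cd_off < 32 or apk[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        return {}  # no v2/v3 block; a v1-only APK keeps its JAR signature in META-INF
    size_in_footer = struct.unpack_from("<Q", apk, cd_off - 24)[0]
    start = cd_off - size_in_footer - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size_in_footer:
        raise ValueError("APK Signing Block size fields disagree")
    pairs, pos, end = {}, start + 8, cd_off - 24
    while pos < end:
        length = struct.unpack_from("<Q", apk, pos)[0]       # uint64: len(id) + len(value)
        block_id = struct.unpack_from("<I", apk, pos + 8)[0]
        pairs[block_id] = apk[pos + 12:pos + 8 + length]
        pos += 8 + length
    return pairs

def signature_schemes(apk: bytes) -> list:
    """Names of the signing-block schemes present; unknown IDs are reported as hex."""
    return sorted(BLOCK_NAMES.get(i, hex(i)) for i in parse_signing_block(apk))

def build_fake_apk(block_ids) -> bytes:
    """Constructed fixture only: a minimal zip carrying an APK Signing Block with the given IDs."""
    pairs = b"".join(struct.pack("<QI", 4 + 8, i) + b"\x00" * 8 for i in block_ids)
    size = len(pairs) + 24                     # pairs + trailing size field + magic
    sig_block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    contents = b"PK\x03\x04" + b"\x00" * 26 + b"fake"   # stand-in local file entry
    cd_off = len(contents) + len(sig_block)    # empty central directory, EOCD follows directly
    return contents + sig_block + EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, cd_off, 0)

if __name__ == "__main__":
    import sys
    print(signature_schemes(open(sys.argv[1], "rb").read()))
```

Run it against demo-release.apk and orig-sign.apk from above: the rotated build should list both v2 and v3, the old build only v2.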
Verification
Install the APK with the old signature: adb install orig-sign.apk
Install the v3-signed APK: adb install demo-release.apk
Install the old APK again: it fails with a signature error, showing that a downgrade to the old key is not possible.
An APK signed with the newest key, release.jks, using the v2 scheme installs successfully.
$ adb install orig-sign.apk
Performing Streamed Install
Success
$ adb install demo-release.apk
Performing Streamed Install
Success
$ adb install orig-sign.apk
Performing Streamed Install
adb: failed to install orig-sign.apk: Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE: Package com.exam.demo signatures do not match previously installed version; ignoring!]
$ adb install demo-new-v2-sign.apk
Performing Streamed Install
Success