10
1.3
System APK signing
☛
When the
ISV
wants to design, on the TAB10s, some APK not requiring
system
rights to be executed, in this case no APK signing is required.
To design an APK having
system
privileges like the surround light driving, reboot control or URL launcher, the ISV needs to sign its APK with a
Java Keystore
having a
certificate
signed by
Qeedji
.
☛
The ISV may use his
Java Keystore
for all its
system
applica ons and the same cer ficate for all the ISV TAB10s devices. When APK signing is required, each
ISV
must
apply this procedure once.
Procedure to create a system Java Keystore
☛
In the example, it is considered that the company name is Contoso. ISD means IT Service Department. In the procedure, it is required to use the generic email of the
Chief Informa on Security Officer (CISO) of the company, for example
.
◬
In the following procedure, the following example values have been used.
Label type
Label value examples
C
US
ST
California
L
San-Francisco
O
Contoso
OU
Contoso_ISD
CN
CISO
E
Passphrase
1234
Java_keystore basename file
contoso_qeedji_java_keystore
Java_keystore password
567890
Friendly_name / name / key_alias
qeedji_aosp_key
1 . GENERATE YOUR PRIVATE KEY
◬
Y ou are responsible for your private key storing which has to be never communicated to a third party.
Generate your private key with a length of 2048 bits with the
R SA 2 0 4 8 Bits
key type.
For example:
openssl genrsa -f4 2048 > contoso_private_key_for_android.key
2 . GENERATE YOUR OWN CSR (CERTIFICATE SIGNING REQUEST)
Generate your own
.csr
cer ficate signing request thanks to your private key and some applicant iden fica on used to digitally sign the request. Thanks to match the
filename pa ern by replacing contoso by your own organiza on name.
For example:
openssl req -new -key contoso_private_key_for_android.key -subj '/C=US/ST=California/L=San-
Francisco/O=Contoso/OU=Contoso_ISD/CN=CISO/[email protected]' > contoso-for_qeedji_aosp.csr
3 . SEND YOUR CSR TO QEEDJI
Once generated, send a email to the
csr@ qeedji.tech
with your
CSR
(
contoso-for_qeedji_aosp.csr
file for example) in a achment.
4 . WAIT FOR THE QEEDJI ANSWER
Qeedji
should then return an answer within 7 days.
◬
Qeedji will send its answer to the email defi ned into the CSR fi le ( ciso@ contoso.com for example) , which may be not the same email used to send the CSR to Qeedji.
Qeedji
sends 2 files: the signed cer ficate (extension .crt) and the CA file (extension .pem).
For example:
contoso-qeedji_aosp-certificate-001A.crt
,
contoso-qeedji_aosp-certificate_authority-001A.pem
5 . GENERATE YOUR PUBLIC CERTIFICATE KEY
You have first to generate your public cer ficate key. For example:
openssl pkcs12 -export -in contoso-qeedji_aosp-cer ficate-001A.crt -inkey contoso_private_key_for_android.key -out
contoso_cer ficate_and_key_for_qeedji_aosp.pk12 -password pass:1234 -name qeedji_aosp_key -chain -CAfile contoso-qeedji_aosp-cer ficate_authority-001A.pem
6 . GENERATE THE JAVA KEYSTORE
Generate then a
Java Keystore
from your public cer ficate key with the
keytool
¹ toolbox.
The
Java Keystore
system is now usable in
Android Studio
.
For example:
keytool -importkeystore -deststorepass 567890 -destkeystore contoso_qeedji_java_keystore.jks -srckeystore contoso_cer ficate_and_key_for_qeedji_aosp.pk12 -
srcstoretype PKCS12 -srcstorepass 1234
¹
Keytool is a toolbox to handle cer fi cates for J ava products. It is provided by default in the J DK since version 1 .1 .