Android 开发:Keytool,创建密钥库?
我正在努力为谷歌市场准备我的应用程序,但事实证明它比预期更具挑战性.我似乎无法掌握签署应用程序的整个概念,但更具体地说,我的问题是 我已经为 eclipse 安装了 keytool 插件,但是当我想创建一个证书时,它要求我选择一个密钥库(输入文件名和密钥库密码),我不明白我应该作为文件输入什么,因为它实际上希望我通过浏览选择文件以及如何继续导出文件,遗憾的是谷歌没有提出非常好的或明确的答案
I am trying to prepare my app for the google market, but it is proving a lot more challenging than expected. I cannot seem to grasp the whole concept of signing the app, but to be more specific my problem is that I have installed the keytool plugin for eclipse, but when I want to create a certificate it asks me to select a keystore (Enter the filename and keystore password), I don't understand what I am supposed to enter as a file, because it actually wants me to select the file through browse and how do I proceed with the exporting of the file, Google has sadly not come up with very good or clear answers
推荐答案
您需要提供新密钥库文件的位置和文件名,以防创建新密钥库文件.或者,您可以选择使用现有密钥库"并浏览到现有密钥库文件位置.
You need to provide location and filename for your new keystore file in case you are creating a new one. Alternatively, you could choose "use existing keystore" and browse to existing keystore file location.
编辑:我想我会提供详细的答案.希望这些信息有用.
Edit: I thought I would provide elaborate answer. Hope this info would be useful.
android使用的apk签名机制是数字签名的使用的例子应用程序的字节码和资源,以确保:
The apk signature mechanism used by android is an example usage of digital signature applied to bytecode and resources of the application to ensure :
- 完整性(下载后不会篡改您的应用)
- 真实性 - 是您将应用发布到 GooglePlay 的人
为了更好地理解数字签名我建议你也浏览一下公钥加密.
To better understand digital signature I suggest you also skim through public-key cryptography.
Android 使用与标准 Java 应用程序签名/验证相同的标准 JDK 工具:
Android uses same standard JDK tools used for signature/verification of standard java apps:
- jarsigner - 用提供
私钥
,并使用证书(即公钥)验证数据绑定到您的身份) - keytool - 管理私钥和您的
keystore
中的证书.jarsigner
需要这些密钥.
- jarsigner - signs data with provided
private key
, and verifies data with certificate (i.e. public key bound to your identity) - keytool - manages private keys and certificates in your
keystore
. Those keys are needed forjarsigner
.
在您使用 jarsigner
手动签署您的应用程序或使用您的 IDE 导出已签署的应用程序之后(无论如何,它在后台使用 keytool
和 jarsigner
),然后您可以找到放置在已签名 .apk 存档的 META-INF
目录中的与签名相关的文件:
After you sign your application manually with jarsigner
or export signed application using your IDE (which uses keytool
and jarsigner
under the hood anyway), you can then locate signature-related files placed in META-INF
directory of your signed .apk archive :
- CERT.SF - 包含您的应用组件的
SHA
哈希值和 的文件 - CERT.RSA(或 .DSA)- 上述文件的数字签名 + 用于验证此签名的公共证书.您可以在这里阅读更多关于唱歌工作原理的详细信息.
- CERT.SF - file containing
SHA
hashes of your app components and - CERT.RSA (or .DSA) - digital signature of above mentioned file + public certificate to verify this signature. You can read more details about how singing works here.
这篇文章很好地描述了你需要的步骤跟随.
This article very well describes steps you need to follow.
注意:在继续签名之前,请考虑重要的预发布步骤:删除日志/关键字符串文字,使用 proguard等
Note: Please consider important pre-release steps before you proceed with signing : logs/ critical string literals removal, obfuscation with proguard, etc.
下面我将提供该过程的一些要点:
Below I will provide some key points for the process :
如果您没有keystore
,这可能需要先创建.创建 keystore
时,您需要创建 Keystore 密码
,用于确保 keystore
数据的完整性(即您将被警告您的 keystore 是在某人(不是您)向其添加新证书后被篡改).实际上,如果您保证 keystore
文件的安全,那么这个密码并不是非常重要的.如果有一天你忘记了它,你可以逃脱.
This may require creating keystore
first if you don't have one. When creating keystore
you need to create Keystore password
, that is used to ensure integrity of keystore
data (i.e. you will be warned that your keystore is tampered with after someone - not you -has added new certificate to it). Practically, this password is not super crucial if you keep your keystore
file safe. You can get away if you forget it some day.
在生成 private key
时,您还将被要求创建 PrivateKey 密码
,用于在密钥库中加密您的私钥.这是您需要保留的非常重要的密码,因为它可以确保
When generating private key
, you will be also asked to create PrivateKey password
that will be used to encrypt your private key inside the keystore. This is the very important password you need to keep as it ensures
- 您的 private 密钥确实是 private.最重要的是
- 如果没有此密码,您将无法使用您的私钥为您的应用签署和发布未来的更新;
- your private key is really private. and most importantly
- without this password you won't be able to use you private key to sign and release future updates for your application;
当您在 Eclipse 中生成新的私钥时,您还将被要求提供用于创建自签名证书的身份信息.
When you generate your new private key in Eclipse, you will also be asked to provide identity information that is used to create your self-signed certificate.
下一步,您将使用指定 keystore
文件中的 private key
对应用程序进行签名,并且您的 .apk
将更新为上面解释的与签名相关的文件.
As the next step your private key
from specified keystore
file will be used to sign the application and your .apk
will be updated with signature-related files explained above.
Keystore 只是一个二进制文件,以特定格式保存您的私钥/证书列表.它可以使用 KeyStore.java.您的密钥库可以包含多个私钥条目,每个都由其 alias
标识.
在大多数情况下,您的 keystore
将有一个私钥和一个与此私钥匹配的自签名证书.
Keystore is simply a single binary file keeping list of your private keys / certificates in a specific format. It is programmatically accessible using API provided by KeyStore.java. Your keystore can contain multiple private key entries, each identified by its alias
.
In majority of cases your keystore
will have single private key with single self-signed certificate matching this private key.
密钥库密码用于密钥库内容的完整性检查.
如果您丢失了此密码,但您仍然有其中存储的私钥密码,您可以通过运行以下 cmd 来克隆"您的密钥库并提供新的密钥库密码:
Keystore password is used for integrity check of the keystore content.
If you loose this password, but you still have password for private key stored inside, you can "clone" your keystore and provide new keystore password by running the following cmd:
keytool -importkeystore -srckeystore路径/到/keystore/with/forgotten/pw -destkeystore路径/to/my/new/keystore
keytool -importkeystore -srckeystore path/to/keystore/with/forgotten/pw -destkeystore path/to/my/new/keystore
提供新密码,并将旧密钥库密码留空 - 您只会收到警告.然后,您可以使用新的密钥库并摆脱旧的密钥库.
还有其他方法可以在不使用密钥库密码的情况下检索您的私钥.
provide new password, and leave old keystore password blank - you will only get warning. You can then use your new keystore and get rid of old one.
There are other ways you can retrieve your private key without using keystore password.
私钥密码 - 保护(通过加密)keystore
内的private key
.这非常重要,因为它允许您访问您的私钥,除其他外,为您的应用程序签名更新.通常很难恢复.
Private key password - protects(by encrypting) private key
inside keystore
. It is extremely important as it allows you to access your private key to, among other things, sign updates for your application. It is generally very hard to recover it.
自签名证书 - 将您的身份(姓名/组织/电子邮件)绑定到您的公钥的非常简单的证书.此证书在签名操作期间添加到 .apk
文件中,将在用户设备上用于在安装前验证 .apk
.
Self-signed ceritificate - very simple certificate binding your identity(name/organization/email) to your public key. This certificate is added to .apk
file during signing operation and will be used on user's device to verify .apk
before installation.
相关文章