OpenHarmony应用签名 - 厂商私有签名的配置和使用 原创 精华
概述
文档环境
开发环境:Windows 11
DevEco Studio 版本:DevEco Studio 3.1.1 Release(3.1.0.501)
SDK 版本:3.2.14.1(Full SDK)
开发板型号:DAYU 200
系统版本:OpenHarmony 3.2 Release(3.2.14.5)
涉及仓库:Hap包签名工具[developtools_hapsigner]
功能简介
OpenHarmony应用签名 - 厂商私有签名文章介绍如何生成厂商私有签名和修改运行系统中的配置文件,使私有签名签出的应用可以正常在系统中安装和使用。
本文我们将介绍:
- 私有签名信息和密钥如何在系统源码中进行配置,使系统原生支持私有厂商签名签出的应用安装。
- 部分的系统应用是由编译子系统编译成hap装入系统中,如何配置这些系统应用的签名。
- 如何使用Debug级别的签名文件给应用签名。
- 厂商私有签名如何在DevEco Studio的工程中进行配置。
说明:本文档使用的签名文件和密钥等信息已由OpenHarmony应用签名 - 厂商私有签名文档生成。
配置源码私有签名验证信息
1. 配置trusted_apps_sources.json文件,增加私有签名信息。注意“,”符号后面需要加入空格才可正常匹配。文件源码位置:
base/security/appverify/interfaces/innerkits/appverify/config/OpenHarmony/trusted_apps_sources.json
{
"name":"OpenHarmony-Tizi apps",
"app-signing-cert":"C=CN, O=OpenHarmony-Tizi-app-cert, OU=OpenHarmony-Tizi-app-cert Community, CN=OpenHarmony Application Release",
"profile-signing-certificate":"C=CN, O=OpenHarmony-Tizi-profile-cert, OU=OpenHarmony-Tizi-profile-cert Community, CN=OpenHarmony Application Profile Release",
"profile-debug-signing-certificate":"C=CN, O=OpenHarmony-Tizi-profile-cert, OU=OpenHarmony-Tizi-profile-cert Community, CN=OpenHarmony Application Profile Debug",
"issuer-ca":"C=CN, O=OpenHarmony-Tizi-subCA, OU=OpenHarmony-Tizi-subCA Community, CN=OpenHarmony Application CA",
"max-certs-path":3,
"critialcal-cert-extension":["keyusage"]
}2. 配置trusted_root_ca.json文件,将OpenHarmony-Tizi-rootCA.cer密钥信息处理后加入到文件中。文件源码位置:
base/security/appverify/interfaces/innerkits/appverify/config/OpenHarmony/trusted_root_ca.json
"C=CN, O=OpenHarmony-Tizi-rootCA, OU=OpenHarmony-Tizi-rootCA Community, CN=OpenHarmony Application Root CA":"-----BEGIN CERTIFICATE-----\nMIICQzCCAemgAwIBAgIEUwKY8TAKBggqhkjOPQQDAjCBhTELMAkGA1UEBhMCQ04x\nIDAeBgNVBAoMF09wZW5IYXJtb255LVRpemktcm9vdENBMSowKAYDVQQLDCFPcGVu\nSGFybW9ueS1UaXppLXJvb3RDQSBDb21tdW5pdHkxKDAmBgNVBAMMH09wZW5IYXJt\nb255IEFwcGxpY2F0aW9uIFJvb3QgQ0EwHhcNMjMwNTIxMTQwNTI2WhcNMjQwNTIw\nMTQwNTI2WjCBhTELMAkGA1UEBhMCQ04xIDAeBgNVBAoMF09wZW5IYXJtb255LVRp\nemktcm9vdENBMSowKAYDVQQLDCFPcGVuSGFybW9ueS1UaXppLXJvb3RDQSBDb21t\ndW5pdHkxKDAmBgNVBAMMH09wZW5IYXJtb255IEFwcGxpY2F0aW9uIFJvb3QgQ0Ew\nWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARoC3C5WijOQkLq/AjmtEWkZ+Ooso1p\nRl34qPpEPH0b6iun5wpAlDe20bcCvsiFda2RNXFsqHIl+cj59bnLh83Ro0UwQzAd\nBgNVHQ4EFgQUAIpcSDCk3q3hZ+qwobekzT9vLHAwEgYDVR0TAQH/BAgwBgEB/wIB\nADAOBgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwIDSAAwRQIhANKbxPqFT5PwURVf\n1Oxa8cf1udcgO0ntULei/GhaQIobAiBH787oVyJtKxMuPw9K6zzhJjBNjZzW0DrK\n/NOyuKLetw==\n-----END CERTIFICATE-----\n"3. 重新编译系统镜像,烧录至设备,使用私有签名签出的应用安装测试。
配置源码编译应用的签名文件
以权限管理应用(com.ohos.permissionmanager)为例,其他应用可根据需求配置。
应用源码位置:applications/standard/permission_manager
应用编译信息:
// applications/standard/permission_manager/permissionmanager/BUILD.gn
ohos_hap("permission_manager") {
hap_profile = "src/main/module.json"
deps = [
":permission_manager_js_assets",
":permission_manager_resources",
]
certificate_profile = "../signature/pm.p7b"
hap_name = "permission_manager"
part_name = "prebuilt_hap"
subsystem_name = "applications"
js_build_mode = "debug"
module_install_dir = "app/com.ohos.permissionmanager"
}1. 使用hap-sign-tool.jar查看原权限管理应用p7b签名文件信息对应的Profile签名证书信息。
p7b文件位置:applications/standard/permission_manager/signature/pm.p7b
java -jar hap-sign-tool.jar verify-profile -inFile pm.p7b -outFil
e pm.json
2. 将bundle-name、apl、app-feature和allowed-acls字段分别复制到UnsgnedReleasedProfileTemplate.json文件中。
3. 通过文本查看的方式打开p7b文件,把app-privilege-capabilities字段信息拷贝到UnsgnedReleasedProfileTemplate.json文件中。
说明:验签JSON未输出app-privilege-capabilities字段,已与开发反馈,步骤3为临时方案,后续如有修改会进行文档更新。
4. 替换distribution-certificate为私有签名OpenHarmony-Tizi-app-cert.pem文件中第一部分的密钥。把回车转换为\n字符,替换UnsgnedReleasedProfileTemplate.json文件的distribution-certificate字段。例如:
转换前:
-----BEGIN CERTIFICATE-----
MIICazCCAhGgAwIBAgIFAPERF2IwCgYIKoZIzj0EAwIwgYIxCzAJBgNVBAYTAkNO
MR8wHQYDVQQKDBZPcGVuSGFybW9ueS1UaXppLXN1YkNBMSkwJwYDVQQLDCBPcGVu
SGFybW9ueS1UaXppLXN1YkNBIENvbW11bml0eTEnMCUGA1UEAwweT3Blbkhhcm1v
bnkgQXBwbGljYXRpb24gU3ViIENBMB4XDTIzMDUyMTE0MDU0M1oXDTI0MDUyMDE0
MDU0M1owgYkxCzAJBgNVBAYTAkNOMSIwIAYDVQQKDBlPcGVuSGFybW9ueS1UaXpp
LWFwcC1jZXJ0MSwwKgYDVQQLDCNPcGVuSGFybW9ueS1UaXppLWFwcC1jZXJ0IENv
bW11bml0eTEoMCYGA1UEAwwfT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gUmVsZWFz
ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN0OL1RqzWXQWCXpT0tt54aFR0Ul
7pqZYBJaCKT049xUYcfwCHLd0q0IzktNo9nqKIjE5BxOk76w7kHhxwowI2qjazBp
MB0GA1UdDgQWBBQAW6LlxgLrPko7kHS/jbcsqnh4WTAJBgNVHRMEAjAAMA4GA1Ud
DwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAYBgwrBgEEAY9bAoJ4AQME
CDAGAgEBCgEAMAoGCCqGSM49BAMCA0gAMEUCIQDHIWx4AELONvCoKaQnHQAW0bay
gjR168gmlnGfnFGowAIgfMV5/nIvmRAbpapqO3a2pBKeHFfeU5zel/T1Bgty198=
-----END CERTIFICATE-----转换后:
-----BEGIN CERTIFICATE-----\nMIICazCCAhGgAwIBAgIFAPERF2IwCgYIKoZIzj0EAwIwgYIxCzAJBgNVBAYTAkNO\nMR8wHQYDVQQKDBZPcGVuSGFybW9ueS1UaXppLXN1YkNBMSkwJwYDVQQLDCBPcGVu\nSGFybW9ueS1UaXppLXN1YkNBIENvbW11bml0eTEnMCUGA1UEAwweT3Blbkhhcm1v\nbnkgQXBwbGljYXRpb24gU3ViIENBMB4XDTIzMDUyMTE0MDU0M1oXDTI0MDUyMDE0\nMDU0M1owgYkxCzAJBgNVBAYTAkNOMSIwIAYDVQQKDBlPcGVuSGFybW9ueS1UaXpp\nLWFwcC1jZXJ0MSwwKgYDVQQLDCNPcGVuSGFybW9ueS1UaXppLWFwcC1jZXJ0IENv\nbW11bml0eTEoMCYGA1UEAwwfT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gUmVsZWFz\nZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN0OL1RqzWXQWCXpT0tt54aFR0Ul\n7pqZYBJaCKT049xUYcfwCHLd0q0IzktNo9nqKIjE5BxOk76w7kHhxwowI2qjazBp\nMB0GA1UdDgQWBBQAW6LlxgLrPko7kHS/jbcsqnh4WTAJBgNVHRMEAjAAMA4GA1Ud\nDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAYBgwrBgEEAY9bAoJ4AQME\nCDAGAgEBCgEAMAoGCCqGSM49BAMCA0gAMEUCIQDHIWx4AELONvCoKaQnHQAW0bay\ngjR168gmlnGfnFGowAIgfMV5/nIvmRAbpapqO3a2pBKeHFfeU5zel/T1Bgty198=\n-----END CERTIFICATE-----\n
{
"version-name": "2.0.0",
"version-code": 2,
"app-distribution-type": "os_integration",
"uuid": "5027b99e-5f9e-465d-9508-a9e0134ffe18",
"validity": {
"not-before": 1594865258,
"not-after": 1689473258
},
"type": "release",
"bundle-info": {
"developer-id": "OpenHarmony",
"distribution-certificate": "-----BEGIN CERTIFICATE-----\nMIICazCCAhGgAwIBAgIFAPERF2IwCgYIKoZIzj0EAwIwgYIxCzAJBgNVBAYTAkNO\nMR8wHQYDVQQKDBZPcGVuSGFybW9ueS1UaXppLXN1YkNBMSkwJwYDVQQLDCBPcGVu\nSGFybW9ueS1UaXppLXN1YkNBIENvbW11bml0eTEnMCUGA1UEAwweT3Blbkhhcm1v\nbnkgQXBwbGljYXRpb24gU3ViIENBMB4XDTIzMDUyMTE0MDU0M1oXDTI0MDUyMDE0\nMDU0M1owgYkxCzAJBgNVBAYTAkNOMSIwIAYDVQQKDBlPcGVuSGFybW9ueS1UaXpp\nLWFwcC1jZXJ0MSwwKgYDVQQLDCNPcGVuSGFybW9ueS1UaXppLWFwcC1jZXJ0IENv\nbW11bml0eTEoMCYGA1UEAwwfT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gUmVsZWFz\nZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN0OL1RqzWXQWCXpT0tt54aFR0Ul\n7pqZYBJaCKT049xUYcfwCHLd0q0IzktNo9nqKIjE5BxOk76w7kHhxwowI2qjazBp\nMB0GA1UdDgQWBBQAW6LlxgLrPko7kHS/jbcsqnh4WTAJBgNVHRMEAjAAMA4GA1Ud\nDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAYBgwrBgEEAY9bAoJ4AQME\nCDAGAgEBCgEAMAoGCCqGSM49BAMCA0gAMEUCIQDHIWx4AELONvCoKaQnHQAW0bay\ngjR168gmlnGfnFGowAIgfMV5/nIvmRAbpapqO3a2pBKeHFfeU5zel/T1Bgty198=\n-----END CERTIFICATE-----\n",
"bundle-name": "com.ohos.permissionmanager",
"apl": "normal",
"app-feature": "hos_system_app"
},
"acls": {
"allowed-acls": [
"ohos.permission.GET_SENSITIVE_PERMISSIONS",
"ohos.permission.GRANT_SENSITIVE_PERMISSIONS",
"ohos.permission.REVOKE_SENSITIVE_PERMISSIONS",
"ohos.permission.PERMISSION_USED_STATS",
"ohos.permission.GET_BUNDLE_INFO_PRIVILEGED",
"ohos.permission.GET_BUNDLE_INFO",
"ohos.permission.MANAGE_AUDIO_CONFIG",
"ohos.permission.MANAGE_CAMERA_CONFIG"
]
},
"permissions": {
"restricted-permissions": []
},
"issuer": "pki_internal",
"app-privilege-capabilities": [
"AllowAppDesktopIconHide",
"AllowAbilityExcludeFromMissions",
"AllowAppUsePrivilegeExtension"
]
}
5. ProvisionProfile文件签名,生成权限管理应用的p7b文件。
java -jar hap-sign-tool.jar sign-profile -keyAlias "OpenHarmony-Tizi-profileCA" -signAlg "SHA256withECDSA" -mode "localSign" -profileCertFile "OpenHarmony-Tizi-profile-cert-release.pem" -inFile "UnsgnedReleasedProfileTemplate.json" -keystoreFile "OpenHarmony-Tizi.p12" -outFile "pm.p7b" -keyPwd "Pwd-Tizi-5" -keystorePwd "Pwd-Tizi-2"
6. 将pm.p7b文件替换源码中原p7b文件。
7. 修改编译签名信息。
通过build/ohos/app/app_internal.gni文件查看应用签名需要的编译参数。
_private_key_path = default_hap_private_key_path
if (defined(private_key_path)) {
_private_key_path = private_key_path
}
_signature_algorithm = default_signature_algorithm
if (defined(signature_algorithm)) {
_signature_algorithm = signature_algorithm
}
_key_alias = default_key_alias
if (defined(key_alias)) {
_key_alias = key_alias
}
_keystore_path = default_keystore_path
if (defined(keystore_path)) {
_keystore_path = keystore_path
}
_keystore_password = default_keystore_password
if (defined(keystore_password)) {
_keystore_password = keystore_password
}
_certificate_file = default_hap_certificate_file
if (defined(certificate_file)) {
_certificate_file = certificate_file
}默认编译签名信息位于源码位置build/ohos_var.gni。
default_hap_private_key_path = "OpenHarmony Application Release"
default_signature_algorithm = "SHA256withECDSA"
default_key_alias = "123456"
default_keystore_password = "123456"
default_keystore_path = "//developtools/hapsigner/dist/OpenHarmony.p12"
default_hap_certificate_file =
"//developtools/hapsigner/dist/OpenHarmonyApplication.pem"编译配置字段 | hap-sign-tool.jar字段 | 签名信息 |
default_hap_private_key_path | keyAlias | OpenHarmony-Tizi-subCA |
default_signature_algorithm | signAlg | SHA256withECDSA |
default_key_alias | keyPwd | Pwd-Tizi-4 |
default_keystore_password | keystorePwd | Pwd-Tizi-2 |
default_keystore_path | keystoreFile | OpenHarmony-Tizi.p12 |
default_hap_certificate_file | appCertFile | OpenHarmony-Tizi-app-cert.pem |
说明:编译字段default_hap_private_key_path和default_key_alias的命名与hap-sign-tool.jar字段的命名有出入,但是与build/scripts/hapbuilder.py中sign_hap函数中的取值相对应,需注意,目前已与开发反馈,后续如有修改会进行文档更新。
def sign_hap(hapsigner, private_key_path, sign_algo, certificate_profile,
keystore_path, keystorepasswd, keyalias, certificate_file,
unsigned_hap_path, signed_hap_path):
cmd = ['java', '-jar', hapsigner, 'sign-app']
cmd.extend(['-mode', 'localsign'])
cmd.extend(['-signAlg', sign_algo])
cmd.extend(['-keyAlias', private_key_path])
cmd.extend(['-inFile', unsigned_hap_path])
cmd.extend(['-outFile', signed_hap_path])
cmd.extend(['-profileFile', certificate_profile])
cmd.extend(['-keystoreFile', keystore_path])
cmd.extend(['-keystorePwd', keystorepasswd])
cmd.extend(['-keyPwd', keyalias])
cmd.extend(['-appCertFile', certificate_file])
cmd.extend(['-profileSigned', '1'])
cmd.extend(['-inForm','zip'])
child = subprocess.Popen(cmd,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
stdout, stderr = child.communicate()
if child.returncode:
print(stdout.decode(), stderr.decode())
raise Exception("Failed to sign hap")此处如果修改默认签名配置,则全部由系统编译生成的应用都需要替换p7b文件。本文档仅替换了权限管理应用的p7b文件,所以单独配置权限管理应用的编译配置。
// applications/standard/permission_manager/permissionmanager/BUILD.gn
ohos_hap("permission_manager") {
hap_profile = "src/main/module.json"
deps = [
":permission_manager_js_assets",
":permission_manager_resources",
]
certificate_profile = "../signature/pm.p7b"
hap_name = "permission_manager"
part_name = "prebuilt_hap"
subsystem_name = "applications"
js_build_mode = "debug"
module_install_dir = "app/com.ohos.permissionmanager"
private_key_path = "OpenHarmony-Tizi-subCA" // 增加的签名配置信息
signature_algorithm = "SHA256withECDSA" // 增加的签名配置信息
key_alias = "Pwd-Tizi-4" // 增加的签名配置信息
keystore_path = "//developtools/hapsigner/dist/OpenHarmony-Tizi.p12" // 增加的签名配置信息
keystore_password = "Pwd-Tizi-2" // 增加的签名配置信息
certificate_file = "//developtools/hapsigner/dist/OpenHarmony-Tizi-app-cert.pem" // 增加的签名配置信息
}8. 将p12文件和pem文件放到步骤7中编译配置的源码目录中。
9. 由于p7b文件的替换,所以预安装配置文件中的app_signature也会被改变,需要重新生成,生成方法可以参考OpenHarmony应用开发技巧 - 如何获取证书指纹。
权限管理应用生成app_signature:
app_signature:F433242143C463C5931D84E127DA67A6B00B02C5625C17AA2EAA77A393400A33
替换install_list_capability.json文件,权限管理应用指纹信息。
// vendor/hihope/rk3568/preinstall-config/install_list_capability.json
{
"bundleName": "com.ohos.permissionmanager",
"app_signature": ["F433242143C463C5931D84E127DA67A6B00B02C5625C17AA2EAA77A393400A33"],
"allowAppUsePrivilegeExtension": true
},10. 重新编译系统镜像,烧录至设备,查看权限管理应用是否被正确安装,并验证指纹信息是否与新生成的指纹信息一致。
bm dump -n com.ohos.permissionmanager | grep finger
如何签出Debug等级权限应用
生成Debug等级的p7b文件需要用到UnsgnedDebugProfileTemplate.json和OpenHarmony-Tizi-profile-cert-debug.pem文件。
未修改的UnsgnedDebugProfileTemplate.json:
与Release配置文件区别在Debug配置文件增加了debug-info字段,Debug签名需要指定安装设备的udid。
1. 获取设备udid。
hdc shell "bm get --udid"
3BCB000C4E2B33075C2759B3A454AF51D7BFF3D2AA489879F70D829E272F03F3
2. 配置UnsgnedDebugProfileTemplate.json文件,将设备udid和development-certificate信息配置进文件。development-certificate的配置方式与Release配置文件相同,可以参考“配置源码编译应用的签名文件”章节的步骤4。
配置后的UnsgnedDebugProfileTemplate.json文件
{
"version-name": "2.0.0",
"version-code": 2,
"uuid": "fe686e1b-3770-4824-a938-961b140a7c98",
"validity": {
"not-before": 1610519532,
"not-after": 1705127532
},
"type": "debug",
"bundle-info": {
"developer-id": "OpenHarmony",
"development-certificate": "-----BEGIN CERTIFICATE-----\nMIICazCCAhGgAwIBAgIFAPERF2IwCgYIKoZIzj0EAwIwgYIxCzAJBgNVBAYTAkNO\nMR8wHQYDVQQKDBZPcGVuSGFybW9ueS1UaXppLXN1YkNBMSkwJwYDVQQLDCBPcGVu\nSGFybW9ueS1UaXppLXN1YkNBIENvbW11bml0eTEnMCUGA1UEAwweT3Blbkhhcm1v\nbnkgQXBwbGljYXRpb24gU3ViIENBMB4XDTIzMDUyMTE0MDU0M1oXDTI0MDUyMDE0\nMDU0M1owgYkxCzAJBgNVBAYTAkNOMSIwIAYDVQQKDBlPcGVuSGFybW9ueS1UaXpp\nLWFwcC1jZXJ0MSwwKgYDVQQLDCNPcGVuSGFybW9ueS1UaXppLWFwcC1jZXJ0IENv\nbW11bml0eTEoMCYGA1UEAwwfT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gUmVsZWFz\nZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN0OL1RqzWXQWCXpT0tt54aFR0Ul\n7pqZYBJaCKT049xUYcfwCHLd0q0IzktNo9nqKIjE5BxOk76w7kHhxwowI2qjazBp\nMB0GA1UdDgQWBBQAW6LlxgLrPko7kHS/jbcsqnh4WTAJBgNVHRMEAjAAMA4GA1Ud\nDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAYBgwrBgEEAY9bAoJ4AQME\nCDAGAgEBCgEAMAoGCCqGSM49BAMCA0gAMEUCIQDHIWx4AELONvCoKaQnHQAW0bay\ngjR168gmlnGfnFGowAIgfMV5/nIvmRAbpapqO3a2pBKeHFfeU5zel/T1Bgty198=\n-----END CERTIFICATE-----\n",
"bundle-name": "com.openharmony.signtest",
"apl": "normal",
"app-feature": "hos_normal_app"
},
"acls": {
"allowed-acls": [
""
]
},
"permissions": {
"restricted-permissions": [
""
]
},
"debug-info": {
"device-ids": [
"3BCB000C4E2B33075C2759B3A454AF51D7BFF3D2AA489879F70D829E272F03F3"
],
"device-id-type": "udid"
},
"issuer": "pki_internal"
}
说明:如果不配置udid,在应用安装时报错,error: failed to install bundle. error: signature verification failed due to not trusted app source.
3. ProvisionProfile文件签名,注意需使用OpenHarmony-Tizi-profile-cert-debug.pem配合UnsgnedDebugProfileTemplate.json进行签名。
java -jar hap-sign-tool.jar sign-profile -keyAlias "OpenHarmony-Tizi-profileCA" -signAlg "SHA256withECDSA" -mode "localSign" -profileCertFile "OpenHarmony-Tizi-profile-cert-debug.pem" -inFile "UnsgnedDebugProfileTemplate.json" -keystoreFile "OpenHarmony-Tizi.p12" -outFile "com.openharmony.signtest.debug.p7b" -keyPwd "Pwd-Tizi-5" -keystorePwd "Pwd-Tizi-2"
4. hap应用包签名,appCertFile参数与Release版本签名不变,profileFile使用Debug签出的p7b文件。
java -jar hap-sign-tool.jar sign-app -keyAlias "OpenHarmony-Tizi-subCA" -signAlg "SHA256withECDSA" -mode "localSign" -appCertFile "OpenHarmony-Tizi-app-cert.pem" -profileFile "com.openharmony.signtest.debug.p7b" -inFile "entry-default-unsigned.hap" -keystoreFile "OpenHarmony-Tizi.p12" -outFile "entry-default-signed-debug.hap" -keyPwd "Pwd-Tizi-4" -keystorePwd "Pwd-Tizi-2"
5. 安装应用。
DevEco Studio配置厂商私有签名
以com.openharmony.signtest工程为例。
1. 在工程根路径创建signature文件夹,把应用签名所需文件放入此文件夹下,包括OpenHarmony-Tizi-app-cert.pem、OpenHarmony-Tizi.p12和com.openharmony.signtest.p7b文件。
2. 更改OpenHarmony-Tizi-app-cert.pem后缀为cer。
3. 单击File > Project Structure > Project > SigningConfigs进入签名配置界面,如果勾选Automatically generate signature则需取消勾选。选取签名文件和配置密钥,点击OK保存配置。
Store file(*.p12):OpenHarmony-Tizi.p12
Store password:Pwd-Tizi-2
Key alias:OpenHarmony-Tizi-subCA
Key password:Pwd-Tizi-4
Sign alg:SHA256withECDSA
Profile file(*.p7b):com.openharmony.signtest.p7b
Certpath file(*.cer):OpenHarmony-Tizi-app-cert.cer
4. 构建安装验证。
参考文档
OpenHarmony Docs - 应用特权配置指南
蹲到后续了,必须点赞收藏一波
一般应用如果这样申请会直接被华为打回吗?
OpenHarmony属于开放原子开源基金会,不单独属于某一家企业。签名的分发是由系统厂商来控制的,各家厂商的系统是在OpenHarmony系统的基础上进行自我拓展,所以具体的签名规则,也是由各家厂商来具体详细制定的。一般而言不管是系统应用或者三方应用,都是不允许自行定义签名文件和签名的,应用的签名行为应统一由系统厂商来进行。
针对文档中“编译字段default_hap_private_key_path和default_key_alias的命名与hap-sign-tool.jar字段的命名有出入”的问题已于开发沟通,OpenHarmony-3.2-Release不会再做修改。
OpenHarmony-4.0随系统编译的应用编译逻辑已修改为与IDE对其,使用Hvigor工具进行辅助编译,现有编译方式将会被废弃。目前此处的需求正在开发中,当定型后会针对4.0重新发布厂商签名的应用文档供大家学习。
看起来OpenHarmony-4.0又会大改了
懂了,之前把OpenHarmony和华为弄混了
巨佬
1、步骤2&3中将源p7b文件中验签得到的json文件的bundle-name、apl、app-feature、allowed-acls以及app-privilege-capabilities字段信息保存至UnsgnedReleasedProfileTemplate.json的依据是什么,permissions字段不用拷贝吗?
2、步骤9中除了修改install_list_capability.json的signature,install_list_permissions.json的signature也要修改吧
针对文档中“验签JSON未输出app-privilege-capabilities字段,已与开发反馈,步骤3为临时方案,后续如有修改会进行文档更新。”已与开发沟通并转化为issue,请大家关注issue进展:https://gitee.com/openharmony/developtools_hapsigner/issues/I7NB7X?from=project-issue