SC20 - Signing Android with protected keys

Dear all,

I’m trying to sign an Android image built for SC20 using keys protected with a password.

Steps to create my keys:

$ subject='/C=BR/ST=City/L=State/O=My Company/OU=R&D/CN=Company/emailAddress=contact@company.com'

$ for x in releasekey platform shared media; do ./development/tools/make_key ~/release/$x "$subject" ; done

When asked for a password, I used ‘aep123’, for example.

To sign the image:

$ ./build/tools/releasetools/sign_target_files_apks -v --default_key_mappings ~/release ~/dist_output/msm8909-target_files-200212.zip ~/dist_output/signed-msm8909-target_files-200212.zip

Execution output:

running:  openssl pkcs8 -in /home/ubuntu/release/media.pk8 -inform DER -nocrypt
running:  openssl pkcs8 -in /home/ubuntu/release/media.pk8 -inform DER -passin pass:
running:  openssl pkcs8 -in /home/ubuntu/release/platform.pk8 -inform DER -nocrypt
running:  openssl pkcs8 -in /home/ubuntu/release/platform.pk8 -inform DER -passin pass:
running:  openssl pkcs8 -in /home/ubuntu/release/releasekey.pk8 -inform DER -nocrypt
running:  openssl pkcs8 -in /home/ubuntu/release/releasekey.pk8 -inform DER -passin pass:
running:  openssl pkcs8 -in /home/ubuntu/release/shared.pk8 -inform DER -nocrypt
running:  openssl pkcs8 -in /home/ubuntu/release/shared.pk8 -inform DER -passin pass:
running:  openssl pkcs8 -in cts/hostsidetests/appsecurity/certs/cts-testkey1.pk8 -inform DER -nocrypt
running:  openssl pkcs8 -in cts/hostsidetests/appsecurity/certs/cts-testkey2.pk8 -inform DER -nocrypt
running:  openssl pkcs8 -in cts/hostsidetests/appsecurity/certs/keysets/cts-keyset-test-a.pk8 -inform DER -nocrypt
running:  openssl pkcs8 -in cts/hostsidetests/appsecurity/certs/keysets/cts-keyset-test-b.pk8 -inform DER -nocrypt
running:  openssl pkcs8 -in cts/hostsidetests/appsecurity/certs/keysets/cts-keyset-test-c.pk8 -inform DER -nocrypt
running:  openssl pkcs8 -in cts/hostsidetests/appsecurity/certs/keysets/cts-keyset-test-ec-a.pk8 -inform DER -nocrypt
running:  openssl pkcs8 -in frameworks/base/core/tests/coretests/apks/keyset/../../certs/keyset_A.pk8 -inform DER -nocrypt
running:  openssl pkcs8 -in frameworks/base/core/tests/coretests/apks/keyset/../../certs/keyset_B.pk8 -inform DER -nocrypt
running:  openssl pkcs8 -in frameworks/base/core/tests/coretests/apks/version/../../certs/unit_test.pk8 -inform DER -nocrypt
running:  openssl pkcs8 -in frameworks/base/core/tests/coretests/apks/version/../../certs/unit_test_diff.pk8 -inform DER -nocrypt
running:  openssl pkcs8 -in frameworks/base/core/tests/coretests/apks/version_nosys/../../certs/unit_test.pk8 -inform DER -nocrypt
running:  openssl pkcs8 -in vendor/unbundled_google/libraries/certs/clockwork.pk8 -inform DER -nocrypt
running:  openssl pkcs8 -in vendor/unbundled_google/libraries/certs/clockwork.pk8 -inform DER -passin pass:
Enter password for /home/ubuntu/release/media key>
Enter password for /home/ubuntu/release/platform key>
Enter password for /home/ubuntu/release/releasekey key>
Enter password for /home/ubuntu/release/shared key>
rewriting RECOVERY/RAMDISK/default.prop:
  replace:  ro.bootimage.build.fingerprint=qcom/msm8909/msm8909:7.1.2/N2G47H/ubuntu01132103:userdebug/test-keys
 with:  ro.bootimage.build.fingerprint=qcom/msm8909/msm8909:7.1.2/N2G47H/ubuntu01132103:userdebug/release-keys
replace:  ro.build.display.id=msm8909-userdebug 7.1.2 N2G47H eng.ubuntu.20200113.210300 test-keys
 with:  ro.build.display.id=msm8909-userdebug 7.1.2 N2G47H eng.ubuntu.20200113.210300
replace:  ro.build.tags=test-keys
 with:  ro.build.tags=release-keys
replace:  ro.build.description=msm8909-userdebug 7.1.2 N2G47H eng.ubuntu.20200113.210300 test-keys
 with:  ro.build.description=msm8909-userdebug 7.1.2 N2G47H eng.ubuntu.20200113.210300 release-keys
replace:  ro.build.fingerprint=qcom/msm8909/msm8909:7.1.2/N2G47H/ubuntu01132103:userdebug/test-keys
 with:  ro.build.fingerprint=qcom/msm8909/msm8909:7.1.2/N2G47H/ubuntu01132103:userdebug/release-keys
rewriting BOOT/RAMDISK/default.prop:
replace:  ro.bootimage.build.fingerprint=qcom/msm8909/msm8909:7.1.2/N2G47H/ubuntu01132103:userdebug/test-keys
 with:  ro.bootimage.build.fingerprint=qcom/msm8909/msm8909:7.1.2/N2G47H/ubuntu01132103:userdebug/release-keys
signing: Telecom.apk                        (/home/ubuntu/release/platform)
running:  aapt dump badging /tmp/tmprvx6Wk
running:  java -Xmx2048m -Djava.library.path=out/host/linux-x86/lib64 -jar out/host/linux-x86/framework/signapk.jar --min-sdk-version 25 /home/ubuntu/release/platform.x509.pem /home/ubuntu/release/platform.pk8 /tmp/tmprvx6Wk /tmp/tmpIEEA9j
java.lang.ClassCastException: org.bouncycastle.asn1.DLSequence cannot be cast to org.bouncycastle.asn1.ASN1Integer
    at org.bouncycastle.asn1.pkcs.PrivateKeyInfo.<init>(PrivateKeyInfo.java:79)
    at org.bouncycastle.asn1.pkcs.PrivateKeyInfo.getInstance(PrivateKeyInfo.java:45)
    at com.android.signapk.SignApk.readPrivateKey(SignApk.java:271)
    at com.android.signapk.SignApk.main(SignApk.java:1105)

ERROR: signapk.jar failed: return code 1

I’m using Ubuntu 18.04, running the commands from the AOSP environment.

Can anybody help with this issue?

Kind Regards,
Alexandre
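
Added example, not part of the original post and not AOSP code: the trace above fails inside PrivateKeyInfo, the unencrypted PKCS#8 structure whose first field is an INTEGER version, whereas a password-protected .pk8 is an EncryptedPrivateKeyInfo whose first field is a SEQUENCE. This checker reports which of the two a DER .pk8 file is and which encryption scheme OID it carries; the function names and sample byte strings are constructed for illustration.

```python
import sys

PBES2_OID = "1.2.840.113549.1.5.13"  # id-PBES2 (PKCS #5 v2)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OID content bytes (first arc 0 or 1, enough for PKCS OIDs)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify_pk8(der):
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        return "not PKCS#8: outer element is not a SEQUENCE"
    first, fstart, _ = read_tlv(der, start)
    if first == 0x02:  # INTEGER version -> PrivateKeyInfo
        return "unencrypted PrivateKeyInfo"
    if first != 0x30:
        return "not PKCS#8: unexpected first field"
    otag, ostart, oend = read_tlv(der, fstart)  # AlgorithmIdentifier's OID
    if otag != 0x06:
        return "not PKCS#8: unexpected first field"
    oid = decode_oid(der[ostart:oend])
    scheme = "PBES2" if oid == PBES2_OID else "PBES1 or other"
    return f"EncryptedPrivateKeyInfo ({scheme}, OID {oid})"

# Constructed samples: valid outer structure, 1-byte dummy payloads.
_RSA = bytes.fromhex("300d06092a864886f70d0101010500")
SAMPLE_PLAIN = bytes.fromhex("3015020100") + _RSA + bytes.fromhex("040100")
SAMPLE_PBES2 = bytes.fromhex("3012300d06092a864886f70d01050d3000040100")
SAMPLE_PBES1 = bytes.fromhex("3012300d06092a864886f70d0105033000040100")

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. ~/release/platform.pk8
        with open(path, "rb") as f:
            print(path, "->", classify_pk8(f.read()))
```

Run it with the .pk8 paths as arguments; it only reads the outer ASN.1 headers and never needs the key password.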

./build/tools/releasetools/sign_target_files_apks -v --default_key_mappings ~/release ~/dist_output/msm8909-target_files-200212.zip ~/dist_output/signed-msm8909-target_files-200212.zip

I have not used this command.
Can you tell me where you found this command?