I'm currently developing a .AAR android library and I would like to sign the released artifacts with my own key, so that I can determine if a fake aar with the same name and functionality has been released by mine or not.
Notice 1 :
I want to be able to check the authenticity of my library programmatically, even if a fakely-cooked one, is forging just part of the functionality of my aar file.
Notice 2 :
I am not going to publish this aar into maven, sonatype or any other public repository. So I'm going to sign it for a typical release flow like signing an apk file.
In android studio, open the Project Files view. Find the . aar file and double click, choose "arhcive" from the 'open with' list that pops up. This will open a window in android studio with all the files, including the classes, manifest, etc.
The . aar bundle is the binary distribution of an Android Library Project. An AAR is similar to a JAR file, but it can contain resources as well as compiled byte-code. A AAR file can be included in the build process of an Android application similar to a JAR file.
An AAR file contains a software library used for developing Android apps. It is structurally similar to an . APK file (Android Package), but it allows a developer to store a reusable component that can be used across multiple different apps.
Artifacts are temporary or final files or directories that are produced by the Android Gradle plugin during the build. Depending on its configuration, each com.android.build.api.variant.VariantBuilder produces different versions of some of the output artifacts.
However, instead of compiling into an APK that runs on a device, an Android library compiles into an Android Archive (AAR) file that you can use as a dependency for an Android app module. AAR files offer the following functionality for Android applications:
Access to the artifacts on a Variant object. Artifacts are temporary or final files or directories that are produced by the Android Gradle plugin during the build. Depending on its configuration, each com.android.build.api.variant.VariantBuilder produces different versions of some of the output artifacts.
Method 1 1 Step 1: Creating AAR#N#If you have already created AAR then you can skip this step and jump to generate AAR. If you... 2 Step 2: Generate AAR More ...
You can use jarsigner
to sign you aar
library, and you can use keytool
to generate the signing keys. Both tools are located in the embedded JDK that comes with Android Studio. Do the following to sign your library.
Generate a keystore with a key pair. You'll need to provide the certificate fields:
keytool -genkeypair -alias aarsign -keypass mypassword -keystore aarsign.keystore -storepass mypassword -v
Export the generated certificate into a PEM file:
keytool -exportcert -rfc -alias aarsign -file aarsign-public.pem -keystore aarsign.keystore -storepass mypassword -v
Create a keystore containing the certificate:
keytool -importcert -alias aarsign -file aarsign-public.pem -keystore aarsign-public.keystore -storepass mypassword -v
Sign the library:
jarsigner -keystore aarsign.keystore -storepass mypassword -keypass mypassword -signedjar lib-signed.aar -verbose lib.aar aarsign
Anyone who wishes to attest the authenticity of the library needs to obtain your certificate (or the keystore with it) in a reliable way, and enter this command:
jarsigner -keystore aarsign-public.keystore -storepass mypassword -verify -verbose -certs lib-signed.aar aarsign
It will give the message
jar verified.
with some warnings about certificate expiration and signature timestamp. You can get rid of these warnings by creating a stricter certificate. Refer to keytool
and jarsigner
documentation.
There are two ways in which you can find out whether your library has been tampered: unmatching digests or unmatching certificate. If someone generates an aar
from a different source code or with different resources, the digest won't match and jarsigner
will warn, for example:
jarsigner: java.lang.SecurityException: invalid SHA-256 signature file digest for <file>
And, if someone provides a different certificate than your own, jarsigner
will warn:
Warning:
This jar contains entries whose certificate chain is not validated.
This jar contains signed entries which are not signed by the specified alias(es).
This jar contains signed entries that are not signed by alias in this keystore.
Because variant.signingConfig
doesn't work for me I have used
apply plugin: 'com.android.library'
...
android {
...
signingConfigs {
release {
storeFile file("${rootProject.projectDir}/keystore.jks")
storePassword "XXXX"
keyAlias "alias"
keyPassword "XXXX"
}
}
...
}
tasks.whenTaskAdded { task ->
if (task.name == 'assembleRelease') {
def aarPath = "${project.buildDir}/outputs/aar/XXX-release.aar"
task.doLast {
ant.signjar(
alias: android.signingConfigs.release.keyAlias,
jar: aarPath,
keystore: android.signingConfigs.release.storeFile,
storepass: android.signingConfigs.release.storePassword,
keypass: android.signingConfigs.release.keyPassword,
preservelastmodified: 'true')
ant.verifyjar(
alias: android.signingConfigs.release.keyAlias,
jar: aarPath,
keystore: android.signingConfigs.release.storeFile,
storepass: android.signingConfigs.release.storePassword,
keypass: android.signingConfigs.release.keyPassword)
}
}
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With