How to sign android app with platform keys using gradle?

Question

I saw couple similar questions like:

• Android: After building platform source, how to sign arbitrary APK with platform key?
• How to create a release signed apk file using Gradle?
• APK signing error : Failed to read key from keystore

but I feel my problem is different.

First of all I use:

android:sharedUserId="android.uid.system"

so I need to sign my app with platform key. I'm able to do that in this way:

cd $ANDROID_ROOT/out/host/linux-x86/framework
java -Djava.library.path=$ANDROID_ROOT/out/host/linux-x86/lib64 -jar signapk.jar $ANDROID_ROOT/build/target/product/security/platform.x509.pem $ANDROID_ROOT/build/target/product/security/platform.pk8 $APP_DIR/app/build/outputs/apk/debug/app-debug.apk $APP_DIR/MyApp-signed.apk

However I want to do signing from gradle, so I have generated jks file in this way:

./keytool-importkeypair -k my_keystore.jks -p my_password -pk8 $ANDROID_ROOT/build/target/product/security/platform.pk8 -cert $ANDROID_ROOT/build/target/product/security/platform.x509.pem -alias platform

and I've modified app/build.gradle to have:

 signingConfigs {
     release {
         storeFile file("my_keystore.jks")
         storePassword "my_password"
         keyAlias "platform"
         keyPassword "my_password"
     }
 }

 buildTypes {
     release {
         minifyEnabled false
         proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'

         signingConfig signingConfigs.release
     }
 }

I've checked that my_keystore.jks has platform alias with:

keytool -list -v -keystore my_keystore.jks | grep Alias
Alias name: platform

but when I try to do:

./gradlew assembleRelease

or:

./gradlew signingReport

I get:

Failed to read key platform from store "(...)/my_keystore.jks": Invalid keystore format

Update: I've tried following dr_g tips and I'm able to sign app using Android Studio (Build -> Generate Signed APK), so I guess keystore is ok, but still I get the same error when using assembleRelease. I've also tried generating my own keystore as suggested by deadfish and indeed keystore generated by Android Studio is fine for gradle and assembleRelease works, but it's not platform key, so I can't use it unfortunately.

Issue solved: It turned out that my problem was indeed different than the ones I've mentioned. It was related with keytool used for generating keys (not gradle), and it was because although my default java was 8, my default keytool was from java 10 … When I’ve switched to keytool from java 8 everything started to work fine.

Answer 1

Please try using the .keystore variant. There could be ways to fix the java keystore (.jks) format but it is likely to take more time.

1) Generate your .keystore file from your separate key files

$ openssl pkcs8 -inform DER -nocrypt -in \
  $ANDROID_ROOT/build/target/product/security/platform.pk8 -out platform.key
$ openssl pkcs12 -export -in \
  $ANDROID_ROOT/build/target/product/security/platform.x509.pem -inkey \
  platform.key -name platform -out platform.pem -password pass:password
$ keytool -importkeystore -destkeystore platform.keystore -deststorepass \
  password -srckeystore platform.pem -srcstoretype PKCS12 -srcstorepass 
  password

2) Test your new keystore:

$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore \
  platform.keystore -storepass password your-app.apk platform

3) Deploy keystore in your gradle build:

signingConfigs {
 debug {
    storeFile     file('debug.keystore')
    storePassword 'android'
    keyAlias      'androiddebugkey'
    keyPassword   'android'
 }
 release {
    storeFile     file('platform.keystore')
    storePassword 'password'
    keyAlias      'platform'
    keyPassword   'password'
 } 
}

The above build.gradle is also showing an example of using the android debug keystore as standard for debug builds.

Answer 2

for create a keystore from x509.pem and pk8 files, you can use this script platform_import_keystore which is similar to keytool-importkeypair, but given that keytool-importkeypair doesn't work if you don't have a keystore already existing, platform_import_keystore will do.

I hope it will help.

EDIT :

The script platform_import_keystore is using the default keytool command. You must ansure that the command keytool which is used in the script is from java 8. This influences the keystore format got by keytool.

Answer 3

After chat with deadfish and following his suggestions (thanks for help!) I've come up with following workaround in app/build.gradle (inside android {}):

applicationVariants.all { variant ->
    variant.assemble.doLast {
        exec {
            commandLine 'sh', '../mySigningScript.sh'
        }
    }
}

This will run my script everytime when assembleDebug or assembleRelease is finished. I will not accept my answer because it's not answering my question and it forces me to remove signingConfigs from gradle but at least it's a workaround which potentially could be used if no better solution is proposed.