diff --git a/doc/Android_code_signing.adoc b/doc/Android_code_signing.adoc new file mode 100644 index 0000000..a5774e3 --- /dev/null +++ b/doc/Android_code_signing.adoc @@ -0,0 +1,59 @@ +Load and use Android code signing certificate +--------------------------------------------- + +This is a step-by-step guide on how to load and use an android code signing +key and certificate. + +Prerequisites +------------- + +* a YubiKey with the PIV application +* the yubico-piv-tool software +* the OpenSC software +* jarsigner and keytool from the JDK (openjdk 8 used here) + +Steps +----- + +1. Import the key and cert, do a or b +a. Import the key and cert (PEM format) in slot 9a: + + $ yubico-piv-tool -s 9a -a import-key -i key.pem + $ yubico-piv-tool -s 9a -a import-certificate -i cert.pem + +b. Import the key and cert (PKCS12 format) in slot 9a: + + $ yubico-piv-tool -s 9a -a import-key -a import-cert -i key.p12 -K PKCS12 + +2. Create a java pkcs11 configuration file: + + cat > /tmp/pkcs11_java.cfg + name = OpenSC-PKCS11 + description = SunPKCS11 via OpenSC + library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so + slotListIndex = 1 + +3. Check that keytool can see the key: + + $ keytool -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /tmp/pkcs11_java.cfg -keystore NONE -storetype PKCS11 -list + Enter keystore password: + + Keystore type: PKCS11 + Keystore provider: SunPKCS11-OpenSC-PKCS11 + + Your keystore contains 1 entry + + Certificate for PIV Authentication, PrivateKeyEntry, + Certificate fingerprint (SHA1): 26:D7:CB:71:6D:42:3C:AB:58:69:E0:9D:F0:16:DF:84:7E:1C:5A:9A ++ +Password here is the PIN of the key (default 123456). + +4. Sign the apk with jarsigner: + + $ jarsigner -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /tmp/pkcs11_java.cfg -keystore NONE -storetype PKCS11 app.apk "Certificate for PIV Authentication" + Enter Passphrase for keystore: + jar signed. + +5. Verify the signature with jarsigner: + + $ jarsigner -verify app.apk
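Review bot: Step 2 writes the provider configuration to `/tmp/pkcs11_java.cfg`, a fixed file name in a world-writable directory, and steps 3 and 4 pass that file to keytool and jarsigner via `-providerArg`. Its `library =` line decides which shared object the JVM loads and therefore which module receives the PIN, so the guide should put the file somewhere only the signing user can write, for example under the user's home directory with restrictive permissions. The same step shows `cat > /tmp/pkcs11_java.cfg` without the `$` prompt used elsewhere and without saying how the input is terminated. A here-document, or a sentence telling the reader to create the file with the four lines shown, would make it reproducible. In step 1, option b spells the action `-a import-cert` while option a uses `-a import-certificate`; please use one spelling in both. In step 3, the line "Password here is the PIN of the key (default 123456)" would benefit from a sentence telling the reader to change the default PIN before loading a code signing key. Step 1 could also say what to do with `key.pem` or `key.p12` after import, since the private key otherwise remains on disk next to the token.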