Reputation: 61
apksigner ignoring java parameters when trying to include azure keyvault jca
We need to sign our APK with a code signing certificate stored in a Azure Key Vault. We also need to utilise a certificate lineage. jarsigner supports the parameters required to use azure-security-keyvault-jca-2.10.0.jar but jarsigner does not do lineages (not that I could find anyway)
apksigner supports lineages but was not passing the -J-Dx=y or -J-z=w parameters properly. The batch file in the current build tools only passes the parameter to java as a java option and ignores the value. For example: -J-Dx=y will pass along -Dx to java. The value (y) is included with the parameters passed to the apksigner.jar
We have "fixed" the apksigner.bat file to pass the -J and -J-D parameters through to java correctly so that finally we can use apksigner with a lineage to sign our apk using an Azure HSM key vault....what an adventure
The version of the apksigner.bat is below with the additional lines highlighted if anyone needs it (mainly me when I go looking again in the future HA!)
@echo off
REM Copyright (C) 2016 The Android Open Source Project
REM
REM Licensed under the Apache License, Version 2.0 (the "License");
REM you may not use this file except in compliance with the License.
REM You may obtain a copy of the License at
REM
REM http://www.apache.org/licenses/LICENSE-2.0
REM
REM Unless required by applicable law or agreed to in writing, software
REM distributed under the License is distributed on an "AS IS" BASIS,
REM WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
REM See the License for the specific language governing permissions and
REM limitations under the License.
REM don't modify the caller's environment
setlocal
REM Locate apksigner.jar in the directory where apksigner.bat was found and start it.
REM Set up prog to be the path of this script, including following symlinks,
REM and set up progdir to be the fully-qualified pathname of its directory.
set prog=%~f0
@rem Find java.exe
if defined JAVA_HOME goto findJavaFromJavaHome
set JAVA_EXE=java.exe
%JAVA_EXE% -version >NUL 2>&1
if "%ERRORLEVEL%" == "0" goto init
echo.
echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.
exit /b 1
:findJavaFromJavaHome
set JAVA_HOME=%JAVA_HOME:"=%
set JAVA_EXE=%JAVA_HOME%/bin/java.exe
if exist "%JAVA_EXE%" goto init
echo.
echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.
exit /b 1
:init
set jarfile=apksigner.jar
set "frameworkdir=%~dp0"
rem frameworkdir must not end with a dir sep.
set "frameworkdir=%frameworkdir:~0,-1%"
if exist "%frameworkdir%\%jarfile%" goto JarFileOk
set "frameworkdir=%~dp0lib"
if exist "%frameworkdir%\%jarfile%" goto JarFileOk
set "frameworkdir=%~dp0..\framework"
:JarFileOk
set "jarpath=%frameworkdir%\%jarfile%"
set javaOpts=
set args=
REM By default, give apksigner a max heap size of 1 gig and a stack size of 1meg.
rem This can be overridden by using "-JXmx..." and "-JXss..." options below.
set defaultXmx=-Xmx1024M
set defaultXss=-Xss1m
REM Capture all arguments that are not -J options.
REM Note that when reading the input arguments with %1, the cmd.exe
REM automagically converts --name=value arguments into 2 arguments "--name"
REM followed by "value". apksigner has been changed to know how to deal with that.
set params=
:firstArg
if [%1]==[] goto endArgs
set "a=%~1"
REM THIS IS NEW
set "b=%~2"
if [%defaultXmx%]==[] goto notXmx
if "%a:~0,5%" NEQ "-JXmx" goto notXmx
set defaultXmx=
:notXmx
if [%defaultXss%]==[] goto notXss
if "%a:~0,5%" NEQ "-JXss" goto notXss
set defaultXss=
:notXss
REM THIS IS NEW OR CHANGED vvvvvvv
if "%a:~0,2%" NEQ "-J" goto notJ
set javaOpts=%javaOpts% %a:~2%
if "%b%" NEQ "" (
set javaOpts=%javaOpts%=%b%
shift /1
)
shift /1
goto firstArg
REM THIS IS NEW OR CHANGED ^^^^^^^
:notJ
set params=%params% %1
shift /1
goto firstArg
:endArgs
set javaOpts=%javaOpts% %defaultXmx% %defaultXss%
call "%java_exe%" %javaOpts% -jar "%jarpath%" %params%
Then to use it we simply call
apksigner.bat sign --ks NONE --ks-type AzureKeyVault --ks-key-alias "alias1" --ks-pass pass: --ks-provider-class com.azure.security.keyvault.jca.KeyVaultJcaProvider
--next-signer --ks NONE --ks-type AzureKeyVault --ks-key-alias "alias2" --ks-pass pass: --ks-provider-class com.azure.security.keyvault.jca.KeyVaultJcaProvider
--lineage "pathtolineagefile" --rotation-min-sdk-version 28 --v -in my.apk -out my.signed.apk
-J--module-path="""path to azure-security-keyvault-jca-2.10.0.jar"""
-J--add-modules="""com.azure.security.keyvault.jca"""
-J-Dazure.keyvault.uri="YOUR KEYVAULT URI"
-J-Dazure.keyvault.tenant-id="YOUR APP TENANT ID"
-J-Dazure.keyvault.client-id="YOUR APP CLIENT ID"
-J-Dazure.keyvault.client-secret="YOUR APP CLIENT SECRET"
Details on the JCA here but the examples are all for jarsigner which is fine if you don't need a lineage. https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/keyvault/azure-security-keyvault-jca/README.md
.................................................
Upvotes: 2
Views: 59
Answers (0)
Related Questions
- How do I correctly code sign using a certificate stored in Azure Key Vault with the trust chain included?
- Azure keyvault get certificate using java
- Azure Storage UseDevelopmentStorage=true when using KeyVault
- Azure KeyVault 403 Forbidden when using Principal Account to access
- Getting Method not found error when accessing to Azure KeyVault
- Get secret from azure keyvault azure Java servlet
- Why do I need a tenant when using @azure/keyvault-keys with @azure/identity, but not when using azure-keyvault?
- Azure KeyVault: Exceptions when using GetSecretAsync
- SDK Manager is executing in cmd but not opening