1# hapsigner 2 3 4 5#### Introduction 6 7To ensure the integrity and secure source of applications, the applications must be signed during the build process. Only signed applications can be installed, run, and debugged on real devices. This repository provides the source code of the HAP signing tool - hapsigner. This tool can be used to generate key pairs, certificate signing requests (CSRs), certificates, profile signatures, and HAP signatures. 8 9 10#### Directory Structure 11 12 developtools_hapsigner 13 14 ├── autosign # One-click signature script. 15 ├── dist # SDK preconfigured file. 16 ├── hapsigntool # Master code. 17 ├──hap_sign_tool # Application entry, used to verify input parameters. 18 ├──hap_sign_tool_lib # Signing tool lib, used to parse command words and parameter lists to implement logic of modules. 19 ├── tools # Auto-test script. 20 21 22 23#### Constraints 24hapsigner is developed in Java and must run in JRE 8.0 or later. 25The scripts, such as the one-click signature script, are developed in Python, and must run on Python 3.x. 26#### Build 27 28 1. Check that Gradle 7.1 has been installed. 29 30 gradle -v 31 32 2. Download the code, open the file directory **developtools_hapsigner/hapsigntool**, and run the following command to build the code: 33 34 gradle build or gradle jar 35 36 3. Check that **hap-sign-tool.jar** (binary files) is generated in the **./hap_sign_tool/build/libs** directory. 37 38**** 39#### Usage 40##### Note 41 42In the following, the JAR package used is the binary files generated during the build process. 43 441. Command line signatures 45 Command line signatures include profile signatures and HAP signatures. 46 47 (1) Sign a profile. 48 49 50```shell 51java -jar hap-sign-tool.jar sign-profile -keyAlias "oh-profile1-key-v1" -signAlg "SHA256withECDSA" -mode "localSign" -profileCertFile "result\profile1.pem" -inFile "app1-profile-release.json" -keystoreFile "result\ohtest.jks" -outFile "result\app1-profile.p7b" -keyPwd "123456" -keystorePwd "123456" 52``` 53The parameters in the command are described as follows: 54 55 sign-profile: Sign a provisioning profile. 56 ├── -mode # Signing mode, which can be localSign or remoteSign. It is mandatory. 57 ├── -keyAlias # Key alias. It is mandatory. 58 ├── -keyPwd # Key password. It is optional. 59 ├── -profileCertFile # Profile signing certificate (certificate chain, in the end-entity certificate, intermediate CA certificate, and root certificate order). It is mandatory. 60 ├── -inFile # Raw provisioning profile. It is mandatory. 61 ├── -signAlg # Signature algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory. 62 ├── -keystoreFile # KeyStore (KS) file, in JKS or P12 format. It is mandatory if the signing mode is localSign. 63 ├── -keystorePwd # KS password. It is optional. 64 ├── -outFile # Signed provisioning profile to generate, in p7b format. It is mandatory. 65 66 67 68(2) Sign a HAP. 69 70 71```shell 72java -jar hap-sign-tool.jar sign-app -keyAlias "oh-app1-key-v1" -signAlg "SHA256withECDSA" -mode "localSign" -appCertFile "result\app1.pem" -profileFile "result\app1-profile.p7b" -inFile "app1-unsigned.zip" -keystoreFile "result\ohtest.jks" -outFile "result\app1-unsigned.hap" -keyPwd "123456" -keystorePwd "123456" 73``` 74The parameters in the command are described as follows: 75 76 sign-app: HAP signature. 77 ├── -mode # Signing mode, which can be localSign or remoteSign. It is mandatory. 78 ├── -keyAlias # Key alias. It is mandatory. 79 ├── -keyPwd # Key password. It is optional. 80 ├── -appCertFile # Application signing certificate (certificate chain, in the end-entity certificate, intermediate CA certificate, and root certificate order). It is mandatory. 81 ├── -profileFile # Singed provisioning profile, in p7b format. It is mandatory. 82 ├── -profileSigned # Whether the profile is signed. The value 1 means signed, and value 0 means unsigned. The default value is 1. It is optional. 83 ├── -inForm # Raw file, in .zip (default) or .bin format. It is optional. 84 ├── -inFile # Raw application package, in .zip or .bin format. It is mandatory. 85 ├── -signAlg # Signature algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory. 86 ├── -keystoreFile # KeyStore (KS) file, in JKS or P12 format. It is mandatory if the signing mode is localSign. 87 ├── -keystorePwd # KS password. It is optional. 88 ├── -outFile # Signed HAP file to generate. It is mandatory. 89 90 912. One-click signature 92 93 94To improve development efficiency, this project also provides one-click signature scripts based on the hapsigner tool. You can use these scripts to easily generate key pairs and end-entity certificates and sign profiles and HAPs, instead of entering complex commands. 95The scripts and configuration files are located in the **autosign** directory. 96 97 - create_root.sh/create_root.bat 98 - create_appcert_sign_profile.sh/create_appcert_sign_profile.bat 99 - sign_hap.sh/sign_hap.bat 100 - createAppCertAndProfile.config 101 - createRootAndSubCert.config 102 - signHap.config 103 104Procedure: 1051. Ensure that Python 3.5 or later has been installed. 1062. Prepare **hap-sign-tool.jar**. For details, see section **Build**. 1073. Prepare the HAP to be signed and the provisioning profile template file. 1084. Use the text editor to open the **createAppCertAndProfile.config** file and **signHap.config** file and change the values of **common.keyPwd** and **common.issuerKeyPwd** to match your case. 1095. Run **create_appcert_sign_profile.sh** in Linux or **create_appcert_sign_profile.bat** in Windows to generate files required for signature. 1106. Run **sign_hap.sh** in Linux or **sign_hap.bat** in Windows to sign the HAP. 111 112 > Note: To generate the KS file, root CA certificate, intermediate CA certificate, and profile signing certificate, perform the following steps: 113 1. Use the text editor to open the **createRootAndSubCert.config** file and change the values of **common.keyPwd** and **common.issuerKeyPwd** to match your case. 114 2. Run **create_root.sh** in Linux or run **create_root.bat** in Windows to generate the required KS file, root CA certificate, intermediate CA certificate, and profile signing certificate. 115 116 117**** 118##### Common Operations 1191.Generate a key pair. 120 121 generate-keypair: Generate a key pair. 122 ├── -keyAlias # Key alias. It is mandatory. 123 ├── -keyPwd # Key password. It is optional. 124 ├── -keyAlg # Key algorithm, which can be RSA or ECC. It is mandatory. 125 ├── -keySize # Key length. It is mandatory. The key length is 2048, 3072, or 4096 bits if RSA is used and is NIST-P-256 or NIST-P-384 if ECC is used. 126 ├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory. 127 ├── -keystorePwd # KS password. It is optional. 128 1292.Generate a CSR. 130 131 generate-csr: Generate a CSR. 132 ├── -keyAlias # Key alias. It is mandatory. 133 ├── -keyPwd # Key password. It is optional. 134 ├── -subject # Certificate subject. It is mandatory. 135 ├── -signAlg # Signature algorithm, which can be SHA256withRSA, SHA384withRSA, SHA256withECDSA, or SHA384withECDSA. It is mandatory. 136 ├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory. 137 ├── -keystorePwd # KS password. It is optional. 138 ├── -outFile # CSR to generate. It is optional. If you do not specify this parameter, the CSR is output to the console. 139 1403.Generate a root CA or intermediate CA certificate. 141 142 generate-ca: Generate a root CA or intermediate CA certificate. If the key does not exist, generate a key together with the certificate. 143 ├── -keyAlias # Key alias. It is mandatory. 144 ├── -keyPwd # Key password. It is optional. 145 ├── -keyAlg # Key algorithm, which can be RSA or ECC. It is mandatory. 146 ├── -keySize # Key length. It is mandatory. The key length is 2048, 3072, or 4096 bits if RSA is used and is NIST-P-256 or NIST-P-384 if ECC is used. 147 ├── -issuer # Issuer of the certificate. It is optional. It indicates a root CA certificate if not specified. 148 ├── -issuerKeyAlias # Key alias of the issuer. It is optional. It indicates a root CA certificate if not specified. 149 ├── -issuerKeyPwd # Key password of the issuer. It is optional. 150 ├── -subject # Certificate subject. It is mandatory. 151 ├── -validity # Validity period of the certificate. It is optional. The default value is 3650 days. 152 ├── -signAlg # Signature algorithm, which can be SHA256withRSA, SHA384withRSA, SHA256withECDSA, or SHA384withECDSA. It is mandatory. 153 ├── -basicConstraintsPathLen # Path length. It is optional. The default value is 0. 154 ├── -issuerKeystoreFile # KS file of the issuer, in JKS or P12 format. It is optional. 155 ├── -issuerKeystorePwd # KS password of the issuer. It is optional. 156 ├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory. 157 ├── -keystorePwd # KS password. It is optional. 158 ├── -outFile # File to generate. It is optional. The file is output to the console if this parameter is not specified. 159 1604.Generate an application debug or release certificate. 161 162 generate-app-cert: Generate an application debug or release certificate. 163 ├── -keyAlias # Key alias. It is mandatory. 164 ├── -keyPwd # Key password. It is optional. 165 ├── -issuer # Issuer of the certificate. It is mandatory. 166 ├── -issuerKeyAlias # Key alias of the issuer. It is mandatory. 167 ├── -issuerKeyPwd # Key password of the issuer. It is optional. 168 ├── -subject # Certificate subject. It is mandatory. 169 ├── -validity # Validity period of the certificate. It is optional. The default value is 3650 days. 170 ├── -signAlg # Signature algoritym, which can be SHA256withECDSA or SHA384withECDSA. 171 ├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory. 172 ├── -keystorePwd # KS password. It is optional. 173 ├── -issuerKeystoreFile # KS file of the issuer, in JKS or P12 format. It is optional. 174 ├── -issuerKeystorePwd # KS password of the issuer. It is optional. 175 ├── -outForm # Format of the certificate to generate. It is optional. The value can be cert or certChain. The default value is certChain. 176 ├── -rootCaCertFile # Root CA certificate, which is mandatory when outForm is certChain. 177 ├── -subCaCertFile # Intermediate CA certificate, which is mandatory when outForm is certChain. 178 ├── -outFile # Certificate file (certificate or certificate chain) to generate. It is optional. The file is output to the console if this parameter is not specified. 179 1805.Generate a profile debug or release certificate. 181 182 generate-profile-cert: Generate a profile debug or release certificate. 183 ├── -keyAlias # Key alias. It is mandatory. 184 ├── -keyPwd # Key password. It is optional. 185 ├── -issuer # Issuer of the certificate. It is mandatory. 186 ├── -issuerKeyAlias # Key alias of the issuer. It is mandatory. 187 ├── -issuerKeyPwd # Key password of the issuer. It is optional. 188 ├── -subject # Certificate subject. It is mandatory. 189 ├── -validity # Validity period of the certificate. It is optional. The default value is 3650 days. 190 ├── -signAlg # Signature algoritym, which can be SHA256withECDSA or SHA384withECDSA. 191 ├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory. 192 ├── -keystorePwd # KS password. It is optional. 193 ├── -issuerKeystoreFile # KS file of the issuer, in JKS or P12 format. It is optional. 194 ├── -issuerKeystorePwd # KS password of the issuer. It is optional. 195 ├── -outForm # Format of the certificate to generate. It is optional. The value can be cert or certChain. The default value is certChain. 196 ├── -rootCaCertFile # Root CA certificate, which is mandatory when outForm is certChain. 197 ├── -subCaCertFile # Intermediate CA certificate, which is mandatory when outForm is certChain. 198 ├── -outFile # Certificate file (certificate or certificate chain) to generate. It is optional. The file is output to the console if this parameter is not specified. 199 2006.Generate a common certificate, which can be used to generate a custom certificate. 201 202 generate-cert: Generate a common certificate, which can be used to generate a custom certificate. 203 ├── -keyAlias # Key alias. It is mandatory. 204 ├── -keyPwd # Key password. It is optional. 205 ├── -issuer # Issuer of the certificate. It is mandatory. 206 ├── -issuerKeyAlias # Key alias of the issuer. It is mandatory. 207 ├── -issuerKeyPwd # Key password of the issuer. It is optional. 208 ├── -subject # Certificate subject. It is mandatory. 209 ├── -validity # Validity period of the certificate. It is optional. The default value is 1095 days. 210 ├── -keyUsage # Usages of the key. It is mandatory. The key usages include digitalSignature, nonRepudiation, 211 ├ keyEncipherment, dataEncipherment, keyAgreement, certificateSignature, crlSignature, 212 ├ encipherOnly, and decipherOnly. Use a comma (,) to separate multiple values. 213 ├── -keyUsageCritical # Whether keyUsage is a critical option. It is optional. The default value is true. 214 ├── -extKeyUsage # Extended key usages. It is optional. The extended key usages include clientAuthentication, 215 ├ serverAuthentication, codeSignature, emailProtection, smartCardLogin, timestamp, and ocspSignature. 216 ├── -extKeyUsageCritical # Whether extKeyUsage is a critical option. It is optional. The default value is false. 217 ├── -signAlg # Signature algorithm, which can be SHA256withRSA, SHA384withRSA, SHA256withECDSA, or SHA384withECDSA. It is mandatory. 218 ├── -basicConstraints # Whether basicConstraints is contained. It is optional. The default value is false. 219 ├── -basicConstraintsCritical # Whether basicConstraints is a critical option. It is optional. The default value is false. 220 ├── -basicConstraintsCa # Whether it is CA. It is optional. The default value is false. 221 ├── -basicConstraintsPathLen # Path length. It is optional. The default value is 0. 222 ├── -issuerKeystoreFile # KS file of the issuer, in JKS or P12 format. It is optional. 223 ├── -issuerKeystorePwd # KS password of the issuer. It is optional. 224 ├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory. 225 ├── -keystorePwd # KS password. It is optional. 226 ├── -outFile # Certificate file to generate. It is optional. The file is output to the console if this parameter is not specified. 227 2287.Sign a provisioning profile. 229 230 sign-profile: Generate a provisioning profile signature. 231 ├── -mode # Signing mode, which can be localSign or remoteSign. It is mandatory. 232 ├── -keyAlias # Key alias. It is mandatory. 233 ├── -keyPwd # Key password. It is optional. 234 ├── -profileCertFile # Profile signing certificate (certificate chain, in the end-entity certificate, intermediate CA certificate, and root certificate order). It is mandatory. 235 ├── -inFile # Raw provisioning profile. It is mandatory. 236 ├── -signAlg # Signature algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory. 237 ├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory if the signing mode is localSign. 238 ├── -keystorePwd # KS password. It is optional. 239 ├── -outFile # Signed provisioning profile to generate, in p7b format. It is mandatory. 240 2418.Verify the provisioning profile signature. 242 243 verify-profile: Verify the provisioning profile signature. 244 ├── -inFile # Signed provisioning profile, in p7b format. It is mandatory. 245 ├── -outFile # Verification result file (including the verification result and profile content), in json format. It is optional. The file is output to the console if this parameter is not specified. 246 2479.Sign a HAP. 248 249 sign-app: Sign a HAP 250 ├── -mode # Signing mode, which can be localSign, remoteSign, or remoteResign. It is mandatory. 251 ├── -keyAlias # Key alias. It is mandatory. 252 ├── -keyPwd # Key password. It is optional. 253 ├── -appCertFile # Application signing certificate (certificate chain, in the end-entity certificate, intermediate CA certificate, and root certificate order). It is mandatory. 254 ├── -profileFile # Name of the signed provisioning profile. The profile is in p7b format if profileSigned is 1 and in json format if profileSigned is 0. It is mandatory. 255 ├── -profileSigned # Whether the profile is signed. The value 1 means signed, and value 0 means unsigned. The default value is 1. It is optional. 256 ├── -inForm # Raw file, in .zip (default) or .bin format. It is optional. 257 ├── -inFile # Raw application package, in .zip or .bin format. It is mandatory. 258 ├── -signAlg # Signature algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory. 259 ├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory if the signing mode is localSign. 260 ├── -keystorePwd # KS password. It is optional. 261 ├── -outFile # Signed HAP file to generate. It is mandatory. 262 26310.Verify the HAP Signature. 264 265 verify-app: Verify the HAP signature. 266 ├── -inFile # Signed application file, in .zip or .bin format. It is mandatory. 267 ├── -outCertchain # Signed certificate chain file. It is mandatory. 268 ├── -outProfile # Profile of the application. It is mandatory. 269 270 271 272 273#### Repositories Involved 274 N/A 275