• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# hapsigner Guide
2
3## Overview
4
5### Function
6To ensure the integrity and secure source of OpenHarmony applications, the applications must be signed during the build process. Only signed applications can be installed, run, and debugged on real devices. [developtools_hapsigner](https://gitee.com/openharmony/developtools_hapsigner) provides the source code of the OpenHarmony Ability Package (HAP) signing tool - hapsigner. This tool can be used to generate key pairs, certificate signing requests (CSRs), certificates, profile signatures, and HAP signatures.
7
8
9### Key Concepts
10
11The hapsigner tool is implemented based on the Public Key Infrastructure (PKI). Before using this tool, you should understand the following concepts:
12
13 - Asymmetric key pair
14
15    The asymmetric key algorithm is the basis of data signature and signature verification. The hapsigner tool can generate standard asymmetric key pairs, including ECC P384/256 and RSA 2048/3072/4096.
16
17 - CSR
18
19    The CSR contains the public key, subject, and private key signature of a certificate. Before applying for a certificate, you must generate a CSR based on the key pair and submit the CSR to the Certificate Authority (CA).
20 - Certificate
21
22    OpenHarmony uses the RFC5280 standard to build the X.509 certificate trust system. The OpenHarmony certificates used for application signatures are classified into the root CA certificate, intermediate CA certificate, and end-entity certificate (application or profile signing certificate). The application signing certificate indicates the identity of the application developer, which ensures the traceability of the source of the applications. The profile signing certificate is used to verify the signature of the profile, which ensures the integrity of the profile.
23
24 - HAP
25
26    HAP is a package used to deploy an ability, which is the basic unit for OpenHarmony application development. An OpenHarmony application consists of one or more abilities.
27
28 - Profile
29
30    The profile in a HAP contains information such as the authorized certificate permission and device ID.
31
32### Constraints
33
34 - hapsigner is developed in Java and must run in JRE 8.0 or later.
35
36 - The scripts, such as the one-click signature script, are developed in Python, and must run on Python 3.5 or later.
37
38
39
40## Build
41
42 1. Check that Gradle 7.1 has been installed.
43
44    ```shell
45        gradle -v
46    ```
47
48 2. Download the code, open the file directory **developtools_hapsigner/hapsigntool**, and run the following command to build the code:
49
50    ```shell
51        gradle build
52    ```
53     Or
54    ```shell
55        gradle jar
56    ```
57
58 3. Check that **hap-sign-tool.jar** (binary files) is generated in the **./hap_sign_tool/build/libs** directory.
59
60## Usage Guidelines
61
62### When to Use
63
64The OpenHarmony system has a built-in KeyStore (KS) file named **OpenHarmony.p12**. This file contains the root CA certificate, intermediate CA certificate, and end-entity certificate information. The hapsigner tool signs the OpenHarmony applications based on this KS file.
65
66The usage of hapsigner varies depending on whether an application signing certificate is available.
67
68- If no application signing certificate is available:<br/>
69  You need to generate a key pair, generate an application signing certificate, sign the profile, and sign the application.
70- If an application signing certification is available:<br/>
71  You need to sign the profile, and use the application signing certificate and the local KS file (containing the corresponding key) to sign the application.
72
73### Usage
74
75#### Description
761. Display help information.
77
78        -help     # If no parameter is specified, the command help information is displayed by default.
79
802. Display the version information.
81
82        -version  # Display the tool version information.
83
84
853.Generate a key pair.
86
87     generate-keypair: Generate a key pair.
88         ├── -keyAlias          # Key alias. It is mandatory.
89         ├── -keyPwd            # Key password. It is optional.
90         ├── -keyAlg            # Key algorithm, which can be RSA or ECC. It is mandatory.
91         ├── -keySize           # Key length. It is mandatory. The key length is 2048, 3072, or 4096 bits if RSA is used and is NIST-P-256 or NIST-P-384 if ECC is used.
92         ├── -keystoreFile      # KS file, in JKS or P12 format. It is mandatory.
93         ├── -keystorePwd       # KS password. It is optional.
94
954.Generate a CSR.
96
97    generate-csr: Generate a CSR.
98         ├── -keyAlias          # Key alias. It is mandatory.
99         ├── -keyPwd            # Key password. It is optional.
100         ├── -subject           # Certificate subject. It is mandatory.
101         ├── -signAlg           # Signature algorithm, which can be SHA256withRSA, SHA384withRSA, SHA256withECDSA, or SHA384withECDSA. It is mandatory.
102         ├── -keystoreFile      # KS file, in JKS or P12 format. It is mandatory.
103         ├── -keystorePwd       # KS password. It is optional.
104         ├── -outFile           # CSR to generate. It is optional. If you do not specify this parameter, the CSR is output to the console.
105
1065.Generate a root CA or intermediate CA certificate.
107
108    generate-ca: Generate a root CA or intermediate CA certificate. If the key does not exist, generate a key together with the certificate.
109         ├── -keyAlias                        # Key alias. It is mandatory.
110         ├── -keyPwd                          # Key password. It is optional.
111         ├── -keyAlg                          # Key algorithm, which can be RSA or ECC. It is mandatory.
112         ├── -keySize                         # Key length. It is mandatory. The key length is 2048, 3072, or 4096 bits if RSA is used and is NIST-P-256 or NIST-P-384 if ECC is used.
113         ├── -issuer                          # Issuer of the certificate. It is optional. It indicates a root CA certificate if not specified.
114         ├── -issuerKeyAlias                  # Key alias of the issuer. It is optional. It indicates a root CA certificate if not specified.
115         ├── -issuerKeyPwd                    # Key password of the issuer. It is optional.
116         ├── -subject                         # Certificate subject. It is mandatory.
117         ├── -validity                        # Validity period of the certificate. It is optional. The default value is 3650 days.
118         ├── -signAlg                         # Signature algorithm, which can be SHA256withRSA, SHA384withRSA,  SHA256withECDSA, or SHA384withECDSA. It is mandatory.
119         ├── -basicConstraintsPathLen         # Path length. It is optional. The default value is 0.
120         ├── -keystoreFile                    # KS file, in JKS or P12 format. It is mandatory.
121         ├── -keystorePwd                     # KS password. It is optional.
122         ├── -issuerKeystoreFile              # KS file of the issuer, in JKS or P12 format. It is optional.
123         ├── -issuerKeystorePwd               # KS password of the issuer. It is optional.
124         ├── -outFile                         # File to generate. It is optional. The file is output to the console if this parameter is not specified.
125
1266.Generate an application debug or release certificate.
127
128    generate-app-cert: Generate an application debug or release certificate.
129         ├── -keyAlias                        # Key alias. It is mandatory.
130         ├── -keyPwd                          # Key password. It is optional.
131         ├── -issuer                          # Issuer of the certificate. It is mandatory.
132         ├── -issuerKeyAlias                  # Key alias of the issuer. It is mandatory.
133         ├── -issuerKeyPwd                    # Key password of the issuer. It is optional.
134         ├── -subject                         # Certificate subject. It is mandatory.
135         ├── -validity                        # Validity period of the certificate. It is optional. The default value is 3650 days.
136         ├── -signAlg                         # Signature algoritym, which can be SHA256withECDSA or SHA384withECDSA.
137         ├── -issuerKeystoreFile              # KS file of the issuer, in JKS or P12 format. It is optional.
138         ├── -issuerKeystorePwd               # KS password of the issuer. It is optional.
139         ├── -keystoreFile                    # KS file, in JKS or P12 format. It is mandatory.
140         ├── -keystorePwd                     # KS password. It is optional.
141         ├── -outForm                         # Format of the certificate to generate. It is optional. The value can be cert or certChain. The default value is certChain.
142         ├── -rootCaCertFile                  # Root CA certificate, which is mandatory when outForm is certChain.
143         ├── -subCaCertFile                   # Intermediate CA certificate, which is mandatory when outForm is certChain.
144         ├── -outFile                         # Certificate file (certificate or certificate chain) to generate. It is optional. The file is output to the console if this parameter is not specified.
145
1467.Generate a profile debug or release certificate.
147
148    generate-profile-cert: Generate a profile debug or release certificate.
149         ├── -keyAlias                        # Key alias. It is mandatory.
150         ├── -keyPwd                          # Key password. It is optional.
151         ├── -issuer                          # Issuer of the certificate. It is mandatory.
152         ├── -issuerKeyAlias                  # Key alias of the issuer. It is mandatory.
153         ├── -issuerKeyPwd                    # Key password of the issuer. It is optional.
154         ├── -subject                         # Certificate subject. It is mandatory.
155         ├── -validity                        # Validity period of the certificate. It is optional. The default value is 3650 days.
156         ├── -signAlg                         # Signature algoritym, which can be SHA256withECDSA or SHA384withECDSA.
157         ├── -issuerKeystoreFile              # KS file of the issuer, in JKS or P12 format. It is optional.
158         ├── -issuerKeystorePwd               # KS password of the issuer. It is optional.
159         ├── -keystoreFile                    # KS file, in JKS or P12 format. It is mandatory.
160         ├── -keystorePwd                     # KS password. It is optional.
161         ├── -outForm                         # Format of the certificate to generate. It is optional. The value can be cert or certChain. The default value is certChain.
162         ├── -rootCaCertFile                  # Root CA certificate, which is mandatory when outForm is certChain.
163         ├── -subCaCertFile                   # Intermediate CA certificate, which is mandatory when outForm is certChain.
164         ├── -outFile                         # Certificate file (certificate or certificate chain) to generate. It is optional. The file is output to the console if this parameter is not specified.
165
1668.Generate a common certificate, which can be used to generate a custom certificate.
167
168    generate-cert: Generate a common certificate, which can be used to generate a custom certificate.
169          ├── -keyAlias                         # Key alias. It is mandatory.
170          ├── -keyPwd                           # Key password. It is optional.
171          ├── -issuer                           # Issuer of the certificate. It is mandatory.
172          ├── -issuerKeyAlias                   # Key alias of the issuer. It is mandatory.
173          ├── -issuerKeyPwd                     # Key password of the issuer. It is optional.
174          ├── -subject                          # Certificate subject. It is mandatory.
175          ├── -validity                         # Validity period of the certificate. It is optional. The default value is 1095 days.
176          ├── -keyUsage                         # Usages of the key. It is mandatory. The key usages include digitalSignature, nonRepudiation,
177          ├                                        keyEncipherment, dataEncipherment, keyAgreement, certificateSignature, crlSignature,
178          ├                                        encipherOnly, and decipherOnly. Use a comma (,) to separate multiple values.
179          ├── -keyUsageCritical                 # Whether keyUsage is a critical option. It is optional. The default value is true.
180          ├── -extKeyUsage                      # Extended key usages. It is optional. The extended key usages include clientAuthentication,
181          ├                                        serverAuthentication, codeSignature, emailProtection, smartCardLogin, timestamp, and ocspSignature.
182          ├── -extKeyUsageCritical              # Whether extKeyUsage is a critical option. It is optional. The default value is false.
183          ├── -signAlg                          # Signature algorithm, which can be SHA256withRSA, SHA384withRSA,  SHA256withECDSA, or SHA384withECDSA. It is mandatory.
184          ├── -basicConstraints                 # Whether basicConstraints is contained. It is optional. The default value is false.
185          ├── -basicConstraintsCritical         # Whether basicConstraints is a critical option. It is optional. The default value is false.
186          ├── -basicConstraintsCa               # Whether it is CA. It is optional. The default value is false.
187          ├── -basicConstraintsPathLen          # Path length. It is optional. The default value is 0.
188          ├── -issuerKeystoreFile               # KS file of the issuer, in JKS or P12 format. It is optional.
189          ├── -issuerKeystorePwd                # KS password of the issuer. It is optional.
190          ├── -keystoreFile                     # KS file, in JKS or P12 format. It is mandatory.
191          ├── -keystorePwd                      # KS password. It is optional.
192          ├── -outFile                          # Certificate file to generate. It is optional. The file is output to the console if this parameter is not specified.
193
1949.Sign a profile.
195
196    sign-profile: Sign a profile.
197          ├── -mode            # Signing mode, which can be localSign or remoteSign. It is mandatory.
198          ├── -keyAlias        # Key alias. It is mandatory.
199          ├── -keyPwd          # Key password. It is optional.
200          ├── -profileCertFile # Profile signing certificate (certificate chain, in the end-entity certificate, intermediate CA certificate, and root certificate order). It is mandatory.
201          ├── -inFile          # Raw profile template in JSON format (developtools_hapsigner/autosign/UnsgnedReleasedProfileTemplate.json). It is mandatory.
202          ├── -signAlg         # Signature algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
203          ├── -keystoreFile    # KS file, in JKS or P12 format. It is mandatory if the signing mode is localSign.
204          ├── -keystorePwd     # KS password. It is optional.
205          ├── -outFile         # Signed provisioning profile to generate, in p7b format. It is mandatory.
206
20710.Verify the profile signature.
208
209     verify-profile: Verify the profile signature.
210           ├── -inFile       # Signed provisioning profile, in p7b format. It is mandatory.
211           ├── -outFile      # Verification result file (including the verification result and profile content), in json format. It is optional. The file is output to the console if this parameter is not specified.
212
21311.Sign a HAP.
214
215     sign-app: Sign a HAP.
216          ├── -mode          # Signing mode, which can be localSign, remoteSign, or remoteResign. It is mandatory.
217          ├── -keyAlias      # Key alias. It is mandatory.
218          ├── -keyPwd        # Key password. It is optional.
219          ├── -appCertFile   # Application signing certificate (certificate chain, in the end-entity certificate, intermediate CA certificate, and root certificate order). It is mandatory.
220          ├── -profileFile   # Singed provisioning profile, in p7b format. It is mandatory.
221          ├── -profileSigned # Whether the profile is signed. The value 1 means signed, and value 0 means unsigned. The default value is 1. This parameter is optional.
222          ├── -inForm        # Raw file, in .zip (default) or .bin format. It is optional.
223          ├── -inFile        # Raw application package, in HAP or .bin format. It is mandatory.
224          ├── -signAlg       # Signature algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
225          ├── -keystoreFile  # KS file, in JKS or P12 format. It is mandatory if the signing mode is localSign.
226          ├── -keystorePwd   # KS password. It is optional.
227          ├── -outFile       # Signed HAP file to generate. It is mandatory.
228
22912.Verify the HAP signature.
230
231      verify-app: Verify the HAP signature.
232         ├── -inFile          # Signed application file, in HAP or bin format. It is mandatory.
233         ├── -outCertchain    # Signed certificate chain file. It is mandatory.
234         ├── -outProfile      # Profile of the application. It is mandatory.
235
236### Signing Procedure
237The process of signing a HAP is as follows:
238
2391. Generate a key pair for an application signing certificate.
2402. Generate an application signing certificate.
2413. Sign the profile.
2424. Sign the HAP.
243
244
245> **Precautions** <br>
246 For security purposes, the ECC algorithm is recommended for generating key pairs for application signing signatures. The RSA algorithm is not recommended.<br>
247>  You are advised to place the HAP, profile, KS file **OpenHarmony.p12**, root CA certificate, intermediate CA certificate, and hapsigner in the same directory for easy operation.
248>  The [**developtools_hapsigner/autosign/result**](https://gitee.com/openharmony/developtools_hapsigner/tree/master/autosign/result) directory has the following files:<br/>-&nbsp;OpenHarmony KS file **OpenHarmony.p12** <br/>-&nbsp;Root CA certificate **rootCA.cer**<br/>-&nbsp;Intermediate CA certificate **subCA.cer**<br/>-&nbsp;Profile signing certificate **OpenHarmonyProfileRelease.pem**
249
250
251**1. Generate a key pair for the application signing certificate.**
252
253Generate a signature key pair and save it to the KS.
254
255Example:
256```shell
257java -jar hap-sign-tool.jar generate-keypair -keyAlias "oh-app1-key-v1" -keyAlg "ECC"  -keySize "NIST-P-256" -keystoreFile "OpenHarmony.p12" -keyPwd "123456" -keystorePwd "123456"
258```
259  > ![icon-note.gif](../public_sys-resources/icon-note.gif) **NOTE**<br>Record the values of **keyAlias**, **keyStorePwd**, and **keyPwd**. These values will be used when the application signing certificate is generated and the HAP is signed.
260
261The command parameters are described as follows:
262
263      generate-keypair: Generate a key pair for the application signing certificate.
264          ├── -keyAlias         # Alias of the key used to generate the application signing certificate. It is stored in the OpenHarmony.p12 file. This parameter is mandatory.
265          ├── -keyAlg           # Key algorithm. It is mandatory. ECC is recommended.
266          ├── -keySize          # Key length. It is NIST-P-256/NIST-P-384 if ECC is used. This parameter is mandatory.
267          ├── -keyStoreFile     # KS file. OpenHarmony.p12 is recommended. This parameter is mandatory.
268          ├── -keyStorePwd      # KS password. It is mandatory. The default password 123456 for OpenHarmony.p12.
269          ├── -keyPwd           # Key password. It is optional. If this parameter is not specified, the generated key pair has no password.
270
271
272
273**2. Generate an application signing certificate.**
274
275Use the local intermediate CA certificate to issue an application signing certificate.
276
277Example:
278
279```shell
280java -jar hap-sign-tool.jar generate-app-cert -keyAlias "oh-app1-key-v1" -signAlg "SHA256withECDSA"  -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Team,CN= OpenHarmony Application CA" -issuerKeyAlias "openharmony application ca" -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Team,CN=OpenHarmony Application Release" -keystoreFile "OpenHarmony.p12" -subCaCertFile "subCA.cer" -rootCaCertFile "rootCA.cer" -outForm "certChain" -outFile "app1.pem" -keyPwd "123456" -keystorePwd "123456" -issuerKeyPwd "123456" -validity "365"
281```
282The command parameters are described as follows:
283
284     generate-app-cert: Generate an application signing certificate.
285         ├── -keyAlias         # Key alias, which must be the same as that in the previous step.
286         ├── -signAlg          # Signature algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
287         ├── -issuer           #  Issuer of the certificate. Enter the issuer of the intermediate CA certificate. It is mandatory and cannot be changed.
288         ├── -issuerKeyAlias   # Key alias of the issuer. Enter the key alias of the intermediate CA certificate. This parameter is mandatory and cannot be changed.
289         ├── -subject          # Subject of the certificate. Enter the subject in the same sequence specified in the command. This parameter is mandatory.
290         ├── -issuerKeyPwd     # Key password of the issuer. Enter the key password of the intermediate CA certificate. It is mandatory and cannot be changed. In this example, it is 123456.
291         ├── -keystoreFile     # KS file. Use OpenHarmony.p12. It is mandatory and cannot be changed.
292         ├── -rootCaCertFile   # Root certificate. It is mandatory and cannot be changed.
293         ├── -subCaCertFile    # Intermediate CA certificate provided. This parameter is mandatory and cannot be changed.
294         ├── -outForm          # Format of the certificate file to generate. certChain is recommended.
295         ├── -outFile          # File to generate. It is optional. The file is output to the console if this parameter is not specified.
296         ├── -keyPwd           # Key password. It is optional. It is the key password set when the key pair is generated.
297         ├── -keystorePwd      # KS password. The default value is 123456.
298         ├── -validity         # Validity period of the certificate. It is optional. The default value is 3650 days.
299  <br/>
300
301**3. Sign the profile.**
302
303Use the profile signature key to sign the profile.
304
305Example:
306
307```shell
308java -jar hap-sign-tool.jar  sign-profile -keyAlias "openharmony application profile release" -signAlg "SHA256withECDSA" -mode "localSign" -profileCertFile "OpenHarmonyProfileRelease.pem" -inFile "UnsgnedReleasedProfileTemplate.json" -keystoreFile "OpenHarmony.p12" -outFile "app1-profile.p7b" -keyPwd "123456" -keystorePwd "123456"
309```
310The command parameters are described as follows:
311
312      sign-profile: Sign a profile.
313         ├── -keyAlias         # Alias of the key for generating the profile certificate. It is mandatory and cannot be changed.
314         ├── -signAlg          # Signature algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
315         ├── -mode             # Signing mode, which must be localSign. It is mandatory.
316         ├── -profileCertFile  # Profile signing certificate. Use the certificate provided. It is mandatory and cannot be changed.
317         ├── -inFile           # Raw profile template in JSON format (developtools_hapsigner/autosign/UnsgnedReleasedProfileTemplate.json). It is mandatory.
318         ├── -keystoreFile     # KS file. Use OpenHarmony.p12. It is mandatory and cannot be changed.
319         ├── -outFile          # Signed provisioning profile in p7b format to generate. It is mandatory.
320         ├── -keyPwd           # Key password. The default key password in OpenHarmony.p12 is 123456.
321         ├── -keystorePwd      # KS password. The default key password in OpenHarmony.p12 is 123456.
322 <br/>
323
324**4. Sign the HAP.**
325
326Use the application signature key to sign the HAP.
327
328Example:
329```shell
330java -jar hap-sign-tool.jar sign-app -keyAlias "oh-app1-key-v1" -signAlg "SHA256withECDSA" -mode "localSign" -appCertFile "app1.pem" -profileFile "app1-profile.p7b" -inFile "app1-unsigned.zip" -keystoreFile "OpenHarmony.p12" -outFile "app1-signed.hap" -keyPwd "123456" -keystorePwd "123456"
331```
332
333 > ![icon-note.gif](../public_sys-resources/icon-note.gif) **NOTE**:<br>The following parameters used are for the scenario where there is no application signing certificate available. If the application signing certificate is available, the following parameters need to be modified:<br>
334-**keyAlias**: Enter the key alias of the application signing certificate. This parameter is mandatory. <br>
335-**appCertFile**: Enter the application signing certificate. This parameter is mandatory.<br>
336-**keystoreFile**: Enter the KS file of the application signing certificate. This parameter is mandatory. <br>
337-**keyPwd**: Enter the key password in the KS file. <br>
338-**keystorePwd**: Enter the KS password in the KS file.<br>
339
340The command parameters are described as follows:
341
342      sign-app: Sign a HAP.
343         ├──-keyAlias          # Key alias, which must be the same as the alias of the key pair generated. This parameter is mandatory.
344         ├── -signAlg          # Signature algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
345         ├── -mode             # Signing mode, which must be localSign. It is mandatory.
346         ├── -appCertFile      # Application signing certificate (certificate chain, in the end-entity certificate, intermediate CA certificate, and root certificate order). Enter the application signing certificate generated in step 2. This parameter is mandatory.
347         ├── -profileFile      # Signed provisioning profile in p7b format. Enter the profile generated. This parameter is mandatory.
348         ├── -inFile           # Raw application package. It is mandatory.
349         ├── -keystoreFile     # KS file, which must be the same as the KS file generated. It is mandatory and cannot be changed.
350         ├── -outFile          # Signed file to generate. It is mandatory.
351         ├── -keyPwd           # Key password, which must be the actual key password.
352         ├── -keystorePwd      # KS password, which must be the actual KS password.
353
354
355
356
357
358
359
360
361
362## FAQs
363
364**1. When the application signing certificate is generated, the console displays the result but no file is output.**
365
366 - **Symptom**
367
368   When the tool is used to to generate an application signing certificate, the certificate content is displayed on the console and no certificate is generated.
369
370 - **Possible Causes**
371
372   The path in the **outFile** parameter is incorrect, or the hyphen (-) in **-outFile** is not an English character.
373
374 - **Solution**
375
376   Check and correct the value of **outFile**, and ensure the hyphen (-) in **-outFile** is an English character.
377
378**2. Failed to sign the profile.**
379
380- **Symptom**
381
382  When the tool is used to sign a profile, any of the following information is displayed:
383
384  (1) "SIGN_ERROR, code: 107.Details: Failed to verify signature: Wrong key usage".
385
386  (2) "NOT_SUPPORT_ERROR, code: 105.Details: Profile cert 'result\profile1.pem' must a cert chain".
387
388  (3) "VERIFY_ERROR, code: 108.Details: Failed to verify signature: unable to find valid certification path to requested target"
389
390
391- **Possible Causes**
392
393  The possible causes for the error messages are as follows:
394
395  (1) The certificate chain of the profile signing certificate is in incorrect order.
396
397  (2) The profile signing certificate is not a certificate chain.
398
399  (3) The certificate subject is in incorrect sequence, or the **-issuerKeyAlias** parameter set to generate the application signing certificate is incorrect.
400
401- **Solution**
402
403  (1) Check that the certificate chain is in ascending or descending order of seniority.
404
405  (2) Check that the certificate is a certificate chain.
406
407  (3) Check that the certificate subject is in the C, O, OU, and CN order.
408
409**3. An error message is displayed when the tool is used to sign a HAP.**
410
411 - **Symptom**
412
413   The following error message is displayed: "NOT_SUPPORT_ERROR, code: 105.Details: SignAlg params is incorrect, signature algorithms include SHA256withECDSA,SHA384withECDSA
414
415 - **Possible Causes**
416
417   The signature algorithm is not supported. Check the value of **signAlg**.
418
419 - **Solution**
420
421   Use ECC to generate the key pair for an application or profile signing certificate. Use **SHA256withECDSA** or **SHA384withECDSA** as the HAP signature algorithm.
422