README.md
1# Code Signature
2
3## Introduction
4
5The code signature component implements the code signing mechanism of OpenHarmony, which provides validity check and integrity protection for apps in runtime, eliminating execution of malicious code on devices and malicious tampering of app code by attackers.
6
7Architecture of the code signature component
8
9
10
11The code signature component provides the following functions:
12
13- Trusted certificate management: imports the device certificate and local code signing certificate and validates the certificate chain and its trusted source.
14- Code signing enabling: provides APIs in user mode to enable code signing of apps or code files during installation.
15- Local code signing: runs the signing service on the device and provides interfaces to sign local code (e.g. native code generated by the AOT).
16- Code attribute setting: provides APIs for setting the code owner ID and initializing the XPM region.
17
18## Directory Structure
19
20```
21/base/security/code_signature
22├── interfaces # Interface layer
23│ └── innerkits #
24│ ├── code_sign_attr_utils # APIs for setting code signing attributes
25│ ├── code_sign_utils # APIs for enabling code signing
26│ ├── common # Common basic capacities
27│ └── local_code_sign # APIs for local code signing
28├── services # Service layer
29│ ├── key_enable # Certificate initialization
30│ └── local_code_sign # Local code signing service
31├── test # Test cases
32│ ├── fuzztest # Fuzz test cases
33│ └── unittest # Unit test cases
34└── utils # Common basic capabilities
35```
36
37## Usage
38### Available APIs
39
40| **API**| **Description**|
41| --- | --- |
42| int32_t EnforceCodeSignForApp(const EntryMap &entryPath, const std::string &signatureFile); | Enforces code signing for HAPs.|
43| int32_t EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, FileType type); | Enforces code signing for HAPs.|
44| int32_t EnforceCodeSignForFile(const std::string &path, const ByteBuffer &signature); | Enforces code signing for files.|
45| int32_t EnforceCodeSignForAppWithOwnerId(std::string ownerId, const std::string &path, const EntryMap &entryPathMap, FileType type); | Enforces code signing for HAPs with the owner ID.|
46| int ParseOwnerIdFromSignature(const ByteBuffer &sigbuffer, std::string &ownerID); | Parses the owner ID from the signature.|
47| int32_t EnableKeyInProfile(const std::string &bundleName, const ByteBuffer &profileBuffer); | Trusts a developer certificate.|
48| int32_t RemoveKeyInProfile(const std::string &bundleName); | Revokes a trusted developer certificate.|
49| int32_t InitLocalCertificate(ByteBuffer &cert); | Initializes a local code signing certificate.|
50| int32_t SignLocalCode(const std::string &filePath, ByteBuffer &signature); | Signs the local code.|
51| int32_t SignLocalCode(const std::string &ownerID, const std::string &filePath, ByteBuffer &signature); | Signs the local code with the owner ID.|
52| int InitXpmRegion(void); | Initializes the XPM region.|
53| int SetXpmOwnerId(uint32_t idType, const char *ownerId); | Sets an owner ID.|
54
55### Usage Guidelines
56
57[hapsigner User Guide](https://gitee.com/openharmony/developtools_hapsigner/blob/master/README.md)
58
59## Repositories Involved
60
61**[developtools\_hapsigner](https://gitee.com/openharmony/developtools_hapsigner/blob/master/README.md)**
62
63**[kernel_linux_common_modules](https://gitee.com/openharmony/kernel_linux_common_modules)**
64
65**[third\_party\_fsverity-utils](https://gitee.com/openharmony/third_party_fsverity-utils/blob/master/README.md)**
66
README_zh.md
1# 代码签名
2
3## 简介
4
5代码签名部件用于支持OpenHarmony的代码签名机制。OpenHarmony使用代码签名提供运行时应用程序的完整性保护,校验应用来源的合法性。
6
7代码签名部件架构图
8
9
10
11代码签名部件主要提供如下模块功能:
12
13- 可信证书管理:将设备证书和本地签名证书写入内核.fs-verity keyring,支持证书链及其合法路径校验。
14- 代码签名使能:在用户态提供代码签名校验的相关接口和逻辑,供应用安装的时候调用,为应用和代码文件使能代码签名。
15- 本地代码签名:在设备侧运行签名服务给本地代码提供签名接口,为AOT生成的机器码文件生成代码签名。
16- 代码属性设置:支持代码所有者标记及校验,提供配置XPM验签地址区接口。
17
18## 目录
19
20```
21/base/security/code_signature
22├── interfaces # 接口层
23│ └── innerkits #
24│ ├── code_sign_attr_utils # 属性设置接口
25│ ├── code_sign_utils # 使能接口
26│ ├── common # 公共基础能力
27│ └── local_code_sign # 本地签名接口
28├── services # 服务层
29│ ├── key_enable # 证书初始化
30│ └── local_code_sign # 本地签名服务
31├── test # 测试用例
32│ ├── fuzztest # fuzz测试用例
33│ └── unittest # 单元测试用例
34└── utils # 公共基础能力
35```
36
37## 使用
38### 接口说明
39
40| **接口声明** | **接口描述** |
41| --- | --- |
42| int32_t EnforceCodeSignForApp(const EntryMap &entryPath, const std::string &signatureFile); | 对hap使能代码签名 |
43| int32_t EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, FileType type); | 对hap使能代码签名 |
44| int32_t EnforceCodeSignForFile(const std::string &path, const ByteBuffer &signature); | 对文件使能代码签名 |
45| int32_t EnforceCodeSignForAppWithOwnerId(std::string ownerId, const std::string &path, const EntryMap &entryPathMap, FileType type); | 对hap使能代码签名和OwnerId校验 |
46| int ParseOwnerIdFromSignature(const ByteBuffer &sigbuffer, std::string &ownerID); | 从签名中解析OwnerId |
47| int32_t EnableKeyInProfile(const std::string &bundleName, const ByteBuffer &profileBuffer); | 信任开发者证书 |
48| int32_t RemoveKeyInProfile(const std::string &bundleName); | 撤销已信任的开发者证书 |
49| int32_t InitLocalCertificate(ByteBuffer &cert); | 初始化本地签名证书 |
50| int32_t SignLocalCode(const std::string &filePath, ByteBuffer &signature); | 本地代码签名 |
51| int32_t SignLocalCode(const std::string &ownerID, const std::string &filePath, ByteBuffer &signature); | 带OwnerId的本地代码签名 |
52| int InitXpmRegion(void); | 初始化XPM地址 |
53| int SetXpmOwnerId(uint32_t idType, const char *ownerId); | 设置OwnerId |
54
55### 签名工具使用指南
56
57**[使用指南](https://gitee.com/openharmony/developtools_hapsigner/blob/master/README_ZH.md)**
58
59## 相关仓
60
61**[developtools\_hapsigner](https://gitee.com/openharmony/developtools_hapsigner/blob/master/README_ZH.md)**
62
63**[kernel_linux_common_modules](https://gitee.com/openharmony/kernel_linux_common_modules)**
64
65**[third\_party\_fsverity-utils](https://gitee.com/openharmony/third_party_fsverity-utils/blob/master/README_zh.md)**
66
