1# hapsigner Guide 2 3## Build 4 5 1. Check that Gradle 7.1 or later has been installed. 6 7 ```shell 8 gradle -v 9 ``` 10 11 2. Download the code, open the file directory **developtools_hapsigner/hapsigntool**, and run the following command to build the code: 12 13 ```shell 14 gradle build 15 ``` 16 Or 17 ```shell 18 gradle jar 19 ``` 20 21 3. Check that **hap-sign-tool.jar** (binary files) is generated in the **./hap_sign_tool/build/libs** directory. 22 23## How to Development 24 25### When to Use 26 27The OpenHarmony system has a built-in KeyStore (KS) file named **OpenHarmony.p12**. This file contains the root CA certificate, intermediate CA certificate, and end-entity certificate information. The hapsigner tool signs the OpenHarmony applications based on this KS file. 28 29The usage of hapsigner varies depending on whether an application signing certificate is available. 30 31- If no signing certificate is available for your application, you can use this tool to generate a key pair for signing, generate an application signing certificate, sign the profile, and sign the application. 32- If a signing certificate is available for your application, you need to sign the profile, and use the application signing certificate and the local KS file (containing the corresponding key) to sign your application. 33 34### Command Description 35 361. Display command help information. 37 38 ``` 39 -help # If no parameter is specified, the command help information is displayed by default. 40 ``` 41 422. Display version information 43 44 ``` 45 -version # Display the tool version information. 46 ``` 47 483. Generate a key pair. 49 50 ``` 51 generate-keypair: Generate a key pair. 52 ├── -keyAlias # Key alias. It is mandatory. 53 ├── -keyPwd # Key password. It is optional. 54 ├── -keyAlg # Key algorithm, which can be RSA or ECC. It is mandatory. 55 ├── -keySize # Key length. It is mandatory. The key length is 2048, 3072, or 4096 bits if RSA is used and is NIST-P-256 or NIST-P-384 if ECC is used. 56 ├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory. 57 ├── -keystorePwd # KS password. It is optional. 58 ``` 59 604. Generate a CSR. 61 ``` 62 generate-csr: Generate a CSR. 63 ├── -keyAlias # Key alias. It is mandatory. 64 ├── -keyPwd # Key password. It is optional. 65 ├── -subject # Certificate subject. It is mandatory. 66 ├── -signAlg # Signing algorithm, which can be SHA256withRSA, SHA384withRSA, SHA256withECDSA, or SHA384withECDSA. It is mandatory. 67 ├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory. 68 ├── -keystorePwd # KS password. It is optional. 69 ├── -outFile # CSR to generate. It is optional. If you do not specify this parameter, the CSR is output to the console. 70 ``` 71 725. Generate a root CA or intermediate CA certificate. 73 74 ``` 75 generate-ca: Generate a root CA or intermediate CA certificate. If the key does not exist, generate a key together with the certificate. 76 ├── -keyAlias # Key alias. It is mandatory. 77 ├── -keyPwd # Key password. It is optional. 78 ├── -keyAlg # Key algorithm, which can be RSA or ECC. It is mandatory. 79 ├── -keySize # Key length. It is mandatory. The key length is 2048, 3072, or 4096 bits if RSA is used and is NIST-P-256 or NIST-P-384 if ECC is used. 80 ├── -issuer # Issuer of the certificate. It is optional. It indicates a root CA certificate if not specified. 81 ├── -issuerKeyAlias # Key alias of the issuer. It is optional. It indicates a root CA certificate if not specified. 82 ├── -issuerKeyPwd # Key password of the issuer. It is optional. 83 ├── -subject # Certificate subject. It is mandatory. 84 ├── -validity # Validity period of the certificate. It is optional. The default value is 3650 days. 85 ├── -signAlg # Signing algorithm, which can be SHA256withRSA, SHA384withRSA, SHA256withECDSA, or SHA384withECDSA. It is mandatory. 86 ├── -basicConstraintsPathLen # Path length. It is optional. The default value is 0. 87 ├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory. 88 ├── -keystorePwd # KS password. It is optional. 89 ├── -issuerKeystoreFile # KS file of the issuer, in JKS or P12 format. It is optional. 90 ├── -issuerKeystorePwd # KS password of the issuer. It is optional. 91 ├── -outFile # File to generate. It is optional. The file is output to the console if this parameter is not specified. 92 ``` 93 946. Generate an application debug or release certificate. 95 96 ``` 97 generate-app-cert: Generate an application debug or release certificate. 98 ├── -keyAlias # Key alias. It is mandatory. 99 ├── -keyPwd # Key password. It is optional. 100 ├── -issuer # Issuer of the certificate. It is mandatory. 101 ├── -issuerKeyAlias # Key alias of the issuer. It is mandatory. 102 ├── -issuerKeyPwd # Key password of the issuer. It is optional. 103 ├── -subject # Certificate subject. It is mandatory. 104 ├── -validity # Validity period of the certificate. It is optional. The default value is 3650 days. 105 ├── -signAlg # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA. 106 ├── -issuerKeystoreFile # KS file of the issuer, in JKS or P12 format. It is optional. 107 ├── -issuerKeystorePwd # KS password of the issuer. It is optional. 108 ├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory. 109 ├── -keystorePwd # KS password. It is optional. 110 ├── -outForm # Format of the certificate to generate. It is optional. The value can be cert or certChain. The default value is certChain. 111 ├── -rootCaCertFile # Root CA certificate, which is mandatory when outForm is certChain. 112 ├── -subCaCertFile # Intermediate CA certificate, which is mandatory when outForm is certChain. 113 ├── -outFile # Certificate file (certificate or certificate chain) to generate. It is optional. The file is output to the console if this parameter is not specified. 114 ``` 115 1167. Generate a profile debug or release certificate. 117 118 ``` 119 generate-profile-cert: Generate a profile debug or release certificate. 120 ├── -keyAlias # Key alias. It is mandatory. 121 ├── -keyPwd # Key password. It is optional. 122 ├── -issuer # Issuer of the certificate. It is mandatory. 123 ├── -issuerKeyAlias # Key alias of the issuer. It is mandatory. 124 ├── -issuerKeyPwd # Key password of the issuer. It is optional. 125 ├── -subject # Certificate subject. It is mandatory. 126 ├── -validity # Validity period of the certificate. It is optional. The default value is 3650 days. 127 ├── -signAlg # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA. 128 ├── -issuerKeystoreFile # KS file of the issuer, in JKS or P12 format. It is optional. 129 ├── -issuerKeystorePwd # KS password of the issuer. It is optional. 130 ├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory. 131 ├── -keystorePwd # KS password. It is optional. 132 ├── -outForm # Format of the certificate to generate. It is optional. The value can be cert or certChain. The default value is certChain. 133 ├── -rootCaCertFile # Root CA certificate, which is mandatory when outForm is certChain. 134 ├── -subCaCertFile # Intermediate CA certificate, which is mandatory when outForm is certChain. 135 ├── -outFile # Certificate file (certificate or certificate chain) to generate. It is optional. The file is output to the console if this parameter is not specified. 136 ``` 137 1388. Generate a common certificate, which can be used to generate a custom certificate. 139 140 ``` 141 generate-cert: Generate a common certificate, which can be used to generate a custom certificate. 142 ├── -keyAlias # Key alias. It is mandatory. 143 ├── -keyPwd # Key password. It is optional. 144 ├── -issuer # Issuer of the certificate. It is mandatory. 145 ├── -issuerKeyAlias # Key alias of the issuer. It is mandatory. 146 ├── -issuerKeyPwd # Key password of the issuer. It is optional. 147 ├── -subject # Certificate subject. It is mandatory. 148 ├── -validity # Validity period of the certificate. It is optional. The default value is 1095 days. 149 ├── -keyUsage # Usages of the key. It is mandatory. The key usages include digitalSignature, nonRepudiation, keyEncipherment, 150 ├ dataEncipherment, keyAgreement, certificateSignature, crlSignature, 151 ├ encipherOnly, and decipherOnly. Use a comma (,) to separate multiple values. 152 ├── -keyUsageCritical # Whether keyUsage is a critical option. It is optional. The default value is true. 153 ├── -extKeyUsage # Extended key usages. It is optional. The extended key usages include clientAuthentication, serverAuthentication, 154 ├ codeSignature, emailProtection, smartCardLogin, timestamp, and ocspSignature. 155 ├── -extKeyUsageCritical # Whether extKeyUsage is a critical option. It is optional. The default value is false. 156 ├── -signAlg # Signing algorithm, which can be SHA256withRSA, SHA384withRSA, SHA256withECDSA, or SHA384withECDSA. It is mandatory. 157 ├── -basicConstraints # Whether basicConstraints is contained. It is optional. The default value is false. 158 ├── -basicConstraintsCritical # Whether basicConstraints is a critical option. It is optional. The default value is false. 159 ├── -basicConstraintsCa # Whether it is CA. It is optional. The default value is false. 160 ├── -basicConstraintsPathLen # Path length. It is optional. The default value is 0. 161 ├── -issuerKeystoreFile # KS file of the issuer, in JKS or P12 format. It is optional. 162 ├── -issuerKeystorePwd # KS password of the issuer. It is optional. 163 ├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory. 164 ├── -keystorePwd # KS password. It is optional. 165 ├── -outFile # Certificate file to generate. It is optional. The file is output to the console if this parameter is not specified. 166 ``` 167 1689. Sign a profile. 169 170 ``` 171 sign-profile: Sign a profile. 172 ├── -mode # Signing mode, which can be localSign or remoteSign. It is mandatory. 173 ├── -keyAlias # Key alias. It is mandatory. 174 ├── -keyPwd # Key password. It is optional. 175 ├── -profileCertFile # Profile signing certificate (certificate chain, in the end-entity certificate, intermediate CA certificate, and root certificate order). It is mandatory. 176 ├── -inFile # Raw profile template in JSON format (developtools_hapsigner/autosign/UnsgnedReleasedProfileTemplate.json). It is mandatory. 177 ├── -signAlg # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory. 178 ├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory if the signing mode is localSign. 179 ├── -keystorePwd # KS password. It is optional. 180 ├── -outFile # Signed profile to generate, in p7b format. This parameter is mandatory. 181 ``` 182 18310. Verify the signature of the profile. 184 185 ``` 186 verify-profile: Verify the profile signature. 187 ├── -inFile # Signed profile in p7b format. This parameter is mandatory. 188 ├── -outFile # Verification result file (including the verification result and profile content), in json format. It is optional. The file is output to the console if this parameter is not specified. 189 ``` 190 19111. Sign a HAP and a debugging tool. 192 193 ``` 194 sign-app: Sign a HAP and a debugging tool. 195 ├── -mode # Signing mode, which can be localSign, remoteSign, or remoteResign. It is mandatory. 196 ├── -keyAlias # Key alias. It is mandatory. 197 ├── -keyPwd # Key password. It is optional. 198 ├── -appCertFile # Application signing certificate (certificate chain, in the end-entity certificate, intermediate CA certificate, and root certificate order). It is mandatory. 199 ├── -profileFile # Signed profile in p7b format. This parameter is mandatory. 200 ├── -profileSigned # Whether the profile is signed. The value 1 means the profile is signed, and value 0 means the opposite. The default value is 1. This parameter is optional. 201 ├── -inForm # Format of the file to be signed. The value can be zip, elf, or bin. The default value is zip. This parameter is optional. 202 ├── -inFile # Raw application package, in HAP or .bin format. It is mandatory. 203 ├── -signAlg # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory. 204 ├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory if the signing mode is localSign. 205 ├── -keystorePwd # KS password. It is optional. 206 ├── -outFile # Signed HAP file to generate. It is mandatory. 207 ├── -signCode # Whether to enable code signing. The value 1 means to enable code signing; the value 0 means the opposite. The default value is 1. This parameter is optional. 208 ``` 209 21012. Verify the signature of a HAP and debugging tool. 211 212 ``` 213 verify-app: Verify the signature of a HAP and debugging tool. 214 ├── -inFile # Signed application file, in HAP or bin format. It is mandatory. 215 ├── -outCertchain # Signed certificate chain file. It is mandatory. 216 ├── -outProfile # Profile of the application. It is mandatory. 217 ├── -inForm # Format of the file to be signed. The value can be zip, elf, or bin. The default value is zip. This parameter is optional. 218 ``` 219 220### Signing Procedure 221The process of signing a HAP is as follows: 222 2231. Generate a key pair for an application signing certificate. 2242. Generate an application signing certificate. 2253. Sign the profile. 2264. Sign the HAP. 227 228 229> **NOTE** 230> 231> - For security purposes, use ECC to generate the key pair in step 1. Avoid using RSA. 232> - You are advised to place the HAP to be signed, profile, **OpenHarmony.p12**, root CA certificate, intermediate CA certificate, and hapsigner in the same directory for easy operation. The following files exist in [**developtools_hapsigner/autosign/result**](https://gitee.com/openharmony/developtools_hapsigner/tree/master/autosign/result):<br>- **OpenHarmony.p12** (OpenHarmony keystore file)<br>- **rootCA.cer** (root CA certificate)<br>- **subCA.cer** (intermediate CA certificate)<br>- **OpenHarmonyProfileRelease.pem** (profile signing certificate) 233 2341. **Generate a key pair for the application signing certificate.** 235 236 Generate a key pair and save it to the KS. 237 238 Example: 239 240 ```shell 241 java -jar hap-sign-tool.jar generate-keypair -keyAlias "oh-app1-key-v1" -keyAlg "ECC" -keySize "NIST-P-256" -keystoreFile "OpenHarmony.p12" -keyPwd "123456" -keystorePwd "123456" 242 ``` 243 244 > **NOTE** 245 > 246 > Record the values of **keyAlias**, **keyStorePwd**, and **keyPwd**. These values will be used when the application signing certificate is generated and the HAP is signed. 247 248 The command parameters are described as follows: 249 250 ``` 251 generate-keypair: Generate a key pair for the application signing certificate. 252 ├── -keyAlias # Alias of the key used to generate the application signing certificate. It is stored in the OpenHarmony.p12 file. This parameter is mandatory. 253 ├── -keyAlg # Key algorithm. It is mandatory. ECC is recommended. 254 ├── -keySize # Key length. It is NIST-P-256/NIST-P-384 if ECC is used. This parameter is mandatory. 255 ├── -keyStoreFile # KS file. OpenHarmony.p12 is recommended. This parameter is mandatory. 256 ├── -keyStorePwd # KS password. It is mandatory. The default password 123456 for OpenHarmony.p12. 257 ├── -keyPwd # Key password. It is optional. If this parameter is not specified, the generated key pair has no password. 258 ``` 259 2602. **Generate an application signing certificate.** 261 262 Use the local intermediate CA certificate to issue an application signing certificate. 263 264 Example: 265 266 ```shell 267 java -jar hap-sign-tool.jar generate-app-cert -keyAlias "oh-app1-key-v1" -signAlg "SHA256withECDSA" -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Team,CN= OpenHarmony Application CA" -issuerKeyAlias "openharmony application ca" -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Team,CN=OpenHarmony Application Release" -keystoreFile "OpenHarmony.p12" -subCaCertFile "subCA.cer" -rootCaCertFile "rootCA.cer" -outForm "certChain" -outFile "app1.pem" -keyPwd "123456" -keystorePwd "123456" -issuerKeyPwd "123456" -validity "365" 268 ``` 269 270 The command parameters are described as follows: 271 272 ``` 273 generate-app-cert: Generate an application signing certificate. 274 ├── -keyAlias # Key alias, which must be the same as that in the previous step. 275 ├── -signAlg # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory. 276 ├── -issuer # Issuer of the certificate. Enter the issuer of the intermediate CA certificate. It is mandatory and cannot be changed. 277 ├── -issuerKeyAlias # Key alias of the issuer. Enter the alias of the intermediate CA certificate key. This parameter is mandatory and cannot be changed. 278 ├── -subject # Subject of the certificate. Enter the subject in the same sequence specified in the command. This parameter is mandatory. 279 ├── -issuerKeyPwd # Key password of the issuer. Enter the key password of the intermediate CA certificate. It is mandatory and cannot be changed. In this example, it is 123456. 280 ├── -keystoreFile # KS file. Use OpenHarmony.p12. It is mandatory and cannot be changed. 281 ├── -rootCaCertFile # Root certificate. It is mandatory and cannot be changed. 282 ├── -subCaCertFile # Intermediate CA certificate. This parameter is mandatory and cannot be modified. 283 ├── -outForm # Format of the certificate file to generate. certChain is recommended. 284 ├── -outFile # File to generate. It is optional. The file is output to the console if this parameter is not specified. 285 ├── -keyPwd # Key password. It is optional. It is the key password set when the key pair is generated. 286 ├── -keystorePwd # KS password. The default value is 123456. 287 ├── -validity # Validity period of the certificate. It is optional. The default value is 3650 days. 288 ``` 289 2903. **Sign the profile.** 291 292 Call the profile signing API to sign the profile using the profile signing key. 293 294 Example: 295 296 ```shell 297 java -jar hap-sign-tool.jar sign-profile -keyAlias "openharmony application profile release" -signAlg "SHA256withECDSA" -mode "localSign" -profileCertFile "OpenHarmonyProfileRelease.pem" -inFile "UnsgnedReleasedProfileTemplate.json" -keystoreFile "OpenHarmony.p12" -outFile "app1-profile.p7b" -keyPwd "123456" -keystorePwd "123456" 298 ``` 299 300 The command parameters are described as follows: 301 302 ``` 303 sign-profile: Sign a profile. 304 ├── -keyAlias # Alias of the key for generating the profile certificate. It is mandatory and cannot be changed. 305 ├── -signAlg # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory. 306 ├── -mode # Signing mode, which must be localSign. It is mandatory. 307 ├── -profileCertFile # Profile signing certificate. Use the certificate provided. It is mandatory and cannot be changed. 308 ├── -inFile # Raw profile template in JSON format (developtools_hapsigner/autosign/UnsgnedReleasedProfileTemplate.json). It is mandatory. 309 ├── -keystoreFile # KS file. Use OpenHarmony.p12. It is mandatory and cannot be changed. 310 ├── -outFile # Signed profile to generate, in p7b format. This parameter is mandatory. 311 ├── -keyPwd # Key password. The default key password in OpenHarmony.p12 is 123456. 312 ├── -keystorePwd # KS password. The default key password in OpenHarmony.p12 is 123456. 313 ``` 314 3154. **Sign the HAP.** 316 317 Use the application signature key to sign the HAP. 318 319 Example: 320 321 ```shell 322 java -jar hap-sign-tool.jar sign-app -keyAlias "oh-app1-key-v1" -signAlg "SHA256withECDSA" -mode "localSign" -appCertFile "app1.pem" -profileFile "app1-profile.p7b" -inFile "app1-unsigned.zip" -keystoreFile "OpenHarmony.p12" -outFile "app1-signed.hap" -keyPwd "123456" -keystorePwd "123456" 323 ``` 324 > **NOTE** 325 > 326 > The following parameters are used when there is no application signing certificate available. If the application signing certificate is available, the following parameters must be modified. 327 > -**keyAlias**: Enter the key alias of the application signing certificate. This parameter is mandatory. <br/> 328 > -**appCertFile**: Enter the application signing certificate. This parameter is mandatory.<br/> 329 > -**keystoreFile**: Enter the KS file of the application signing certificate. This parameter is mandatory. <br/> 330 > -**keyPwd**: Enter the key password in the KS file. <br/> 331 > -**keystorePwd**: Enter the KS password in the KS file. 332 333 The command parameters are described as follows: 334 335 ``` 336 sign-app: Sign a HAP. 337 ├──-keyAlias # Key alias, which must be the same as the alias of the key pair generated. This parameter is mandatory. 338 ├── -signAlg # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory. 339 ├── -mode # Signing mode, which must be localSign. It is mandatory. 340 ├── -appCertFile # Application signing certificate (certificate chain, in the end-entity certificate, intermediate CA certificate, and root certificate order). Enter the application signing certificate generated in step 2. This parameter is mandatory. 341 ├── -profileFile # Signed profile in p7b format. Enter the profile generated. This parameter is mandatory. 342 ├── -inFile # Raw application package. It is mandatory. 343 ├── -keystoreFile # KS file, which must be the same as the KS file generated. It is mandatory and cannot be changed. 344 ├── -outFile # Signed file to generate. It is mandatory. 345 ├── -keyPwd # Key password, which must be the actual key password. 346 ├── -keystorePwd # KS password, which must be the actual KS password. 347 ``` 348 349 350## FAQs 351 3521. When the application signing certificate is generated, the console displays the result but no file is output. 353 354 - **Symptom** 355 356 When the tool is used to generate an application signing certificate, the certificate content is displayed on the console and no certificate is generated. 357 358 - **Possible Causes** 359 360 The path in the **outFile** parameter is incorrect, or the hyphen (-) in **-outFile** is not an English character. 361 362 - **Solution** 363 364 Check and correct the value of **outFile**, and ensure the hyphen (-) in **-outFile** is an English character. 365 3662. Failed to sign a profile. 367 368 - **Symptom** 369 370 When the tool is used to sign a profile, any of the following information is displayed: 371 372 (1) "SIGN_ERROR, code: 107. Details: Failed to verify signature: Wrong key usage" 373 374 (2) "NOT_SUPPORT_ERROR, code: 105. Details: Profile cert 'result\profile1.pem' must a cert chain" 375 376 (3) "VERIFY_ERROR, code: 108. Details: Failed to verify signature: unable to find valid certification path to requested target" 377 378 - **Possible Causes** 379 380 (1) The certificate chain of the profile signing certificate is in incorrect order. 381 382 (2) The profile signing certificate is not a certificate chain. 383 384 (3) The certificate subject is in incorrect sequence, or the **-issuerKeyAlias** parameter set to generate the application signing certificate is incorrect. 385 386 - **Solution** 387 388 (1) Check that the certificate chain is in ascending or descending order of seniority. 389 390 (2) Check that the certificate is a certificate chain. 391 392 (3) Check that the certificate subject is in the C, O, OU, and CN order. 393 3943. An error message is displayed when the tool is used to sign a HAP. 395 396 - **Symptom** 397 398 The following information is displayed after the command is executed:<br>NOT_SUPPORT_ERROR, code: 105. Details: SignAlg params is incorrect, signature algorithms include SHA256withECDSA,SHA384withECDSA 399 400 - **Possible Causes** 401 402 The signing algorithm is not supported. Check the value of **signAlg**. 403 404 - **Solution** 405 406 Use ECC to generate a key pair for the application or profile signing certificate. Use SHA256withECDSA or SHA384withECDSA as the HAP signing algorithm. 407 4084. A HAP fails to be signed, and a message is displayed indicating that the CN field of the certificate is empty. 409 410 - **Symptom** 411 412 The message "error: Common name of certificate is empty!" is displayed. 413 414 - **Possible Causes** 415 416 The HAP signing certificate used does not contain the CN field. 417 418 - **Solution** 419 420 The CN field of the HAP signing certificate cannot be empty. Generate a certificate in correct format. 421