eclipse Android 开发:Keytool,创建密钥库?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/19753522/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Android Development: Keytool, creating a keystore?
提问by Oliver
I am trying to prepare my app for the google market, but it is proving a lot more challenging than expected. I cannot seem to grasp the whole concept of signing the app, but to be more specific my problem is that I have installed the keytool plugin for eclipse, but when I want to create a certificate it asks me to select a keystore (Enter the filename and keystore password), I don't understand what I am supposed to enter as a file, because it actually wants me to select the file through browse and how do I proceed with the exporting of the file, Google has sadly not come up with very good or clear answers
我正在尝试为谷歌市场准备我的应用程序,但事实证明它比预期的更具挑战性。我似乎无法掌握签署应用程序的整个概念,但更具体地说,我的问题是我已经为 eclipse 安装了 keytool 插件,但是当我想创建证书时,它要求我选择一个密钥库(输入文件名和密钥库密码),我不明白我应该作为文件输入什么,因为它实际上希望我通过浏览选择文件以及如何继续导出文件,遗憾的是谷歌没有想出非常好的或明确的答案
回答by kiruwka
You need to provide location and filename for your new keystore file in case you are creating a new one. Alternatively, you could choose "use existing keystore" and browse to existing keystore file location.
您需要为新密钥库文件提供位置和文件名,以防您创建新密钥库文件。或者,您可以选择“使用现有密钥库”并浏览到现有密钥库文件位置。
Edit: I thought I would provide elaborate answer. Hope this info would be useful.
编辑:我想我会提供详尽的答案。希望这些信息有用。
What is signature and why it is needed.
什么是签名以及为什么需要它。
The apk signature mechanism used by android is an example usage of digital signatureapplied to bytecode and resources of the application to ensure :
android使用的apk签名机制是数字签名应用于字节码和应用程序资源的示例用法,以确保:
- integrity (no tampering with your app after downloading)
- authenticity - You are the one who released the app to GooglePlay
- 完整性(下载后不会篡改您的应用程序)
- 真实性 - 您是将应用发布到 GooglePlay 的人
To better understand digital signatureI suggest you also skim through public-key cryptography.
为了更好地理解数字签名,我建议您还浏览一下public-key cryptography。
How does that work.
这是如何运作的。
Android uses same standard JDK tools used for signature/verification of standard java apps:
Android 使用与标准 Java 应用程序的签名/验证相同的标准 JDK 工具:
- jarsigner- signs data with provided
private key, and verifies data with certificate(i.e. public key bound to your identity) - keytool- manages private keys and certificates in your
keystore. Those keys are needed forjarsigner.
After you sign your application manually with jarsigneror export signed application using your IDE (which uses keytooland jarsignerunder the hood anyway), you can then locate signature-related files placed in META-INFdirectory of your signed .apk archive :
在您jarsigner使用 IDE手动签署您的应用程序或导出已签名的应用程序后(无论如何,它都会使用keytool和jarsigner在幕后),然后您可以找到放置在META-INF您已签名的 .apk 存档目录中的签名相关文件:
- CERT.SF - file containing
SHAhashes of your app components and - CERT.RSA (or .DSA) - digital signature of above mentioned file + public certificate to verify this signature. You can read more details about how singing works here.
- CERT.SF - 包含
SHA应用程序组件哈希值的文件和 - CERT.RSA(或.DSA)-上述文件的数字签名+用于验证此签名的公共证书。您可以在此处阅读有关唱歌工作原理的更多详细信息。
How to properly sign application for release.
如何正确签署释放申请。
This articlevery well describes steps you need to follow.
这篇文章很好地描述了您需要遵循的步骤。
Note: Please consider important pre-release steps before you proceed with signing : logs/ critical string literals removal, obfuscation with proguard, etc.
注:请考虑的重要预发行的步骤,您有签约继续之前:日志/关键字符串文字去除,混淆与ProGuard的,等等。
Below I will provide some key points for the process :
下面我将提供该过程的一些关键点:
Generate your private key and put it in java keystore.
生成您的私钥并将其放入 java keystore。
This may require creating keystorefirst if you don't have one. When creating keystoreyou need to create Keystore password, that is used to ensure integrity of keystoredata (i.e. you will be warned that your keystore is tampered with after someone - not you -has added new certificate to it). Practically, this password is not super crucial if you keep your keystorefile safe. You can get away if you forget it some day.
keystore如果您没有,这可能需要先创建。创建时,keystore您需要创建Keystore password,它用于确保keystore数据的完整性(即,在有人 - 而不是您 - 添加新证书后,您将被警告您的密钥库被篡改)。实际上,如果您保持keystore文件安全,此密码并不是非常重要。如果有一天你忘记了它,你可以逃脱。
When generating private key, you will be also asked to create PrivateKey passwordthat will be used to encrypt your private key inside the keystore. This is the very important password you need to keepas it ensures
生成 时private key,您还将被要求创建PrivateKey password将用于在密钥库中加密您的私钥。这是您需要保留的非常重要的密码,因为它可以确保
- your privatekey is really private. and most importantly
- without this password you won't be able to use you private key to sign and release future updates for your application;
- 你的私钥真的很私密。最重要的是
- 如果没有这个密码,您将无法使用您的私钥来为您的应用程序签名和发布未来的更新;
When you generate your new private key in Eclipse, you will also be asked to provide identity information that is used to create your self-signed certificate.
在 Eclipse 中生成新的私钥时,还会要求您提供用于创建自签名证书的身份信息。
As the next step your private keyfrom specified keystorefile will be used to sign the application and your .apkwill be updated with signature-related files explained above.
作为下一步,您private key的指定keystore文件将用于对应用程序进行签名,并且您.apk将使用上述与签名相关的文件进行更新。
Some important terminology :
一些重要的术语:
Keystoreis simply a single binary file keeping list of your private keys / certificates in a specific format. It is programmatically accessible using API provided by KeyStore.java. Your keystore can contain multiple private key entries, each identified by its alias.
In majority of cases your keystorewill have single private key with single self-signed certificate matching this private key.
密钥库只是一个二进制文件,以特定格式保存您的私钥/证书列表。它可以使用KeyStore.java提供的 API 以编程方式访问。您的密钥库可以包含多个私钥条目,每个条目都由其alias.
在大多数情况下,您keystore将拥有单个私钥和与此私钥匹配的单个自签名证书。
Keystore passwordis used for integrity check of the keystore content.
If you loose this password, but you still have password for private key stored inside, you can "clone" your keystore and provide new keystore password by running the following cmd:
密钥库密码用于密钥库内容的完整性检查。
如果您丢失了此密码,但您仍然拥有存储在其中的私钥的密码,您可以通过运行以下 cmd 来“克隆”您的密钥库并提供新的密钥库密码:
keytool -importkeystore -srckeystore path/to/keystore/with/forgotten/pw -destkeystore path/to/my/new/keystore
keytool -importkeystore -srckeystore path/to/keystore/with/forgotten/pw -destkeystore path/to/my/new/keystore
provide new password, and leave old keystore password blank - you will only get warning. You can then use your new keystore and get rid of old one.
There are other ways you can retrieve your private key without using keystore password.
提供新密码,并将旧密钥库密码留空 - 您只会收到警告。然后,您可以使用新的密钥库并摆脱旧的密钥库。
还有其他方法可以在不使用密钥库密码的情况下检索您的私钥。
Private key password- protects(by encrypting) private keyinside keystore. It is extremely important as it allows you to access your private key to, among other things, sign updates for your application. It is generally very hard to recover it.
私钥密码- 保护(通过加密)private key内部keystore。这非常重要,因为它允许您访问您的私钥,除其他外,为您的应用程序签署更新。通常很难恢复它。
Self-signed ceritificate- very simple certificate binding your identity(name/organization/email) to your public key. This certificate is added to .apkfile during signing operation and will be used on user's device to verify .apkbefore installation.
自签名证书 - 将您的身份(姓名/组织/电子邮件)绑定到您的公钥的非常简单的证书。此证书.apk在签名操作期间添加到文件中,并将在用户设备上用于.apk在安装前进行验证。
