Android APK的签名存在什么样的缺陷？

Question

免责声明：我知道签署APK的基本知识，而且我只对我的一个项目有问题，而且只有在与Microsoft签署操作系统.时才有问题。

我正在用Maven构建我的APK，并使用maven-jarsigner签名：

  <plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-jarsigner-plugin</artifactId>
    <executions>
      <execution>
        <id>signing</id>
        <goals>
          <goal>sign</goal>
        </goals>
        <phase>package</phase>
        <inherited>true</inherited>
        <configuration>
          <archive>target/${project.build.finalName}.apk</archive>
          <sigfile>CERT</sigfile>
          <keystore>${env.HOME}/.keystore</keystore>
          <storepass>${env.KEY_STOREPASS}</storepass>
          <keypass>${env.KEY_KEYPASS}</keypass>
          <alias>${env.KEY_ALIAS}</alias>
        </configuration>
      </execution>
    </executions>
  </plugin>

现在，在我的一个项目中，尝试安装和启动应用程序时会出现以下错误：

1360 KB/s (2057872 bytes in 1.477s)
        pkg: /data/local/tmp/FX-602P-Droid-5.0.0.apk
Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]

正如我在第一句中所说:它在与Mac进行签名时运行良好。只有在使用Windows 7进行签名时，它才会失败。

使用--debug调用Maven时，我看到jarsigner被称为ok，并且没有报告错误：

[INFO]
[INFO] --- maven-jarsigner-plugin:1.2:sign (signing) @ FX-602P-Droid ---
[DEBUG] org.apache.maven.plugins:maven-jarsigner-plugin:jar:1.2:
[DEBUG]    org.apache.maven:maven-plugin-api:jar:2.0.6:compile
[DEBUG]    org.apache.maven:maven-project:jar:2.0.6:compile
[DEBUG]       org.apache.maven:maven-settings:jar:2.0.6:compile
[DEBUG]       org.apache.maven:maven-profile:jar:2.0.6:compile
[DEBUG]       org.apache.maven:maven-model:jar:2.0.6:compile
[DEBUG]       org.apache.maven:maven-artifact-manager:jar:2.0.6:compile
[DEBUG]          org.apache.maven:maven-repository-metadata:jar:2.0.6:compile
[DEBUG]       org.apache.maven:maven-plugin-registry:jar:2.0.6:compile
[DEBUG]       org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9-stable-1:compile
[DEBUG]          junit:junit:jar:3.8.1:compile
[DEBUG]          classworlds:classworlds:jar:1.1-alpha-2:compile
[DEBUG]    org.apache.maven:maven-artifact:jar:2.0.6:compile
[DEBUG]    org.codehaus.plexus:plexus-utils:jar:1.5.15:compile
[DEBUG] Created new class realm plugin>org.apache.maven.plugins:maven-jarsigner-plugin:1.2
[DEBUG] Importing foreign packages into class realm plugin>org.apache.maven.plugins:maven-jarsigner-plugin:1.2
[DEBUG]   Imported:  < project>net.sourceforge.uiq3:FX-602P-Droid:5.0.0
[DEBUG] Populating class realm plugin>org.apache.maven.plugins:maven-jarsigner-plugin:1.2
[DEBUG]   Included: org.apache.maven.plugins:maven-jarsigner-plugin:jar:1.2
[DEBUG]   Included: junit:junit:jar:3.8.1
[DEBUG]   Included: org.codehaus.plexus:plexus-utils:jar:1.5.15
[DEBUG]   Excluded: org.apache.maven:maven-plugin-api:jar:2.0.6
[DEBUG]   Excluded: org.apache.maven:maven-project:jar:2.0.6
[DEBUG]   Excluded: org.apache.maven:maven-settings:jar:2.0.6
[DEBUG]   Excluded: org.apache.maven:maven-profile:jar:2.0.6
[DEBUG]   Excluded: org.apache.maven:maven-model:jar:2.0.6
[DEBUG]   Excluded: org.apache.maven:maven-artifact-manager:jar:2.0.6
[DEBUG]   Excluded: org.apache.maven:maven-repository-metadata:jar:2.0.6
[DEBUG]   Excluded: org.apache.maven:maven-plugin-registry:jar:2.0.6
[DEBUG]   Excluded: org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9-stable-1
[DEBUG]   Excluded: classworlds:classworlds:jar:1.1-alpha-2
[DEBUG]   Excluded: org.apache.maven:maven-artifact:jar:2.0.6
[DEBUG] Configuring mojo org.apache.maven.plugins:maven-jarsigner-plugin:1.2:sign from plugin realm ClassRealm[plugin>org.apache.maven.plugins:maven-jarsigner-plugin:1.
2, parent: sun.misc.Launcher$AppClassLoader@214c4ac9]
[DEBUG] Configuring mojo 'org.apache.maven.plugins:maven-jarsigner-plugin:1.2:sign' with basic configurator -->
[DEBUG]   (f) alias = krischik
[DEBUG]   (f) archive = C:\Work\uiq3\Java\FX-602P-Droid\target\FX-602P-Droid-5.0.0.apk
[DEBUG]   (f) arguments = []
[DEBUG]   (f) keypass = Atlan.
[DEBUG]   (f) keystore = C:\Users\martin.krischik/.keystore
[DEBUG]   (f) processAttachedArtifacts = true
[DEBUG]   (f) processMainArtifact = true
[DEBUG]   (f) project = MavenProject: net.sourceforge.uiq3:FX-602P-Droid:5.0.0 @ C:\Work\uiq3\Java\FX-602P-Droid\pom.xml
[DEBUG]   (f) removeExistingSignatures = false
[DEBUG]   (f) sigfile = CERT
[DEBUG]   (f) skip = false
[DEBUG]   (f) storepass = !AtlanRhodan!
[DEBUG]   (f) verbose = false
[DEBUG] -- end configuration --
[DEBUG] Verarbeite C:\Work\uiq3\Java\FX-602P-Droid\target\FX-602P-Droid-5.0.0.apk
[DEBUG] 'cmd.exe /X /C "C:\opt\Java\jdk\1.7.0\bin\jarsigner.exe -keystore C:\Users\martin.krischik/.keystore -storepass '*****' -keypass '*****' -sigfile CERT C:\Work\u
iq3\Java\FX-602P-Droid\target\FX-602P-Droid-5.0.0.apk krischik"'
[INFO] 1 Archiv(e) verarbeitet
[INFO]

还有什么会出错的？

PS:我刚刚注意到C:\opt\Java\jdk\1.7.0\bin\jarsigner.exe --是否有从1.6到1.7之间的变化？为什么Maven会在1.6项目中使用1.7签名者呢？

Answer 1

解决方案是将其添加到maven-jarsigner-plugin的<configuration>中：

<arguments>
  <argument>-sigalg</argument><argument>MD5withRSA</argument>
  <argument>-digestalg</argument><argument>SHA1</argument>
</arguments>

Ant 已经有直接的支持用于此，但Maven插件没有。

Answer 2

用1.7查找有关使用情况的信息是非常棘手的，但一旦发现它是合理的简单：

对于keytool，包括：

-sigalg SHA1withDSA -keyalg DSA -keysize 1024

对于jarsigner，包括：

-sigalg SHA1withDSA -digestalg SHA1

(1024是最大的，有效的，更少的可能起作用)

Answer 3

巴凯塔的解决方案也适用于我。

在keytool中使用这些参数：

-sigalg MD5withRSA -keyalg RSA -keysize 1024 

我仍在用它来表示：

-sigalg MD5withRSA -digestalg SHA1

谢谢，APK编译并安装在一个使用Java 7的设备上，最后！