Scribd
Upload
73 views8 pages

ApkSigner SignKit UserGuide

Uploaded by

gamer.miwpe
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
73 views8 pages

ApkSigner SignKit UserGuide

Uploaded by

gamer.miwpe
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 8

ApkSigner/SignKit

• Introduction

• Download

• Changelog

• Requirements

• JIRA Project Where I can open issues

• How to use it ?

• From command line

• Note on Group (NX8) signature

• TroubleShooting

Introduction
The apksigner tool is a software provided by Google that allows you to sign APKs and to confirm
that an APK’s signature will be verified successfully on AXIUM terminals. This page presents a short
guide for using the tool and serves as a reference for the different command-line options that the
tool supports.

Ingenico Android devices, known as AXIUM, rely on specific signatures. To do that Ingenico rely on
SignKit tool to put the signature inside the Apk.

As a consequence, apksigner tool has been modified to link the tool with SignKit. Thus it is now
able to modify the given apk to inject a signature. You can also pass the option --out to specify
the output apk, and then avoid modifying the given apk.

• Original documentation is available here : https://developer.android.com/studio/command-line/


apksigner.

• Google source code is here : https://android.googlesource.com/platform/tools/apksig/

Apksigner allows to sign apk with Sign/Kit Software Application and a Sign/Kit Tool Terminal
(STT) with a signature card. It allow also to read which type of card has been used to sign the apk.

This tools modifies the given apk to inject a signature. Please keep a copy of your apk before.
But you can pass the option --out to specify the output apk.

Download
A modified version of apksigner is available on Nexus :

• Windows version/Linux version/MacOS version

This tools allow to sign apk with SignKit and a terminal with a signature card. It allow also to read
which tye of card has been used to sign the apk.

1
The actual version 0.9.2.1.ingenico is based on the tag android-r-preview-2 from the master branch
of the October, 30 2019.

Changelog
• 0.9.2-1.ingenico

• AXMAPKSGN-65

• 0.9.2-0.ingenico

• AXMAPKSGN-46

• AXMAPKSGN-47

• AXMAPKSGN-48

• AXMAPKSGN-49

• AXMAPKSGN-50

• AXMAPKSGN-51

• AXMAPKSGN-52

• AXMAPKSGN-53

• AXMAPKSGN-54

• AXMAPKSGN-55

• AXMAPKSGN-56

• AXMAPKSGN-57

• AXMAPKSGN-58

• AXMAPKSGN-59

• AXMAPKSGN-60

• 0.9.1-1.ingenico

• AXMAPKSGN-43

• 0.9.1-0.ingenico: based on the master branch (android-r-preview-2) of


https://android.googlesource.com/platform/tools/apksig/ commit
2dd388f2f5595d93199ed322ff55c48233d89e99.

• AXMAPKSGN-41

• AXMAPKSGN-42

• 0.9.0-2.ingenico

• AXMAPKSGN-24

• AXMAPKSGN-17

• AXMAPKSGN-10

• 0.9.0-1.ingenico

• AXMAPKSGN-2

2
• AXMAPKSGN-3

• 0.9.0-0.ingenico: first release based on the tag android-o-mr1-iot-release-1.0.5 from the branch
master of the August, 17 2018:

• AXMAPKSGN-1

• 0.8.1-ingenico

• Add verify order to read the card used to sign

• 0.8.0-ingenico: first release based on the tag studio-3.1.2 from the branch studio-master-dev of
the jan, 04 2018.

• CIANDROID-149 - apksig : add to CI ( Processed)

Requirements
• java 8 installed ( openJdk or oracle jre).

• Apksigner need the installation of SignKit v3.12.0.2 available in cvsworkshop


: \\frsnprfil4\cvsworkshop\DevRetD\TeliumSoftware\Tools\T_JSAT\031200_01\install.

• according to the level of signature, you may need to also install the Corporate Addon (to sign
system APK (the ones delivered within the ROM)

• You need a Signature terminal (STT4 - iCT250 with SignKit V0409)

• and a valid card with the pin code associated.

JIRA Project where I can open issues


https://jir-rndsoft.ingenico.com/projects/AXMAPKSGN

How to use it
• From command line

From command line

Download the archive with the link provided at the top of the page. Unzip then untar to a dedicated
location on your computer.

.
├── apksigner
├── apksigner.bat
├── apksigner.jar
├── ApkSigner_SignKit_UserGuide.html
├── ApkSigner_SignKit_UserGuide.pdf
└── LICENSE

To launch it, add the path to your settings, then call :

3
$ apksigner
USAGE: apksigner <command> [options]
apksigner --version
apksigner --help
EXAMPLE:
apksigner sign --ks release.jks app.apk
apksigner verify --verbose app.apk
INGENICO EXAMPLE:
apksigner sign --v2-signing-enabled --ks pathToJks --ks-key-alias axium_key
--ks-pass pass:keyStorePwd --key-pass pass:KeyPassw apkFile
apksigner sign --ks-key-alias axiumD7Key --v2Ingenico-signing-enabled true
--signKitPath pathToSignKit apkFile
apksigner sign --ks-key-alias axiumNX8Key --v2Group-signing-enabled true
--signKitPath pathToSignKit apkFile
apksigner is a tool for signing Android APK files and for checking whether
signatures of APK files will verify on Android devices.

COMMANDS
sign Sign the provided APK
verify Check whether the provided APK is expected to verify on
Android
version Show this tool's version number and exit
help Show this usage page and exit

So to sign an Apk for AXIUM D7 with a terminal :

apksigner sign --v2Ingenico-signing-enabled true --ks-key-alias


axium_closed_user_comp_minimal --signKitPath "c:\Program Files (x86)\Ingenico\Ingenico
SignKit" d:\Downloads\taas-1.10.17.apk"

So to sign an Apk for the AXIUM range except D7 (A8,NX,DX) with a terminal :

apksigner sign --v2Group-signing-enabled true --ks-key-alias


axium_closed_user_comp_minimal --signKitPath "c:\Program Files (x86)\Ingenico\Ingenico
SignKit" d:\Downloads\taas-1.10.17.apk"

If there is no error, nothing is displayed. To have more information, add the flag --verbose or -v :

D:\sign\apksignerIngenico>apksigner sign --verbose --v2Ingenico-signing-enabled true


--ks-key-alias axium_closed_user_comp_minimal --signKitPath "c:\Program Files
(x86)\Ingenico\Ingenico SignKit" "d:\Users\vguignot\Downloads\taas-1.10.17.apk"
Cmd : [c:\Program Files (x86)\Ingenico\Ingenico SignKit\antCmdLine.bat,
D:\Users\xxx\AppData\Local\Temp\cert_V8BPBM2VU65Y14BV94.xml]
08/10/2020 8:00:37,28
Calling the default Ant Target...
Buildfile: D:\Users\xxx\AppData\Local\Temp\cert_V8BPBM2VU65Y14BV94.xml
certificate:

4
[signkit.teliumtetra.local.certificates] Parameters:
[signkit.teliumtetra.local.certificates] Output File Name...........:
D:\Users\xxx\signkit_db\SignKit_PROD_AXIUM_OPEN_PLATFORM_RELEASED_idx_19VBZW1PPKKX97VT
4PT
[signkit.teliumtetra.local.certificates] Card Usage and Access Right:
AXIUM_CLOSED_USER_COMP_Minimal
[signkit.teliumtetra.local.certificates] Mockup Mode................: false
[signkit.teliumtetra.local.certificates] Communication Port.........: <none>
[signkit.teliumtetra.local.certificates] Available serial ports [COM3]
[signkit.teliumtetra.local.certificates] Testing COM3
[signkit.teliumtetra.local.certificates] Connection successful on port COM3
BUILD SUCCESSFUL
BUILD SUCCESSFUL
Total time: 28 seconds
DONE
08/10/2020 8:01:07,79
Appuyez sur une touche pour continuer...
Cmd : [c:\Program Files (x86)\Ingenico\Ingenico SignKit\antCmdLine.bat,
D:\Users\xxx\AppData\Local\Temp\signapk_65SNFNSV8379B8D6XV.xml]
08/10/2020 8:01:08,13
Calling the default Ant Target...
Buildfile: D:\Users\xxx\AppData\Local\Temp\signapk_65SNFNSV8379B8D6XV.xml
signature:
[signkit.teliumtetra.local.sign] Parameters:
[signkit.teliumtetra.local.sign] Data to sign...............:
2c000000280000000102000020000000660a747e5805a3ff36c4d1287071bc3f10cf22d8450ee7a48da7e8
e69768fa38d0020000cc020000308202c83082024da003020102021100f8d0d38a39f666aad34c3318947b
2ff2300a06082a8648ce3d040303303b310b30090603550406130246523111300f060355040a1308496e67
656e69636f31193017060355040313105445435320434f4d5020537562434132301e170d31383039313831
34303333305a170d3338303931383134303333305a303a31253023060355040a0c1c4652412d494e47454e
49434f20436f72706f726174652050617269733111300f06035504030c0830303030303732343059301306
072a8648ce3d020106082a8648ce3d0301070342000493a950e6ad8f0ecc2f2304eb5f237f834797552fdd
9e0d6f9be110d5193a784dc4da79e6a50e62d38920b851d124841521b6d9762cbaa60323bc511e446d85b6
a38201313082012d301d0603551d0e04160414b5042897e1f4d8fa37d3335955eb4f58a5a42d973062060a
2b0601040181c657050604541652687474703a2f2f63726c64702e746563732e696e67656e69636f2e636f
6d2f746563735f636f6d705f7375626361322e63726c20687474703a2f2f6f637370722e746563732e696e
67656e69636f2e636f6d3023060a2b0601040181c65705050101ff04120410000000000000000000040000
00000000300c0603551d130101ff040230003017060a2b0601040181c65705040101ff0406040400000001
3015060a2b0601040181c65705030101ff0404040202383014060a2b0601040181c65705020101ff040304
0176300e0603551d0f0101ff0404030206c0301f0603551d230418301680140f165bbfd3685f5635ab5b30
15660db88f3a7897300a06082a8648ce3d0403030369003066023100fd6f0de85f4cf3f8f2e5fb60b6b0db
c35ed95a1d81ba4694fc51d305f8fef6a802dc3c7c3ef6dc70d5eff621bedd0eee023100a7a693bfba9e14
744861c307e85ba73f101855c143cc68874ceae3d6b49d0e00c15d7606cf08cb1db28f931768dc5a220000
0000
[signkit.teliumtetra.local.sign] Output File Name...........:
D:\Users\xxx\signkit_db\SignKit_PROD_c983cf598bab2369ZSOCIX8F604T6QQOZW
[signkit.teliumtetra.local.sign] Card Usage and Access Right:
AXIUM_CLOSED_USER_COMP_Minimal
[signkit.teliumtetra.local.sign] Mockup Mode................: false
[signkit.teliumtetra.local.sign] Communication Port.........: <none>
[signkit.teliumtetra.local.sign] Available serial ports [COM3]

5
[signkit.teliumtetra.local.sign] Testing COM3
[signkit.teliumtetra.local.sign] Connection successful on port COM3
BUILD SUCCESSFUL
BUILD SUCCESSFUL
Total time: 17 seconds
DONE
08/10/2020 8:01:27,31
Appuyez sur une touche pour continuer...
Verif Sign :
304502210085D48EEC4A74BFF6D6A0A28C8E8A29206A09FAC7CF5A72E7E059EF442DD82B8B022041FD48AF
35325E97D900CC7529E65F145025B69090DDCD62CCD65C8A49C4EBF5
[------ APK SIGNATURE DONE ------]
Signed

To check the signature (D7):

D:\sign\apksignerIngenico>apksigner verify --print-certs


d:\Users\vguignot\Downloads\taas-1.10.17.apk
Signer #1 certificate Name: AXIUM_CLOSED_USER_COMP_Minimal
Signer #1 certificate DN: CN=00000783, O=FRA-INGENICO Corporate
Signer #1 certificate SHA-256 digest:
499e1b202f6fc6bf9b856cd8c1436bdcabf4d924f7007d0638ec5082cf8e8fa5
Signer #1 certificate SHA-1 digest: e0aab05ebfa07f8a3c7af4f43c35fc05b26bca7e
Signer #1 certificate MD5 digest: 6ab755121cf025cb6d399d230583779f

The certificate name represents the card named used to sign. The DN/CN represents the card
number used (783) and the Organisation (FRA-INGENICO Corporate Paris).

To check the signature (NX8):

6
$ ./apksigner verify --print-certs -v /share/ApiTester-g.apk
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v2Group scheme (APK Signature Scheme v2Group): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 3
Signer #1 certificate Name: null
Signer #1 certificate DN: CN=ingen, OU=rndgr, O=ingen, L=valen, ST=drome, C=FR
Signer #1 certificate SHA-256 digest:
477611a51c7e8ba98e4a97fd490af2cd6ce424313d4bb0f175695097cd157cb7
Signer #1 certificate SHA-1 digest: cfbbb36952ef8de2a0d6b13c84ee7a943f77107a
Signer #1 certificate MD5 digest: c543682704063fa2f2ac9596af7d0264
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest:
e8568550182be8af51b69085a1802cfecdb2b6f62087f8cc051b1655e6726f5c
Signer #1 public key SHA-1 digest: 3ede0ff0da2d7386662744ca2901a46d2b512814
Signer #1 public key MD5 digest: 3131f66030340dd2859423882ce21e72
Signer #2 certificate Name: AXIUM_CLOSED_USER_COMP_Minimal
Signer #2 certificate DN: CN=000007A2, O=FRA-INGENICO Corporate Paris
Signer #2 certificate SHA-256 digest:
394f8a70a8452967a1b07c825574461a514a417c6036b24566552775fa97a78e
Signer #2 certificate SHA-1 digest: 9ed2e751ab3d0982cd9f82dfafab2fbd8e97cea1
Signer #2 certificate MD5 digest: 5607b9caaa879634d9aeec7f3e6e1fbd
Signer #2 key algorithm: EC
Signer #2 key size (bits): 256
Signer #2 public key SHA-256 digest:
491a9d67d0b761bb17d847acb12a1ef884e277fe1603202fad32ddbdd8d96790
Signer #2 public key SHA-1 digest: 19d9d8bb67fed4ef22d1cf496c08599bb1fe8c9e
Signer #2 public key MD5 digest: cb7b37148407852b7d34ba656b0c2dab
Signer #3 certificate Name: SIGNATURE_SERVER
Signer #3 certificate DN: CN=0000012C, O=FRA-INGENICO Corporate
Signer #3 certificate SHA-256 digest:
65a9ea04f104e44679affaf7438e8d86c51a4c3feec9539f9c731a911a2705ee
Signer #3 certificate SHA-1 digest: 8cb371fe1fd8c407492d4e750fd0ce658b1499ef
Signer #3 certificate MD5 digest: ef52bda2f0e69f4bb6c39077049a32ce
Signer #3 key algorithm: EC
Signer #3 key size (bits): 256
Signer #3 public key SHA-256 digest:
faabbb7f3b7062b810723c66537dff8e5ef795a0b5a3ce40aff3687a5bbb397f
Signer #3 public key SHA-1 digest: cb2a60f4db20de72705f373a1222750ba42d1616
Signer #3 public key MD5 digest: 5c858f4abdebdd68ff2d6f776e9506b2

Note on Group Signature


The Group signature is dedicated for AXIUM range except D7. This signature add a specific BLOCK
ID compliant with the android signature which contains local and remote signature. And when
signing with the --v2group-signing-enabled true the previous v1, v2 and v3 signatures are

7
preserved.

TroubleShooting

When trying to read the v2 signature of a apk signed with a minSdkVersion < 24, there is an error :

DOES NOT VERIFY


ERROR: JAR signer CERT.EC: Failed to verify JAR signature META-INF/CERT.EC against
META-INF/CERT.SF: java.security.SignatureException: Signing certificate has
unsupported critical extensions

This error happen when there is no V1 signature. When using an apk with a minSdkVersion < 24,
the terminal where the apk will be installed is only able to decode the V1 signature.

The solution to read without error the apk is to use the option --min-sdk-version 24

apksigner verify --verbose --print-certs --min-sdk-version 24 taas.apk

You might also like