
AIR SDK 50.2.4.3 - APK not valid with hardware certificate

Open Nisaba opened this issue 1 year ago • 7 comments

Hello,

Another issue for this SDK release:

I use a GlobalSign hardware certificate. With the latest 50.2.4.3, the release build produces an invalid APK.

Whereas it's OK with AIR SDK 50.2.2.6

Nisaba avatar Feb 06 '24 00:02 Nisaba

This sort of thing is something we're currently working on, with some support from DigiCert. Interesting that GlobalSign talk about it being compatible with AIR: https://www.globalsign.com/en/code-signing-certificate/java

Are you able to point to any details on how you would use their hardware based certificate to sign a Java archive? This is most similar to how AIR works, and I think is going to be the way we can get ADT code-signing working again with hardware keys.

thanks

ajwfrost avatar Feb 06 '24 06:02 ajwfrost

Hello,

Here is the option I use in the asconfig.json :

    "signingOptions": {
        "storetype": "Windows-MY",
        "alias": "ALIAS OF THE CERTIFICATE"
    }
}

Nisaba avatar Feb 06 '24 13:02 Nisaba

Where do you get the Windows-MY part from?

From what I can see, the way to do this would be to add a line into your JVM security settings, that provides the configuration settings for your GlobalSign tools - e.g. in JAVA_HOME/conf/security/java.security, add a line to the end of the providers list such as:

security.provider.13=SunPKCS11 c:/globalsign/configuration/pkcs11.cfg

where that config file should have something like:

name = GlobalSignTools
library = c:\\program files\\globalsign\\tools\\pkcssigning.dll

Then the signing parameters for AIR should be

-storetype pkcs11 -providerName SunPKCS11-GlobalSignTools

i.e. the provider is a combination of the 'SunPKCS11' part from the security file, plus a hyphen, plus the name given in the configuration file.

This is working for me with DigiCert, or at least, I'm getting a signed .air file, although currently the certificate isn't official/trusted so we will need to check further to ensure that the validation works too.

In terms of APK generation, and AAB, I think we may need to look more at how to pass the requirements through to the Gradle process.

Some references: https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-30E98B63-4910-40A1-A6DD-663EAF466991 https://docs.digicert.com/en/software-trust-manager/signing-tools/sign-java-files-with-jarsigner-using-pkcs11-integration.html https://docs.digicert.com/en/software-trust-manager/ci-cd-integrations/script-integrations/gradle-integration-with-pkcs11.html#sign-436096

ajwfrost avatar Feb 07 '24 11:02 ajwfrost

https://www.google.com/search?client=opera&q="Windows-MY"&sourceid=opera&ie=UTF-8&oe=UTF-8

It works well under Visual Studio Code. Anyway, I also have a Java Android App but we never managed to use this certificate in Android Studio

Nisaba avatar Feb 07 '24 11:02 Nisaba

  • works well on SDK before 50.2.4.3

Nisaba avatar Feb 07 '24 11:02 Nisaba

Ah okay, so have just been looking further - we had switched to using the Gradle signing mechanism, but this seems to only work with local keystore files, rather than working with providers and aliases...

The reason for switching was the removal of our earlier capabilities within the Java runtime when they switched up to v17 (and the trigger for us actually getting on with this was that Animate 2024 came out with Java 17 embedded in it...)

So we have a situation now where the Android build tools don't support this; but the Java version means we can't use the earlier sun.security classes.... (in terms of the Android build tools - I had hoped we could just update how we generate the signingConfig information for Gradle to then do all this.... but they don't have these sorts of options, see https://developer.android.com/studio/publish/app-signing)

Which means our options are:

  1. Look at command-line-driven use of jarsigner and apksigner tools, rather than using Gradle
  2. Implement an internal signing mechanism again i.e. within the Java code, load the appropriate provider and generate the signatures, without using the sun.security internal classes...

Just wondering, are you able to sign an APK file using the apksigner tool? Something like:

apksigner sign --ks NONE --ks-type "Windows-MY" --ks-pass pass:anything --ks-key-alias ALIAS_CERT --in Unsigned.apk --out Signed.apk

thanks

ajwfrost avatar Feb 07 '24 12:02 ajwfrost
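The following is an added example, not code from this issue thread or from the AIR SDK. It shows, in plain Java 17, the two key-store routes discussed in this thread: loading a SunPKCS11 provider from a pkcs11.cfg file (which yields the `SunPKCS11-<name>` provider name used with `-storetype pkcs11 -providerName ...`), or opening the `Windows-MY` store through SunMSCAPI, then signing a byte array with the key behind an alias and verifying it with the certificate's public key. This is the "internal signing mechanism" idea of option 2 reduced to its core: it signs raw bytes, not an APK or .air file, and it uses only public `java.security` APIs, none of the `sun.security` internals. The config path, alias, PIN and payload are placeholders.

```java
// Added example (not from the AIR SDK or this thread): sign with a hardware-backed key
// via a PKCS#11 provider or the Windows certificate store using public java.security APIs.
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;

public class HardwareKeySigner {

    /** Load SunPKCS11 from a config file containing "name = ..." and "library = ...". */
    static Provider loadPkcs11Provider(String configPath) {
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("SunPKCS11 provider not available in this JDK");
        }
        // Java 9+ API: configure() returns a provider named "SunPKCS11-<name>",
        // where <name> is taken from the config file (e.g. SunPKCS11-GlobalSignTools).
        Provider configured = base.configure(configPath);
        Security.addProvider(configured);
        return configured;
    }

    /** Sign data with the private key stored under alias in the given key store. */
    static byte[] sign(KeyStore ks, Provider keyProvider, String alias, char[] pin, byte[] data)
            throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
        if (key == null) {
            throw new IllegalArgumentException("no private key for alias " + alias);
        }
        // The Signature must come from the provider that owns the key: the key material
        // never leaves the token or OS store, so the default software provider cannot use it.
        Signature sig = Signature.getInstance("SHA256withRSA", keyProvider);
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    /** Verify with the certificate's public key; this side needs no token at all. */
    static boolean verify(KeyStore ks, String alias, byte[] data, byte[] signature) throws Exception {
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalArgumentException("no certificate for alias " + alias);
        }
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(cert.getPublicKey());
        sig.update(data);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        boolean useWindowsStore = args.length > 0 && args[0].equals("windows");
        String alias = "ALIAS OF THE CERTIFICATE";            // placeholder, as in the asconfig.json above
        char[] pin = "TOKEN-PIN".toCharArray();                // placeholder; ignored by SunMSCAPI
        byte[] data = "constructed payload to sign".getBytes(StandardCharsets.UTF_8);

        KeyStore ks;
        Provider keyProvider;
        if (useWindowsStore) {
            // The "Windows-MY" store type from the asconfig.json; backed by SunMSCAPI (Windows only).
            keyProvider = Security.getProvider("SunMSCAPI");
            if (keyProvider == null) {
                throw new IllegalStateException("SunMSCAPI is only available on Windows JDKs");
            }
            ks = KeyStore.getInstance("Windows-MY", keyProvider);
            ks.load(null, null);
        } else {
            // Equivalent of: -storetype pkcs11 -providerName SunPKCS11-GlobalSignTools
            keyProvider = loadPkcs11Provider("c:/globalsign/configuration/pkcs11.cfg"); // placeholder path
            ks = KeyStore.getInstance("PKCS11", keyProvider);
            ks.load(null, pin);
        }
        System.out.println("Using provider " + keyProvider.getName());

        byte[] signature = sign(ks, keyProvider, alias, pin, data);
        System.out.println("Signature length: " + signature.length + " bytes");
        System.out.println("Verified: " + verify(ks, alias, data, signature));
    }
}
```

Run it as `java HardwareKeySigner` for the PKCS#11 route or `java HardwareKeySigner windows` for the Windows-MY route. The point worth checking when a build produces an "invalid" artifact is the provider pairing: a key handle from SunPKCS11 or SunMSCAPI only signs through that same provider, and a signing step that silently falls back to a software provider, or to a keystore-file-only mechanism as the Gradle route above does, cannot reach the hardware key at all. Verification, by contrast, only needs the certificate, so it can run anywhere.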

Hello,

The apksigner command works well. Anyway, I still have the same issue with AIR SDK Release 50.2.4.4

Thanks

Nisaba avatar Feb 13 '24 12:02 Nisaba