How to create correct .keystore for NXP iMX8QM AAOS12?

rampe · ‎11-29-2022

Could you hint how to create .keystore properly? I tried using platform.pk8 and .x509.pem files from nxp/android_build/build/make/target/product/security like below

openssl pkcs8 -inform DER -nocrypt -in platform.pk8 -out nxpimx8qmaaos12-platform.key
openssl pkcs12 -export -in platform.x509.pem -inkey nxpimx8qmaaos12-platform.key -name nxpimx8qmaaos12-platform -out nxpimx8qmaaos12-platform.pem -password pass:password
../../../../../prebuilts/jdk/jdk11/linux-x86/bin/keytool -importkeystore -destkeystore nxpimx8qmaaos12-platform.keystore -deststorepass password -srckeystore nxpimx8qmaaos12-platform.pem -srcstoretype PKCS12 -srcstorepass password

But when release.apk is signed with jarsigner or apksigner and app is deployed over ADP we get an error in app startup: "The app is not signed with a valid platform signature. The Car API back end cannot work with an unsigned app."

zdenek_zadera · ‎03-30-2023

Hello @rampe ,

In NXP Android release, there are created keys/certs in “device/nxp/common/security/” (platform.pk8 and platform.x509.pem). Are you using keys from this location?

The apksinger tool supports signing APKs with keystore file or with the private key file and certificate file separately. Below are some useful links may be helpful:

Convert x509.pem and pk8 file to keystore: https://stackoverflow.com/questions/39657812/how-to-import-x509-pem-pk8-file-into-jks-keystore
apksigner usage: https://developer.android.com/studio/command-line/apksigner
some basic concept about app-signing: https://developer.android.com/studio/publish/app-signing

Best Regards,

Zdenek

zdenek_zadera · ‎03-29-2023

Hello @rampe ,

I have created internal question to our developers how to proceed correctly with your case.

Zdenek

rampe · ‎03-05-2023

For example this one had been used

./apksigner sign --append-signature --ks /home/rami/dev/docs/outruntonxp/nxpimx8qmaaos12-platform.keystore /home/username/dev/docs/outruntonxp/wow/build-Outrun_IVI-Android_Qt_6_4_0_Clang_arm64_v8a-Debug/android-build/build/outputs/apk/release/android-build-release-signed.apk

rampe · ‎03-05-2023

For example one that was tried

./apksigner sign --append-signature --ks /home/username/dev/docs/outruntonxp/nxpimx8qmaaos12-platform.keystore /home/rami/dev/docs/outruntonxp/wow/build-Outrun_IVI-Android_Qt_6_4_0_Clang_arm64_v8a-Debug/android-build/build/outputs/apk/release/android-build-release-signed.apk

rampe · ‎01-12-2023

..../build-tools/33.0.0/apksigner sign --append-signature --ks .../platform.keystore ..../android-build/build/outputs/apk/release/android-build-release-signed.apk

rampe · ‎01-12-2023

build-tools/33.0.0/apksigner sign --append-signature --ks ../platform.keystore ./android-build/build/outputs/apk/release/android-build-release-signed.apk

Zhiming_Liu · ‎12-04-2022

Hi

Can you try the pkcs11?

rampe · ‎12-11-2022

openssl accepts only pkcs7, pkcs8 and pkcs12.

What would be the proper keytool command? Following does not seem to work

keytool -keystore NONE -storetype PKCS11 -list
keytool error: java.security.KeyStoreException: PKCS11 not found

Zhiming_Liu · ‎12-13-2022

Hi @rampe

Can you also share the apksigner command you use?

rampe · ‎03-05-2023

For example this had been used

./apksigner sign --append-signature --ks /home/rami/dev/docs/outruntonxp/nxpimx8qmaaos12-platform.keystore /home/uname/dev/docs/outruntonxp/wow/build-Outrun_IVI-Android_Qt_6_4_0_Clang_arm64_v8a-Debug/android-build/build/outputs/apk/release/android-build-release-signed.apk