How to Sign My Application with the System Signature Key

Android :Signing in android app with system signature

It was my mistake to not analyze it further, I tried installing it with
adb install -r ".apk"
and found the exact error, which is "signatures are not matching". Then I contacted the manufacturer and the problem was solved.

How to sign Android app with system signature?

Finally I managed to discover a way to sign my application with the platform signature. You need to use keys located in <root-of-android-source-tree>/build/target/product/security/ and add android:sharedUserId="android.uid.system" in your AndroidManifest.xml file.

Details from this google groups thread:

On top of signing Android 1.6 for Dream with certificates generated by
myself, I've also managed to sign my app with the platform certificate
and run it with the system sharedUserId. These are the steps I took:

• Build and flash to your Dream your own Android using https://web.archive.org/web/20081211205758/http://source.android.com:80/documentation/building-for-dream. Use the
  mkkey.sh script on
  https://web.archive.org/web/20091213215940/http://pdk.android.com/online-pdk/guide/release_keys.html to create
  new certificates, including x509 certificates before you do 'make'.
• In the AndroidManifest.xml of your application: under the <manifest> element, add the attribute android:sharedUserId="android.uid.system".
• Export an unsigned version of your Android application using Eclipse: right-click on the project >> Android Tools >> Export
  Unsigned Application Package.

• Use <root-of-android-source-tree>/out/host/<your-host>/framework/signapk.jar to sign your app using platform.x509.pem and platform.pk8 in <root-of-android-source-tree>/build/target/product/security
  generated earlier:

  java -jar signapk.jar platform.x509.pem platform.pk8 YourApp-unsigned.apk YourApp-signed.apk.
  

• Install the app to your device:

  adb install YourApp-signed.apk
  

• Run your app
• Use adb shell ps to confirm that your app is running as system.

Signing my android application as system app

Well below is your answer,

1. You can find platform keys from
   HERE. The command to sign apk (for linux) is:

   java -jar signapk.jar -w platform.x509.pem platform.pk8 APPLICATION.apk APPLICATION_sign.apk

   onward Android 10 lib64 library path need to provided which can be found at android/out/host/linux-x86 after generating a successful build, one can copy folder or simply provide its path to generate sign APK

   java -Djava.library.path="<path to lib64>" -jar signapk.jar -w platform.x509.pem platform.pk8

2. If you sign your apk with platform keys you won't required root access you can simply install it from "adb install" command, and yes in someway it is like root 'cos it can access all internal api but keep in mind if your app is system signed then you can't write external storage.

3. First of all don't combine both root is user where system app is application type which distinguish from normal application below link might clear your confusion regarding it.

   what-is-the-difference-between-android-user-app-with-root-access-and-a-system-ap

Android APK signed with PLATFORM key not given system privileges?

What @Mark mentions is correct to some extent, for system apps.
I think you are doing something else wrong.
I have tried this with system apps as well, and as long it was signed with the platform keystore, it works. Now this was on Android 8 and Android 9. You haven't mentioned the AOSP version running the device.

That changes things AFAIK, so if it's AOSP 10+, it might behave differently.

Also the other comments are missing another key thing SELinux. SELinux is not permissive for user builds. Verity is enabled, and you cannot have root access. So you cannot push the app into /system/priv-app/ or push it into /vendor/app/.
You cannot access system resources without proper SE Policy files. You can check the logs yourself, to see avc denied messages.

I think overall what you are seeing should be inline with AOSP's security ideals. An app signed with System keys should not be able to get system permissions. It also needs to be located in the correct place, either as a privileged app or vendor app. Such apps need to be whitelisted. There's a built in script in AOSP source to even generate the permissions for whitelisting (it produces the required xml)

There's two classes of system apps, /system/app/ and /system/priv-app/
The privileged apps are the only ones that get signature level permissions, and according to newer versions of android, you need to enable whitelisting in the /system/etc/priv_app-permissions_device_name.

If you make any changes to the system or vendor when verity is enabled, firstly they are mounted read only, but somehow if you do make a change, the device will brick itself. This is the security feature. All custom development needs to be done in userdebug builds with SELinux in permissive mode, and then all the permissions need to be predefined, SE Policies fine tuned to utmost minimal, only then the user build can function normally. User build is not at all suitable for AOSP development activities, even if it's just for testing or trying out a single app.

User build is production type build that the end user can use and is not for development. It's the most secure form of android, so if you have platform keys, it may never be enough.

All that being said, I'm sure you don't have the right keys. Just pull an app from system/priv-app/ and use keytool or similar to check it's signature, and then try to match with your release apk.

It's little complicated as it is, and kind of hard to explain and there are levels of permissions also in android, so if you aren't following a specific approach/path, you will not be able to get it to work.

---

Related Topics