I'm currently developing an .AAR Android library and I would like to sign the released artifacts with my own key, so that I can determine whether a fake AAR with the same name and functionality has been released by me or not.
Notice 1 :
I want to be able to check the authenticity of my library programmatically, even if a fake one is forging just part of the functionality of my AAR file.
Notice 2 :
I am not going to publish this AAR to Maven, Sonatype or any other public repository, so I'm going to sign it for a typical release flow, like signing an APK file.
You can use jarsigner to sign your AAR library, and keytool to generate the signing keys. Both tools are located in the embedded JDK that comes with Android Studio. Do the following to sign your library.
Generate a keystore with a key pair. You'll need to provide the certificate fields:
# -keyalg is given explicitly (recent keytool releases require it and older ones default to DSA); -validity extends the certificate beyond keytool's 90-day default
keytool -genkeypair -keyalg RSA -keysize 2048 -validity 3650 -alias aarsign -keypass mypassword -keystore aarsign.keystore -storepass mypassword -v
Export the generated certificate into a PEM file:
keytool -exportcert -rfc -alias aarsign -file aarsign-public.pem -keystore aarsign.keystore -storepass mypassword -v
Create a keystore containing the certificate:
keytool -importcert -alias aarsign -file aarsign-public.pem -keystore aarsign-public.keystore -storepass mypassword -v
Sign the library:
jarsigner -keystore aarsign.keystore -storepass mypassword -keypass mypassword -signedjar lib-signed.aar -verbose lib.aar aarsign
Anyone who wishes to attest to the authenticity of the library needs to obtain your certificate (or the keystore containing it) in a reliable way and run this command:
jarsigner -keystore aarsign-public.keystore -storepass mypassword -verify -verbose -certs lib-signed.aar aarsign
It will give the message "jar verified." with some warnings about certificate expiration and signature timestamp. You can get rid of these warnings by creating a stricter certificate. Refer to the keytool and jarsigner documentation.
There are two ways in which you can find out whether your library has been tampered with: mismatched digests or a mismatched certificate. If someone generates an AAR from different source code or with different resources, the digests won't match and jarsigner will warn, for example:
jarsigner: java.lang.SecurityException: invalid SHA-256 signature file digest for <file>
And, if someone provides a different certificate than your own, jarsigner will warn:
Warning:
This jar contains entries whose certificate chain is not validated.
This jar contains signed entries which are not signed by the specified alias(es).
This jar contains signed entries that are not signed by alias in this keystore.
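The answer above checks the signature with the jarsigner CLI, while the question asks for a programmatic check. The following is an added example, not part of the original answer, that performs the same verification from Java with java.util.jar.JarFile: every entry is read to the end so that the manifest digests are checked and the signature block is validated, and the signer's leaf certificate is then compared against a pinned SHA-256 fingerprint (the value keytool -printcert -file aarsign-public.pem prints). The class name AarVerifier, the fail-closed exceptions and the command-line layout are my own choices; JarFile only proves that the signature matches the certificate embedded in the .RSA block, it neither chains that certificate to a CA nor checks its validity dates, so the fingerprint pin is the actual trust decision.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.util.Enumeration;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added example (not from the original answer): verifies that every content
 * entry of an AAR is signed by a certificate with a pinned SHA-256 fingerprint.
 */
public final class AarVerifier {

    // Lowercase hex without separators; the constructor normalises keytool's "AA:BB:..." form.
    private final String pinnedSha256;

    public AarVerifier(String pinnedSha256Fingerprint) {
        this.pinnedSha256 = pinnedSha256Fingerprint.replace(":", "").toLowerCase(Locale.ROOT);
    }

    /** Returns normally if the AAR is authentic; throws SecurityException otherwise. */
    public void verify(File aar)
            throws IOException, NoSuchAlgorithmException, CertificateEncodingException {
        // verify=true makes JarFile check the .RSA block against the .SF file and every
        // entry's SHA-256 digest against the manifest as the entry is read.
        try (JarFile jar = new JarFile(aar, true)) {
            if (jar.getManifest() == null) {
                throw new SecurityException(aar + " has no manifest, so it cannot be signed");
            }
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                String name = entry.getName();
                if (entry.isDirectory() || isSignatureRelated(name)) {
                    continue; // the signature files themselves are never signed
                }
                // The entry must be consumed to EOF before getCodeSigners() is populated.
                // A digest mismatch (tampered bytes) surfaces here as a SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) {
                        // discard; only the side effect (digest check) matters
                    }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    // Entry added after signing, or signature block that did not validate:
                    // the "signed entries which are not signed" case jarsigner warns about.
                    throw new SecurityException("unsigned entry: " + name);
                }
                if (!signedByPinnedKey(signers)) {
                    throw new SecurityException("entry " + name + " is signed by an unknown certificate");
                }
            }
        }
    }

    // Mirrors the files jarsigner excludes from signing: the manifest, *.SF, signature blocks and SIG-*.
    private static boolean isSignatureRelated(String name) {
        String upper = name.toUpperCase(Locale.ROOT);
        if (!upper.startsWith("META-INF/")) {
            return false;
        }
        return upper.equals("META-INF/MANIFEST.MF") || upper.startsWith("META-INF/SIG-")
                || upper.endsWith(".SF") || upper.endsWith(".RSA")
                || upper.endsWith(".DSA") || upper.endsWith(".EC");
    }

    private boolean signedByPinnedKey(CodeSigner[] signers)
            throws NoSuchAlgorithmException, CertificateEncodingException {
        for (CodeSigner signer : signers) {
            // The first certificate in the path is the signer's own (leaf) certificate.
            Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
            if (pinnedSha256.equals(sha256Hex(leaf.getEncoded()))) {
                return true;
            }
        }
        return false;
    }

    static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: AarVerifier <lib-signed.aar> <sha256 fingerprint of aarsign-public.pem>");
            System.exit(2);
        }
        new AarVerifier(args[1]).verify(new File(args[0]));
        System.out.println("aar verified: every entry is signed by the pinned certificate");
    }
}
```

Run it as java AarVerifier lib-signed.aar <fingerprint>, taking the fingerprint from the SHA256 line of keytool -printcert -file aarsign-public.pem. Because an AAR is consumed at build time and its classes are merged into the app's DEX, a check like this belongs in the consumer's build or release tooling (a Gradle task or a CI step that runs before the dependency is resolved), not in the app at runtime. The check fails closed on purpose: an entry whose bytes were altered raises a SecurityException while it is read, an entry appended after signing has no signers, and an AAR re-signed with someone else's key has signers whose leaf fingerprint does not match the pin.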