android, signing, android-app-bundle

How can I sign an aab with a certificate file?


I want to use a certificate file on the build server to sign an Android aab, so I need to sign the aab without using a keystore or jks file. For this I created pem and pk8 files with these commands:

openssl genrsa -out key.pem 1024
openssl req -new -key key.pem -out request.pem
openssl x509 -req -days 9999 -in request.pem -signkey key.pem -out certificate.pem
openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out key.pk8 -nocrypt

There are some commands for apk signing, like:

java -jar SignApk.jar testkey.x509.pem testkey.pk8 my.apk my.s.apk
apksigner sign --key .pk8 --cert .x509.pem file.apk

But I could not find a way for an aab file. After that I will upload the signed aab file to the Play Store. How can I do that?


Solution

  • I have found a way. Here are the steps:

    Generates a new certificate request with the given information and writes it to request.pem

    openssl req -new -key Server_Signing_Cert_20201015.pem -out request.pem
    

    Uses OpenSSL to create a certificate using the certificate request file (request.pem) and the specified key, then writes the certificate to certificate.pem.

    openssl x509 -req -days 9999 -in request.pem -signkey Server_Signing_Cert_20201015.pem -out certificate.pem
    

    Converts the private key to PKCS#8 format, saving it as key.pk8 without encryption.

    openssl pkcs8 -topk8 -outform DER -in Server_Signing_Cert_20201015.pem -inform PEM -out key.pk8 -nocrypt
    

    Converts the private key from PKCS#8 format (DER) to PEM format, saving it as platform.priv.pem without encryption.

    openssl pkcs8 -in key.pk8 -inform DER -outform PEM -out platform.priv.pem -nocrypt
    

    Creates a PKCS#12 file (platform.pk12) containing the certificate and private key, protected with the password "123123" and with the alias "android".

    openssl pkcs12 -export -in certificate.pem -inkey platform.priv.pem -out platform.pk12 -name android -password pass:123123
    

    Creates a Java Keystore file (test.jks) in the Android keystore format, importing the certificate and private key from the PKCS#12 file (platform.pk12), using the password "123123", and setting the alias to "android".

    keytool -importkeystore -destkeystore test.jks -srckeystore platform.pk12 -srcstoretype PKCS12 -srcstorepass 123123 -alias android
    

    Signs the Android App Bundle file (app-release_unsigned.aab) using the specified keystore (test.jks) and the alias "android", applying the given signature and digest algorithms, and saves the signed bundle as signed_app-release.aab.

    jarsigner -verbose -sigalg SHA256withRSA -digestalg SHA-256 -signedjar signed_app-release.aab -keystore test.jks app-release_unsigned.aab android -storepass 123123
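
The steps above as one build-server script, added here as an example and not part of the original answer. It assumes the keystore password is supplied in an environment variable named `KS_PASS` (a hypothetical name) so it never appears on a command line, checks that the certificate matches the key before exporting, and hands the PKCS#12 file straight to jarsigner with `-storetype PKCS12` instead of converting it to JKS first.

```shell
#!/bin/sh
# Added example, not from the original post. KS_PASS and the file names passed
# as arguments are assumptions; the alias "android" is the one used above.
set -eu

# keytool enforces a 6-character minimum for store passwords; use the same floor.
secret_ok() {
    [ "${#1}" -ge 6 ]
}

# A certificate that does not belong to the key gives an unusable PKCS#12,
# so compare the public key derived from each file before exporting.
keys_match() {   # keys_match KEY.pem CERT.pem
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

sign_bundle() {  # sign_bundle KEY.pem CERT.pem IN.aab OUT.aab
    secret_ok "${KS_PASS:-}" || { echo "KS_PASS unset or under 6 chars" >&2; return 2; }
    keys_match "$1" "$2"     || { echo "certificate does not match key" >&2; return 3; }
    umask 077                          # keystore readable by this user only
    p12=$(mktemp)
    trap 'rm -f "$p12"' EXIT           # do not leave key material behind
    # env:KS_PASS and -storepass:env keep the password out of argv.
    openssl pkcs12 -export -in "$2" -inkey "$1" -name android \
        -out "$p12" -passout env:KS_PASS
    jarsigner -keystore "$p12" -storetype PKCS12 -storepass:env KS_PASS \
        -sigalg SHA256withRSA -digestalg SHA-256 \
        -signedjar "$4" "$3" android
    # Matches jarsigner's English-locale success message.
    jarsigner -verify "$4" | grep -q 'jar verified'
}

# Run only when called with the four file arguments.
if [ "$#" -eq 4 ]; then sign_bundle "$@"; fi
```

Invoke it as `KS_PASS=... sh sign_aab.sh key.pem certificate.pem app-release_unsigned.aab signed_app-release.aab`, with the variable set by the CI system's secret store rather than typed into the job definition.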