[API][APP] ZipSigner -- signing zip and apks onboard the device

By kellinwood, Retired Recognized Developer on 17th November 2010, 05:25 AM
I've developed an open-source java library for signing files onboard the device and an app that demonstrates its use.

The app is "ZipSigner" and it's in the Market. Binaries and source for the libraries and app are available at http://code.google.com/p/zip-signer.

More information on using the app can be found at http://sites.google.com/site/zipsigner/

BASIC API USAGE:
Code:
import kellinwood.security.zipsigner.ZipSigner;

// inputFile and outputFile are the paths of the unsigned and signed archives.
try {
    // Sign with the built-in default test key/certificate.
    ZipSigner zipSigner = new ZipSigner();
    zipSigner.setKeyMode("testkey");
    zipSigner.signZip(inputFile, outputFile);
} catch (Throwable t) {
    // log, display toast, etc.
}
I developed this code as part of an effort to create a theming application that creates update.zip files on the device (ZipThemer).


I tested by having Titanium Backup generate its update.zip, signed it with the ZipSigner app, and then flashed it in recovery.

Enjoy,

Ken
18th November 2010, 02:53 PM |#2  
kellinwood's Avatar
OP Retired Recognized Developer
Kailua, HI
Version 1.1
Version 1.1 is out. The library code size is significantly smaller in this version since I reduced the need to include sun.security.pkcs and sun.security.x509. For example, the ZipSigner app is now 1/6 its former size (now 47kb).
18th November 2010, 03:42 PM |#3  
Senior Member
Flag Brighton IL
I'm not sure I see the relevance of this. I don't know about all devices, but from my understanding, for an update.zip to be accepted by the device, it needs to be signed by a trusted authority (i.e. HTC or Samsung, etc.). On the other hand, if you're rooted and have a custom recovery partition, they ignore signatures anyway. Is it the case that some devices require a signed update.zip, but then don't give a hoot who signs it?
18th November 2010, 08:12 PM |#4  
kellinwood's Avatar
OP Retired Recognized Developer
Kailua, HI
Yes, the root recovery programs do verify the signature, and no, the certificate does not need to be trusted.

I'm assuming this API is only going to be picked up for use in root-enabled apps where the developers can assume the users have the ability to flash updates.
18th November 2010, 09:06 PM |#5  
Senior Member
Flag Brighton IL
Quote:
Originally Posted by kellinwood

Yes, the root recovery programs do verify the signature, and no, the certificate does not need to be trusted.

All of them? Are you sure? Clockwork recovery on my HTC Aria cares not-at-all about signatures on update.zip's.
18th November 2010, 11:14 PM |#6  
kellinwood's Avatar
OP Retired Recognized Developer
Kailua, HI
Am I sure? No. After a bit of research it appears the recovery programs, if they verify the signature, require the signing certificate to match one built into recovery itself. In the case of most root recovery programs I think this is the test certificate available from Google, and also the one used by default in my code.
19th November 2010, 07:02 AM |#7  
Junior Member
Clockworkmod recovery has the option to turn off signature verification

Sent from my ADR6300 using XDA App
19th November 2010, 01:53 PM |#8  
Senior Member
Flag Brighton IL
Quote:
Originally Posted by Runawaycoder

Clockworkmod recovery has the option to turn off signature verification

Sent from my ADR6300 using XDA App

Yes, but the question seems to be: what signatures does it accept? The whole point is to verify the authenticity of the update, but if it uses the google debug key, then anybody can sign an update with that key thus eliminating any benefit of authenticity verification.

In other words, why bother turning it on at all?
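The trust question raised in posts #6 and #8, as an added example that is not part of the thread or of ZipSigner: a valid signature only establishes authenticity if the signer's certificate is one you pin. This desktop Java check assumes the archive carries a JAR-style signature (META-INF manifest, .SF and .RSA files); the class name `SignerPinCheck` and the `PINNED` placeholder are hypothetical, and it does not reproduce how any particular recovery verifies.

```java
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class SignerPinCheck {
    // Placeholder: lowercase hex SHA-256 of the DER certificate(s) you choose to trust.
    static final Set<String> PINNED = Set.of("<sha256-of-trusted-cert>");

    static String sha256Hex(byte[] data) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data))
            sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Signature bookkeeping files are not themselves covered by the signature.
    static boolean isSignatureFile(String name) {
        return name.matches("(?i)META-INF/(MANIFEST\\.MF|[^/]+\\.(SF|RSA|DSA|EC))");
    }

    /** Fingerprints of certificates that signed every entry; throws on unsigned or altered entries. */
    static Set<String> signerFingerprints(String zipPath) throws Exception {
        Set<String> common = null;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(zipPath, true)) {            // true = verify signatures
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { }                   // SecurityException on digest mismatch
                }
                Certificate[] certs = e.getCertificates();           // populated only after a full read
                if (certs == null) throw new SecurityException("unsigned entry: " + e.getName());
                Set<String> fps = new HashSet<>();
                for (Certificate c : certs) fps.add(sha256Hex(c.getEncoded()));
                if (common == null) common = fps; else common.retainAll(fps);
            }
        }
        return common == null ? Collections.<String>emptySet() : common;
    }

    public static void main(String[] args) throws Exception {
        Set<String> signers = signerFingerprints(args[0]);
        boolean trusted = signers.stream().anyMatch(PINNED::contains);
        System.out.println("signers: " + signers);
        System.out.println(trusted ? "ACCEPT: signed by a pinned certificate"
                                   : "REJECT: valid signature, but signer is not pinned");
    }
}
```

An archive signed with a publicly available key verifies cleanly here and is still rejected unless that key's fingerprint is in `PINNED`. JDKs that disable SHA-1 JAR signatures report archives signed that way as unsigned, so the check fails closed.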
19th November 2010, 02:46 PM |#9  
Senior Member
Flag Stockholm
Quote:
Originally Posted by Gene Poole

Yes, but the question seems to be: what signatures does it accept? The whole point is to verify the authenticity of the update, but if it uses the google debug key, then anybody can sign an update with that key thus eliminating any benefit of authenticity verification.

In other words, why bother turning it on at all?


If you use Amon_RA you need to sign them.
19th November 2010, 03:38 PM |#10  
Senior Member
Flag Brighton IL
I'm not familiar with Amon_RA (other than the Egyptian deity). What certificates does it use for authentication?
20th November 2010, 01:51 AM |#11  
kellinwood's Avatar
OP Retired Recognized Developer
Kailua, HI
Amon_RA on my Droid Eris allows update.zip files to be flashed if they've been signed with the Google test key.

Sent from my FroyoEris using XDA App

Tags
jarsigner, onboard, signapk, signature