sassoftware / relic

Relic is a service and a tool for adding digital signatures to operating system packages for Linux and Windows
Apache License 2.0

Allow signing JAR files (like Android application bundles) with modern keys #25

Closed ingokloecker closed 1 year ago

ingokloecker commented 1 year ago

This PR adds support for PKCS#12 key files.

I had a hard time convincing relic to sign an Android application bundle with a key generated with keytool according to Google's instructions. The only thing that worked was using an unencrypted private key. Seeing that the import-key command already supports PKCS#12, I decided to add support for PKCS#12 key files (like the keystores created by keytool). Since modern keys use SHA256 instead of SHA1, I also had to find a replacement for the frozen and outdated golang.org/x/crypto/pkcs12 module.

Using the following relic.yml:

---
tokens:
  myfiletoken:
    type: file

keys:
  my_file_key:
    token: myfiletoken
    keyfile: ./keystore.jks
    ispkcs12: true
    x509certificate: ./certificate.pem

I could successfully sign an Android application bundle with our upload key.

./relic -c relic.yml sign -k my_file_key -f app.aab -T jar
Password for PKCS12: ******
Signed app.aab

I don't really know Go (yet). Comments are welcome.

I agree to the contributing guidelines, but I couldn't find the referenced contributor agreement file.
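Added example (not part of this PR and not relic code): a stand-alone Python script that walks only the outer DER structure of a PKCS#12 file and reports the MAC digest and the content-encryption algorithms, which is the quickest way to tell whether a keytool-generated keystore is the "modern" kind described above. The verdict function encodes an assumption about the frozen golang.org/x/crypto/pkcs12 package, namely that it verifies only a SHA-1 MAC and decrypts only the two original PKCS#12 PBE ciphers; the two sample keystores are constructed inside the script with the correct outer layout but dummy MAC, salt and ciphertext bytes, so nothing here decrypts or verifies a real key.

```python
"""Report which MAC digest and content ciphers a PKCS#12 (PFX) keystore uses,
without decrypting it. Added example; not relic code. Structure per RFC 7292."""

# OIDs that appear in the outer PKCS#12 structure
ID_DATA = "1.2.840.113549.1.7.1"
ID_ENCRYPTED_DATA = "1.2.840.113549.1.7.6"
SHA1 = "1.3.14.3.2.26"
SHA256 = "2.16.840.1.101.3.4.2.1"
PBE_SHA1_3DES = "1.2.840.113549.1.12.1.3"   # pbeWithSHAAnd3-KeyTripleDES-CBC
PBE_SHA1_RC2_40 = "1.2.840.113549.1.12.1.6"  # pbeWithSHAAnd40BitRC2-CBC
PBES2 = "1.2.840.113549.1.5.13"              # PBES2 (AES), emitted by current keytool

def der(tag, content):
    """Encode one DER TLV; used only to construct the sample keystores below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_oid(dotted):
    """DER-encode a dotted OID (base-128 arcs, first two arcs combined)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body.extend(chunk)
    return der(0x06, bytes(body))

def der_read(buf, pos=0):
    """Decode the TLV at buf[pos] -> (tag, content, next position)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def der_children(content):
    """(tag, content) list of the elements inside a constructed element."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out

def oid_str(body):
    """Decode OID content bytes to dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def pkcs12_algorithms(pfx):
    """{'mac_digest': oid-or-None, 'content_encryption': [oid, ...]} for a PFX blob."""
    parts = der_children(der_read(pfx)[1])         # version, authSafe, macData (optional)
    info = {"mac_digest": None, "content_encryption": []}
    if len(parts) == 3:
        digest_info = der_children(parts[2][1])[0]              # MacData.mac
        alg_id = der_children(digest_info[1])[0]                # DigestInfo.digestAlgorithm
        info["mac_digest"] = oid_str(der_children(alg_id[1])[0][1])
    ctype, explicit = der_children(parts[1][1])                 # authSafe ContentInfo
    if oid_str(ctype[1]) != ID_DATA:
        raise ValueError("public-key integrity mode PFX is not handled here")
    octets = der_children(explicit[1])[0]                       # [0] EXPLICIT OCTET STRING
    for _, ci_body in der_children(der_read(octets[1])[1]):     # AuthenticatedSafe: SEQUENCE OF ContentInfo
        ctype, explicit = der_children(ci_body)
        if oid_str(ctype[1]) != ID_ENCRYPTED_DATA:
            continue                                             # plain SafeContents (cert bags): no cipher
        enc_data = der_children(explicit[1])[0]                 # EncryptedData
        eci = der_children(enc_data[1])[1]                      # EncryptedContentInfo
        cipher = der_children(eci[1])[1]                        # contentEncryptionAlgorithm
        info["content_encryption"].append(oid_str(der_children(cipher[1])[0][1]))
    return info

def legacy_go_pkcs12_supported(info):
    """Assumption about the frozen golang.org/x/crypto/pkcs12: it verifies only a
    SHA-1 MAC and decrypts only the two original PKCS#12 PBE ciphers."""
    return info["mac_digest"] == SHA1 and all(
        c in (PBE_SHA1_3DES, PBE_SHA1_RC2_40) for c in info["content_encryption"])

def build_sample_pfx(mac_digest_oid, cipher_oid):
    """Constructed sample: real outer layout, dummy MAC, salt and ciphertext bytes."""
    eci = der(0x30, der_oid(ID_DATA) + der(0x30, der_oid(cipher_oid)) + der(0x80, b"\x00" * 16))
    ci = der(0x30, der_oid(ID_ENCRYPTED_DATA) + der(0xA0, der(0x30, der(0x02, b"\x00") + eci)))
    auth_safe = der(0x30, der_oid(ID_DATA) + der(0xA0, der(0x04, der(0x30, ci))))
    mac_data = der(0x30, der(0x30, der(0x30, der_oid(mac_digest_oid)) + der(0x04, b"\x11" * 20))
                   + der(0x04, b"\x22" * 8) + der(0x02, b"\x08\x00"))   # 2048 iterations
    return der(0x30, der(0x02, b"\x03") + auth_safe + mac_data)

MODERN_PFX = build_sample_pfx(SHA256, PBES2)          # shape of a current keytool keystore
LEGACY_PFX = build_sample_pfx(SHA1, PBE_SHA1_3DES)    # shape of an old-style keystore

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                             # optionally inspect a real keystore file
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], pkcs12_algorithms(fh.read()))
    for name, blob in (("modern", MODERN_PFX), ("legacy", LEGACY_PFX)):
        info = pkcs12_algorithms(blob)
        verdict = "can" if legacy_go_pkcs12_supported(info) else "cannot"
        print(f"{name}: {info} -> x/crypto/pkcs12 {verdict} open it")
```

Run it with a keystore path as the first argument to see what your own file uses; a SHA-256 MAC or a PBES2 content cipher is exactly the combination the old module rejects, and the reason this PR needed a different PKCS#12 decoder.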

mtharp commented 1 year ago

Thanks for the contribution! I followed this up with an addition to load the certificates as well, so it doesn't need to be separately provided. Let me know if it doesn't work for you.