我已阅读此处,https://source.android.com/docs/security/features/apksigning/v3 ,这里https://www.xda-developers.com/apk-signature-scheme-v3-key-rotation/ ,我可以使用 V3 签名轮换 key ,并且能够使用另一个 key 对 apk 进行签名。
我还需要旧 key 来签名吗?或者用新 key 签名就足够了?
最佳答案
简而言之,用新 key 签名就足够了。
我在 Android 13 模拟器和 Pixel 5 上执行了以下关键轮换步骤(不适用于 Android 10 模拟器)
以下步骤供您引用
创建3个 keystore owen1.jks、owen2.jks和owen3.jks
keytool -keystore owen1.jks -genkey -alias owen1 -keyalg rsa
keytool -keystore owen2.jks -genkey -alias owen2 -keyalg rsa
keytool -keystore owen3.jks -genkey -alias owen3 -keyalg rsa
创建轮换谱系文件
apksigner rotate --out SigningCertificateLineage.owen1.owen2 --old-signer --ks owen1.jks --new-signer --ks owen2.jks
apksigner rotate --out SigningCertificateLineage.owen2.owen3 --old-signer --ks owen2.jks --new-signer --ks owen3.jks
用每个jks签署serial.apk
apksigner sign --ks owen1.jks --in serial.apk --out serial.SignedOwen1.apk
apksigner sign --ks owen2.jks --in serial.apk --out serial.SignedOwen2.apk
apksigner sign --ks owen3.jks --in serial.apk --out serial.SignedOwen3.apk
使用旋转数据对serial.apk进行签名
apksigner sign --ks owen1.jks --next-signer --ks owen2.jks --lineage SigningCertificateLineage.owen1.owen2 --in serial.apk --out serial.rotate.owen1.owen2.apk
apksigner sign --ks owen2.jks --next-signer --ks owen3.jks --lineage SigningCertificateLineage.owen2.owen3 --in serial.apk --out serial.rotate.owen2.owen3.apk
然后让我们尝试按照以下步骤进行旋转
[0] 12/29 15:41:51 owenwen@dell:~/jks$ adb install serial.SignedOwen1.apk
Performing Incremental Install
Serving...
All files should be loaded. Notifying the device.
Success
Install command complete in 931 ms
[0] 12/29 15:42:42 owenwen@dell:~/jks$ adb install serial.rotate.owen1.owen2.apk
Performing Incremental Install
Serving...
All files should be loaded. Notifying the device.
Success
Install command complete in 629 ms
[0] 12/29 15:42:52 owenwen@dell:~/jks$ adb install serial.SignedOwen2.apk
Performing Incremental Install
Serving...
All files should be loaded. Notifying the device.
Success
Install command complete in 467 ms
[0] 12/29 15:42:59 owenwen@dell:~/jks$ adb install serial.rotate.owen2.owen3.apk
Performing Incremental Install
Serving...
All files should be loaded. Notifying the device.
Success
Install command complete in 570 ms
[0] 12/29 15:43:05 owenwen@dell:~/jks$ adb install serial.SignedOwen3.apk
Performing Incremental Install
Serving...
All files should be loaded. Notifying the device.
Success
Install command complete in 728 ms
[0] 12/29 15:43:10 owenwen@dell:~/jks$ adb install serial.SignedOwen1.apk
Performing Incremental Install
Serving...
Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE: Existing package com.sample.app signatures do not match newer version; ignoring!]
Performing Streamed Install
adb: failed to install serial.SignedOwen1.apk: Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE: Existing package com.sample.app signatures do not match newer version; ignoring!]
[1] 12/29 15:43:14 owenwen@dell:~/jks$ adb shell getprop | grep fingerprint
[ro.bootimage.build.fingerprint]: [google/redfin/redfin:13/TQ1A.221205.011/9244662:user/release-keys]
关于android - key 轮换后,我是否仍然需要旧 key 来签署应用程序的更新?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/73787102/