Add script to sign apks with yubikey

tchapgouv · May 14, 2024 · 9bf3952 · 9bf3952
1 parent df899ac
commit 9bf3952
Show file tree

Hide file tree

Showing 2 changed files with 143 additions and 0 deletions.
diff --git a/tools/release/sign_all_apks_yubi.sh b/tools/release/sign_all_apks_yubi.sh
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+
+# Copy and adaptation of ./sign_all_apks.sh, which takes 2 more params: key store pass and the path of PKCS11 config file.
+# It's unsafe to use it because it takes password as parameter, so passwords will
+# remain in the terminal history.
+
+set -e
+
+if [ "$#" -ne 2 ]
+then
+  echo "Usage: ./tools/release/sign_all_apks_yubi \$PKCS11_CONFIG_PATH \$FOLDER"
+  exit 1
+fi
+
+# Get the command line parameters
+PARAM_PKCS11_CONFIG_PATH=$1
+PARAM_DIRECTORY=$2
+CHECKSUM_FILE="checksums.txt"
+
+if [ ! -f "$PARAM_PKCS11_CONFIG_PATH" ]
+then
+    echo "$PARAM_PKCS11_CONFIG_PATH does not exist. Please install yubico-piv-tool (doc: https://developers.yubico.com/PIV/Guides/Android_code_signing.html)"
+    exit 1
+fi
+
+read -p "Please enter the artifact URL: " artifactUrl
+read -s -p "Please enter your GitHub token: " gitHubToken
+
+printf "\n================================================================================\n"
+printf "Downloading the artifact...\n"
+
+# Ignore error
+set +e
+
+python3 ./tools/release/download_github_artifacts.py \
+    --token ${gitHubToken} \
+    --artifactUrl ${artifactUrl} \
+    --directory ${PARAM_DIRECTORY} \
+    --ignoreErrors
+
+# Do not ignore error
+set -e
+
+printf "\n================================================================================\n"
+printf "Unzipping the artifact...\n"
+
+unzip ${PARAM_DIRECTORY}/GplayTchapWithdmvoipWithpinning-release-unsigned.zip -d ${PARAM_DIRECTORY}
+
+# Flatten folder hierarchy
+mv ${PARAM_DIRECTORY}/gplayTchapWithdmvoipWithpinning/release/* ${PARAM_DIRECTORY}
+rm -rf ${PARAM_DIRECTORY}/gplayTchapWithdmvoipWithpinning
+
+printf "\n================================================================================\n"
+printf "Signing the APKs...\n"
+
+read -s -p "Enter your PIN: " pin
+
+# Sign all the apks in the directory PARAM_DIRECTORY
+for file in ${PARAM_DIRECTORY}/*.apk
+do
+  sh ./tools/release/sign_apk_yubi.sh "${PARAM_PKCS11_CONFIG_PATH}" "${file}" "${pin}"
+done
+
+unset pin
+
+# Rename and Hash all the apks in the directory PARAM_DIRECTORY
+for file in ${PARAM_DIRECTORY}/*.apk
+do
+  # Rename Apk: remove unsigned by signed
+  apkName="$(echo ${file} | sed -e 's/\-unsigned/-signed/')" ;
+  mv "${file}" "${apkName}" ;
+
+  # Hash application with SHA 256
+  echo "Hash SHA 256 on file... ${apkName}"
+  result="$(shasum "-a" "256" ${apkName})"
+
+  # Save hash in file: Checksum.txt
+  resultSplit=(${result})
+  newName="$(echo ${resultSplit[1]} | sed 's/.*\///')"
+  echo "SHA256(${newName})=${resultSplit[0]}" >> ${PARAM_DIRECTORY}/${CHECKSUM_FILE}
+done
+
+echo "done !! :)"
diff --git a/tools/release/sign_apk_yubi.sh b/tools/release/sign_apk_yubi.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+
+# Copy and adaptation of ./sign_apk.sh, which takes 2 more params: key store pass and the path of PKCS11 config file.
+# It's unsafe to use it because it takes password as parameter, so passwords will
+# remain in the terminal history.
+
+set -e
+
+if [[ -z "${ANDROID_HOME}" ]]; then
+    echo "Env variable ANDROID_HOME is not set, should be set to something like ~/Library/Android/sdk"
+    exit 1
+fi
+
+if [[ "$#" -ne 3 ]]; then
+  echo "Usage: $0 PKCS11_CONFIG_PATH APK KS_PASS" >&2
+  exit 1
+fi
+
+# Get the command line parameters
+PARAM_PKCS11_CONFIG_PATH=$1
+PARAM_APK=$2
+PARAM_KS_PASS=$3
+
+# Other params
+BUILD_TOOLS_VERSION="31.0.0"
+MIN_SDK_VERSION=21
+BUILD_TOOLS_PATH=${ANDROID_HOME}/build-tools/${BUILD_TOOLS_VERSION}
+
+if [[ ! -d ${BUILD_TOOLS_PATH} ]]; then
+    printf "Fatal: ${BUILD_TOOLS_PATH} folder not found, ensure that you have installed the SDK version ${BUILD_TOOLS_VERSION}.\n"
+    exit 1
+fi
+
+echo "\n\nSigning ${PARAM_APK} with build-tools version ${BUILD_TOOLS_VERSION} for min SDK version ${MIN_SDK_VERSION}..."
+
+${BUILD_TOOLS_PATH}/apksigner -J-add-exports"=jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED" sign \
+    -v \
+    --ks NONE \
+    --ks-pass "pass:${PARAM_KS_PASS}" \
+    --ks-type PKCS11 \
+    --ks-key-alias "X.509 Certificate for PIV Authentication" \
+    --provider-class sun.security.pkcs11.SunPKCS11 \
+    --provider-arg ${PARAM_PKCS11_CONFIG_PATH} \
+    --min-sdk-version ${MIN_SDK_VERSION} \
+    ${PARAM_APK}
+
+# Verify the signature
+echo "\nVerifying the signature..."
+
+# Note: we ignore warning on META-INF files
+${BUILD_TOOLS_PATH}/apksigner verify \
+    -v \
+    --min-sdk-version ${MIN_SDK_VERSION} \
+    ${PARAM_APK} \
+    | grep -v "WARNING: META-INF/"
+
+echo "\nPackage info..."
+${BUILD_TOOLS_PATH}/aapt dump badging ${PARAM_APK} | grep package
+
+echo "\nCongratulations! The APK ${PARAM_APK} is now signed!\n"