1.3 System APK signing
☛ When the ISV wants to design, on the TAB10s, an APK that does not require system rights to run, no APK signing is required. To design an APK that needs system privileges, such as surround light driving, reboot control or the URL launcher, the ISV needs to sign its APK with a Java Keystore holding a certificate signed by Qeedji.
☛ The ISV may use its Java Keystore for all its system applications, and the same certificate for all of the ISV's TAB10s devices. When APK signing is required, each ISV must apply this procedure once.
Procedure to create a system Java Keystore
☛ In the example, the company name is assumed to be Contoso. ISD means IT Service Department. The procedure requires the generic email address of the Chief Information Security Officer (CISO) of the company, for example ciso@contoso.com.
◬ In the following procedure, these example values have been used.

Label type                          Label value example
C                                   US
ST                                  California
L                                   San-Francisco
O                                   Contoso
OU                                  Contoso_ISD
CN                                  CISO
E                                   ciso@contoso.com
Passphrase                          1234
Java_keystore basename file         contoso_qeedji_java_keystore
Java_keystore password              567890
Friendly_name / name / key_alias    qeedji_aosp_key
1. GENERATE YOUR PRIVATE KEY
◬ You are responsible for storing your private key, which must never be communicated to a third party.
Generate your private key with a length of 2048 bits, using the RSA 2048 Bits key type.
For example:
openssl genrsa -f4 2048 > contoso_private_key_for_android.key
2. GENERATE YOUR OWN CSR (CERTIFICATE SIGNING REQUEST)
Generate your own .csr certificate signing request from your private key and the applicant identification used to digitally sign the request. Please follow the filename pattern, replacing contoso with your own organization name.
For example:
openssl req -new -key contoso_private_key_for_android.key -subj '/C=US/ST=California/L=San-Francisco/O=Contoso/OU=Contoso_ISD/CN=CISO/emailAddress=ciso@contoso.com' > contoso-for_qeedji_aosp.csr
3. SEND YOUR CSR TO QEEDJI
Once generated, send an email to csr@qeedji.tech with your CSR (the contoso-for_qeedji_aosp.csr file, for example) as an attachment.
4. WAIT FOR THE QEEDJI ANSWER
Qeedji should then return an answer within 7 days.
◬ Qeedji will send its answer to the email address defined in the CSR file (ciso@contoso.com for example), which may not be the same email address used to send the CSR to Qeedji.
Qeedji sends 2 files: the signed certificate (extension .crt) and the CA file (extension .pem).
For example:
contoso-qeedji_aosp-certificate-001A.crt, contoso-qeedji_aosp-certificate_authority-001A.pem
5. GENERATE YOUR PUBLIC CERTIFICATE KEY
You first have to generate your public certificate key, a PKCS#12 file bundling your certificate, your private key and the Qeedji CA chain under the key alias. For example:
openssl pkcs12 -export -in contoso-qeedji_aosp-certificate-001A.crt -inkey contoso_private_key_for_android.key -out contoso_certificate_and_key_for_qeedji_aosp.pk12 -password pass:1234 -name qeedji_aosp_key -chain -CAfile contoso-qeedji_aosp-certificate_authority-001A.pem
6. GENERATE THE JAVA KEYSTORE
Then generate a Java Keystore from your public certificate key with the keytool¹ toolbox. The system Java Keystore is now usable in Android Studio.
For example:
keytool -importkeystore -deststorepass 567890 -destkeystore contoso_qeedji_java_keystore.jks -srckeystore contoso_certificate_and_key_for_qeedji_aosp.pk12 -srcstoretype PKCS12 -srcstorepass 1234
¹ Keytool is a toolbox to handle certificates for Java products. It is provided by default in the JDK since version 1.1.