How to sign AAR Artifacts in Android?

六月ゝ 毕业季﹏ submitted on 2019-12-03 14:37:10

You can use jarsigner to sign your aar library, and you can use keytool to generate the signing keys. Both tools are located in the embedded JDK that comes with Android Studio. Do the following to sign your library.

Signing

Generate a keystore with a key pair. You'll need to provide the certificate fields:

keytool -genkeypair -alias aarsign -keypass mypassword -keystore aarsign.keystore -storepass mypassword -v

Export the generated certificate into a PEM file:

keytool -exportcert -rfc -alias aarsign -file aarsign-public.pem -keystore aarsign.keystore -storepass mypassword -v

Create a keystore containing the certificate:

keytool -importcert -alias aarsign -file aarsign-public.pem -keystore aarsign-public.keystore -storepass mypassword -v

Sign the library:

jarsigner -keystore aarsign.keystore -storepass mypassword -keypass mypassword -signedjar lib-signed.aar -verbose lib.aar aarsign

Verifying

Anyone who wishes to attest the authenticity of the library needs to obtain your certificate (or the keystore with it) in a reliable way, and enter this command:

jarsigner -keystore aarsign-public.keystore -storepass mypassword -verify -verbose -certs lib-signed.aar aarsign

It will give the message

jar verified.

with some warnings about certificate expiration and signature timestamp. You can get rid of these warnings by creating a stricter certificate. Refer to keytool and jarsigner documentation.

There are two ways in which you can find out whether your library has been tampered with: mismatched digests or a mismatched certificate. If someone generates an aar from a different source code or with different resources, the digest won't match and jarsigner will warn, for example:

jarsigner: java.lang.SecurityException: invalid SHA-256 signature file digest for <file>

And, if someone provides a different certificate than your own, jarsigner will warn:

Warning: 
This jar contains entries whose certificate chain is not validated.
This jar contains signed entries which are not signed by the specified alias(es).
This jar contains signed entries that are not signed by alias in this keystore.
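The digest layer of the check described above, as an added Python illustration that is not part of this answer: it builds a small zip with a MANIFEST.MF carrying one SHA-256-Digest section per entry (the way jarsigner records them), then recomputes every entry's digest and reports mismatched or unlisted entries. The sample contents are constructed, 72-byte manifest line wrapping is not handled, and the second layer (the signature over the .SF file that binds the manifest to your certificate, which produces the "not signed by alias" warnings) is deliberately not reproduced.

```python
import base64, hashlib, io, zipfile

def b64_sha256(data):
    # Base64 SHA-256, the form MANIFEST.MF uses in its SHA-256-Digest lines
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_manifest(entries):
    # One named section per entry, as jarsigner writes them (72-byte line wrapping not handled)
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {b64_sha256(data)}", ""]
    return ("\r\n".join(lines) + "\r\n").encode()

def make_aar(entries, signed_entries=None):
    # Manifest is computed over signed_entries (default: entries); a mismatch simulates a rebuilt AAR
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", build_manifest(signed_entries or entries))
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def parse_manifest(text):
    # Map entry name -> SHA-256-Digest from the manifest's named sections
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[len("SHA-256-Digest: "):]
        elif not line.strip():
            name = None
    return digests

def check_digests(aar_bytes):
    # Recompute every entry's digest and compare with the manifest; return a list of findings
    findings = []
    with zipfile.ZipFile(io.BytesIO(aar_bytes)) as zf:
        expected = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for name in zf.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue  # signature files and directories carry no digest of their own
            if name not in expected:
                findings.append(f"unsigned entry: {name}")
            elif expected[name] != b64_sha256(zf.read(name)):
                findings.append(f"digest mismatch: {name}")
    return findings

# Constructed sample contents; a real AAR holds classes.jar, AndroidManifest.xml, res/ and more
SAMPLE = {"classes.jar": b"PK\x03\x04 original classes", "AndroidManifest.xml": b"<manifest/>"}
```

Running `check_digests(make_aar(SAMPLE))` on the untouched archive returns no findings, while an archive whose classes.jar was replaced without regenerating the manifest is reported as a digest mismatch.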

You can generate it by executing:

./gradlew assembleRelease

Or from gradle menu, on the right side of the Android Studio, select YourLibraryProject->Tasks->Build->AssembleRelease.

But of course you need to add the signing key in your library project. Please read Sign Your App.

I haven't tried but this "should" work:

Create a block like this in your gradle config file for the aar you're going to create:

signedAar {
    signedConfig{
        storeFile file("path/to/keystore")
        storePassword "Password"
        keyAlias "Alias"
        keyPassword "AliasPassword"
    }
}

then add this to the buildTypes -> release block of the same config file:

signingConfig  signedAar.signedConfig

Let us know if this works

Because variant.signingConfig doesn't work for me, I have used:

apply plugin: 'com.android.library'

...

android {
    ...

    signingConfigs {
        release {
            storeFile file("${rootProject.projectDir}/keystore.jks")
            storePassword "XXXX"
            keyAlias "alias"
            keyPassword "XXXX"
        }
    }

    ...
}

// Hook the release assembly so the produced AAR is signed and then verified in place.
tasks.whenTaskAdded { task ->
    if (task.name == 'assembleRelease') {
        // XXX is a placeholder for the library module name
        def aarPath = "${project.buildDir}/outputs/aar/XXX-release.aar"

        task.doLast {
            // Sign the AAR with the key from android.signingConfigs.release (wraps jarsigner)
            ant.signjar(
                    alias: android.signingConfigs.release.keyAlias,
                    jar: aarPath,
                    keystore: android.signingConfigs.release.storeFile,
                    storepass: android.signingConfigs.release.storePassword,
                    keypass: android.signingConfigs.release.keyPassword,
                    preservelastmodified: 'true')

            // Verify the freshly signed AAR against the same keystore (wraps jarsigner -verify)
            ant.verifyjar(
                    alias: android.signingConfigs.release.keyAlias,
                    jar: aarPath,
                    keystore: android.signingConfigs.release.storeFile,
                    storepass: android.signingConfigs.release.storePassword,
                    keypass: android.signingConfigs.release.keyPassword)
        }
    }
}

Neha

Why don't you SHA-256 hash your aar file? Even if someone messed around, the hash of the aar changes and you'll get to know. It works for me ;)
