Load and use Android code signing certificate

This is a step-by-step guide on how to load and use an android code signing key and certificate.

Prerequisites

  • a YubiKey with the PIV application

  • the yubico-piv-tool software

  • the OpenSC software

  • jarsigner and keytool from the JDK (OpenJDK 8 used here)

Steps

  1. Import the key and cert, do one of the below:

    1. Import the key and cert (PEM format) in slot 9a:

      yubico-piv-tool -s 9a -a import-key -i key.pem
      yubico-piv-tool -s 9a -a import-certificate -i cert.pem
      
    2. Import the key and cert (PKCS12 format) in slot 9a:

      yubico-piv-tool -s 9a -a import-key -a import-cert -i key.p12 -K PKCS12
      
  2. Create a java pkcs11 configuration file:

    cat > /tmp/pkcs11_java.cfg
    name = OpenSC-PKCS11
    description = SunPKCS11 via OpenSC
    library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
    slotListIndex = 1
    
  3. Check that keytool can see the key:

    keytool -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /tmp/pkcs11_java.cfg \
      -keystore NONE -storetype PKCS11 -list
    Enter keystore password:
    
    Keystore type: PKCS11
    Keystore provider: SunPKCS11-OpenSC-PKCS11
    
    Your keystore contains 1 entry
    
    Certificate for PIV Authentication, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 26:D7:CB:71:6D:42:3C:AB:58:69:E0:9D:F0:16:DF:84:7E:1C:5A:9A
    

    Password here is the PIN of the key (default 123456).

  4. Sign the apk with jarsigner:

    jarsigner -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /tmp/pkcs11_java.cfg \
      -keystore NONE -storetype PKCS11 app.apk "Certificate for PIV Authentication"
    Enter Passphrase for keystore:
    jar signed.
    
  5. Verify the signature with jarsigner:

    jarsigner -verify app.apk