Hi all, Thanks a lot. I am able to generate signer tag using below link- http://seandroid.bitbucket.org/InstalltimeMAC.html
Couldn't test it though, but I guess it should work. Thanks Pankaj Kushwaha On Mon, Dec 15, 2014 at 4:40 PM, Robert Craig <[email protected]> wrote: > > Best bet is to run setool which we maintain on our seandroid-5.0.1 and > seandroid branches. This will directly create the needed signer stanza for > you. You'll have to build it separately though as it's not part of any > normal device build. When run, just pass the apk in question and the hex > encoded X.509 certificate used to sign the app, which is also the cert > needed for the policy, will be dumped for you. > > You could also just pull out the cert yourself. The following command > should work where CERT.RSA is the DER contents of your app's cert aftert > unzipping the apk. > > openssl pkcs7 -inform DER -print_certs -in CERT.RSA | tail -n +4 | head -n -2 > | base64 -d -i | hexdump -v -e '/1 "%02x" ' > > > On 12/15/2014 01:29 AM, Pankaj Kushwaha wrote: > > I tried below tag in mac_permissions.xml as my .mk flle in vendors had > local cetificate as presigned- > > <signer signature="@PRESIGNED" > > <seinfo value="mysevalue" /> > </signer> > > But I wasn't able to label it perfectly. > > Then I tried below tag- > <package name="com.mypackage"> > <seinfo value="mysevalue" /> > </package> > > But still I wasn't able to label it perfectly. > > Am is missing something ?? > > On Mon, Dec 15, 2014 at 11:17 AM, Pankaj Kushwaha < > [email protected]> wrote: >> >> I am currently thinking to add a signer tag in mac_permisison.xml and >> include package stanzas in that tag, but I am not sure what sign shall I >> use for this third party app. >> I will give a custom seinfo in that tag for my package. >> >> >> On Mon, Dec 15, 2014 at 10:58 AM, Pankaj Kushwaha < >> [email protected]> wrote: >>> >>> Thanks a lot for the info. >>> But I am in still in other issues. I don't have the keys from which app >>> is signed and the client for which I am working won't share the key (due to >>> the fear that if I have the key I might replace their app from devices). So >>> that's the reason I was trying to find other ways. >>> >>> On Fri, Dec 12, 2014 at 9:41 PM, William Roberts < >>> [email protected]> wrote: >>>> >>>> >>>> On Dec 12, 2014 5:33 AM, "Stephen Smalley" <[email protected]> wrote: >>>> > >>>> > With regard to your other question (about reverting the changes and >>>> just >>>> > using name= with seinfo=default in your seapp_contexts), I don't think >>>> > anything would currently prevent you from doing that but you'll lose >>>> the >>>> > safety check for any future changes you make, and if that app is ever >>>> > removed from your build but the corresponding seapp_contexts line is >>>> not >>>> > removed, you'll leave open the potential for any app with the same >>>> name >>>> > to run in that domain. So I wouldn't recommend it. At some point, we >>>> > will likely add something to the CTS to check that the device >>>> > seapp_contexts file does not have any such entries, so it will be >>>> > enforced for production devices, but that doesn't exist in the current >>>> > CTS AFAIK. >>>> >>>> As stephen mentioned not using a signing key is very bad practice. I >>>> would also strongly emphasize that you take the advice given here. It is >>>> really no additional work to just add the signing key into the build files >>>> and use your own seinfo. >>>> >>>> > >>>> > On 12/12/2014 06:02 AM, Pankaj Kushwaha wrote: >>>> > > Hi, >>>> > > >>>> > > In my case, our app is a 3rd party app which will be pre-built >>>> (part of >>>> > > system.img) and will be uploaded on google play as well for any >>>> updated >>>> > > (just like gmail, google maps, etc). >>>> > > >>>> > > So there are no chances that anyone else will install app with same >>>> > > package name. >>>> > > Will there be any other consequences if I revert these two patches ? >>>> > > >>>> > > Also can you please guide me on how to add a new signer for my app ? >>>> > > Because my apk doesn't have any .mk file so how will the system know >>>> > > that app has to pick which seinfo from mac_permissions.xml ? >>>> > > I just keep my signed apk in vendor/<oem>/common/apps/ folder. >>>> > > >>>> > > Thanks >>>> > > Pankaj Kushwaha >>>> > > >>>> > > On Thu, Dec 11, 2014 at 8:18 PM, Stephen Smalley <[email protected] >>>> > > <mailto:[email protected]>> wrote: >>>> > > >>>> > > Correct. We simply want to preclude the unsafe practice of >>>> assigning >>>> > > domain by package name only, as anyone can create an app with >>>> any >>>> > > package name, and first one to be installed with that name >>>> wins. So you >>>> > > must bind it to a specific signature as well. >>>> > > >>>> > > On 12/11/2014 09:35 AM, William Roberts wrote: >>>> > > > It appears to me that you can just specify a signer in Mac >>>> perms XML >>>> > > > with and use a custom seinfo in seapp contexts. >>>> > > > >>>> > > > On Dec 10, 2014 10:56 PM, "Pankaj Kushwaha" >>>> > > > <[email protected] >>>> > > <mailto:[email protected]> >>>> > > <mailto:[email protected] >>>> > > <mailto:[email protected]>>> >>>> > > > wrote: >>>> > > > >>>> > > > Hi, >>>> > > > >>>> > > > I was running some of the third party apps in my custom >>>> domain, by >>>> > > > adding below line in seapp_context- >>>> > > > user=_app seinfo=default name=<pacakge_name> >>>> domain=<custom_domain> >>>> > > > type=<custom_file_type> >>>> > > > and tehre were few other changes as well. >>>> > > > >>>> > > > But in android L I am unable to do so because of below >>>> patches- >>>> > > > https://android-review.googlesource.com/#/c/90142/ >>>> > > > https://android-review.googlesource.com/#/c/90143/ >>>> > > > >>>> > > > I just wanted to know that is there any other way to run >>>> my app in >>>> > > > custom domain in andorid L ? >>>> > > > If not, if I remove above two patches in what way will it >>>> effect my >>>> > > > other functionality ? >>>> > > > >>>> > > > Thanks >>>> > > > Pankaj Kushwaha >>>> > > > >>>> > > > _______________________________________________ >>>> > > > Seandroid-list mailing list >>>> > > > [email protected] >>>> > > <mailto:[email protected]> >>>> > > <mailto:[email protected] >>>> > > <mailto:[email protected]>> >>>> > > > To unsubscribe, send email to >>>> [email protected] >>>> > > <mailto:[email protected]> >>>> > > > <mailto:[email protected] >>>> > > <mailto:[email protected]>>. >>>> > > > To get help, send an email containing "help" to >>>> > > > [email protected] >>>> > > <mailto:[email protected]> >>>> > > > <mailto:[email protected] >>>> > > <mailto:[email protected]>>. >>>> > > > >>>> > > > >>>> > > > >>>> > > > _______________________________________________ >>>> > > > Seandroid-list mailing list >>>> > > > [email protected] <mailto: >>>> [email protected]> >>>> > > > To unsubscribe, send email to >>>> [email protected] >>>> > > <mailto:[email protected]>. >>>> > > > To get help, send an email containing "help" to >>>> > > [email protected] >>>> > > <mailto:[email protected]>. >>>> > > > >>>> > > >>>> > > >>>> > > >>>> > > _______________________________________________ >>>> > > Seandroid-list mailing list >>>> > > [email protected] >>>> > > To unsubscribe, send email to [email protected]. >>>> > > To get help, send an email containing "help" to >>>> [email protected]. >>>> > > >>>> > >>>> > _______________________________________________ >>>> > Seandroid-list mailing list >>>> > [email protected] >>>> > To unsubscribe, send email to [email protected]. >>>> > To get help, send an email containing "help" to >>>> [email protected]. >>>> >>> > > _______________________________________________ > Seandroid-list mailing [email protected] > To unsubscribe, send email to [email protected]. > To get help, send an email containing "help" to > [email protected]. > > >
_______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
