Best bet is to run setool which we maintain on our seandroid-5.0.1 and seandroid branches. This will directly create the needed signer stanza for you. You'll have to build it separately though as it's not part of any normal device build. When run, just pass the apk in question and the hex encoded X.509 certificate used to sign the app, which is also the cert needed for the policy, will be dumped for you.

You could also just pull out the cert yourself. The following command should work where CERT.RSA is the DER contents of your app's cert after unzipping the apk.

openssl pkcs7 -inform DER -print_certs -in CERT.RSA | tail -n +4 | head -n -2 | base64 -d -i | hexdump -v -e '/1 "%02x" '
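
As an added example (not code from this thread or from the SE for Android project), the same extraction done without openssl: it reads the signature block straight from the APK, walks the PKCS#7 structure to the first certificate and returns the signer stanza. All function names and the sample data are made up here; the sample "certificate" is a constructed dummy, and only an APK with a single META-INF/*.RSA block is handled.

```python
import io
import zipfile

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite-length BER is not handled here")
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def first_cert_der(pkcs7):
    """Return the first certificate (complete DER TLV) in a PKCS#7 SignedData."""
    _, p, _ = read_tlv(pkcs7, 0)           # ContentInfo SEQUENCE
    _, _, p = read_tlv(pkcs7, p)           # skip contentType OID
    _, p, _ = read_tlv(pkcs7, p)           # [0] EXPLICIT wrapper
    _, p, end = read_tlv(pkcs7, p)         # SignedData SEQUENCE
    while p < end:
        tag, start, p = read_tlv(pkcs7, p)
        if tag == 0xA0:                    # certificates [0] IMPLICIT
            _, _, cert_end = read_tlv(pkcs7, start)
            return pkcs7[start:cert_end]
    raise ValueError("SignedData carries no certificates")

def signer_stanza(apk, seinfo):            # apk: path or file object
    with zipfile.ZipFile(apk) as z:
        sig = [n for n in z.namelist() if n.startswith("META-INF/") and n.endswith(".RSA")]
        if len(sig) != 1:
            raise ValueError("expected one signature block, found %r" % sig)
        cert = first_cert_der(z.read(sig[0]))
    return '<signer signature="%s">\n  <seinfo value="%s" />\n</signer>' % (cert.hex(), seinfo)

def der(tag, body):                        # tiny encoder, used for the sample only
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

# Constructed sample: a dummy 200-byte "certificate" in a PKCS#7 skeleton.
SAMPLE_CERT = der(0x30, b"\x01" * 200)
SIGNED_DATA = der(0x30, b"\x02\x01\x01\x31\x00\x30\x00" + der(0xA0, SAMPLE_CERT) + b"\x31\x00")
SAMPLE_PKCS7 = der(0x30, bytes.fromhex("06092a864886f70d010702") + der(0xA0, SIGNED_DATA))

def sample_apk():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", SAMPLE_PKCS7)
    return buf
```

The seinfo value in the returned stanza is the one a seapp_contexts entry then refers to, so the domain assignment is bound to the signing certificate rather than to the package name alone.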


On 12/15/2014 01:29 AM, Pankaj Kushwaha wrote:
I tried below tag in mac_permissions.xml as my .mk file in vendors had local certificate as presigned-

    <signer signature="@PRESIGNED" >
      <seinfo value="mysevalue" />
    </signer>

But I wasn't able to label it perfectly.

Then I tried below tag-
    <package name="com.mypackage">
      <seinfo value="mysevalue" />
    </package>

But still I wasn't able to label it perfectly.

Am I missing something?

On Mon, Dec 15, 2014 at 11:17 AM, Pankaj Kushwaha <[email protected]> wrote:

    I am currently thinking to add a signer tag
    in mac_permissions.xml and include package stanzas in that tag, but
    I am not sure what sign shall I use for this third party app.
    I will give a custom seinfo in that tag for my package.



    On Mon, Dec 15, 2014 at 10:58 AM, Pankaj Kushwaha <[email protected]> wrote:

        Thanks a lot for the info.
        But I still have other issues. I don't have the keys from
        which app is signed and the client for which I am working
        won't share the key (due to the fear that if I have the key I
        might replace their app from devices). So that's the reason I
        was trying to find other ways.

        On Fri, Dec 12, 2014 at 9:41 PM, William Roberts <[email protected]> wrote:


            On Dec 12, 2014 5:33 AM, "Stephen Smalley" <[email protected]> wrote:
            >
            > With regard to your other question (about reverting the changes and just
            > using name= with seinfo=default in your seapp_contexts), I don't think
            > anything would currently prevent you from doing that but you'll lose the
            > safety check for any future changes you make, and if that app is ever
            > removed from your build but the corresponding seapp_contexts line is not
            > removed, you'll leave open the potential for any app with the same name
            > to run in that domain. So I wouldn't recommend it.  At some point, we
            > will likely add something to the CTS to check that the device
            > seapp_contexts file does not have any such entries, so it will be
            > enforced for production devices, but that doesn't exist in the current
            > CTS AFAIK.

            As Stephen mentioned, not using a signing key is very bad
            practice. I would also strongly emphasize that you take
            the advice given here. It is really no additional work to
            just add the signing key into the build files and use your
            own seinfo.

            >
            > On 12/12/2014 06:02 AM, Pankaj Kushwaha wrote:
            > > Hi,
            > >
            > > In my case, our app is a 3rd party app which will be pre-built (part of
            > > system.img) and will be uploaded on google play as well for any updated
            > > (just like gmail, google maps, etc).
            > >
            > > So there are no chances that anyone else will install app with same
            > > package name.
            > > Will there be any other consequences if I revert these two patches ?
            > >
            > > Also can you please guide me on how to add a new signer for my app ?
            > > Because my apk doesn't have any .mk file so how will the system know
            > > that app has to pick which seinfo from mac_permissions.xml ?
            > > I just keep my signed apk in vendor/<oem>/common/apps/ folder.
            > >
            > > Thanks
            > > Pankaj Kushwaha
            > >
            > > On Thu, Dec 11, 2014 at 8:18 PM, Stephen Smalley <[email protected]> wrote:
            > >
            > >     Correct.  We simply want to preclude the unsafe practice of assigning
            > >     domain by package name only, as anyone can create an app with any
            > >     package name, and first one to be installed with that name wins.  So you
            > >     must bind it to a specific signature as well.
            > >
            > >     On 12/11/2014 09:35 AM, William Roberts wrote:
            > >     > It appears to me that you can just specify a signer in Mac perms XML
            > >     > with and use a custom seinfo in seapp contexts.
            > >     >
            > >     > On Dec 10, 2014 10:56 PM, "Pankaj Kushwaha" <[email protected]> wrote:
            > >     >
            > >     >     Hi,
            > >     >
            > >     >     I was running some of the third party apps in my custom domain, by
            > >     >     adding below line in seapp_context-
            > >     >     user=_app seinfo=default name=<package_name> domain=<custom_domain> type=<custom_file_type>
            > >     >     and there were few other changes as well.
            > >     >
            > >     >     But in android L I am unable to do so because of below patches-
            > >     >     https://android-review.googlesource.com/#/c/90142/
            > >     >     https://android-review.googlesource.com/#/c/90143/
            > >     >
            > >     >     I just wanted to know that is there any other way to run my app in
            > >     >     custom domain in android L ?
            > >     >     If not, if I remove above two patches in what way will it affect my
            > >     >     other functionality ?
            > >     >
            > >     >     Thanks
            > >     >     Pankaj Kushwaha
            > >     >
            > >     >     _______________________________________________
            > >     >     Seandroid-list mailing list
            > >     >     [email protected]
            > >     >     To unsubscribe, send email to [email protected].
            > >     >     To get help, send an email containing "help" to [email protected].


