前言

這篇文章主要是分析apksigner rotate，從字面意思理解，這是簽名輪轉(zhuǎn)。但是我們不講原理，我們直接旋轉(zhuǎn)，簽名。
我們先貼兩個(gè)鏈接，如果一看就明白就不用往后看了。

1.具有密鑰輪轉(zhuǎn)的 APK 簽名方案
相應(yīng)的圖如下：

輪轉(zhuǎn)簽名

命令執(zhí)行

分析和實(shí)戰(zhàn)

1.具體的位置和準(zhǔn)備工作

工具的存放位置（apksigner在哪里）：
apksigner是Google官方提供的針對(duì)Android apk簽名及驗(yàn)證的專用工具,
位于Android SDK/build-tools/SDK版本/apksigner.bat

位置

我們來(lái)一張?jiān)斍閳D：

內(nèi)部詳情

2.1 apksigner的基本使用：

打開命令行進(jìn)入D:\Sdk\build-tools\29.0.0-rc2輸入apksigner，得到下面的結(jié)果：

D:\Sdk\build-tools\29.0.0-rc2>apksigner
USAGE: apksigner <command> [options]
       apksigner --version
       apksigner --help

EXAMPLE:
       apksigner sign --ks release.jks app.apk
       apksigner verify --verbose app.apk

apksigner is a tool for signing Android APK files and for checking whether
signatures of APK files will verify on Android devices.


        COMMANDS
rotate                Add a new signing certificate to the SigningCertificateLineage

sign                  Sign the provided APK

verify                Check whether the provided APK is expected to verify on
                      Android

lineage               Modify the capabilities of one or more signers in an existing
                      SigningCertificateLineage

version               Show this tool's version number and exit

help                  Show this usage page and exit

在其他的文件夾下面運(yùn)行上面的命令得到的結(jié)果是不同的。比如：

D:\Sdk\build-tools\28.0.0>apksigner
USAGE: apksigner <command> [options]
       apksigner --version
       apksigner --help

EXAMPLE:
       apksigner sign --ks release.jks app.apk
       apksigner verify --verbose app.apk

apksigner is a tool for signing Android APK files and for checking whether
signatures of APK files will verify on Android devices.


        COMMANDS

sign                  Sign the provided APK

verify                Check whether the provided APK is expected to verify on
                      Android

version               Show this tool's version number and exit

help                  Show this usage page and exit

2.1.1 verify的使用：

 apksigner verify -v --print-certs xxx.apk

參數(shù):
    -v, --verbose 顯示詳情(顯示是否使用V1,V2,V3簽名)
    --print-certs 顯示簽名證書信息

詳細(xì)的結(jié)果如下：

D:\Sdk\build-tools\29.0.0-rc2>apksigner verify -v --print-certs   release.apk
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
Signer #1 certificate DN: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: c8a2e9bccf597c2fb6dc66bee293fc13f2fc47ec77bc6b2b0d52c11f51192ab8
Signer #1 certificate SHA-1 digest: 27196e386b875e76adf700e7ea84e4c6eee33dfa
Signer #1 certificate MD5 digest: 8ddb342f2da5408402d7568af21e29f9
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: 3d3df7dc9bf26e02d4cd76256d41d45e41a4dedebe7feb95c40e3697681be8a7
Signer #1 public key SHA-1 digest: 06cac910fdbd67398c0bb8e297ef679dea589f61
Signer #1 public key MD5 digest: f3714d30107c5b7d1e29325669b80e05

我這里只是粘取了部分信息。這算是對(duì)我們的apk一個(gè)簡(jiǎn)單的驗(yàn)證。

3. 輪轉(zhuǎn)簽名apk

1. 首先是不知道rotate都有那些指令的，只需要運(yùn)行apksigner rotate:

  D:\Sdk\build-tools\29.0.0-rc2>apksigner rotate
USAGE: apksigner rotate [options]

This takes the provided keys and creates a SigningCertificateLineage entry linking the old to the
new, for use in a key rotation scenario using APK Signature Scheme v3.


......
省略部分
.....
        EXAMPLES

1. Create a new SigningCertificateLineage to enable rotation:
$ apksigner rotate --out /path/to/new/file --old-signer --ks release.jks \
    --new-signer --ks release2.jks

2. Extend an existing SigningCertificateLineage to rotate again after previous rotation:
$ apksigner rotate --in /path/to/existing/lineage --out /path/to/new/file \
    --old-signer --ks release2.jks --new-signer --ks release3.jks

3. Create a new SigningCertificateLineage with explicit capabilities for the previous signer:
$ apksigner rotate --out /path/to/new/file --old-signer --ks release.jks \
    --set-installed-data true --set-shared-uid true --set-permission true --set-rollback false \
    --set-auth true --new-signer --ks release2.jks

我們只需要看懂上面的EXAMPLES就可以了：
1.就是普通的輪轉(zhuǎn)簽名
2.可以理解為1生成的簽名再次輪轉(zhuǎn)
3.生成一個(gè)顯示的簽名證書沿襲（具體沒有使用）

開始執(zhí)行輪轉(zhuǎn)：

D:\Sdk\build-tools\29.0.0-rc2>apksigner rotate --out /path --old-signer   --ks release.jks --new-signer --ks release2.jks
Keystore password for old signer:
Keystore password for new signer:
D:\Sdk\build-tools\29.0.0-rc2>

輸入release.jks的密碼，輸入release2.jks的密碼然后就導(dǎo)出了path文件，這個(gè)path文件是一個(gè)什么呢？？其實(shí)就是一個(gè)二進(jìn)制的文件。
但是就是找不到path的路徑，其實(shí)path文件的位置是在D:\,就在我電腦的D盤根目錄。

2. 那么要生成旋轉(zhuǎn)apk，一定會(huì)有apk簽名的。
   不清楚 sign有哪些指令，只需要運(yùn)行一下。

D:\Sdk\build-tools\29.0.0-rc2>apksigner sign
USAGE: apksigner sign [options] apk

This signs the provided APK, stripping out any pre-existing signatures. Signing
is performed using one or more signers, each represented by an asymmetric key
pair and a corresponding certificate. Typically, an APK is signed by just one
signer. For each signer, you need to provide the signer's private key and
certificate.

.........
     省略      GENERAL OPTIONS  和   PER-SIGNER OPTIONS
.........

        EXAMPLES

1. Sign an APK, in-place, using the one and only key in keystore release.jks:
$ apksigner sign --ks release.jks app.apk

1. Sign an APK, without overwriting, using the one and only key in keystore
   release.jks:
$ apksigner sign --ks release.jks --in app.apk --out app-signed.apk

3. Sign an APK using a private key and certificate stored as individual files:
$ apksigner sign --key release.pk8 --cert release.x509.pem app.apk

4. Sign an APK using two keys:
$ apksigner sign --ks release.jks --next-signer --ks magic.jks app.apk

5. Sign an APK using PKCS #11 JCA Provider:
$ apksigner sign --provider-class sun.security.pkcs11.SunPKCS11 \
    --provider-arg token.cfg --ks NONE --ks-type PKCS11 app.apk

6. Sign an APK using a non-ASCII password KeyStore created on English Windows.
   The --pass-encoding parameter is not needed if apksigner is being run on
   English Windows with Java 8 or older.
$ apksigner sign --ks release.jks --pass-encoding ibm437 app.apk

7. Sign an APK on Windows using a non-ASCII password KeyStore created on a
   modern OSX or Linux machine:
$ apksigner sign --ks release.jks --pass-encoding utf-8 app.apk

8. Sign an APK with rotated signing certificate:
$ apksigner sign --ks release.jks --next-signer --ks release2.jks \
    --lineage /path/to/signing/history/lineage app.apk

從上面可以看到第8條就是我們今天的主角了。
下面開始簽名：

D:\Sdk\build-tools\29.0.0-rc2>apksigner sign --ks release.jks --next-signer --ks release2.jks   --lineage /path   release.apk
Keystore password for signer #1:
Keystore password for signer #2:
D:\Sdk\build-tools\29.0.0-rc2>

執(zhí)行完成上面的步驟，我們的簽名就算是完成了。

3. 驗(yàn)證簽名：
   直接來(lái)一個(gè)圖解釋問題：

   
   
   驗(yàn)證
   
   

   從上圖看到支持V3簽名。

4.驗(yàn)證

先安裝一個(gè)支持V2簽名的apk到手機(jī)。然后看支持V3簽名的apk能否覆蓋安裝。如果可以表示安裝成功。

總結(jié)

今天主要就是學(xué)習(xí)一下輪轉(zhuǎn)簽名和apksigner的一些使用，算是一個(gè)小技能的提升。