APKSigner RSA-HSM support #44205

Open
2 tasks done
lukeacadogan opened this issue Feb 14, 2025 · 0 comments
Labels
  • customer-reported: Issues that are reported by GitHub users external to the Azure organization.
  • needs-triage: Workflow: This is a new issue that needs to be triaged to the appropriate team.
  • question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that.

Comments

@lukeacadogan

Query/Question
I am using APKSigner and the Azure Key Vault and azure-security-keyvault-jca-2.10.0.jar to attempt to sign an APK.

Why APKSigner and not jarsigner? Well, as far as I know, jarsigner does not support the later versions of the Android signing schemes (v2 and higher) that incorporate the concept of lineage.

I am able to successfully sign my APK with this method when using a code signing certificate issued by Sectigo a few years ago that was subsequently uploaded to the Azure Key Vault using a pfx file containing the full certificate chain.

When I switch to using the new RSA-HSM certificate that was issued by GlobalSign, I get the error java.security.InvalidKeyException: No installed provider supports this key: com.azure.security.keyvault.jca.implementation.KeyVaultPrivateKey.

My questions are:

  • Are RSA-HSM keys fully supported in this JCA?
  • Are there any options that need to be set either in java or Azure to support this?

Full exception below:

Exception in thread "main" java.security.InvalidKeyException: Signer #1 failed
at com.android.apksig.internal.apk.v3.V3SchemeSigner.generateApkSignatureSchemeV3Block(V3SchemeSigner.java:250)
at com.android.apksig.internal.apk.v3.V3SchemeSigner.generateApkSignatureSchemeV3BlockAndDigests(V3SchemeSigner.java:234)
at com.android.apksig.DefaultApkSignerEngine.outputZipSectionsInternal(DefaultApkSignerEngine.java:1105)
at com.android.apksig.DefaultApkSignerEngine.outputZipSections2(DefaultApkSignerEngine.java:1025)
at com.android.apksig.ApkSigner.sign(ApkSigner.java:629)
at com.android.apksig.ApkSigner.sign(ApkSigner.java:237)
at com.android.apksigner.ApkSignerTool.sign(ApkSignerTool.java:425)
at com.android.apksigner.ApkSignerTool.main(ApkSignerTool.java:94)
Caused by: java.security.InvalidKeyException: Failed to sign using SHA512withRSA
at com.android.apksig.internal.apk.ApkSigningBlockUtils.generateSignaturesOverData(ApkSigningBlockUtils.java:1159)
at com.android.apksig.internal.apk.v3.V3SchemeSigner.generateSignerBlock(V3SchemeSigner.java:310)
at com.android.apksig.internal.apk.v3.V3SchemeSigner.generateApkSignatureSchemeV3Block(V3SchemeSigner.java:248)
... 7 more
Caused by: java.security.InvalidKeyException: No installed provider supports this key: com.azure.security.keyvault.jca.implementation.KeyVaultPrivateKey
at java.base/java.security.Signature$Delegate.chooseProvider(Signature.java:1302)
at java.base/java.security.Signature$Delegate.engineInitSign(Signature.java:1359)
at java.base/java.security.Signature.initSign(Signature.java:635)
at com.android.apksig.JcaSignerEngine.sign(JcaSignerEngine.java:53)
at com.android.apksig.internal.apk.ApkSigningBlockUtils.generateSignaturesOverData(ApkSigningBlockUtils.java:1157)

Why is this not a Bug or a feature Request?
I am not sure if this is a bug or just my lack of understanding. The key type (RSA-HSM size 4096) is in the list of supported key types.

Setup (please complete the following information if applicable):

  • OS: Windows
  • IDE: Android Studio (Koala 2024.1.1)
  • Library/Libraries: azure-security-keyvault-jca-2.10.0.jar
  • Executed like below after "fixing" apksigner.bat to pass through -J parameters to the java opts
    apksigner.bat sign --v1-signing-enabled false --v2-signing-enabled false --ks NONE --ks-type AzureKeyVault --ks-key-alias "CERTALIAS" --ks-pass pass: --ks-provider-class com.azure.security.keyvault.jca.KeyVaultJcaProvider --v -in our.apk -out oursigned.apk -J--module-path="""PATH TO azure-security-keyvault-jca-2.10.0.jar""" -J--add-modules="""com.azure.security.keyvault.jca""" -J-Dazure.keyvault.uri=azurekeyvaulturl -J-Dazure.keyvault.tenant-id=azuretenantid -J-Dazure.keyvault.client-id=azureapplicationclientid -J-Dazure.keyvault.client-secret=azureapplicationclientsecret

Information Checklist
Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.

  • Query Added
  • Setup information Added
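To narrow down whether the failure comes from the provider not being installed or from no installed provider accepting the Key Vault key type, here is an added diagnostic (not code from the issue author or the Azure SDK) that reproduces the exact step apksigner's JcaSignerEngine performs, Signature.getInstance followed by initSign, directly against the key loaded through the AzureKeyVault KeyStore. It assumes the same azure.keyvault.uri / tenant-id / client-id / client-secret system properties as the command above, that the AzureKeyVault KeyStore reads them when loaded with a null stream, and an alias placeholder CERTALIAS.

```java
import com.azure.security.keyvault.jca.KeyVaultJcaProvider;

import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

public class KeyVaultSignatureProbe {
    public static void main(String[] args) throws Exception {
        // Placeholder alias; same role as CERTALIAS in the apksigner command.
        String alias = args.length > 0 ? args[0] : "CERTALIAS";
        // The algorithm the v3 signer failed with in the stack trace.
        String algorithm = "SHA512withRSA";

        // Install the provider the same way --ks-provider-class is expected to.
        Security.addProvider(new KeyVaultJcaProvider());

        // Assumption: the AzureKeyVault KeyStore reads the azure.keyvault.* system
        // properties when loaded with a null stream (run with the same -D options).
        KeyStore ks = KeyStore.getInstance("AzureKeyVault");
        ks.load(null, null);

        Key key = ks.getKey(alias, null);
        System.out.println("Key class: " + key.getClass().getName());
        System.out.println("Key algorithm: " + key.getAlgorithm() + ", format: " + key.getFormat());

        // Which installed providers advertise this Signature algorithm at all?
        Provider[] offering = Security.getProviders("Signature." + algorithm);
        if (offering == null) {
            System.out.println("No installed provider offers " + algorithm);
        } else {
            for (Provider p : offering) {
                System.out.println("Provider offering " + algorithm + ": " + p.getName());
            }
        }

        // Same call sequence as apksigner: let the JDK pick a provider for this key.
        try {
            Signature sig = Signature.getInstance(algorithm);
            sig.initSign((PrivateKey) key);
            sig.update(new byte[] {1, 2, 3}); // constructed sample data, not an APK
            byte[] out = sig.sign();
            System.out.println("Signed with provider " + sig.getProvider().getName()
                    + ", signature length " + out.length + " bytes");
        } catch (InvalidKeyException e) {
            // This is the branch apksigner reports as "No installed provider supports this key".
            System.out.println("No provider accepted the key: " + e.getMessage());
        }
    }
}
```

Run it with azure-security-keyvault-jca-2.10.0.jar on the module path and the same -Dazure.keyvault.* options as the apksigner command; if the Sectigo alias signs and the GlobalSign RSA-HSM alias hits the InvalidKeyException branch, the difference is in how the provider handles that key type rather than in apksigner.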