In the Android Open Source Project (AOSP) build system, the releasekey.x509.pem key is typically used for signing production-ready apps, system components, and system images. It is part of the signing infrastructure provided in AOSP and is intended for apps that don’t require elevated platform-level privileges.
When releasekey.x509.pem Is Used
- Production Builds:
releasekeyis commonly used for apps and components that are intended for release in production builds.- It ensures that user-facing apps, such as pre-installed apps or optional system apps, are signed with a key different from the core system (
platformkey), isolating them from elevated privileges.
- Default Key for User Apps:
- If no specific signing key is assigned to an app or system component, and the default signing key (
PRODUCT_DEFAULT_DEV_CERTIFICATE) is set toreleasekey, thereleasekey.x509.pemkey is used.
- If no specific signing key is assigned to an app or system component, and the default signing key (
- Custom ROMs:
- Custom ROM developers often replace the default
platformandreleasekeykeys with their own, but the usage pattern remains the same:releasekeyfor general apps andplatformfor core system apps.
- Custom ROM developers often replace the default
How releasekey.x509.pem Is Used by the Build System
- Defined in the Build Configuration
- The build system determines the signing key using the
PRODUCT_DEFAULT_DEV_CERTIFICATEvariable inBoardConfig.mkorproduct.mk. Forreleasekey, it looks like this:PRODUCT_DEFAULT_DEV_CERTIFICATE := build/target/product/security/releasekey
- The build system determines the signing key using the
- Used in
Android.mkorAndroid.bp- Individual components can explicitly specify the
releasekeyas their signing key:LOCAL_CERTIFICATE := releasekey
- Individual components can explicitly specify the
- Build Process:
- During the build process, the
build/make/core/Makefileuses theLOCAL_CERTIFICATEvariable to identify which key (e.g.,releasekey,platform) should be used to sign the APK or JAR. - The
build/target/product/security/releasekey.pk8andreleasekey.x509.pemfiles are passed to the signing tools (likeapksignerorsignapk.jar) to sign the component.
- During the build process, the
- APK Signing:
- The APKs are signed using the specified key during the build:
releasekey.pk8: The private key used to sign the APK.releasekey.x509.pem: The certificate used to verify the signature.
- Example signing command (executed by the build system):
java -jar signapk.jar build/target/product/security/releasekey.x509.pem build/target/product/security/releasekey.pk8 input.apk output.apk
- The APKs are signed using the specified key during the build:
- System Image Signing:
- When building the system image (
system.img), the samereleasekeycan be used to sign APKs and other artifacts included in the image if configured.
- When building the system image (
How to Specify releasekey for Specific Use Cases
- Set as the Default Key:
- To use
releasekeyfor all components by default, modify theBoardConfig.mkfile:PRODUCT_DEFAULT_DEV_CERTIFICATE := build/target/product/security/releasekey
- To use
- Assign per Component:
- For components or apps that specifically need the
releasekey, update theirAndroid.mkorAndroid.bp:LOCAL_CERTIFICATE := releasekey
- For components or apps that specifically need the
- Use for System Images:
- Configure
sign_target_files_apksto usereleasekeywhen signing target files or images:sign_target_files_apks -o -d build/target/product/security target_files.zip signed_target_files.zip
- Configure
Why releasekey Is Used
- Separation of Privileges:
- Using
releasekeyseparates user-facing apps from system-level apps signed with theplatformkey, reducing security risks.
- Using
- Key Rotation:
- It allows better management of key rotation for apps that don’t need core system privileges.
- Security Best Practices:
- Assigning different keys to apps helps isolate vulnerabilities, ensuring that a compromised app cannot affect other components signed with a different key.
Example Workflow in AOSP
- Key Configuration:
releasekey.pk8andreleasekey.x509.pemare placed in thebuild/target/product/securitydirectory.- The
PRODUCT_DEFAULT_DEV_CERTIFICATEis set toreleasekeyinBoardConfig.mk:PRODUCT_DEFAULT_DEV_CERTIFICATE := build/target/product/security/releasekey
- App Build:
- During the build process, each app is checked for a
LOCAL_CERTIFICATEsetting in itsAndroid.mk:- If it is
releasekey, the corresponding.pk8and.x509.pemare used to sign the app.
- If it is
- During the build process, each app is checked for a
- Signed Output:
- The output APKs, JARs, and images are signed with the
releasekey, ensuring they can be verified during runtime.
- The output APKs, JARs, and images are signed with the
Conclusion
The releasekey.x509.pem is used in AOSP primarily for signing non-core system components, general-purpose apps, and system images in production builds. Its usage is determined by the build configuration (PRODUCT_DEFAULT_DEV_CERTIFICATE), module-specific configurations (LOCAL_CERTIFICATE), and the build signing tools. For production environments, it is critical to replace the default releasekey with a custom, securely managed key.
If you have additional questions or need guidance on customizing key usage, feel free to ask in comments !