Understanding releasekey.x509.pem in AOSP: Usage and Configuration

In the Android Open Source Project (AOSP) build system, the releasekey.x509.pem key is typically used for signing production-ready apps, system components, and system images. It is part of the signing infrastructure provided in AOSP and is intended for apps that don’t require elevated platform-level privileges.

When releasekey.x509.pem Is Used

  1. Production Builds:
    • releasekey is commonly used for apps and components that are intended for release in production builds.
    • It ensures that user-facing apps, such as pre-installed apps or optional system apps, are signed with a key different from the core system (platform key), isolating them from elevated privileges.
  2. Default Key for User Apps:
    • If no specific signing key is assigned to an app or system component, and the default signing key (PRODUCT_DEFAULT_DEV_CERTIFICATE) is set to releasekey, the releasekey.x509.pem key is used.
  3. Custom ROMs:
    • Custom ROM developers often replace the default platform and releasekey keys with their own, but the usage pattern remains the same: releasekey for general apps and platform for core system apps.

How releasekey.x509.pem Is Used by the Build System

  1. Defined in the Build Configuration
    • The build system determines the signing key using the PRODUCT_DEFAULT_DEV_CERTIFICATE variable in BoardConfig.mk or product.mk. For releasekey, it looks like this:
      PRODUCT_DEFAULT_DEV_CERTIFICATE := build/target/product/security/releasekey
  2. Used in Android.mk or Android.bp
    • Individual components can explicitly specify the releasekey as their signing key:
      LOCAL_CERTIFICATE := releasekey
  3. Build Process:
    • During the build process, the build/make/core/Makefile uses the LOCAL_CERTIFICATE variable to identify which key (e.g., releasekey, platform) should be used to sign the APK or JAR.
    • The build/target/product/security/releasekey.pk8 and releasekey.x509.pem files are passed to the signing tools (like apksigner or signapk.jar) to sign the component.
  4. APK Signing:
    • The APKs are signed using the specified key during the build:
      • releasekey.pk8: The private key used to sign the APK.
      • releasekey.x509.pem: The certificate used to verify the signature.
    • Example signing command (executed by the build system):
      java -jar signapk.jar build/target/product/security/releasekey.x509.pem build/target/product/security/releasekey.pk8 input.apk output.apk
  5. System Image Signing:
    • When building the system image (system.img), the same releasekey can be used to sign APKs and other artifacts included in the image if configured.

How to Specify releasekey for Specific Use Cases

  1. Set as the Default Key:
    • To use releasekey for all components by default, modify the BoardConfig.mk file:
      PRODUCT_DEFAULT_DEV_CERTIFICATE := build/target/product/security/releasekey
  2. Assign per Component:
    • For components or apps that specifically need the releasekey, update their Android.mk or Android.bp:
      LOCAL_CERTIFICATE := releasekey
  3. Use for System Images:
    • Configure sign_target_files_apks to use releasekey when signing target files or images:
      sign_target_files_apks -o -d build/target/product/security target_files.zip signed_target_files.zip

Why releasekey Is Used

  • Separation of Privileges:
  • Key Rotation:
  • Security Best Practices:
    • Assigning different keys to apps helps isolate vulnerabilities, ensuring that a compromised app cannot affect other components signed with a different key.

Example Workflow in AOSP

  1. Key Configuration:
    • releasekey.pk8 and releasekey.x509.pem are placed in the build/target/product/security directory.
    • The PRODUCT_DEFAULT_DEV_CERTIFICATE is set to releasekey in BoardConfig.mk:
      PRODUCT_DEFAULT_DEV_CERTIFICATE := build/target/product/security/releasekey
  2. App Build:
  3. Signed Output:
    • The output APKs, JARs, and images are signed with the releasekey, ensuring they can be verified during runtime.

Conclusion

The releasekey.x509.pem is used in AOSP primarily for signing non-core system components, general-purpose apps, and system images in production builds. Its usage is determined by the build configuration (PRODUCT_DEFAULT_DEV_CERTIFICATE), module-specific configurations (LOCAL_CERTIFICATE), and the build signing tools. For production environments, it is critical to replace the default releasekey with a custom, securely managed key.
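The key selection described above (LOCAL_CERTIFICATE per module, otherwise PRODUCT_DEFAULT_DEV_CERTIFICATE) can be audited before a release. The following is an added example, not part of the AOSP build system or the original article: a simplified Python model of that resolution which lists modules still signed from the in-tree build/target/product/security directory. The sample makefile text, the module names, and the vendor/acme path are constructed for illustration.

```python
import posixpath
import re

# Key directory used throughout this page; keys kept here are the in-tree defaults.
DEFAULT_KEY_DIR = "build/target/product/security"
ASSIGN = re.compile(r"^[ \t]*([A-Z_]+)[ \t]*:?=[ \t]*(\S+)", re.M)

def resolve_keys(product_mk, android_mk):
    """Map each module in android_mk to the key path the build would sign it with."""
    settings = dict(ASSIGN.findall(product_mk))
    # With the variable unset, AOSP falls back to the in-tree testkey.
    default = settings.get("PRODUCT_DEFAULT_DEV_CERTIFICATE", DEFAULT_KEY_DIR + "/testkey")
    resolved = {}
    # Simplification: each module definition starts after "include $(CLEAR_VARS)".
    for block in android_mk.split("include $(CLEAR_VARS)")[1:]:
        local = dict(ASSIGN.findall(block))
        name = local.get("LOCAL_PACKAGE_NAME") or local.get("LOCAL_MODULE")
        if not name:
            continue
        cert = local.get("LOCAL_CERTIFICATE")
        if cert is None:
            cert = default  # no per-module key: the product default applies
        elif cert != "PRESIGNED" and "/" not in cert:
            # A bare name such as "releasekey" resolves next to the default key.
            cert = posixpath.join(posixpath.dirname(default), cert)
        resolved[name] = cert if cert == "PRESIGNED" else posixpath.normpath(cert)
    return resolved

def uses_default_keys(resolved):
    """Return sorted module names whose key lives in the in-tree default directory."""
    return sorted(n for n, c in resolved.items() if posixpath.dirname(c) == DEFAULT_KEY_DIR)

# Constructed sample inputs (not taken from a real device tree).
PRODUCT_MK = "PRODUCT_DEFAULT_DEV_CERTIFICATE := build/target/product/security/releasekey\n"
ANDROID_MK = """
include $(CLEAR_VARS)
LOCAL_PACKAGE_NAME := Gallery
include $(BUILD_PACKAGE)
include $(CLEAR_VARS)
LOCAL_PACKAGE_NAME := Settings
LOCAL_CERTIFICATE := platform
include $(BUILD_PACKAGE)
include $(CLEAR_VARS)
LOCAL_PACKAGE_NAME := VendorApp
LOCAL_CERTIFICATE := vendor/acme/security/releasekey
include $(BUILD_PACKAGE)
"""

if __name__ == "__main__":
    print(uses_default_keys(resolve_keys(PRODUCT_MK, ANDROID_MK)))
```

Any module the script lists would be signed from the default key directory; for a production build, point those modules or the product default at a key directory you manage outside the source tree.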

If you have additional questions or need guidance on customizing key usage, feel free to ask in the comments!
