Thanks all.. It worked..

On Mon, Dec 15, 2014 at 5:54 PM, Pankaj Kushwaha <[email protected]> wrote:
>
> Hi all,
>
> Thanks a lot. I am able to generate signer tag using below link-
> http://seandroid.bitbucket.org/InstalltimeMAC.html
>
> Couldn't test it though, but I guess it should work.
>
> Thanks
> Pankaj Kushwaha
>
> On Mon, Dec 15, 2014 at 4:40 PM, Robert Craig <[email protected]> wrote:
>>
>> Best bet is to run setool which we maintain on our seandroid-5.0.1 and
>> seandroid branches. This will directly create the needed signer stanza for
>> you. You'll have to build it separately though as it's not part of any
>> normal device build. When run, just pass the apk in question and the hex
>> encoded X.509 certificate used to sign the app, which is also the cert
>> needed for the policy, will be dumped for you.
>>
>> You could also just pull out the cert yourself. The following command
>> should work where CERT.RSA is the DER contents of your app's cert after
>> unzipping the apk.
>>
>> openssl pkcs7 -inform DER -print_certs -in CERT.RSA | tail -n +4 | head -n -2 | base64 -d -i | hexdump -v -e '/1 "%02x" '
>>
>>
>> On 12/15/2014 01:29 AM, Pankaj Kushwaha wrote:
>>
>> I tried below tag in mac_permissions.xml as my .mk file in vendors had
>> local certificate as presigned-
>>
>> <signer signature="@PRESIGNED" >
>>   <seinfo value="mysevalue" />
>> </signer>
>>
>> But I wasn't able to label it perfectly.
>>
>> Then I tried below tag-
>> <package name="com.mypackage">
>>   <seinfo value="mysevalue" />
>> </package>
>>
>> But still I wasn't able to label it perfectly.
>>
>> Am I missing something ??
>>
>> On Mon, Dec 15, 2014 at 11:17 AM, Pankaj Kushwaha <[email protected]> wrote:
>>>
>>> I am currently thinking to add a signer tag in mac_permissions.xml and
>>> include package stanzas in that tag, but I am not sure what sign shall I
>>> use for this third party app.
>>> I will give a custom seinfo in that tag for my package.
>>>
>>>
>>> On Mon, Dec 15, 2014 at 10:58 AM, Pankaj Kushwaha <[email protected]> wrote:
>>>>
>>>> Thanks a lot for the info.
>>>> But I am still in other issues. I don't have the keys from which app
>>>> is signed and the client for which I am working won't share the key (due to
>>>> the fear that if I have the key I might replace their app from devices). So
>>>> that's the reason I was trying to find other ways.
>>>>
>>>> On Fri, Dec 12, 2014 at 9:41 PM, William Roberts <[email protected]> wrote:
>>>>>
>>>>>
>>>>> On Dec 12, 2014 5:33 AM, "Stephen Smalley" <[email protected]> wrote:
>>>>> >
>>>>> > With regard to your other question (about reverting the changes and
>>>>> > just using name= with seinfo=default in your seapp_contexts), I don't
>>>>> > think anything would currently prevent you from doing that but you'll
>>>>> > lose the safety check for any future changes you make, and if that app
>>>>> > is ever removed from your build but the corresponding seapp_contexts
>>>>> > line is not removed, you'll leave open the potential for any app with
>>>>> > the same name to run in that domain. So I wouldn't recommend it. At
>>>>> > some point, we will likely add something to the CTS to check that the
>>>>> > device seapp_contexts file does not have any such entries, so it will
>>>>> > be enforced for production devices, but that doesn't exist in the
>>>>> > current CTS AFAIK.
>>>>>
>>>>> As Stephen mentioned not using a signing key is very bad practice. I
>>>>> would also strongly emphasize that you take the advice given here. It is
>>>>> really no additional work to just add the signing key into the build files
>>>>> and use your own seinfo.
>>>>>
>>>>> >
>>>>> > On 12/12/2014 06:02 AM, Pankaj Kushwaha wrote:
>>>>> > > Hi,
>>>>> > >
>>>>> > > In my case, our app is a 3rd party app which will be pre-built (part
>>>>> > > of system.img) and will be uploaded on google play as well for any
>>>>> > > updates (just like gmail, google maps, etc).
>>>>> > >
>>>>> > > So there are no chances that anyone else will install app with same
>>>>> > > package name.
>>>>> > > Will there be any other consequences if I revert these two patches ?
>>>>> > >
>>>>> > > Also can you please guide me on how to add a new signer for my app ?
>>>>> > > Because my apk doesn't have any .mk file so how will the system know
>>>>> > > that app has to pick which seinfo from mac_permissions.xml ?
>>>>> > > I just keep my signed apk in vendor/<oem>/common/apps/ folder.
>>>>> > >
>>>>> > > Thanks
>>>>> > > Pankaj Kushwaha
>>>>> > >
>>>>> > > On Thu, Dec 11, 2014 at 8:18 PM, Stephen Smalley <[email protected]> wrote:
>>>>> > >
>>>>> > > Correct. We simply want to preclude the unsafe practice of assigning
>>>>> > > domain by package name only, as anyone can create an app with any
>>>>> > > package name, and first one to be installed with that name wins. So
>>>>> > > you must bind it to a specific signature as well.
>>>>> > >
>>>>> > > On 12/11/2014 09:35 AM, William Roberts wrote:
>>>>> > > > It appears to me that you can just specify a signer in Mac perms
>>>>> > > > XML and use a custom seinfo in seapp contexts.
>>>>> > > >
>>>>> > > > On Dec 10, 2014 10:56 PM, "Pankaj Kushwaha" <[email protected]> wrote:
>>>>> > > >
>>>>> > > > Hi,
>>>>> > > >
>>>>> > > > I was running some of the third party apps in my custom domain, by
>>>>> > > > adding below line in seapp_contexts-
>>>>> > > > user=_app seinfo=default name=<package_name> domain=<custom_domain> type=<custom_file_type>
>>>>> > > > and there were few other changes as well.
>>>>> > > >
>>>>> > > > But in android L I am unable to do so because of below patches-
>>>>> > > > https://android-review.googlesource.com/#/c/90142/
>>>>> > > > https://android-review.googlesource.com/#/c/90143/
>>>>> > > >
>>>>> > > > I just wanted to know that is there any other way to run my app in
>>>>> > > > custom domain in Android L ?
>>>>> > > > If not, if I remove above two patches in what way will it affect my
>>>>> > > > other functionality ?
>>>>> > > >
>>>>> > > > Thanks
>>>>> > > > Pankaj Kushwaha
_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
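
Added example (not part of the thread, and not setool): a Python version of the manual route Robert Craig describes, reading the JAR-style signature block under META-INF/ in an APK and emitting the signer stanza with the hex-encoded certificate. It assumes a single signer; the function names and SAMPLE_P7 are constructed for illustration.

```python
import io
import zipfile
from xml.sax.saxutils import quoteattr

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def first_cert_from_pkcs7(der):
    """Return the DER bytes of the first certificate in a PKCS#7 SignedData."""
    _, start, _ = read_tlv(der, 0)           # ContentInfo SEQUENCE
    _, _, oid_end = read_tlv(der, start)     # contentType OID
    tag, start, _ = read_tlv(der, oid_end)   # [0] EXPLICIT wrapper
    if tag != 0xA0:
        raise ValueError("not a PKCS#7 ContentInfo")
    _, pos, end = read_tlv(der, start)       # SignedData SEQUENCE
    while pos < end:
        tag, vstart, vend = read_tlv(der, pos)
        if tag == 0xA0:                      # certificates [0] IMPLICIT
            _, _, cert_end = read_tlv(der, vstart)
            return der[vstart:cert_end]
        pos = vend
    raise ValueError("SignedData carries no certificates")

def signer_stanza(apk, seinfo):
    """Hypothetical helper: mac_permissions.xml signer stanza for one APK."""
    with zipfile.ZipFile(apk) as z:
        sigs = [n for n in z.namelist() if n.startswith("META-INF/")
                and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if len(sigs) != 1:  # refuse to guess which certificate to bind
            raise ValueError("expected one signature block, found %d" % len(sigs))
        cert = first_cert_from_pkcs7(z.read(sigs[0]))
    return '<signer signature="%s">\n  <seinfo value=%s />\n</signer>' % (
        cert.hex(), quoteattr(seinfo))

# Constructed sample: minimal SignedData whose "certificate" is SEQUENCE { INTEGER 42 }.
SAMPLE_P7 = bytes.fromhex("302a06092a864886f70d010702a01d301b0201013100300b"
                          "06092a864886f70d010701a005300302012a3100")
if __name__ == "__main__":
    with zipfile.ZipFile(apk := io.BytesIO(), "w") as z:  # in-memory stand-in for an APK
        z.writestr("META-INF/CERT.RSA", SAMPLE_P7)
    print(signer_stanza(apk, "mysevalue"))
```

The matching seapp_contexts entry then selects on `seinfo=mysevalue` together with `name=`, so the domain is bound to the signing certificate rather than to the package name alone.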
