APK Hash Signer
ENTERPRISE
The APK Hash Signer has the fully qualified class name: org.signserver.module.apk.signer.ApkHashSigner
Overview
The APK Hash Signer can sign hashed data for Client-Side Hashing and construction of signed Android Package Kit (APK) files. For more information on Android signing and how to set it up in SignServer, see Setting up Android Signing.
The signer supports the following types of requests:
- Pre-request with an empty body: The result is a pre-response containing the signer certificate chain and the following signers. For more information, see Pre-response Format.
- Signing request with a non-empty body: The result is a plain signature, as when using the Plain Signer.
Available Properties
Property | Description |
---|---|
SIGNATUREALGORITHM | Property specifying the algorithm used to sign the data. The default value depends on the signing key: NONEwithECDSA for ECDSA keys, otherwise NONEwithRSA. The algorithms NONEwithRSA and NONEwithECDSA are also supported and should be used when a hash digest, rather than the data itself, is supplied for signing. When using the NONEwithRSA algorithm, the input format should be specified according to RFC 3447. When using SignClient with client-side hashing and construction, the signer should use an RSA or ECDSA key and use NONEwithRSA or NONEwithECDSA (the default if not configured). Optional. |
LOGREQUEST_DIGESTALGORITHM | Specifies the algorithm used to create the message digest (hash) of the request document to put in the log. Default: SHA256. Optional. |
DO_LOGREQUEST_DIGEST | Specifies if the message digest of the requested document should be put in the log. Default: true. Optional. |
OTHER_SIGNERS | When requesting a pre-response (by sending a request with an empty request body), specify the signers whose names and certificate chains to include in the response. Optional. |
LINEAGE_FILE_CONTENT | The Base64-encoded content of a lineage file to include. Optional. |
Worker Log Fields
Field | Description |
---|---|
REQUEST_DIGEST | A message digest (hash) for the request document in HEX encoding. |
REQUEST_DIGEST_ALGORITHM | The name of the message digest (hash) algorithm used for the request digest in the log. |
RESPONSE_ENCODED | The response document (plain signature) in base64 encoding. |
Pre-response Format
The pre-response is encoded using key/value pairs (KEY=Value), in the same manner as used in Java properties files.
Field | Description |
---|---|
SIGNER_CERTIFICATE_CHAIN | Semicolon-separated Base64-encoded certificates of the signer's own signer certificate chain. |
NUMBER_OF_OTHER_SIGNERS | Number of other signers whose names and certificates are to be included in the response. |
LINEAGE_FILE_CONTENT | The Base64-encoded content of the lineage file, when one is configured with the corresponding worker property LINEAGE_FILE_CONTENT. |
OTHER_SIGNER_n.NAME | Name of other signer with index n. Index is 0-based. |
OTHER_SIGNER_n.CERTIFICATE_CHAIN | Certificate chain of other signer with index n. Index is 0-based. Certificate chain uses the same encoding as for SIGNER_CERTIFICATE_CHAIN. |
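
The following Python sketch shows how a client could parse and sanity-check a pre-response in the format above. It is an added example, not SignServer or SignClient code. It assumes a subset of the properties syntax (one KEY=Value per line, optional backslash escapes, no line continuations) and that an absent NUMBER_OF_OTHER_SIGNERS means zero; the function name, the signer name and the sample values are constructed for illustration.

```python
import base64
import re

def parse_pre_response(text):
    """Parse KEY=Value pre-response text into decoded certificate chains."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":          # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a KEY=Value line: {line!r}")
        # Assumption: '=' and ':' in values may arrive backslash-escaped.
        props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())

    def need(field):
        if field not in props:
            raise ValueError(f"missing field {field}")
        return props[field]

    def chain(field):
        # Semicolon-separated Base64 certificates -> list of decoded byte strings.
        certs = [base64.b64decode(c, validate=True)
                 for c in need(field).split(";") if c]
        if not certs:
            raise ValueError(f"empty certificate chain in {field}")
        return certs

    # Assumption: an absent count means there are no other signers.
    count = int(props.get("NUMBER_OF_OTHER_SIGNERS", "0"))
    # Every OTHER_SIGNER_n index must fall in 0..count-1, with none missing.
    seen = {int(m.group(1)) for k in props
            if (m := re.match(r"OTHER_SIGNER_(\d+)\.", k))}
    if seen != set(range(count)):
        raise ValueError("OTHER_SIGNER_n entries do not match NUMBER_OF_OTHER_SIGNERS")

    lineage = props.get("LINEAGE_FILE_CONTENT")
    return {
        "signer_chain": chain("SIGNER_CERTIFICATE_CHAIN"),
        "lineage": base64.b64decode(lineage, validate=True) if lineage else None,
        "other_signers": [
            {"name": need(f"OTHER_SIGNER_{n}.NAME"),
             "chain": chain(f"OTHER_SIGNER_{n}.CERTIFICATE_CHAIN")}
            for n in range(count)],
    }

# Constructed sample; Base64 values are placeholder bytes, not real X.509 DER.
_b64 = lambda b: base64.b64encode(b).decode()
SAMPLE = "\n".join([
    "SIGNER_CERTIFICATE_CHAIN=" + _b64(b"leaf-cert") + ";" + _b64(b"ca-cert"),
    "NUMBER_OF_OTHER_SIGNERS=1",
    "OTHER_SIGNER_0.NAME=OtherApkSigner",
    "OTHER_SIGNER_0.CERTIFICATE_CHAIN=" + _b64(b"other-leaf").replace("=", "\\="),
])
```

The parser only decodes the Base64 layer. Before the chains are embedded in an APK, each decoded certificate should still be parsed as X.509 and compared against the certificates the client expects.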