Go to file
openharmony_ci 4704ce1b37
!115 增加非开发者模式下OH证书
Merge pull request !115 from blc/cbl_local
2024-03-29 01:46:50 +00:00
figures update docs 2023-12-19 11:09:18 +08:00
interfaces/innerkits !114 校验本地签名证书的合法性 2024-03-19 07:31:32 +00:00
services pc trusts Application Release 2024-03-28 21:11:39 +08:00
test verify cert chain from local code sign SA 2024-03-18 21:54:50 +08:00
utils verify cert chain from local code sign SA 2024-03-18 21:54:50 +08:00
BUILD.gn 提供用户态设置ownerid接口 2023-11-25 11:56:59 +08:00
bundle.json pc trusts Application Release 2024-03-28 21:11:39 +08:00
code_signature.gni pc trusts Application Release 2024-03-28 21:11:39 +08:00
hisysevent.yaml feat:新增设备id校验 2023-11-18 08:45:30 +08:00
LICENSE 添加代码签名开源合规文件 2023-08-19 11:28:12 +08:00
OAT.xml add unittest for enabling code signing ioctl 2023-11-08 11:32:55 +08:00
README_zh.md readme 接口说明补充 2023-12-18 10:41:28 +08:00
README.md update docs 2023-12-19 11:09:18 +08:00

Code Signature

Introduction

The code signature component implements the code signing mechanism of OpenHarmony, which provides validity check and integrity protection for apps in runtime, eliminating execution of malicious code on devices and malicious tampering of app code by attackers.

Architecture of the code signature component

The code signature component provides the following functions:

  • Trusted certificate management: imports the device certificate and local code signing certificate and validates the certificate chain and its trusted source.
  • Code signing enabling: provides APIs in user mode to enable code signing of apps or code files during installation.
  • Local code signing: runs the signing service on the device and provides interfaces to sign local code (e.g. native code generated by the AOT).
  • Code attribute setting: provides APIs for setting the code owner ID and initializing the XPM region.

Directory Structure

/base/security/code_signature
├── interfaces                   # Interface layer
│   └── innerkits                #
│       ├── code_sign_attr_utils # APIs for setting code signing attributes
│       ├── code_sign_utils      # APIs for enabling code signing
│       ├── common               # Common basic capacities
│       └── local_code_sign      # APIs for local code signing
├── services                     # Service layer
│    ├── key_enable              # Certificate initialization
│    └── local_code_sign         # Local code signing service
├── test                         # Test cases
│    ├── fuzztest                # Fuzz test cases
│    └── unittest                # Unit test cases
└── utils                        # Common basic capabilities

Usage

Available APIs

API Description
int32_t EnforceCodeSignForApp(const EntryMap &entryPath, const std::string &signatureFile); Enforces code signing for HAPs.
int32_t EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, FileType type); Enforces code signing for HAPs.
int32_t EnforceCodeSignForFile(const std::string &path, const ByteBuffer &signature); Enforces code signing for files.
int32_t EnforceCodeSignForAppWithOwnerId(std::string ownerId, const std::string &path, const EntryMap &entryPathMap, FileType type); Enforces code signing for HAPs with the owner ID.
int ParseOwnerIdFromSignature(const ByteBuffer &sigbuffer, std::string &ownerID); Parses the owner ID from the signature.
int32_t EnableKeyInProfile(const std::string &bundleName, const ByteBuffer &profileBuffer); Trusts a developer certificate.
int32_t RemoveKeyInProfile(const std::string &bundleName); Revokes a trusted developer certificate.
int32_t InitLocalCertificate(ByteBuffer &cert); Initializes a local code signing certificate.
int32_t SignLocalCode(const std::string &filePath, ByteBuffer &signature); Signs the local code.
int32_t SignLocalCode(const std::string &ownerID, const std::string &filePath, ByteBuffer &signature); Signs the local code with the owner ID.
int InitXpmRegion(void); Initializes the XPM region.
int SetXpmOwnerId(uint32_t idType, const char *ownerId); Sets an owner ID.

Usage Guidelines

hapsigner User Guide

Repositories Involved

developtools_hapsigner

kernel_linux_common_modules

third_party_fsverity-utils