APK Lineage Signer

ENTERPRISE  This is a SignServer Enterprise feature.

The signer has the fully qualified class name: org.signserver.module.apk.signer.ApkLineageSigner

Overview

The APK Lineage Signer supports Android Package Kit (APK) key rotation. Key rotation supports signing with a new key by rolling over to the new key using a lineage file.

The APK Lineage Signer allows you to print the content of an APK lineage file and update it, that is, changing the capabilities of one of the signers. This requires that the APK Lineage Signer points to the APK Signer you want to modify in the lineage file (by setting the OTHER_SIGNERS property). The lineage file is then sent in together with the updated capability options and returns an updated lineage file.

Note that this signer is configured without a crypto token, as no crypto token is used from this signer but instead from the other signers.

For more information on Android signing and how to set it up in SignServer, see Setting up Android Signing.

Available Properties

PropertyDescriptionRequired

OTHER_SIGNERS

APK Signer to update lineage for. Specify exactly one signer, pointing out the signer to update in the lineage. (tick)
SET_INSTALLED_DATASpecifies the installed data capability of the signer in the updated lineage (true or false), if set. Default: unset.
SET_SHARED_UIDSpecifies the shared UID capability of the signer in the updated lineage (true or false), if set. Default: unset.
SET_PERMISSIONSpecifies the permission capability of the signer in the updated lineage (true or false), if set. Default: unset.
SET_ROLLBACKSpecifies the rollback capability of the signer in the updated lineage (true or false), if set. Default: unset.
SET_AUTHSpecifies the auth capability of the signer in the updated lineage (true or false), if set. Default: unset.

Request Parameters

PropertyDescription
PRINT_CERTSIf set to true, the process output is a textual representation of the signers in the supplied lineage file instead of an updated lineage. Accepted values: true or false. If set to false (or not included), the output is the updated lineage for the specified signer (default).

Worker Log Fields

FieldDescription
REQUEST_DIGEST A message digest (hash) for the request document in hex encoding.
REQUEST_DIGEST_ALGORITHM The name of the message digest (hash) algorithm used for the request digest in the log.
RESPONSE_DIGEST A message digest (hash) for the response document in HEX encoding.
RESPONSE_DIGEST_ALGORITHM The name of the message digest (hash) algorithm used for the response digest in the log.