This makes life a lot easier for themers who no longer have to worry about breaking framework-res' signature and being unable to re-sign it as it's signed with an obscure manufacturer certificate. It is necessary to re-sign the framework-res APK AND (to avoid horrible problems) those APKs in /system/app that have the matching certificate. To identify these, I have a script (certs.sh) that takes a directory and splits the APKs into directories based on the certificate. It will put APKs signed with the AOSP certs (platform, shared, media, test) in so-named directories, and everything else in an 'other' directory.
THIS IS MY QUICK AND DIRTY SCRIPT THAT I CREATED ONLY FOR MY OWN PURPOSES, which I am sharing by request. I know it's not flawless by a long shot (I should use more of the serialnumber cert serial probably) but it works for me. You should use at your own risk!
This is the script (I use a Mac, but it should be easily editable to the OS of your choice):

    #!/bin/bash
    # Sort the APKs in directory $1 into subdirectories named after the
    # start of their signing certificate's serial number.
    cd "$1" || exit 1
    for filename in *.apk
    do
        odex="${filename%.apk}.odex"
        unzip -d "$filename.extract" "$filename" META-INF/CERT.RSA
        if [ -f "$filename.extract/META-INF/CERT.RSA" ]
        then
            # Columns 19-23 of keytool's SerialNumber line; spaces are stripped
            # so the name matches the four-digit names used at the end.
            serial=`keytool -printcert -v -file "$filename.extract/META-INF/CERT.RSA" | grep SerialNumber | cut -c 19-23 | tr -d ' '`
            mkdir -p "$serial"
            mv "$filename" "$serial/$filename"
            # Move the matching .odex too, if there is one
            [ -f "$odex" ] && mv "$odex" "$serial/$odex"
        else
            # No CERT.RSA: the APK goes into 'none'
            mkdir -p none
            mv "$filename" none
            [ -f "$odex" ] && mv "$odex" none
        fi
        rm -rf "$filename.extract"
    done
    # Everything goes into 'other', then the AOSP certs are pulled back out by name
    mkdir other
    mv * other
    mv other/b399 platform
    mv other/f2a7 shared
    mv other/f2b9 media
    mv other/936e test
Now, once I have identified which APKs are signed with the same cert as framework-res, I put them all in the same directory and sign them. The required pk8 and x509.pem files are in AOSP (in build/target/product/security/), and my 'sign' script looks like this (this is my platform signing script):
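
    # Re-sign every APK and JAR under directory $1 with the platform key.
    cd "$1" || exit 1
    for filename in `find . -name '*.apk' -or -name '*.jar'`
    do
        echo "$filename"
        # signapk.jar <certificate> <private key> <input> <output>;
        # the original is only replaced if signing succeeded
        java -Xmx512M -jar ~/ROMs/tools/signapk.jar ~/ROMs/tools/platform.x509.pem ~/ROMs/tools/platform.pk8 "$filename" "$filename.signed" && mv -f "$filename.signed" "$filename"
    done

Same disclaimer as above applies - don't forget to zipalign afterwards too.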
Re-signing the key parts of my MCR ROMs with the platform cert has worked out very well for themers, so if you're a dev, it's worth thinking about.
So, just to be 100% clear, this is the process I use for my ROMs:
- Copy /system/app APKs and /system/framework/framework-res.apk to a directory
- Run certs.sh against that directory
- Identify directory containing framework-res.apk
- Sign said directory with AOSP platform key
- Use newly signed APKs to replace those in ROM
I hope this is useful to someone!
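
A check that can be run on the directory before and after the signing step, to confirm that every APK in it carries the same certificate as framework-res.apk. This is an added example, not the author's certs.sh: it compares full SHA-256 certificate fingerprints rather than a few digits of the serial number. It assumes a JDK whose keytool supports `-printcert -jarfile`; the function names are hypothetical.

```shell
#!/bin/bash
# Added example (not part of the original post).

# Read `keytool -printcert` output on stdin and print the first SHA-256
# fingerprint as lowercase hex without colons.
fp_from_keytool() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1 |
        tr -d ': \r' | tr 'A-F' 'a-f'
}

# Print the signer fingerprint of one APK (empty if unsigned or unreadable).
apk_fp() {
    keytool -printcert -jarfile "$1" 2>/dev/null | fp_from_keytool
}

# List every APK in directory $1 whose signer differs from framework-res.apk.
# Returns 0 only if all APKs share framework-res.apk's certificate.
mismatched_signers() {
    local dir="$1" ref fp apk status=0
    ref=$(apk_fp "$dir/framework-res.apk")
    if [ -z "$ref" ]; then
        echo "no certificate found in $dir/framework-res.apk" >&2
        return 2
    fi
    for apk in "$dir"/*.apk; do
        fp=$(apk_fp "$apk")
        if [ "$fp" != "$ref" ]; then
            # Print the file name and its fingerprint (or 'unsigned')
            echo "${apk##*/} ${fp:-unsigned}"
            status=1
        fi
    done
    return $status
}

# Usage: ./samecert.sh <directory>
if [ -n "${1:-}" ]; then
    mismatched_signers "$1"
fi
```

Any file it lists would end up in the ROM with a different certificate from framework-res.apk, so it needs to be re-signed or left out of the directory.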