# hapsigner Guide

## Build

 1. Check that Gradle 7.1 has been installed.

    ```shell 
    gradle -v
    ```
  
 2. Download the code, open the file directory **developtools_hapsigner/hapsigntool**, and run the following command to build the code:

    ```shell    
    gradle build 
    ```
     Or
    ```shell
    gradle jar
    ```
    
 3. Check that **hap-sign-tool.jar** (binary files) is generated in the **./hap_sign_tool/build/libs** directory.

## Usage Guidelines

### When to Use

The OpenHarmony system has a built-in KeyStore (KS) file named **OpenHarmony.p12**. This file contains the root CA certificate, intermediate CA certificate, and end-entity certificate information. The hapsigner tool signs the OpenHarmony applications based on this KS file.

The usage of hapsigner varies depending on whether an application signing certificate is available. 

- If no application signing certificate is available:<br/>
  You need to generate a key pair, generate an application signing certificate, sign the profile, and sign the application.
- If an application signing certificate is available:<br/>
  You need to sign the profile, and use the application signing certificate and the local KS file (containing the corresponding key) to sign the application.

### Description

1. Display command help information.

     ```
     -help     # If no parameter is specified, the command help information is displayed by default.
     ```

2. Display version information.

     ```
     -version  # Display the tool version information.
     ```

3. Generate a key pair.

     ```
     generate-keypair: Generate a key pair.
         ├── -keyAlias          # Key alias. It is mandatory.
         ├── -keyPwd            # Key password. It is optional.
         ├── -keyAlg            # Key algorithm, which can be RSA or ECC. It is mandatory.
         ├── -keySize           # Key length. It is mandatory. The key length is 2048, 3072, or 4096 bits if RSA is used and is NIST-P-256 or NIST-P-384 if ECC is used.
         ├── -keystoreFile      # KS file, in JKS or P12 format. It is mandatory.
         ├── -keystorePwd       # KS password. It is optional.
     ```

4. Generate a CSR.
     ```
     generate-csr: Generate a CSR.
         ├── -keyAlias          # Key alias. It is mandatory.
         ├── -keyPwd            # Key password. It is optional.
         ├── -subject           # Certificate subject. It is mandatory.
         ├── -signAlg           # Signing algorithm, which can be SHA256withRSA, SHA384withRSA, SHA256withECDSA, or SHA384withECDSA. It is mandatory.
         ├── -keystoreFile      # KS file, in JKS or P12 format. It is mandatory.
         ├── -keystorePwd       # KS password. It is optional.
         ├── -outFile           # CSR to generate. It is optional. If you do not specify this parameter, the CSR is output to the console.
     ```
     
5. Generate a root CA or intermediate CA certificate.

     ```
     generate-ca: Generate a root CA or intermediate CA certificate. If the key does not exist, generate a key together with the certificate.
         ├── -keyAlias                        # Key alias. It is mandatory.
         ├── -keyPwd                          # Key password. It is optional.
         ├── -keyAlg                          # Key algorithm, which can be RSA or ECC. It is mandatory.
         ├── -keySize                         # Key length. It is mandatory. The key length is 2048, 3072, or 4096 bits if RSA is used and is NIST-P-256 or NIST-P-384 if ECC is used.
         ├── -issuer                          # Issuer of the certificate. It is optional. It indicates a root CA certificate if not specified.
         ├── -issuerKeyAlias                  # Key alias of the issuer. It is optional. It indicates a root CA certificate if not specified.
         ├── -issuerKeyPwd                    # Key password of the issuer. It is optional.
         ├── -subject                         # Certificate subject. It is mandatory.
         ├── -validity                        # Validity period of the certificate. It is optional. The default value is 3650 days.
         ├── -signAlg                         # Signing algorithm, which can be SHA256withRSA, SHA384withRSA, SHA256withECDSA, or SHA384withECDSA. It is mandatory.
         ├── -basicConstraintsPathLen         # Path length. It is optional. The default value is 0.
         ├── -keystoreFile                    # KS file, in JKS or P12 format. It is mandatory.
         ├── -keystorePwd                     # KS password. It is optional.
         ├── -issuerKeystoreFile              # KS file of the issuer, in JKS or P12 format. It is optional.
         ├── -issuerKeystorePwd               # KS password of the issuer. It is optional. 
         ├── -outFile                         # File to generate. It is optional. The file is output to the console if this parameter is not specified.
     ```

6. Generate an application debug or release certificate.

     ```
     generate-app-cert: Generate an application debug or release certificate.
         ├── -keyAlias                        # Key alias. It is mandatory.
         ├── -keyPwd                          # Key password. It is optional.
         ├── -issuer                          # Issuer of the certificate. It is mandatory.
         ├── -issuerKeyAlias                  # Key alias of the issuer. It is mandatory.
         ├── -issuerKeyPwd                    # Key password of the issuer. It is optional.
         ├── -subject                         # Certificate subject. It is mandatory.
         ├── -validity                        # Validity period of the certificate. It is optional. The default value is 3650 days.
         ├── -signAlg                         # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA.
         ├── -issuerKeystoreFile              # KS file of the issuer, in JKS or P12 format. It is optional.
         ├── -issuerKeystorePwd               # KS password of the issuer. It is optional. 
         ├── -keystoreFile                    # KS file, in JKS or P12 format. It is mandatory.
         ├── -keystorePwd                     # KS password. It is optional.
         ├── -outForm                         # Format of the certificate to generate. It is optional. The value can be cert or certChain. The default value is certChain.
         ├── -rootCaCertFile                  # Root CA certificate, which is mandatory when outForm is certChain.
         ├── -subCaCertFile                   # Intermediate CA certificate, which is mandatory when outForm is certChain.
         ├── -outFile                         # Certificate file (certificate or certificate chain) to generate. It is optional. The file is output to the console if this parameter is not specified.
     ```

7. Generate a profile debug or release certificate.

     ```
     generate-profile-cert: Generate a profile debug or release certificate.
         ├── -keyAlias                        # Key alias. It is mandatory.
         ├── -keyPwd                          # Key password. It is optional.
         ├── -issuer                          # Issuer of the certificate. It is mandatory.
         ├── -issuerKeyAlias                  # Key alias of the issuer. It is mandatory.
         ├── -issuerKeyPwd                    # Key password of the issuer. It is optional.
         ├── -subject                         # Certificate subject. It is mandatory.
         ├── -validity                        # Validity period of the certificate. It is optional. The default value is 3650 days.
         ├── -signAlg                         # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA.
         ├── -issuerKeystoreFile              # KS file of the issuer, in JKS or P12 format. It is optional.
         ├── -issuerKeystorePwd               # KS password of the issuer. It is optional. 
         ├── -keystoreFile                    # KS file, in JKS or P12 format. It is mandatory.
         ├── -keystorePwd                     # KS password. It is optional.
         ├── -outForm                         # Format of the certificate to generate. It is optional. The value can be cert or certChain. The default value is certChain.
         ├── -rootCaCertFile                  # Root CA certificate, which is mandatory when outForm is certChain.
         ├── -subCaCertFile                   # Intermediate CA certificate, which is mandatory when outForm is certChain.
         ├── -outFile                         # Certificate file (certificate or certificate chain) to generate. It is optional. The file is output to the console if this parameter is not specified.
     ```

8. Generate a common certificate, which can be used to generate a custom certificate.

     ```
     generate-cert: Generate a common certificate, which can be used to generate a custom certificate.
         ├── -keyAlias                          # Key alias. It is mandatory.
         ├── -keyPwd                            # Key password. It is optional.
         ├── -issuer                            # Issuer of the certificate. It is mandatory.
         ├── -issuerKeyAlias                    # Key alias of the issuer. It is mandatory.
         ├── -issuerKeyPwd                      # Key password of the issuer. It is optional.
         ├── -subject                           # Certificate subject. It is mandatory.
         ├── -validity                          # Validity period of the certificate. It is optional. The default value is 1095 days.
         ├── -keyUsage                          # Usages of the key. It is mandatory. The key usages include digitalSignature, nonRepudiation, keyEncipherment,
         ├                                        dataEncipherment, keyAgreement, certificateSignature, crlSignature,
         ├                                        encipherOnly, and decipherOnly. Use a comma (,) to separate multiple values.
         ├── -keyUsageCritical                  # Whether keyUsage is a critical option. It is optional. The default value is true.
         ├── -extKeyUsage                       # Extended key usages. It is optional. The extended key usages include clientAuthentication, serverAuthentication,
         ├                                        codeSignature, emailProtection, smartCardLogin, timestamp, and ocspSignature.
         ├── -extKeyUsageCritical               # Whether extKeyUsage is a critical option. It is optional. The default value is false.
         ├── -signAlg                           # Signing algorithm, which can be SHA256withRSA, SHA384withRSA, SHA256withECDSA, or SHA384withECDSA. It is mandatory.
         ├── -basicConstraints                  # Whether basicConstraints is contained. It is optional. The default value is false.
         ├── -basicConstraintsCritical          # Whether basicConstraints is a critical option. It is optional. The default value is false.
         ├── -basicConstraintsCa                # Whether it is CA. It is optional. The default value is false.
         ├── -basicConstraintsPathLen           # Path length. It is optional. The default value is 0.
         ├── -issuerKeystoreFile                # KS file of the issuer, in JKS or P12 format. It is optional.
         ├── -issuerKeystorePwd                 # KS password of the issuer. It is optional. 
         ├── -keystoreFile                      # KS file, in JKS or P12 format. It is mandatory.
         ├── -keystorePwd                       # KS password. It is optional.
         ├── -outFile                           # Certificate file to generate. It is optional. The file is output to the console if this parameter is not specified.
     ```

9. Sign a profile.

     ```
     sign-profile: Sign a profile.
         ├── -mode            # Signing mode, which can be localSign or remoteSign. It is mandatory.
         ├── -keyAlias        # Key alias. It is mandatory.
         ├── -keyPwd          # Key password. It is optional.
         ├── -profileCertFile # Profile signing certificate (certificate chain, in the end-entity certificate, intermediate CA certificate, and root certificate order). It is mandatory.
         ├── -inFile          # Raw profile template in JSON format (developtools_hapsigner/autosign/UnsgnedReleasedProfileTemplate.json). It is mandatory.
         ├── -signAlg         # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
         ├── -keystoreFile    # KS file, in JKS or P12 format. It is mandatory if the signing mode is localSign.
         ├── -keystorePwd     # KS password. It is optional.
         ├── -outFile         # Signed profile to generate, in p7b format. This parameter is mandatory.
     ```

10. Verify the signature of the profile.

     ```
     verify-profile: Verify the profile signature.
         ├── -inFile        # Signed profile in p7b format. This parameter is mandatory.
         ├── -outFile       # Verification result file (including the verification result and profile content), in json format. It is optional. The file is output to the console if this parameter is not specified.
     ```

11. Sign a HAP.

      ```
      sign-app: Sign a HAP.
          ├── -mode          # Signing mode, which can be localSign, remoteSign, or remoteResign. It is mandatory.
          ├── -keyAlias      # Key alias. It is mandatory.
          ├── -keyPwd        # Key password. It is optional.
          ├── -appCertFile   # Application signing certificate (certificate chain, in the end-entity certificate, intermediate CA certificate, and root certificate order). It is mandatory.
          ├── -profileFile   # Name of the signed profile in p7b format. This parameter is mandatory.
          ├── -profileSigned # Whether the profile is signed. The value 1 means signed, and value 0 means unsigned. The default value is 1. This parameter is optional.
          ├── -inForm        # Raw file, in .zip (default) or .bin format. It is optional.
          ├── -inFile        # Raw application package, in HAP or .bin format. It is mandatory.
          ├── -signAlg       # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
          ├── -keystoreFile  # KS file, in JKS or P12 format. It is mandatory if the signing mode is localSign.
          ├── -keystorePwd   # KS password. It is optional.
          ├── -outFile       # Signed HAP file to generate. It is mandatory.
      ```

12. Verify the HAP signature.

      ```
      verify-app: Verify the HAP signature.
          ├── -inFile          # Signed application file, in HAP or bin format. It is mandatory.
          ├── -outCertchain    # Signed certificate chain file. It is mandatory.
          ├── -outProfile      # Profile of the application. It is mandatory.
      ```

### Signing Procedure
The process of signing a HAP is as follows:

1. Generate a key pair for an application signing certificate.
2. Generate an application signing certificate.
3. Sign the profile.
4. Sign the HAP.


> **Precautions** <br>
>
> For security purposes, use ECC to generate the key pair in step 1. Do not use RSA.
>
> You are advised to place the HAP to be signed, profile, **OpenHarmony.p12**, root CA certificate, intermediate CA certificate, and hapsigner in the same directory for easy operation. The [**developtools_hapsigner/autosign/result**](https://gitee.com/openharmony/developtools_hapsigner/tree/master/autosign/result) directory has the following files:
>
> - OpenHarmony KS file: **OpenHarmony.p12** 
> - Root CA certificate: **rootCA.cer**
> - Intermediate CA certificate: **subCA.cer**
> - Profile signing certificate: **OpenHarmonyProfileRelease.pem**

1. **Generate a key pair for the application signing certificate.**

   Generate a signing key pair and save it to the KS.

   Example:

   ```shell
   java -jar hap-sign-tool.jar generate-keypair -keyAlias "oh-app1-key-v1" -keyAlg "ECC"  -keySize "NIST-P-256" -keystoreFile "OpenHarmony.p12" -keyPwd "123456" -keystorePwd "123456"
   ```
   
   > Note:<br>Record the values of **keyAlias**, **keystorePwd**, and **keyPwd**. These values will be used when the application signing certificate is generated and the HAP is signed.

   The command parameters are described as follows:

   ```
   generate-keypair: Generate a key pair for the application signing certificate.
       ├── -keyAlias         # Alias of the key used to generate the application signing certificate. It is stored in the OpenHarmony.p12 file. This parameter is mandatory.
       ├── -keyAlg           # Key algorithm. It is mandatory. ECC is recommended.
       ├── -keySize          # Key length. It is NIST-P-256/NIST-P-384 if ECC is used. This parameter is mandatory.
       ├── -keystoreFile     # KS file. OpenHarmony.p12 is recommended. This parameter is mandatory.
       ├── -keystorePwd      # KS password. It is mandatory. The default password for OpenHarmony.p12 is 123456.
       ├── -keyPwd           # Key password. It is optional. If this parameter is not specified, the generated key pair has no password.
   ```

2. **Generate an application signing certificate.**

   Use the local intermediate CA certificate to issue an application signing certificate.

   Example:

   ```shell
   java -jar hap-sign-tool.jar generate-app-cert -keyAlias "oh-app1-key-v1" -signAlg "SHA256withECDSA"  -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Team,CN= OpenHarmony Application CA" -issuerKeyAlias "openharmony application ca" -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Team,CN=OpenHarmony Application Release" -keystoreFile "OpenHarmony.p12" -subCaCertFile "subCA.cer" -rootCaCertFile "rootCA.cer" -outForm "certChain" -outFile "app1.pem" -keyPwd "123456" -keystorePwd "123456" -issuerKeyPwd "123456" -validity "365"
   ```

   The command parameters are described as follows:

   ```
   generate-app-cert: Generate an application signing certificate.
       ├── -keyAlias         # Key alias, which must be the same as that in the previous step.
       ├── -signAlg          # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
       ├── -issuer           # Issuer of the certificate. Enter the issuer of the intermediate CA certificate. It is mandatory and cannot be changed.
       ├── -issuerKeyAlias   # Key alias of the issuer. Enter the key alias of the intermediate CA certificate. This parameter is mandatory and cannot be changed.
       ├── -subject          # Subject of the certificate. Enter the subject in the same sequence specified in the command. This parameter is mandatory.
       ├── -issuerKeyPwd     # Key password of the issuer. Enter the key password of the intermediate CA certificate. It is mandatory and cannot be changed. In this example, it is 123456. 
       ├── -keystoreFile     # KS file. Use OpenHarmony.p12. It is mandatory and cannot be changed.
       ├── -rootCaCertFile   # Root certificate. It is mandatory and cannot be changed.
       ├── -subCaCertFile    # Intermediate CA certificate. This parameter is mandatory and cannot be changed.
       ├── -outForm          # Format of the certificate file to generate. certChain is recommended.
       ├── -outFile          # File to generate. It is optional. The file is output to the console if this parameter is not specified.
       ├── -keyPwd           # Key password. It is optional. It is the key password set when the key pair is generated. 
       ├── -keystorePwd      # KS password. The default value is 123456.
       ├── -validity         # Validity period of the certificate. It is optional. The default value is 3650 days.
   ```

3. **Sign the profile.**

   Call the profile signing API to sign the profile using the profile signing key.

   Example:

   ```shell
   java -jar hap-sign-tool.jar  sign-profile -keyAlias "openharmony application profile release" -signAlg "SHA256withECDSA" -mode "localSign" -profileCertFile "OpenHarmonyProfileRelease.pem" -inFile "UnsgnedReleasedProfileTemplate.json" -keystoreFile "OpenHarmony.p12" -outFile "app1-profile.p7b" -keyPwd "123456" -keystorePwd "123456"
   ```

   The command parameters are described as follows:

   ```
   sign-profile: Sign a profile.
       ├── -keyAlias         # Alias of the key for generating the profile certificate. It is mandatory and cannot be changed.
       ├── -signAlg          # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
       ├── -mode             # Signing mode, which must be localSign. It is mandatory.
       ├── -profileCertFile  # Profile signing certificate. Use the certificate provided. It is mandatory and cannot be changed.
       ├── -inFile           # Raw profile template in JSON format (developtools_hapsigner/autosign/UnsgnedReleasedProfileTemplate.json). It is mandatory.
       ├── -keystoreFile     # KS file. Use OpenHarmony.p12. It is mandatory and cannot be changed.
       ├── -outFile          # Signed profile to generate, in p7b format. This parameter is mandatory.
       ├── -keyPwd           # Key password. The default key password in OpenHarmony.p12 is 123456.
       ├── -keystorePwd      # KS password. The default KS password of OpenHarmony.p12 is 123456.
   ```

4. **Sign the HAP.**

   Call the HAP signing API to sign the HAP using the application signing key.

   Example:

   ```shell
   java -jar hap-sign-tool.jar sign-app -keyAlias "oh-app1-key-v1" -signAlg "SHA256withECDSA" -mode "localSign" -appCertFile "app1.pem" -profileFile "app1-profile.p7b" -inFile "app1-unsigned.zip" -keystoreFile "OpenHarmony.p12" -outFile "app1-signed.hap" -keyPwd "123456" -keystorePwd "123456"
   ```
   > Note:<br>The following parameters are used when there is no application signing certificate available. If the application signing certificate is available, the following parameters must be modified.
   >
   > - **keyAlias**: Enter the key alias of the application signing certificate. This parameter is mandatory. 
   > - **appCertFile**: Enter the application signing certificate. This parameter is mandatory.
   > - **keystoreFile**: Enter the KS file of the application signing certificate. This parameter is mandatory. 
   > - **keyPwd**: Enter the key password in the KS file. 
   > - **keystorePwd**: Enter the KS password in the KS file.

   The command parameters are described as follows:

   ```
   sign-app: Sign a HAP.
       ├── -keyAlias         # Key alias, which must be the same as the alias of the key pair generated. This parameter is mandatory.
       ├── -signAlg          # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
       ├── -mode             # Signing mode, which must be localSign. It is mandatory.
       ├── -appCertFile      # Application signing certificate (certificate chain, in the end-entity certificate, intermediate CA certificate, and root certificate order). Enter the application signing certificate generated in step 2. This parameter is mandatory.
       ├── -profileFile      # Signed profile in p7b format. Enter the profile generated. This parameter is mandatory.
       ├── -inFile           # Raw application package. It is mandatory.
       ├── -keystoreFile     # KS file, which must be the same as the KS file generated. It is mandatory and cannot be changed.
       ├── -outFile          # Signed file to generate. It is mandatory.
       ├── -keyPwd           # Key password, which must be the actual key password.
       ├── -keystorePwd      # KS password, which must be the actual KS password. 
   ```


## FAQs

1. When the application signing certificate is generated, the console displays the result but no file is output.

   - **Symptom**

     When the tool is used to generate an application signing certificate, the certificate content is displayed on the console and no certificate is generated.  

   - **Possible Causes**
   
     The path in the **outFile** parameter is incorrect, or the hyphen (-) in **-outFile** is not an English character.
   
   - **Solution**
   
     Check and correct the value of **outFile**, and ensure the hyphen (-) in **-outFile** is an English character.

2. Failed to sign the profile.

   - **Symptom**

     When the tool is used to sign a profile, any of the following information is displayed:

     (1) ` "SIGN_ERROR, code: 107. Details: Failed to verify signature: Wrong key usage"`

     (2) `"NOT_SUPPORT_ERROR, code: 105. Details: Profile cert 'result\profile1.pem' must a cert chain"`

     (3) ` "VERIFY_ERROR, code: 108. Details: Failed to verify signature: unable to find valid certification path to requested target"`

   - **Possible Causes**

     (1) The certificate chain of the profile signing certificate is in incorrect order.

     (2) The profile signing certificate is not a certificate chain.

     (3) The certificate subject is in incorrect sequence, or the **-issuerKeyAlias** parameter set to generate the application signing certificate is incorrect.

   - **Solution**

     (1) Check that the certificate chain is in ascending or descending order of seniority.

     (2) Check that the certificate is a certificate chain.

     (3) Check that the certificate subject is in the C, O, OU, and CN order.

3. An error message is displayed when the tool is used to sign a HAP.

   - **Symptom**

     The following information is displayed after the command is executed:<br>`NOT_SUPPORT_ERROR, code: 105. Details: SignAlg params is incorrect, signature algorithms include SHA256withECDSA,SHA384withECDSA`

   - **Possible Causes**

     The signing algorithm is not supported. Check the value of **signAlg**.

   - **Solution**

     Use ECC to generate the key pair for the application or profile signing certificate. Use SHA256withECDSA or SHA384withECDSA as the HAP signing algorithm.
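
The checks described in FAQs 1 to 3 and in the ECC precaution can be run against a command line before the tool is invoked. The following POSIX shell lint is an added example, not part of hapsigner or the original guide; the function names `finding`, `subject_in_order`, and `lint_hapsign_args` are hypothetical, and it assumes that every option takes exactly one value and that subject attribute values contain no commas.

```shell
#!/bin/sh
# Pre-flight lint for the arguments that follow `java -jar hap-sign-tool.jar`.
# Added example; function names are hypothetical and not part of hapsigner.
# Assumption: every option is followed by exactly one value, as in the
# parameter listings of this guide.

# Print one finding and count it.
finding() {
    printf '%s\n' "$1"
    lint_count=$((lint_count + 1))
}

# Succeed when the C, O, OU and CN attributes of a subject appear in that
# relative order (FAQ 2). The body is a subshell, so IFS and noglob stay local.
# Assumption: attribute values contain no commas.
subject_in_order() (
    set -f
    IFS=,
    last=0
    for part in $1; do
        key=$(printf '%s' "${part%%=*}" | tr -d ' ')
        case $key in
            C) rank=1 ;;
            O) rank=2 ;;
            OU) rank=3 ;;
            CN) rank=4 ;;
            *) continue ;;
        esac
        [ "$rank" -gt "$last" ] || exit 1
        last=$rank
    done
    exit 0
)

# Usage: lint_hapsign_args <subcommand> [-option value]...
# Prints one line per finding and returns non-zero if there is any finding.
lint_hapsign_args() {
    lint_cmd=$1
    lint_count=0
    shift
    while [ "$#" -gt 0 ]; do
        opt=$1
        val=${2-}
        # FAQ 1: a pasted en dash or similar look-alike is not an option prefix.
        case $opt in
            -*) ;;
            *) finding "FAQ 1: '$opt' does not start with an ASCII hyphen (-)" ;;
        esac
        case $opt in
            -signAlg)
                # FAQ 3: these subcommands list only the two ECDSA algorithms.
                case $lint_cmd in
                    sign-app|sign-profile|generate-app-cert|generate-profile-cert)
                        case $val in
                            SHA256withECDSA|SHA384withECDSA) ;;
                            *) finding "FAQ 3: $lint_cmd does not accept -signAlg '$val'" ;;
                        esac ;;
                esac ;;
            -keyAlg)
                # Precautions: the signing key pair should be ECC, not RSA.
                if [ "$lint_cmd" = generate-keypair ] && [ "$val" = RSA ]; then
                    finding "Precautions: use ECC, not RSA, for the signing key pair"
                fi ;;
            -subject)
                subject_in_order "$val" ||
                    finding "FAQ 2: -subject is not in C, O, OU, CN order" ;;
        esac
        if [ "$#" -ge 2 ]; then shift 2; else shift; fi
    done
    [ "$lint_count" -eq 0 ]
}

# When the script is run with arguments, lint them directly.
if [ "$#" -gt 0 ]; then
    lint_hapsign_args "$@"
fi
```

Pass the script the same arguments that would follow `java -jar hap-sign-tool.jar`; a non-zero exit status means at least one finding was printed.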