In this example, the app requires the **ohos.permission.PERMISSION1** and **ohos.permission.PERMISSION2** permissions to implement core functions.
In this example, the app requires the **ohos.permission.PERMISSION1** and **ohos.permission.PERMISSION2** permissions to implement core functions.
- The ability privilege level (APL) of the app is normal.
- The ability privilege level (APL) of the app is **normal**.
- The level of **ohos.permission.PERMISSION1** is normal, and the authorization mode is system_grant.
- The level of **ohos.permission.PERMISSION1** is **normal**, and the authorization mode is **system_grant**.
- The level of **ohos.permission.PERMISSION2** is system_basic, and the authorization mode is user_grant.
- The level of **ohos.permission.PERMISSION2** is **system_basic**, and the authorization mode is **user_grant**.
> **Precautions**
> **NOTICE**
>
>
> In this scenario, the required permissions include a user_grant permission. You can check whether the caller has the required permission through permission verification.
> In this scenario, the required permissions include a **user_grant** permission. You can check whether the caller has the required permission through permission verification.
>
>
> If the permission verification result indicates that the app has not obtained that permission, dynamic user authorization is required.
> If the permission verification result indicates that the app has not obtained that permission, dynamic user authorization is required.
>
>
...
@@ -26,7 +26,7 @@ The table below lists only the API used in this guide. For more information, see
...
@@ -26,7 +26,7 @@ The table below lists only the API used in this guide. For more information, see
### config.json
### config.json
Declare the permissions required by the app one by one in the **config.json** file. The app cannot obtain a permission if it is not declared in the **config.json** file.
Declare the permissions required by the app one by one in the **config.json** file. The app can obtain permissions that have been declared in the **config.json** file.
**Description of config.json**
**Description of config.json**
...
@@ -35,7 +35,7 @@ Declare the permissions required by the app one by one in the **config.json** fi
...
@@ -35,7 +35,7 @@ Declare the permissions required by the app one by one in the **config.json** fi
| name | Name of the permission. |
| name | Name of the permission. |
| reason | Reason for requesting the permission. This field is mandatory for a user_grant permission.|
| reason | Reason for requesting the permission. This field is mandatory for a user_grant permission.|
| usedScene | Scenario of the permission. This field is mandatory for a user_grant permission.|
| usedScene | Scenario of the permission. This field is mandatory for a user_grant permission.|
| abilities | Abilities that use the permission. The value is an array.|
| abilities | Abilities that use the permission. The value is an array.|
| when | Time when the permission is used. The value can be **inuse** (the permission can be used only in the foreground) or **always** (the permission can be used in foreground and background).|
| when | Time when the permission is used. The value can be **inuse** (the permission can be used only in the foreground) or **always** (the permission can be used in foreground and background).|
**Example**
**Example**
...
@@ -43,7 +43,7 @@ Declare the permissions required by the app one by one in the **config.json** fi
...
@@ -43,7 +43,7 @@ Declare the permissions required by the app one by one in the **config.json** fi
```json
```json
{
{
"module":{
"module":{
"requesetPermissions":[
"requestPermissions":[
{
{
"name":"ohos.permission.PERMISSION1",
"name":"ohos.permission.PERMISSION1",
"reason":"$string:reason",
"reason":"$string:reason",
...
@@ -70,7 +70,7 @@ Declare the permissions required by the app one by one in the **config.json** fi
...
@@ -70,7 +70,7 @@ Declare the permissions required by the app one by one in the **config.json** fi
```
```
## Declaring the ACL
## Declaring the ACL
The permission level of **ohos.permission.PERMISSION2** is system_basic, which is higher than the app's APL. In this case, use the ACL.
The permission level of **ohos.permission.PERMISSION2** is **system_basic**, which is higher than the app's APL. In this case, use the ACL.
In addition to declaring all the permissions in the **config.json** file, you must declare the permissions whose levels are higher than the app's APL in the app's profile. In this example, declare the permission under the **acls** field:
In addition to declaring all the permissions in the **config.json** file, you must declare the permissions whose levels are higher than the app's APL in the app's profile. In this example, declare the permission under the **acls** field:
```json
```json
...
@@ -107,7 +107,7 @@ In addition to declaring all the permissions in the **config.json** file, you mu
...
@@ -107,7 +107,7 @@ In addition to declaring all the permissions in the **config.json** file, you mu
After the permissions are declared, the system grants the system_grant permission during the installation of the app. The user_grant permission must be authorized by the user.
After the permissions are declared, the system grants the system_grant permission during the installation of the app. The user_grant permission must be authorized by the user.
Therefore, before invoking the API protected by the **ohos.permission.PERMISSION2 permission**, the app needs to verify whether it has the permission.
Therefore, before allowing the app to call the API protected by the **ohos.permission.PERMISSION2** permission, the system needs to verify whether the app has the permission to do so.
If the verification result indicates that the app has the permission, the app can access the target API. Otherwise, the app needs to request user authorization and then proceeds based on the authorization result. For details, see [Access Control Overview](accesstoken-overview.md).
If the verification result indicates that the app has the permission, the app can access the target API. Otherwise, the app needs to request user authorization and then proceeds based on the authorization result. For details, see [Access Control Overview](accesstoken-overview.md).
...
@@ -119,34 +119,26 @@ If the verification result indicates that the app has the permission, the app ca
...
@@ -119,34 +119,26 @@ If the verification result indicates that the app has the permission, the app ca
The procedure is as follows:
The procedure is as follows:
1. Obtain the caller's identity tokenId.
1. Obtain the ability context.
2. Determine the permission to be verified. In this example, the permission is **permissionNameUser**.
2. Call **requestPermissionsFromUser** to verify whether the app has required permissions.
3. Call **verifyAccessToken** to verify the permissions of the caller.
3. Proceed based on the permission verification result.
4. Proceed based on the permission verification result.
AccessTokenManager (ATM) implements unified app permission management based on access tokens on OpenHarmony.
AccessTokenManager (ATM) implements unified app permission management based on access tokens on OpenHarmony.
By default, apps can access limited system resources. However, in some cases, an app needs to access excess data (including personal data) and functions of the system or another app to implement extended functions. Systems or apps must also share their data or functions through interfaces in an explicit manner. OpenHarmony uses app permissions to perform access control and prevent improper or malicious use of these data or functions.
By default, apps can access limited system resources. However, in some cases, an app needs to access excess data (including personal data) and functions of the system or another app to implement extended functions. The system or apps must also share their data or functions through interfaces in an explicit manner. OpenHarmony uses app permissions to perform access control and prevent improper or malicious use of these data or functions.
App permissions are used to protect the following objects:
App permissions are used to protect the following objects:
- Data: personal data (such as photos, Contacts, calendar, and location), device data (such as device ID, camera, and microphone), and app data.
- Data: personal data (such as photos, contacts, calendar, and location), device data (such as device ID, camera, and microphone), and app data.
- Functions: device functions (such as making calls, sending SMS messages, and connecting to the Internet) and app functions (such as displaying windows and creating shortcuts).
- Functions: device functions (such as making calls, sending SMS messages, and connecting to the Internet) and app functions (such as displaying windows and creating shortcuts).
Without the required permissions, an app cannot access or perform operations on the target object. Permissions must be clearly defined for apps. With app permissions, the system can standardize the behavior of apps and protect user privacy. Before an app accesses the target object, the target object verifies the app's permissions and denies the access if the app does not have required permissions.
Without the required permissions, an app cannot access or perform operations on the target object. Permissions must be clearly defined for apps. With well-defined app permissions, the system can standardize the behavior of apps and protect user privacy. Before an app accesses the target object, the target object verifies the app's permissions and denies the access if the app does not have required permissions.
Currently, ATM performs app permission verification based on the token identity (Token ID). A token ID identifies an app. The ATM manages app permissions based on the app's token ID.
Currently, ATM performs app permission verification based on the token identity (Token ID). A token ID identifies an app. The ATM manages app permissions based on the app's token ID.
...
@@ -36,25 +36,25 @@ The following describes two common scenarios.
...
@@ -36,25 +36,25 @@ The following describes two common scenarios.
Video playback apps need to use multimedia functions and read and write media files stored on storage devices. Therefore, the apps must have at least the following permissions:
Video playback apps need to use multimedia functions and read and write media files stored on storage devices. Therefore, the apps must have at least the following permissions:
* ohos.permission.READ_MEDIA (allowing the app to read external media files)
* ohos.permission.READ_MEDIA (allowing the apps to read external media files)
* ohos.permission.WRITE_MEDIA (allowing the app to read and write external media files)
* ohos.permission.WRITE_MEDIA (allowing the apps to read and write external media files)
-**Photography apps**
-**Photography apps**
Photography apps need to use the camera function. Before accessing the camera service, the app must have the following permission:
Photography apps need to use the camera function. Before accessing the camera service, the apps must have the following permission:
ohos.permission.CAMERA (allowing the app to use the camera to take photos and record videos).
ohos.permission.CAMERA (allowing the apps to use the camera to take photos and record videos)
### Basic Principles
### Basic Principles
Observe the following principles for permission management:
Observe the following principles for permission management:
- Provide clear description about the app functions and scenarios and permissions required for using the app so that users can clearly know why, when, and how to apply for permissions for using the app. Do not induce or mislead users' authorization. The permissions on an app must comply with the description provided in the app.
- Provide clear description about the app functions and scenarios for each permission required by the app so that users can clearly know why and when these permissions are required. Do not induce or mislead users' authorization. The permissions on an app must comply with the description provided in the app.
- Use the principle of least authority for user permissions. Allow only necessary permissions for service functions.
- Use the principle of least authority for user permissions. Allow only necessary permissions for service functions.
- When an app is started for the first time, avoid frequently displaying pop-up windows for users to apply for multiple permissions. Allow users to apply for permissions only when they need to use the corresponding service functions.
- When an app is started for the first time, avoid frequently displaying dialog boxes to request permissions. Allow the app to apply for permissions only when it needs to use the corresponding service functions.
- If a user rejects to authorize a permission, the user can still use functions irrelevant to this permission and can register and access the app.
- If a user rejects to authorize a permission, the user can still use functions irrelevant to this permission and can register and access the app.
- Provide no more message if a user rejects the authorization required by a function. Provide onscreen instructions to direct the user to give authorization in System Settings if the user triggers this function again or needs to use this function.
- Provide no more message if a user rejects the authorization required by a function. Provide onscreen instructions to direct the user to grant the permission in **Settings** if the user triggers this function again or needs to use this function.
- All the permissions granted to apps must come from the Permission List. Custom permissions are not allowed for apps currently.
- All the permissions granted to apps must come from the Permission List. Custom permissions are not allowed for apps currently.
...
@@ -74,9 +74,9 @@ The table below describes the APLs.
...
@@ -74,9 +74,9 @@ The table below describes the APLs.
| system_basic| The apps of this level provide basic system services. |
| system_basic| The apps of this level provide basic system services. |
| Normal | The apps of this level are normal apps. |
| Normal | The apps of this level are normal apps. |
By default, apps are of the normal APL. To declare the system_basic or higher APL:
By default, apps are of the normal APL.
- The APL must be approved by the app store.
- The APL must be declared in the **apl** field of the app's profile in the app installation package, and a profile signing certificate must be generated. For details, see [Configuring OpenHarmony App Signature Information](https://developer.harmonyos.com/en/docs/documentation/doc-guides/ohos-debugging-and-running-0000001263040487#section17660437768).
For the app of the system_basic or system_core APL, declare the app APL level in the **apl** field in the app's profile, and use the profile signing tool to generate a certificate when developing the app installation package. For details about the signing process, see [Hapsigner Guide](hapsigntool-guidelines.md).
### Permission Levels
### Permission Levels
...
@@ -104,13 +104,28 @@ The permissions open to apps vary with the permission level. The permission leve
...
@@ -104,13 +104,28 @@ The permissions open to apps vary with the permission level. The permission leve
As described above, permission levels and app APLs are in one-to-one correspondence. In principle, **an app with a lower APL cannot apply for higher permissions by default**.
As described above, permission levels and app APLs are in one-to-one correspondence. In principle, **an app with a lower APL cannot apply for higher permissions by default**.
The Access Control List (ACL) makes low-level apps to have high-level permissions.
The Access Control List (ACL) makes low-level apps have high-level permissions.
**Example**
**Example**
The APL of app A is normal. App A needs to have permission B (system_basic level) and permission C (normal level). In this case, you can use the ACL to grant permission B to app A.
The APL of app A is normal. App A needs to have permission B (system_basic level) and permission C (normal level).
In this case, you can use the ACL to grant permission B to app A.
For details, see [Using the ACL](#using-the-acl).
For details, see [Using the ACL](#using-the-acl).
For details about whether the ACL is enabled for a permission, see [Permission List](permission-list.md).
### Using the ACL
If the permission required by an app has higher level than the app's APL, you can use the ACL to grant the permissions required.
In addition to the preceding [authorization processes](#authorization-processes), you must declare the ACL.
In other words, in addition to declaring the required permissions in the **config.json** file, you must declare the high-level permissions in the app's [profile](accesstoken-guidelines.md#declaring-the-acl). The subsequent steps of authorization are the same.
**NOTE**
Declare the target ACL in the **acl** field of the app's profile in the app installation package, and generate a certificate using the profile signing tool. For details about the signing process, see [Hapsigner Guide](hapsigntool-guidelines.md).
## Permission Authorization Modes
## Permission Authorization Modes
...
@@ -118,9 +133,9 @@ Permissions can be classified into the following types based on the authorizatio
...
@@ -118,9 +133,9 @@ Permissions can be classified into the following types based on the authorizatio
-**system_grant**
-**system_grant**
The app permissions are authorized by the system. This type of apps cannot access user or device sensitive information. The allowed operations have minor impact on the system or other apps.
The app permissions are authorized by the system. This type of apps cannot access user or device sensitive information. The allowed operations have minor impact on the system or other apps.
For a system_grant app, the system automatically grants the required permissions to the app when the app is installed. The system_grant permission list must be presented to users on the details page of the app store.
For a system_grant app, the system automatically grants the required permissions to the app when the app is installed. The system_grant permission list must be presented to users on the details page of the app in the app store.
-**user_grant**
-**user_grant**
...
@@ -128,15 +143,13 @@ Permissions can be classified into the following types based on the authorizatio
...
@@ -128,15 +143,13 @@ Permissions can be classified into the following types based on the authorizatio
This type of permissions must be declared in the app installation package and authorized by users dynamically during the running of the app. The app has the permission only after user authorization.
This type of permissions must be declared in the app installation package and authorized by users dynamically during the running of the app. The app has the permission only after user authorization.
For example, in the [Permission List](#permission-list), the permissions for the microphone and camera are user_grant permissions. The list provides reasons for using the permissions.
For example, in the [Permission List](permission-list.md), the permissions for the microphone and camera are user_grant. The list provides reasons for using the permissions.
The user_grant permission list must also be presented on the details page of the app store.
The user_grant permission list must also be presented on the details page of the app in the app store.
## Authorization Processes
### Authorization Processes
The process for an app obtaining the required permissions varies
The process for an app obtaining the required permissions varies depending on the permission authorization mode.
depending on the permission authorization mode.
- For a system_grant permission, you need to [declare the permission](accesstoken-guidelines.md) in the **config.json** file. The permission will be pre-granted when the app is installed.
- For a system_grant permission, you need to [declare the permission](accesstoken-guidelines.md) in the **config.json** file. The permission will be pre-granted when the app is installed.
...
@@ -150,7 +163,7 @@ The procedure is as follows:
...
@@ -150,7 +163,7 @@ The procedure is as follows:
2. Associate the object that requires the permissions in the app with the target permissions. In this way, the user knows the operations to be granted with the specified permissions.
2. Associate the object that requires the permissions in the app with the target permissions. In this way, the user knows the operations to be granted with the specified permissions.
3. Check whether the user has granted the required permissions to the app when the app is running. If yes, the app can access the data or perform the operation. If the user has not granted the permissions to the app, display a dialog box requesting the user authorization when the app attempts to access the data or perform the operation.
3. Check whether the user has granted the required permissions to the app when the app is running. If yes, the app can access the data or perform the operation. If the user has not granted the permissions to the app, display a dialog box requesting the user authorization when the app attempts to access the data.
4. Check the user authorization result. Allow the next step only after the user has granted the permissions to the app.
4. Check the user authorization result. Allow the next step only after the user has granted the permissions to the app.
...
@@ -161,112 +174,3 @@ The procedure is as follows:
...
@@ -161,112 +174,3 @@ The procedure is as follows:
- To check whether a user has granted specific permissions to your app, use the [verifyAccessToken](../reference/apis/js-apis-abilityAccessCtrl.md) method. This method returns [PERMISSION_GRANTED](../reference/apis/js-apis-abilityAccessCtrl.md) or [PERMISSION_DENIED](../reference/apis/js-apis-abilityAccessCtrl.md). For details about the sample code, see [Access Control Development](accesstoken-guidelines.md).
- To check whether a user has granted specific permissions to your app, use the [verifyAccessToken](../reference/apis/js-apis-abilityAccessCtrl.md) method. This method returns [PERMISSION_GRANTED](../reference/apis/js-apis-abilityAccessCtrl.md) or [PERMISSION_DENIED](../reference/apis/js-apis-abilityAccessCtrl.md). For details about the sample code, see [Access Control Development](accesstoken-guidelines.md).
- Users must be able to understand and control the authorization of user_grant permissions. During the running process, the app requiring user authorization must proactively call the API to dynamically request the authorization. Then, the system displays a dialog box asking the user to grant the requested permission. The user will determine whether to grant the permission based on the running context of the app.
- Users must be able to understand and control the authorization of user_grant permissions. During the running process, the app requiring user authorization must proactively call the API to dynamically request the authorization. Then, the system displays a dialog box asking the user to grant the requested permission. The user will determine whether to grant the permission based on the running context of the app.
- The permission authorized is not permanent, because the user may revoke the authorization at any time. Therefore, even if the user has granted the requested permission to the app, the app must check for the permission before calling the API controlled by this permission.
- The permission authorized is not permanent, because the user may revoke the authorization at any time. Therefore, even if the user has granted the requested permission to the app, the app must check for the permission before calling the API controlled by this permission.
### Using the ACL
If the permission required by an app has higher level than the app's APL, you can use the ACL to grant the permissions required.
In addition to the preceding [authorization processes](#authorization-processes), you need to declare the ACL.
In addition to declaring the required permissions in the **config.json** file, you must declare the high-level permissions in the app's [profile](accesstoken-guidelines.md). The subsequent steps remain unchanged.
**NOTE**
* The ACL must be approved by the app store.
* Declare the target ACL in the **acl** field of the app's profile in the app installation package, and generate a profile signing certificate. For details, see [Configuring OpenHarmony App Signature Information](https://developer.harmonyos.com/en/docs/documentation/doc-guides/ohos-debugging-and-running-0000001263040487#section17660437768).
## Permission List
The following lists the permissions defined by the system.
| ohos.permission.USE_BLUETOOTH | normal | system_grant | TRUE | Allows an app to access to Bluetooth configuration. |
| ohos.permission.DISCOVER_BLUETOOTH | normal | system_grant | TRUE | Allows an app to configure Bluetooth on a device, initiate or cancel a scan for Bluetooth devices, and pair with Bluetooth devices. |
| ohos.permission.MANAGE_BLUETOOTH | system_basic | system_grant | TRUE | Allows an app to pair with a Bluetooth device and access the Contacts or messages of the device. |
| ohos.permission.INTERNET | normal | system_grant | TRUE | Allows an app to access the Internet. |
| ohos.permission.MODIFY_AUDIO_SETTINGS | normal | system_grant | TRUE | Allows an app to modify audio settings. |
| ohos.permission.GET_TELEPHONY_STATE | system_basic | system_grant | TRUE | Allows an app to read telephony information. |
| ohos.permission.REQUIRE_FORM | system_basic | system_grant | TRUE | Allows an app to obtain the Ability Form. |
| ohos.permission.GET_NETWORK_INFO | normal | system_grant | TRUE | Allows an app to obtain network information. |
| ohos.permission.PLACE_CALL | system_basic | system_grant | TRUE | Allows an app to make calls without starting the dialer. |
| ohos.permission.SET_NETWORK_INFO | normal | system_grant | TRUE | Allows an app to set data network information. |
| ohos.permission.REMOVE_CACHE_FILES | system_basic | system_grant | TRUE | Allows the cache of the specified app to be cleared. |
| ohos.permission.REBOOT | system_basic | system_grant | TRUE | Allows an app to restart the device. |
| ohos.permission.RUNNING_LOCK | normal | system_grant | TRUE | Allows an app to obtain a running lock. |
| ohos.permission.ENROLL_BIOMETRIC | system_core | system_grant | FALSE | Allows an app to add or remove biometric data. |
| ohos.permission.ACCESS_BIOMETRIC | normal | system_grant | FALSE | Allows an app to use biometric recognition for identity authentication. |
| ohos.permission.ACCESS_BIOMETRIC_INTERNAL | system_core | system_grant | FALSE | Allows an app to apply for or release biometric recognition resources. |
| ohos.permission.RESET_BIOMETRIC_LOCKOUT | system_core | system_grant | FALSE | Allows an app to reset the maximum number of failures allowed before biometric authentication is locked. |
| ohos.permission.SET_TIME | system_basic | system_grant | TRUE | Allows an app to set the system time. |
| ohos.permission.SET_TIME_ZONE | system_basic | system_grant | TRUE | Allows an app to set the system time zone. |
| ohos.permission.DOWNLOAD_SESSION_MANAGER | system_core | system_grant | TRUE | Allows an app to manage the downloaded sessions. |
| ohos.permission.COMMONEVENT_STICKY | normal | system_grant | TRUE | Allows an app to publish sticky common events. |
| ohos.permission.SYSTEM_FLOAT_WINDOW | normal | system_grant | TRUE | Allows an app to be displayed in a floating window on top of other apps. |
| ohos.permission.POWER_MANAGER | system_core | system_grant | TRUE | Allows an app to hibernate or wake up the device by calling APIs. |
| ohos.permission.REFRESH_USER_ACTION | system_basic | system_grant | TRUE | Allows an app to reset the screen timeout counter when a user input event occurs, such as pressing a key or tapping the screen. |
| ohos.permission.POWER_OPTIMIZATION | system_basic | system_grant | TRUE | Allows an app to set power saving mode, obtain configuration of the power saving mode, and receive notifications of the configuration changes.|
| ohos.permission.REBOOT_RECOVERY | system_basic | system_grant | TRUE | Allows an app to restart the device and enter Recovery mode. |
| ohos.permission.MANAGE_LOCAL_ACCOUNTS | system_basic | system_grant | TRUE | Allows an app to manage local user accounts. |
| ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS | system_basic | system_grant | TRUE | Allows access between multiple OS accounts. |
| ohos.permission.VIBRATE | normal | system_grant | TRUE | Allows an app to control motor vibration. |
| ohos.permission.CONNECT_IME_ABILITY | system_core | system_grant | TRUE | Allows an app or service to bind the **InputMethodAbility**. |
| ohos.permission.CONNECT_SCREEN_SAVER_ABILITY | system_core | system_grant | TRUE | Allows an app or service to bind the **ScreenSaverAbility**. |
| ohos.permission.READ_SCREEN_SAVER | system_basic | system_grant | TRUE | Allows an app to read the screen saver information, such as the list of screen savers that have been installed and the activated one. |
| ohos.permission.WRITE_SCREEN_SAVER | system_basic | system_grant | TRUE | Allows an app to modify the screen saver information, such as activating and previewing a screen saver. |
| ohos.permission.SET_WALLPAPER | normal | system_grant | TRUE | Allows an app to set a static wallpaper. |
| ohos.permission.GET_WALLPAPER | system_basic | system_grant | TRUE | Allows an app to read wallpaper files. |
| ohos.permission.CHANGE_ABILITY_ENABLED_STATE | system_basic | system_grant | TRUE | Allows an app to enable or disable an app or component. |
| ohos.permission.ACCESS_MISSIONS | system_basic | system_grant | TRUE | Allows an app to obtain information about running processes and tasks in a task stack. |
| ohos.permission.CLEAN_BACKGROUND_PROCESSES | normal | system_grant | TRUE | Allows an app to clear background processes based on their bundle names. |
| ohos.permission.KEEP_BACKGROUND_RUNNING | normal | system_grant | TRUE | Allows a service ability to keep running in the background. |
| ohos.permission.UPDATE_CONFIGURATION | system_basic | system_grant | TRUE | Allows an app to modify system settings. |
| ohos.permission.GRANT_SENSITIVE_PERMISSIONS | system_core | system_grant | TRUE | Allows an app to grant sensitive permissions to other apps. |
| ohos.permission.REVOKE_SENSITIVE_PERMISSIONS | system_core | system_grant | TRUE | Allows an app to revoke sensitive permissions granted to other apps. |
| ohos.permission.GET_SENSITIVE_PERMISSIONS | system_core | system_grant | TRUE | Allows an app to obtain the sensitive permissions that have been granted to other apps. |
| ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION | system_core | system_grant | TRUE | Allows an app to set the attributes of apps of other users. |
| ohos.permission.LISTEN_BUNDLE_CHANGE | system_basic | system_grant | TRUE | Allows an app to listen for changes in other apps, when they are installed, updated, or uninstalled. |
| ohos.permission.GET_BUNDLE_INFO | normal | system_grant | TRUE | Allows a non-system app to obtain information about other apps. |
| ohos.permission.ACCELEROMETER | normal | system_grant | TRUE | Allows an app to read data from an acceleration sensor, uncalibrated acceleration sensor, or linear acceleration sensor. |
| ohos.permission.GYROSCOPE | normal | system_grant | TRUE | Allows an app to read data from a gyroscope sensor or uncalibrated gyroscope sensor. |
| ohos.permission.GET_BUNDLE_INFO_PRIVILEGED | system_basic | system_grant | TRUE | Allows a non-system app to obtain information about other apps. |
| ohos.permission.INSTALL_BUNDLE | system_core | system_grant | TRUE | Allows an app to install and uninstall other apps. |
| ohos.permission.MANAGE_SHORTCUTS | system_core | system_grant | TRUE | Allows an app to query and start shortcuts of other apps.|
| ohos.permission.radio.ACCESS_FM_AM | system_core | system_grant | TRUE | Allows an app to access radio services. |
| ohos.permission.SET_TELEPHONY_STATE | system_basic | system_grant | TRUE | Allows an app to change the telephone state. |
| ohos.permission.START_ABILIIES_FROM_BACKGROUND | system_basic | system_grant | TRUE | Allows an app to start Feature abilities in the background. |
| ohos.permission.BUNDLE_ACTIVE_INFO | system_basic | system_grant | TRUE | Allows an app to obtain how long other apps have been running in the foreground or background. |
| ohos.permission.START_INVISIBLE_ABILITY | system_core | system_grant | TRUE | Allows an app to start an invisible ability. |
| ohos.permission.sec.ACCESS_UDID | system_basic | system_grant | TRUE | Allows an app to obtain the Unified Device ID (UDID). |
| ohos.permission.LAUNCH_DATA_PRIVACY_CENTER | system_basic | system_grant | TRUE | Allows an app to switch from its privacy statement page to the <b>Data & privacy</b> page. |
| ohos.permission.MANAGE_MEDIA_RESOURCES | system_basic | system_grant | TRUE | Allows an app to obtain and manage the media resources that are being played on the device.|
| ohos.permission.PUBLISH_AGENT_REMINDER | normal | system_grant | TRUE | Allows an app to use agent-powered reminders. |
| ohos.permission.CONTROL_TASK_SYNC_ANIMATOR | system_core | system_grant | TRUE | Allows apps to use sync task animations. |
| ohos.permission.INPUT_MONITORING | system_core | system_grant | TRUE | Allows the app to listen for input events. Only the system signature apps can apply for this permission. |
| ohos.permission.NOTIFICATION_CONTROLLER | system_core | system_grant | TRUE | Allows an app to manage and subscribe to notifications. Currently, only system apps can apply for this permission. |
| ohos.permission.CONNECTIVITY_INTERNAL | system_basic | system_grant | TRUE | Allows the app to obtain network information or modify network settings. Currently, only system apps can apply for this permission.|
| ohos.permission.ANSWER_CALL | system_basic | user_grant | TRUE | Allows the app to answer incoming calls. |
| ohos.permission.READ_CALENDAR | normal | user_grant | TRUE | Allows an app to read calendar data. |
| ohos.permission.READ_CALL_LOG | system_basic | user_grant | TRUE | Allows an app to read call logs. |
| ohos.permission.READ_CELL_MESSAGES | system_basic | user_grant | TRUE | Allows an app to read cell broadcast messages received by the device. |
| ohos.permission.READ_CONTACTS | system_basic | user_grant | TRUE | Allows an app to read contacts. |
| ohos.permission.READ_MESSAGES | system_basic | user_grant | TRUE | Allows an app to read messages. |
| ohos.permission.RECEIVE_MMS | system_basic | user_grant | TRUE | Allows the app to receive and process MMS messages. |
| ohos.permission.RECEIVE_SMS | system_basic | user_grant | TRUE | Allows the app to receive and process SMS messages. |
| ohos.permission.RECEIVE_WAP_MESSAGES | system_basic | user_grant | TRUE | Allows the app to receive and process WAP messages. |
| ohos.permission.MICROPHONE | normal | user_grant | TRUE | Allows an app to access the microphone. |
| ohos.permission.SEND_MESSAGES | system_basic | user_grant | TRUE | Allows an app to send messages. |
| ohos.permission.WRITE_CALENDAR | normal | user_grant | TRUE | Allows an app to add, remove, and modify calendar events. |
| ohos.permission.WRITE_CALL_LOG | system_basic | user_grant | TRUE | Allows an app to add, remove, and modify call logs. |
| ohos.permission.WRITE_CONTACTS | system_basic | user_grant | TRUE | Allows an app to add, remove, and modify contacts. |
| ohos.permission.DISTRIBUTED_DATASYNC | normal | user_grant | TRUE | Allows an app to exchange data with other devices. |
| ohos.permission.MANAGE_VOICEMAIL | system_basic | user_grant | TRUE | Allows an app to add messages in the voice mailbox. |
| ohos.permission.LOCATION_IN_BACKGROUND | normal | user_grant | FALSE | Allows an app running in the background to obtain the device location. |
| ohos.permission.LOCATION | normal | user_grant | TRUE | Allows an app to obtain the device location. |
| ohos.permission.MEDIA_LOCATION | normal | user_grant | TRUE | Allow an app to access geographical locations in the user's media file. |
| ohos.permission.CAMERA | normal | user_grant | TRUE | Allows an app to use the camera to take photos and record videos. |
| ohos.permission.READ_MEDIA | normal | user_grant | TRUE | Allows an app to read media files from the user's external storage. |
| ohos.permission.WRITE_MEDIA | normal | user_grant | TRUE | Allows an app to read media files from and write media files into the user's external storage. |
| ohos.permission.ACTIVITY_MOTION | normal | user_grant | TRUE | Allows an app to read the current workout status of the user. |
| ohos.permission.READ_HEALTH_DATA | normal | user_grant | TRUE | Allows an app to read the health data of the user. |
To ensure the integrity and secure source of OpenHarmony applications, the applications must be signed during the build process. Only signed applications can be installed, run, and debugged on real devices. [developtools_hapsigner](https://gitee.com/openharmony/developtools_hapsigner) provides the source code of the OpenHarmony Ability Package (HAP) signing tool - hapsigner. This tool can be used to generate key pairs, certificate signing requests (CSRs), certificates, profile signatures, and HAP signatures.
### Key Concepts
The hapsigner tool is implemented based on the Public Key Infrastructure (PKI). Before using this tool, you should understand the following concepts:
- Asymmetric key pair
The asymmetric key algorithm is the basis of data signature and signature verification. The hapsigner tool can generate standard asymmetric key pairs, including ECC P384/256 and RSA 2048/3072/4096.
- CSR
The CSR contains the public key, subject, and private key signature of a certificate. Before applying for a certificate, you must generate a CSR based on the key pair and submit the CSR to the Certificate Authority (CA).
- Certificate
OpenHarmony uses the RFC5280 standard to build the X.509 certificate trust system. The OpenHarmony certificates used for application signatures are classified into the root CA certificate, intermediate CA certificate, and end-entity certificate (application or profile signing certificate). The application signing certificate indicates the identity of the application developer, which ensures the traceability of the source of the applications. The profile signing certificate is used to verify the signature of the profile, which ensures the integrity of the profile.
- HAP
HAP is a package used to deploy an ability, which is the basic unit for OpenHarmony application development. An OpenHarmony application consists of one or more abilities.
- Profile
The profile in a HAP contains information such as the authorized certificate permission and device ID.
### Constraints
- hapsigner is developed in Java and must run in JRE 8.0 or later.
- The scripts, such as the one-click signature script, are developed in Python, and must run on Python 3.5 or later.
## Build
## Build
1. Check that Gradle 7.1 has been installed.
1. Check that Gradle 7.1 has been installed.
```shell
```shell
gradle -v
gradle -v
```
```
2. Download the code, open the file directory **developtools_hapsigner/hapsigntool**, and run the following command to build the code:
2. Download the code, open the file directory **developtools_hapsigner/hapsigntool**, and run the following command to build the code:
```shell
```shell
gradle build
gradle build
```
```
Or
Or
```shell
```shell
gradle jar
gradle jar
```
```
3. Check that **hap-sign-tool.jar** (binary files) is generated in the **./hap_sign_tool/build/libs** directory.
3. Check that **hap-sign-tool.jar** (binary files) is generated in the **./hap_sign_tool/build/libs** directory.
...
@@ -70,169 +33,191 @@ The usage of hapsigner varies depending on whether an application signing certif
...
@@ -70,169 +33,191 @@ The usage of hapsigner varies depending on whether an application signing certif
- If an application signing certification is available:<br/>
- If an application signing certification is available:<br/>
You need to sign the profile, and use the application signing certificate and the local KS file (containing the corresponding key) to sign the application.
You need to sign the profile, and use the application signing certificate and the local KS file (containing the corresponding key) to sign the application.
### Usage
### Description
#### Description
1. Display command help information.
1. Display help information.
-help # If no parameter is specified, the command help information is displayed by default.
```
-help # If no parameter is specified, the command help information is displayed by default.
```
2. Display the version information.
2. Display version information
-version # Display the tool version information.
```
-version # Display the tool version information.
```
3. Generate a key pair.
3. Generate a key pair.
generate-keypair: Generate a key pair.
```
├── -keyAlias # Key alias. It is mandatory.
generate-keypair: Generate a key pair.
├── -keyPwd # Key password. It is optional.
├── -keyAlias # Key alias. It is mandatory.
├── -keyAlg # Key algorithm, which can be RSA or ECC. It is mandatory.
├── -keyPwd # Key password. It is optional.
├── -keySize # Key length. It is mandatory. The key length is 2048, 3072, or 4096 bits if RSA is used and is NIST-P-256 or NIST-P-384 if ECC is used.
├── -keyAlg # Key algorithm, which can be RSA or ECC. It is mandatory.
├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory.
├── -keySize # Key length. It is mandatory. The key length is 2048, 3072, or 4096 bits if RSA is used and is NIST-P-256 or NIST-P-384 if ECC is used.
├── -keystorePwd # KS password. It is optional.
├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory.
├── -keystorePwd # KS password. It is optional.
```
4. Generate a CSR.
4. Generate a CSR.
```
generate-csr: Generate a CSR.
generate-csr: Generate a CSR.
├── -keyAlias # Key alias. It is mandatory.
├── -keyAlias # Key alias. It is mandatory.
├── -keyPwd # Key password. It is optional.
├── -keyPwd # Key password. It is optional.
├── -subject # Certificate subject. It is mandatory.
├── -subject # Certificate subject. It is mandatory.
├── -signAlg # Signature algorithm, which can be SHA256withRSA, SHA384withRSA, SHA256withECDSA, or SHA384withECDSA. It is mandatory.
├── -signAlg # Signature algorithm, which can be SHA256withRSA, SHA384withRSA, SHA256withECDSA, or SHA384withECDSA. It is mandatory.
├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory.
├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory.
├── -keystorePwd # KS password. It is optional.
├── -keystorePwd # KS password. It is optional.
├── -outFile # CSR to generate. It is optional. If you do not specify this parameter, the CSR is output to the console.
├── -outFile # CSR to generate. It is optional. If you do not specify this parameter, the CSR is output to the console.
```
5. Generate a root CA or intermediate CA certificate.
5. Generate a root CA or intermediate CA certificate.
generate-ca: Generate a root CA or intermediate CA certificate. If the key does not exist, generate a key together with the certificate.
```
├── -keyAlias # Key alias. It is mandatory.
generate-ca: Generate a root CA or intermediate CA certificate. If the key does not exist, generate a key together with the certificate.
├── -keyPwd # Key password. It is optional.
├── -keyAlias # Key alias. It is mandatory.
├── -keyAlg # Key algorithm, which can be RSA or ECC. It is mandatory.
├── -keyPwd # Key password. It is optional.
├── -keySize # Key length. It is mandatory. The key length is 2048, 3072, or 4096 bits if RSA is used and is NIST-P-256 or NIST-P-384 if ECC is used.
├── -keyAlg # Key algorithm, which can be RSA or ECC. It is mandatory.
├── -issuer # Issuer of the certificate. It is optional. It indicates a root CA certificate if not specified.
├── -keySize # Key length. It is mandatory. The key length is 2048, 3072, or 4096 bits if RSA is used and is NIST-P-256 or NIST-P-384 if ECC is used.
├── -issuerKeyAlias # Key alias of the issuer. It is optional. It indicates a root CA certificate if not specified.
├── -issuer # Issuer of the certificate. It is optional. It indicates a root CA certificate if not specified.
├── -issuerKeyPwd # Key password of the issuer. It is optional.
├── -issuerKeyAlias # Key alias of the issuer. It is optional. It indicates a root CA certificate if not specified.
├── -subject # Certificate subject. It is mandatory.
├── -issuerKeyPwd # Key password of the issuer. It is optional.
├── -validity # Validity period of the certificate. It is optional. The default value is 3650 days.
├── -subject # Certificate subject. It is mandatory.
├── -signAlg # Signature algorithm, which can be SHA256withRSA, SHA384withRSA, SHA256withECDSA, or SHA384withECDSA. It is mandatory.
├── -validity # Validity period of the certificate. It is optional. The default value is 3650 days.
├── -basicConstraintsPathLen # Path length. It is optional. The default value is 0.
├── -signAlg # Signature algorithm, which can be SHA256withRSA, SHA384withRSA, SHA256withECDSA, or SHA384withECDSA. It is mandatory.
├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory.
├── -basicConstraintsPathLen # Path length. It is optional. The default value is 0.
├── -keystorePwd # KS password. It is optional.
├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory.
├── -issuerKeystoreFile # KS file of the issuer, in JKS or P12 format. It is optional.
├── -keystorePwd # KS password. It is optional.
├── -issuerKeystorePwd # KS password of the issuer. It is optional.
├── -issuerKeystoreFile # KS file of the issuer, in JKS or P12 format. It is optional.
├── -outFile # File to generate. It is optional. The file is output to the console if this parameter is not specified.
├── -issuerKeystorePwd # KS password of the issuer. It is optional.
├── -outFile # File to generate. It is optional. The file is output to the console if this parameter is not specified.
```
6. Generate an application debug or release certificate.
6. Generate an application debug or release certificate.
generate-app-cert: Generate an application debug or release certificate.
```
├── -keyAlias # Key alias. It is mandatory.
generate-app-cert: Generate an application debug or release certificate.
├── -keyPwd # Key password. It is optional.
├── -keyAlias # Key alias. It is mandatory.
├── -issuer # Issuer of the certificate. It is mandatory.
├── -keyPwd # Key password. It is optional.
├── -issuerKeyAlias # Key alias of the issuer. It is mandatory.
├── -issuer # Issuer of the certificate. It is mandatory.
├── -issuerKeyPwd # Key password of the issuer. It is optional.
├── -issuerKeyAlias # Key alias of the issuer. It is mandatory.
├── -subject # Certificate subject. It is mandatory.
├── -issuerKeyPwd # Key password of the issuer. It is optional.
├── -validity # Validity period of the certificate. It is optional. The default value is 3650 days.
├── -subject # Certificate subject. It is mandatory.
├── -signAlg # Signature algoritym, which can be SHA256withECDSA or SHA384withECDSA.
├── -validity # Validity period of the certificate. It is optional. The default value is 3650 days.
├── -issuerKeystoreFile # KS file of the issuer, in JKS or P12 format. It is optional.
├── -signAlg # Signature algoritym, which can be SHA256withECDSA or SHA384withECDSA.
├── -issuerKeystorePwd # KS password of the issuer. It is optional.
├── -issuerKeystoreFile # KS file of the issuer, in JKS or P12 format. It is optional.
├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory.
├── -issuerKeystorePwd # KS password of the issuer. It is optional.
├── -keystorePwd # KS password. It is optional.
├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory.
├── -outForm # Format of the certificate to generate. It is optional. The value can be cert or certChain. The default value is certChain.
├── -keystorePwd # KS password. It is optional.
├── -rootCaCertFile # Root CA certificate, which is mandatory when outForm is certChain.
├── -outForm # Format of the certificate to generate. It is optional. The value can be cert or certChain. The default value is certChain.
├── -subCaCertFile # Intermediate CA certificate, which is mandatory when outForm is certChain.
├── -rootCaCertFile # Root CA certificate, which is mandatory when outForm is certChain.
├── -outFile # Certificate file (certificate or certificate chain) to generate. It is optional. The file is output to the console if this parameter is not specified.
├── -subCaCertFile # Intermediate CA certificate, which is mandatory when outForm is certChain.
├── -outFile # Certificate file (certificate or certificate chain) to generate. It is optional. The file is output to the console if this parameter is not specified.
```
7. Generate a profile debug or release certificate.
7. Generate a profile debug or release certificate.
generate-profile-cert: Generate a profile debug or release certificate.
```
├── -keyAlias # Key alias. It is mandatory.
generate-profile-cert: Generate a profile debug or release certificate.
├── -keyPwd # Key password. It is optional.
├── -keyAlias # Key alias. It is mandatory.
├── -issuer # Issuer of the certificate. It is mandatory.
├── -keyPwd # Key password. It is optional.
├── -issuerKeyAlias # Key alias of the issuer. It is mandatory.
├── -issuer # Issuer of the certificate. It is mandatory.
├── -issuerKeyPwd # Key password of the issuer. It is optional.
├── -issuerKeyAlias # Key alias of the issuer. It is mandatory.
├── -subject # Certificate subject. It is mandatory.
├── -issuerKeyPwd # Key password of the issuer. It is optional.
├── -validity # Validity period of the certificate. It is optional. The default value is 3650 days.
├── -subject # Certificate subject. It is mandatory.
├── -signAlg # Signature algoritym, which can be SHA256withECDSA or SHA384withECDSA.
├── -validity # Validity period of the certificate. It is optional. The default value is 3650 days.
├── -issuerKeystoreFile # KS file of the issuer, in JKS or P12 format. It is optional.
├── -signAlg # Signature algoritym, which can be SHA256withECDSA or SHA384withECDSA.
├── -issuerKeystorePwd # KS password of the issuer. It is optional.
├── -issuerKeystoreFile # KS file of the issuer, in JKS or P12 format. It is optional.
├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory.
├── -issuerKeystorePwd # KS password of the issuer. It is optional.
├── -keystorePwd # KS password. It is optional.
├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory.
├── -outForm # Format of the certificate to generate. It is optional. The value can be cert or certChain. The default value is certChain.
├── -keystorePwd # KS password. It is optional.
├── -rootCaCertFile # Root CA certificate, which is mandatory when outForm is certChain.
├── -outForm # Format of the certificate to generate. It is optional. The value can be cert or certChain. The default value is certChain.
├── -subCaCertFile # Intermediate CA certificate, which is mandatory when outForm is certChain.
├── -rootCaCertFile # Root CA certificate, which is mandatory when outForm is certChain.
├── -outFile # Certificate file (certificate or certificate chain) to generate. It is optional. The file is output to the console if this parameter is not specified.
├── -subCaCertFile # Intermediate CA certificate, which is mandatory when outForm is certChain.
├── -outFile # Certificate file (certificate or certificate chain) to generate. It is optional. The file is output to the console if this parameter is not specified.
```
8. Generate a common certificate, which can be used to generate a custom certificate.
8. Generate a common certificate, which can be used to generate a custom certificate.
generate-cert: Generate a common certificate, which can be used to generate a custom certificate.
```
├── -keyAlias # Key alias. It is mandatory.
generate-cert: Generate a common certificate, which can be used to generate a custom certificate.
├── -keyPwd # Key password. It is optional.
├── -keyAlias # Key alias. It is mandatory.
├── -issuer # Issuer of the certificate. It is mandatory.
├── -keyPwd # Key password. It is optional.
├── -issuerKeyAlias # Key alias of the issuer. It is mandatory.
├── -issuer # Issuer of the certificate. It is mandatory.
├── -issuerKeyPwd # Key password of the issuer. It is optional.
├── -issuerKeyAlias # Key alias of the issuer. It is mandatory.
├── -subject # Certificate subject. It is mandatory.
├── -issuerKeyPwd # Key password of the issuer. It is optional.
├── -validity # Validity period of the certificate. It is optional. The default value is 1095 days.
├── -subject # Certificate subject. It is mandatory.
├── -keyUsage # Usages of the key. It is mandatory. The key usages include digitalSignature, nonRepudiation,
├── -validity # Validity period of the certificate. It is optional. The default value is 1095 days.
├── -keyUsageCritical # Whether keyUsage is a critical option. It is optional. The default value is true.
├ encipherOnly, and decipherOnly. Use a comma (,) to separate multiple values.
├── -extKeyUsage # Extended key usages. It is optional. The extended key usages include clientAuthentication,
├── -keyUsageCritical # Whether keyUsage is a critical option. It is optional. The default value is true.
├ serverAuthentication, codeSignature, emailProtection, smartCardLogin, timestamp, and ocspSignature.
├── -extKeyUsage # Extended key usages. It is optional. The extended key usages include clientAuthentication, serverAuthentication,
├── -extKeyUsageCritical # Whether extKeyUsage is a critical option. It is optional. The default value is false.
├ codeSignature, emailProtection, smartCardLogin, timestamp, and ocspSignature.
├── -signAlg # Signature algorithm, which can be SHA256withRSA, SHA384withRSA, SHA256withECDSA, or SHA384withECDSA. It is mandatory.
├── -extKeyUsageCritical # Whether extKeyUsage is a critical option. It is optional. The default value is false.
├── -basicConstraints # Whether basicConstraints is contained. It is optional. The default value is false.
├── -signAlg # Signature algorithm, which can be SHA256withRSA, SHA384withRSA, SHA256withECDSA, or SHA384withECDSA. It is mandatory.
├── -basicConstraintsCritical # Whether basicConstraints is a critical option. It is optional. The default value is false.
├── -basicConstraints # Whether basicConstraints is contained. It is optional. The default value is false.
├── -basicConstraintsCa # Whether it is CA. It is optional. The default value is false.
├── -basicConstraintsCritical # Whether basicConstraints is a critical option. It is optional. The default value is false.
├── -basicConstraintsPathLen # Path length. It is optional. The default value is 0.
├── -basicConstraintsCa # Whether it is CA. It is optional. The default value is false.
├── -issuerKeystoreFile # KS file of the issuer, in JKS or P12 format. It is optional.
├── -basicConstraintsPathLen # Path length. It is optional. The default value is 0.
├── -issuerKeystorePwd # KS password of the issuer. It is optional.
├── -issuerKeystoreFile # KS file of the issuer, in JKS or P12 format. It is optional.
├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory.
├── -issuerKeystorePwd # KS password of the issuer. It is optional.
├── -keystorePwd # KS password. It is optional.
├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory.
├── -outFile # Certificate file to generate. It is optional. The file is output to the console if this parameter is not specified.
├── -keystorePwd # KS password. It is optional.
├── -outFile # Certificate file to generate. It is optional. The file is output to the console if this parameter is not specified.
9. Sign a provisioning profile.
```
sign-profile: Sign a provisioning profile.
9. Sign a profile.
├── -mode # Signing mode, which can be localSign or remoteSign. It is mandatory.
├── -keyAlias # Key alias. It is mandatory.
```
├── -keyPwd # Key password. It is optional.
sign-profile: Sign a profile.
├── -profileCertFile # Profile signing certificate (certificate chain, in the end-entity certificate, intermediate CA certificate, and root certificate order). It is mandatory.
├── -mode # Signing mode, which can be localSign or remoteSign. It is mandatory.
├── -inFile # Raw profile template in JSON format (developtools_hapsigner/autosign/UnsgnedReleasedProfileTemplate.json). It is mandatory.
├── -keyAlias # Key alias. It is mandatory.
├── -signAlg # Signature algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
├── -keyPwd # Key password. It is optional.
├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory if the signing mode is localSign.
├── -profileCertFile # Profile signing certificate (certificate chain, in the end-entity certificate, intermediate CA certificate, and root certificate order). It is mandatory.
├── -keystorePwd # KS password. It is optional.
├── -inFile # Raw profile template in JSON format (developtools_hapsigner/autosign/UnsgnedReleasedProfileTemplate.json). It is mandatory.
├── -outFile # Signed provisioning profile to generate, in p7b format. It is mandatory.
├── -signAlg # Signature algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory if the signing mode is localSign.
10. Verify the provisioning profile signature.
├── -keystorePwd # KS password. It is optional.
├── -outFile # Signed profile to generate, in p7b format. This parameter is mandatory.
verify-profile: Verify the provisioning profile signature.
```
├── -inFile # Signed provisioning profile, in p7b format. It is mandatory.
├── -outFile # Verification result file (including the verification result and profile content), in json format. It is optional. The file is output to the console if this parameter is not specified.
10. Verify the signature of the profile.
```
verify-profile: Verify the profile signature.
├── -inFile # Signed profile in p7b format. This parameter is mandatory.
├── -outFile # Verification result file (including the verification result and profile content), in json format. It is optional. The file is output to the console if this parameter is not specified.
```
11. Sign a HAP.
11. Sign a HAP.
sign-app: Sign a HAP.
├── -mode # Signing mode, which can be localSign, remoteSign, or remoteResign. It is mandatory.
```
├── -keyAlias # Key alias. It is mandatory.
sign-app: Sign a HAP.
├── -keyPwd # Key password. It is optional.
├── -mode # Signing mode, which can be localSign, remoteSign, or remoteResign. It is mandatory.
├── -appCertFile # Application signing certificate (certificate chain, in the end-entity certificate, intermediate CA certificate, and root certificate order). It is mandatory.
├── -keyAlias # Key alias. It is mandatory.
├── -profileFile # Singed provisioning profile, in p7b format. It is mandatory.
├── -keyPwd # Key password. It is optional.
├── -profileSigned # Whether the profile is signed. The value 1 means signed, and value 0 means unsigned. The default value is 1. It is optional.
├── -appCertFile # Application signing certificate (certificate chain, in the end-entity certificate, intermediate CA certificate, and root certificate order). It is mandatory.
├── -inForm # Raw file, in .zip (default) or .bin format. It is optional.
├── -profileFile # Name of the signed profile in p7b format. This parameter is mandatory.
├── -inFile # Raw application package, in HAP or .bin format. It is mandatory.
├── -profileSigned # Whether the profile is signed. The value 1 means signed, and value 0 means unsigned. The default value is 1. This parameter is optional.
├── -signAlg # Signature algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
├── -inForm # Raw file, in .zip (default) or .bin format. It is optional.
├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory if the signing mode is localSign.
├── -inFile # Raw application package, in HAP or .bin format. It is mandatory.
├── -keystorePwd # KS password. It is optional.
├── -signAlg # Signature algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
├── -outFile # Signed HAP file to generate. It is mandatory.
├── -keystoreFile # KS file, in JKS or P12 format. It is mandatory if the signing mode is localSign.
├── -keystorePwd # KS password. It is optional.
├── -outFile # Signed HAP file to generate. It is mandatory.
```
12. Verify the HAP signature.
12. Verify the HAP signature.
verify-app: Verify the HAP signature.
```
├── -inFile # Signed application file, in HAP or bin format. It is mandatory.
verify-app: Verify the HAP signature.
├── -outCertchain # Signed certificate chain file. It is mandatory.
├── -inFile # Signed application file, in HAP or bin format. It is mandatory.
├── -outProfile # Profile of the application. It is mandatory.
├── -outCertchain # Signed certificate chain file. It is mandatory.
├── -outProfile # Profile of the application. It is mandatory.
```
### Signing Procedure
### Signing Procedure
The process of signing a HAP is as follows:
The process of signing a HAP is as follows:
...
@@ -242,174 +227,183 @@ The process of signing a HAP is as follows:
...
@@ -242,174 +227,183 @@ The process of signing a HAP is as follows:
4. Sign the HAP.
4. Sign the HAP.
> **Precautions** <br/>
> **Precautions** <br>
>
>
> For security purposes, the ECC algorithm is recommended for generating key pairs for application signing signatures. The RSA algorithm is not recommended.<br/>
> For security purposes, use ECC to generate the key pair in step 1. Do not use RSA.
> You are advised to place the HAP, profile, KS file **OpenHarmony.p12**, root CA certificate, intermediate CA certificate, and hapsigner in the same directory for easy operation.
>
> The [**developtools_hapsigner/autosign/result**](https://gitee.com/openharmony/developtools_hapsigner/tree/master/autosign/result) directory has the following files:<br/>- OpenHarmony KS file **OpenHarmony.p12** <br/>- Root CA certificate **rootCA.cer**<br/>- Intermediate CA certificate **subCA.cer**<br/>- Profile signing certificate **OpenHarmonyProfileRelease.pem**
> You are advised to place the HAP to be signed, profile, **OpenHarmony.p12**, root CA certificate, intermediate CA certificate, and hapsigner in the same directory for easy operation. The [**developtools_hapsigner/autosign/result**](https://gitee.com/openharmony/developtools_hapsigner/tree/master/autosign/result) directory has the following files:
>
> - OpenHarmony KS file: **OpenHarmony.p12**
**1. Generate a key pair for the application signing certificate.**
> - Root CA certificate: **rootCA.cer**
> - Intermediate CA certificate: **subCA.cer**
Generate a signature key pair and save it to the KS.
Generate a signing key pair and save it to the KS.
```
>  **NOTE**<br/>Record the values of **keyAlias**, **keyStorePwd**, and **keyPwd**. These values will be used when the application signing certificate is generated and the HAP is signed.
generate-keypair: Generate a key pair for the application signing certificate.
```
├── -keyAlias # Alias of the key used to generate the application signing certificate. It is stored in the OpenHarmony.p12 file. This parameter is mandatory.
├── -keyAlg # Key algorithm. It is mandatory. ECC is recommended.
> Note:<br>Record the values of **keyAlias**, **keyStorePwd**, and **keyPwd**. These values will be used when the application signing certificate is generated and the HAP is signed.
├── -keySize # Key length. It is NIST-P-256/NIST-P-384 if ECC is used. This parameter is mandatory.
├── -keyStoreFile # KS file. OpenHarmony.p12 is recommended. This parameter is mandatory.
The command parameters are described as follows:
├── -keyStorePwd # KS password. It is mandatory. The default password 123456 for OpenHarmony.p12.
├── -keyPwd # Key password. It is optional. If this parameter is not specified, the generated key pair has no password.
```
generate-keypair: Generate a key pair for the application signing certificate.
├── -keyAlias # Alias of the key used to generate the application signing certificate. It is stored in the OpenHarmony.p12 file. This parameter is mandatory.
├── -keyAlg # Key algorithm. It is mandatory. ECC is recommended.
**2. Generate an application signing certificate.**
├── -keySize # Key length. It is NIST-P-256/NIST-P-384 if ECC is used. This parameter is mandatory.
├── -keyStoreFile # KS file. OpenHarmony.p12 is recommended. This parameter is mandatory.
Use the local intermediate CA certificate to issue an application signing certificate.
├── -keyStorePwd # KS password. It is mandatory. The default password 123456 for OpenHarmony.p12.
├── -keyPwd # Key password. It is optional. If this parameter is not specified, the generated key pair has no password.
Example:
```
```shell
2.**Generate an application signing certificate.**
├── -issuer # Issuer of the certificate. Enter the issuer of the intermediate CA certificate. It is mandatory and cannot be changed.
```
├── -issuerKeyAlias # Key alias of the issuer. Enter the key alias of the intermediate CA certificate. It is mandatory and cannot be changed.
├── -subject # Subject of the certificate. Enter the subject in the same sequence specified in the command. This parameter is mandatory.
The command parameters are described as follows:
├── -issuerKeyPwd # Key password of the issuer. Enter the key password of the intermediate CA certificate. It is mandatory and cannot be changed. In this example, it is 123456.
├── -keystoreFile # KS file. Use OpenHarmony.p12. It is mandatory and cannot be changed.
```
├── -rootCaCertFile # Root certificate. It is mandatory and cannot be changed.
generate-app-cert: Generate an application signing certificate.
├── -subCaCertFile # Intermediate CA certificate. It is mandatory and cannot be changed.
├── -keyAlias # Key alias, which must be the same as that in the previous step.
├── -outForm # Format of the certificate file to generate. certChain is recommended.
├── -signAlg # Signature algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
├── -outFile # File to generate. It is optional. The file is output to the console if this parameter is not specified.
├── -issuer # Issuer of the certificate. Enter the issuer of the intermediate CA certificate. It is mandatory and cannot be changed.
├── -keyPwd # Key password. It is optional. It is the key password set when the key pair is generated.
├── -issuerKeyAlias # Key alias of the issuer. Enter the key alias of the intermediate CA certificate. This parameter is mandatory and cannot be changed.
├── -keystorePwd # KS password. The default value is 123456.
├── -subject # Subject of the certificate. Enter the subject in the same sequence specified in the command. This parameter is mandatory.
├── -validity # Validity period of the certificate. It is optional. The default value is 3650 days.
├── -issuerKeyPwd # Key password of the issuer. Enter the key password of the intermediate CA certificate. It is mandatory and cannot be changed. In this example, it is 123456.
<br/>
├── -keystoreFile # KS file. Use OpenHarmony.p12. It is mandatory and cannot be changed.
├── -rootCaCertFile # Root certificate. It is mandatory and cannot be changed.
**3. Sign the profile.**
├── -subCaCertFile # Intermediate CA certificate. This parameter is mandatory and cannot be changed.
├── -outForm # Format of the certificate file to generate. certChain is recommended.
Use the profile signature key to sign the profile.
├── -outFile # File to generate. It is optional. The file is output to the console if this parameter is not specified.
├── -keyPwd # Key password. It is optional. It is the key password set when the key pair is generated.
Example:
├── -keystorePwd # KS password. The default value is 123456.
├── -validity # Validity period of the certificate. It is optional. The default value is 3650 days.
├── -keyPwd # Key password. The default key password in OpenHarmony.p12 is 123456.
```
├── -keystorePwd # KS password. The default key password in OpenHarmony.p12 is 123456.
```
>  **NOTE**:<br/>The following parameters used are for the scenario where there is no application signing certificate available. If the application signing certificate is available, the following parameters need to be modified:<br/>
-**keyAlias**: Enter the key alias of the application signing certificate. This parameter is mandatory. <br/>
4.**Sign the HAP.**
-**appCertFile**: Enter the application signing certificate. This parameter is mandatory.<br/>
-**keystoreFile**: Enter the KS file of the application signing certificate. This parameter is mandatory. <br/>
Call the HAP signing API to sign the HAP using the application signing key.
-**keyPwd**: Enter the key password in the KS file. <br/>
-**keystorePwd**: Enter the KS password in the KS file.<br/>
├──-keyAlias # Key alias, which must be the same as the alias of the key pair generated. This parameter is mandatory.
> Note:<br>The following parameters are used when there is no application signing certificate available. If the application signing certificate is available, the following parameters must be modified.
├── -signAlg # Signature algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
> -**keyAlias**: Enter the key alias of the application signing certificate. This parameter is mandatory. <br/>
├── -mode # Signing mode, which must be localSign. It is mandatory.
> -**appCertFile**: Enter the application signing certificate. This parameter is mandatory.<br/>
├── -appCertFile # Application signing certificate (certificate chain, in the end-entity certificate, intermediate CA certificate, and root certificate order). Enter the application signing certificate generated. This parameter is mandatory.
> -**keystoreFile**: Enter the KS file of the application signing certificate. This parameter is mandatory. <br/>
├── -profileFile # Signed provisioning profile in p7b format. Enter the profile generated. This parameter is mandatory.
> -**keyPwd**: Enter the key password in the KS file. <br/>
├── -inFile # Raw application package. It is mandatory.
> -**keystorePwd**: Enter the KS password in the KS file.
├── -keystoreFile # KS file, which must be the same as the KS file generated. It is mandatory and cannot be changed.
├── -outFile # Signed file to generate. It is mandatory.
The command parameters are described as follows:
├── -keyPwd # Key password, which must be the actual key password.
├── -keystorePwd # KS password, which must be the actual KS password.
```
sign-app: Sign a HAP.
├──-keyAlias # Key alias, which must be the same as the alias of the key pair generated. This parameter is mandatory.
├── -signAlg # Signature algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
├── -mode # Signing mode, which must be localSign. It is mandatory.
├── -appCertFile # Application signing certificate (certificate chain, in the end-entity certificate, intermediate CA certificate, and root certificate order). Enter the application signing certificate generated in step 2. This parameter is mandatory.
├── -profileFile # Signed profile in p7b format. Enter the profile generated. This parameter is mandatory.
├── -inFile # Raw application package. It is mandatory.
├── -keystoreFile # KS file, which must be the same as the KS file generated. It is mandatory and cannot be changed.
├── -outFile # Signed file to generate. It is mandatory.
├── -keyPwd # Key password, which must be the actual key password.
├── -keystorePwd # KS password, which must be the actual KS password.
```
## FAQs
## FAQs
**1. When the application signing certificate is generated, the console displays the result but no file is output.**
1. When the application signing certificate is generated, the console displays the result but no file is output.
-**Symptom**
When the tool is used to to generate an application signing certificate, the certificate content is displayed on the console and no certificate is generated.
-**Possible Causes**
The path in the **outFile** parameter is incorrect, or the hyphen (-) in **-outFile** is not an English character.
-**Solution**
Check and correct the value of **outFile**, and ensure the hyphen (-) in **-outFile** is an English character.
-**Symptom**
**2. Failed to sign the profile.**
When the tool is used to generate an application signing certificate, the certificate content is displayed on the console and no certificate is generated.
-**Symptom**
-**Possible Causes**
The path in the **outFile** parameter is incorrect, or the hyphen (-) in **-outFile** is not an English character.
-**Solution**
Check and correct the value of **outFile**, and ensure the hyphen (-) in **-outFile** is an English character.
When the tool is used to sign a profile, any of the following information is displayed:
(2) `"NOT_SUPPORT_ERROR, code: 105. Details: Profile cert 'result\profile1.pem' must a cert chain"`
-**Possible Causes**
(3) ` "VERIFY_ERROR, code: 108. Details: Failed to verify signature: unable to find valid certification path to requested target"`
The possible causes for the error messages are as follows:
-**Possible Causes**
(1) The certificate chain of the profile signing certificate is in incorrect order.
(1) The certificate chain of the profile signing certificate is in incorrect order.
(2) The profile signing certificate is not a certificate chain.
(2) The profile signing certificate is not a certificate chain.
(3) The certificate subject is in incorrect sequence, or the **-issuerKeyAlias** parameter set to generate the application signing certificate is incorrect.
(3) The certificate subject is in incorrect sequence, or the **-issuerKeyAlias** parameter set to generate the application signing certificate is incorrect.
-**Solution**
-**Solution**
(1) Check that the certificate chain is in ascending or descending order of seniority.
(1) Check that the certificate chain is in ascending or descending order of seniority.
(2) Check that the certificate is a certificate chain.
(2) Check that the certificate is a certificate chain.
(3) Check that the certificate subject is in the C, O, OU, and CN order.
(3) Check that the certificate subject is in the C, O, OU, and CN order.
**3. An error message is displayed when the tool is used to sign a HAP.**
3. An error message is displayed when the tool is used to sign a HAP.
-**Symptom**
-**Symptom**
The following error message is displayed: "NOT_SUPPORT_ERROR, code: 105.Details: SignAlg params is incorrect, signature algorithms include SHA256withECDSA,SHA384withECDSA
The following information is displayed after the command is executed:<br>`NOT_SUPPORT_ERROR, code: 105. Details: SignAlg params is incorrect, signature algorithms include SHA256withECDSA,SHA384withECDSA`
-**Possible Causes**
-**Possible Causes**
The signature algorithm is not supported. Check the value of **signAlg**.
The signature algorithm is not supported. Check the value of **signAlg**.
-**Solution**
-**Solution**
Use ECC to generate the key pair for an application or profile signing certificate. Use **SHA256withECDSA** or **SHA384withECDSA** as the HAP signature algorithm.
Use ECC to generate the key pair for the application or profile signing certificate. Use SHA256withECDSA or SHA384withECDSA as the HAP signature algorithm.
To ensure the integrity and secure source of OpenHarmony applications, the applications must be signed during the build process. Only signed applications can be installed, run, and debugged on real devices. [developtools_hapsigner](https://gitee.com/openharmony/developtools_hapsigner) provides the source code of the OpenHarmony Ability Package (HAP) signing tool - hapsigner. This tool can be used to generate key pairs, certificate signing requests (CSRs), certificates, profile signatures, and HAP signatures.
## Basic Concepts
The hapsigner tool is implemented based on the Public Key Infrastructure (PKI). Before using this tool, you should understand the following concepts:
- Asymmetric key pair
The asymmetric key algorithm is the basis of data signature and signature verification. The hapsigner tool can generate standard asymmetric key pairs, including ECC P384/256 and RSA 2048/3072/4096.
- CSR
The CSR contains the public key, subject, and private key signature of a certificate. Before applying for a certificate, you must generate a CSR based on the key pair and submit the CSR to the Certificate Authority (CA).
- Certificate
OpenHarmony uses the RFC5280 standard to build the X.509 certificate trust system. The OpenHarmony certificates used for application signatures are classified into the root CA certificate, intermediate CA certificate, and end-entity certificate (application or profile signing certificate). The application signing certificate indicates the identity of the application developer, which ensures the traceability of the source of the applications. The profile signing certificate is used to verify the signature of the profile, which ensures the integrity of the profile.
- HAP
HAP is a package used to deploy an ability, which is the basic unit for OpenHarmony application development. An OpenHarmony application consists of one or more abilities.
- Profile
HarmonyAppProvision configuration file in a HAP contains information such as the authorized application permissions and device ID.
## Constraints
- hapsigner is developed in Java and must run in JRE 8.0 or later.
- The scripts, such as the one-click signature script, are developed in Python, and must run on Python 3.5 or later.
On the basis of the [principles for app permission management](accesstoken-overview.md#basic-principles), apply for permissions for an app by following the procedure illustrated in the figure below.
1. For details about the mapping between the app's ability privilege level (APL) and permission level, see [Permission Levels](accesstoken-overview.md#permission-levels).
2. Permissions can be authorized by the user (user_grant) or the system (system_grant). For details, see [Permission Authorization Modes](accesstoken-overview.md#permission-authorization-modes).
3. In principle, an app with a lower APL cannot apply for higher permissions by default. The Access Control List (ACL) makes low-level apps have high-level permissions. For details, see [ACL](accesstoken-overview.md#acl).
The following lists the permissions defined by the system. For details about permission usage examples, see [Access Control Development](accesstoken-guidelines.md).
| ohos.permission.USE_BLUETOOTH | normal | system_grant | TRUE | Allows an app to access to Bluetooth configuration. |
| ohos.permission.DISCOVER_BLUETOOTH | normal | system_grant | TRUE | Allows an app to configure Bluetooth on a device, initiate or cancel a scan for Bluetooth devices, and pair with Bluetooth devices. |
| ohos.permission.MANAGE_BLUETOOTH | system_basic | system_grant | TRUE | Allows an app to pair with a Bluetooth device and access the contacts or messages of the device. |
| ohos.permission.INTERNET | normal | system_grant | TRUE | Allows an app to access the Internet. |
| ohos.permission.MODIFY_AUDIO_SETTINGS | normal | system_grant | TRUE | Allows an app to modify audio settings. |
| ohos.permission.ACCESS_NOTIFICATION_POLICY | normal | system_grant | FALSE | Allows an app to access the notification policy on the device. |
| ohos.permission.GET_TELEPHONY_STATE | system_basic | system_grant | TRUE | Allows an app to read telephony information. |
| ohos.permission.REQUIRE_FORM | system_basic | system_grant | TRUE | Allows an app to obtain the Ability Form. |
| ohos.permission.GET_NETWORK_INFO | normal | system_grant | TRUE | Allows an app to obtain network information. |
| ohos.permission.PLACE_CALL | system_basic | system_grant | TRUE | Allows an app to make calls without starting the dialer. |
| ohos.permission.SET_NETWORK_INFO | normal | system_grant | TRUE | Allows an app to set data network information. |
| ohos.permission.REMOVE_CACHE_FILES | system_basic | system_grant | TRUE | Allows the cache of the specified app to be cleared. |
| ohos.permission.REBOOT | system_basic | system_grant | TRUE | Allows an app to restart the device. |
| ohos.permission.RUNNING_LOCK | normal | system_grant | TRUE | Allows an app to obtain a running lock. |
| ohos.permission.ENROLL_BIOMETRIC | system_core | system_grant | FALSE | Allows an app to add or remove biometric data. |
| ohos.permission.ACCESS_BIOMETRIC | normal | system_grant | FALSE | Allows an app to use biometric recognition for identity authentication. |
| ohos.permission.ACCESS_BIOMETRIC_INTERNAL | system_core | system_grant | FALSE | Allows an app to apply for or release biometric recognition resources. |
| ohos.permission.RESET_BIOMETRIC_LOCKOUT | system_core | system_grant | FALSE | Allows an app to reset the maximum number of failures allowed before biometric authentication is locked. |
| ohos.permission.SET_TIME | system_basic | system_grant | TRUE | Allows an app to set the system time. |
| ohos.permission.SET_TIME_ZONE | system_basic | system_grant | TRUE | Allows an app to set the system time zone. |
| ohos.permission.DOWNLOAD_SESSION_MANAGER | system_core | system_grant | TRUE | Allows an app to manage the download sessions. |
| ohos.permission.COMMONEVENT_STICKY | normal | system_grant | TRUE | Allows an app to publish sticky common events. |
| ohos.permission.SYSTEM_FLOAT_WINDOW | normal | system_grant | TRUE | Allows an app to be displayed in a floating window on top of other apps. |
| ohos.permission.POWER_MANAGER | system_core | system_grant | TRUE | Allows an app to hibernate or wake up the device by calling APIs. |
| ohos.permission.REFRESH_USER_ACTION | system_basic | system_grant | TRUE | Allows an app to reset the screen timeout counter when a user input event occurs, such as pressing a key or touching the screen. |
| ohos.permission.POWER_OPTIMIZATION | system_basic | system_grant | TRUE | Allows an app to set power saving mode, obtain configuration of the power saving mode, and receive notifications of the configuration changes.|
| ohos.permission.REBOOT_RECOVERY | system_basic | system_grant | TRUE | Allows an app to restart the device and enter Recovery mode. |
| ohos.permission.MANAGE_LOCAL_ACCOUNTS | system_basic | system_grant | TRUE | Allows an app to manage local user accounts. |
| ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS | system_basic | system_grant | TRUE | Allows access between multiple OS accounts. |
| ohos.permission.VIBRATE | normal | system_grant | TRUE | Allows an app to control vibration. |
| ohos.permission.CONNECT_IME_ABILITY | system_core | system_grant | TRUE | Allows an app or service to bind to the **InputMethodAbility**. |
| ohos.permission.CONNECT_SCREEN_SAVER_ABILITY | system_core | system_grant | TRUE | Allows an app or service to bind to the **ScreenSaverAbility**. |
| ohos.permission.READ_SCREEN_SAVER | system_basic | system_grant | TRUE | Allows an app to read the screen saver information, such as the list of screen savers that have been installed and the activated one. |
| ohos.permission.WRITE_SCREEN_SAVER | system_basic | system_grant | TRUE | Allows an app to modify the screen saver information, such as activating and previewing a screen saver. |
| ohos.permission.SET_WALLPAPER | normal | system_grant | TRUE | Allows an app to set a static wallpaper. |
| ohos.permission.GET_WALLPAPER | system_basic | system_grant | TRUE | Allows an app to read wallpaper files. |
| ohos.permission.CHANGE_ABILITY_ENABLED_STATE | system_basic | system_grant | TRUE | Allows an app to enable or disable an app or component. |
| ohos.permission.ACCESS_MISSIONS | system_basic | system_grant | TRUE | Allows an app to obtain information about running processes and mission in a mission stack. |
| ohos.permission.CLEAN_BACKGROUND_PROCESSES | normal | system_grant | TRUE | Allows an app to clear background processes based on their bundle names. |
| ohos.permission.KEEP_BACKGROUND_RUNNING | normal | system_grant | TRUE | Allows a Service ability to keep running in the background. |
| ohos.permission.UPDATE_CONFIGURATION | system_basic | system_grant | TRUE | Allows an app to modify system settings. |
| ohos.permission.UPDATE_SYSTEM | system_basic | system_grant | TRUE | Allows an app to call the update APIs. |
| ohos.permission.FACTORY_RESET | system_basic | system_grant | TRUE | Allows an app to call the APIs for restoring factory settings. |
| ohos.permission.GRANT_SENSITIVE_PERMISSIONS | system_core | system_grant | TRUE | Allows an app to grant sensitive permissions to other apps. |
| ohos.permission.REVOKE_SENSITIVE_PERMISSIONS | system_core | system_grant | TRUE | Allows an app to revoke sensitive permissions granted to other apps. |
| ohos.permission.GET_SENSITIVE_PERMISSIONS | system_core | system_grant | TRUE | Allows an app to obtain the sensitive permissions that have been granted to other apps. |
| ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION | system_core | system_grant | TRUE | Allows an app to set the attributes of apps of other users. |
| ohos.permission.LISTEN_BUNDLE_CHANGE | system_basic | system_grant | TRUE | Allows an app to listen for changes in other apps, when they are installed, updated, or uninstalled. |
| ohos.permission.GET_BUNDLE_INFO | normal | system_grant | TRUE | Allows a non-system app to obtain information about other apps. |
| ohos.permission.ACCELEROMETER | normal | system_grant | TRUE | Allows an app to read data from an acceleration sensor, uncalibrated acceleration sensor, or linear acceleration sensor. |
| ohos.permission.GYROSCOPE | normal | system_grant | TRUE | Allows an app to read data from a gyroscope sensor or uncalibrated gyroscope sensor. |
| ohos.permission.GET_BUNDLE_INFO_PRIVILEGED | system_basic | system_grant | TRUE | Allows a non-system app to obtain information about other apps. |
| ohos.permission.INSTALL_BUNDLE | system_core | system_grant | TRUE | Allows an app to install and uninstall other apps. |
| ohos.permission.MANAGE_SHORTCUTS | system_core | system_grant | TRUE | Allows an app to query and start shortcuts of other apps.|
| ohos.permission.radio.ACCESS_FM_AM | system_core | system_grant | TRUE | Allows an app to access radio services. |
| ohos.permission.SET_TELEPHONY_STATE | system_basic | system_grant | TRUE | Allows an app to change the telephone state. |
| ohos.permission.START_ABILIIES_FROM_BACKGROUND | system_basic | system_grant | TRUE | Allows an app to start Feature abilities in the background. |
| ohos.permission.BUNDLE_ACTIVE_INFO | system_basic | system_grant | TRUE | Allows an app to obtain how long other apps have been running in the foreground or background. |
| ohos.permission.START_INVISIBLE_ABILITY | system_core | system_grant | TRUE | Allows an app to start an invisible ability. |
| ohos.permission.sec.ACCESS_UDID | system_basic | system_grant | TRUE | Allows an app to obtain the Unified Device ID (UDID). |
| ohos.permission.LAUNCH_DATA_PRIVACY_CENTER | system_basic | system_grant | TRUE | Allows an app to switch from its privacy statement page to the <b>Data & privacy</b> page. |
| ohos.permission.MANAGE_MEDIA_RESOURCES | system_basic | system_grant | TRUE | Allows an app to obtain and manage the media resources that are being played on the device.|
| ohos.permission.PUBLISH_AGENT_REMINDER | normal | system_grant | TRUE | Allows an app to use agent-powered reminders. |
| ohos.permission.CONTROL_TASK_SYNC_ANIMATOR | system_core | system_grant | TRUE | Allows apps to use sync task animations. |
| ohos.permission.INPUT_MONITORING | system_core | system_grant | TRUE | Allows an app to listen for input events. Only the system signature apps can apply for this permission. |
| ohos.permission.MANAGE_MISSIONS | system_core | system_grant | TRUE | Allows an app to manage ability mission stacks. |
| ohos.permission.NOTIFICATION_CONTROLLER | system_core | system_grant | TRUE | Allows an app to manage and subscribe to notifications. |
| ohos.permission.CONNECTIVITY_INTERNAL | system_basic | system_grant | TRUE | Allows an app to obtain network information or modify network settings. |
| ohos.permission.SET_ABILITY_CONTROLLER | system_basic | system_grant | TRUE | Allows an app to set the start and stop of an ability. |
| ohos.permission.USE_USER_IDM | system_basic | system_grant | FALSE | Allows an app to access the system identity credential information. |
| ohos.permission.MANAGE_USER_IDM | system_basic | system_grant | FALSE | Allows an app to use the system identity credential management capability to enroll, modify, and delete PINs, face images, and fingerprints.|
| ohos.permission.ACCESS_BIOMETRIC | normal | system_grant | TRUE | Allows an app to use biometric recognition for identity authentication. |
| ohos.permission.ACCESS_USER_AUTH_INTERNAL | system_basic | system_grant | FALSE | Allows an app to use the system identity authentication capability to authenticate or identify users. |
| ohos.permission.ACCESS_PIN_AUTH | system_basic | system_grant | FALSE | Allows a system app to call the PIN input APIs to present a password input dialog box for users.|
| ohos.permission.GET_RUNNING_INFO | system_basic | system_grant | TRUE | Allows an app to obtain running status information. |
| ohos.permission.CLEAN_APPLICATION_DATA | system_basic | system_grant | TRUE | Allows an app to clear app data. |
| ohos.permission.RUNNING_STATE_OBSERVER | system_basic | system_grant | TRUE | Allows an app to observe the app status. |
| ohos.permission.CAPTURE_SCREEN | system_core | system_grant | TRUE | Allows an app to take screenshots. |
| ohos.permission.GET_WIFI_INFO | normal | system_grant | TRUE | Allows an app to obtain WLAN information. |
| ohos.permission.GET_WIFI_INFO_INTERNAL | system_core | system_grant | TRUE | Allows an app to obtain WLAN information. |
| ohos.permission.SET_WIFI_INFO | normal | system_grant | TRUE | Allows an app to set WLAN devices. |
| ohos.permission.GET_WIFI_PEERS_MAC | system_core | system_grant | TRUE | Allows an app to obtain the MAC address of the peer WLAN or Bluetooth device. |
| ohos.permission.GET_WIFI_LOCAL_MAC | system_basic | system_grant | TRUE | Allows an app to obtain the MAC address of the local WLAN or Bluetooth device. |
| ohos.permission.GET_WIFI_CONFIG | system_basic | system_grant | TRUE | Allows an app to obtain the WLAN configuration. |
| ohos.permission.SET_WIFI_CONFIG | system_basic | system_grant | TRUE | Allows an app to set WLAN information. |
| ohos.permission.MANAGE_WIFI_CONNECTION | system_core | system_grant | TRUE | Allows an app to manage WLAN connections. |
| ohos.permission.MANAGE_WIFI_HOTSPOT | system_core | system_grant | TRUE | Allows an app to enable or disable Wi-Fi hotspots. |
| ohos.permission.GET_ALL_APP_ACCOUNTS | system_core | system_grant | FALSE | Allows an app to obtain all app account information. |
| ohos.permission.MANAGE_SECURE_SETTINGS | system_basic | system_grant | TRUE | Allows an app to modify security settings. |
| ohos.permission.READ_DFX_SYSEVENT | system_basic | system_grant | FALSE | Allows an app to obtain all app account information. |
| ohos.permission.MANAGE_ADMIN | system_core | system_grant | TRUE | Allows an app to activate the device administrator app. |
| ohos.permission.EDM_MANAGE_DATETIME | normal | system_grant | FALSE | Allows the device administrator app to set the system time. |
| ohos.permission.NFC_TAG | normal | system_grant | FALSE | Allows an app to read NFC tag information. |
| ohos.permission.NFC_CARD_EMULATION | normal | system_grant | FALSE | Allows an app to implement card emulation. |
| ohos.permission.PERMISSION_USED_STATS | system_core | system_grant | TRUE | Allows a system application to access the permission usage records. |
| ohos.permission.NOTIFICATION_AGENT_CONTROLLER | system_core | system_grant | TRUE | Allows an app to send agent-powered notifications. |
| ohos.permission.ANSWER_CALL | system_basic | user_grant | TRUE | Allows an app to answer incoming calls. |
| ohos.permission.READ_CALENDAR | normal | user_grant | TRUE | Allows an app to read calendar data. |
| ohos.permission.READ_CALL_LOG | system_basic | user_grant | TRUE | Allows an app to read call logs. |
| ohos.permission.READ_CELL_MESSAGES | system_basic | user_grant | TRUE | Allows an app to read cell broadcast messages received by the device. |
| ohos.permission.READ_CONTACTS | system_basic | user_grant | TRUE | Allows an app to read contacts. |
| ohos.permission.READ_MESSAGES | system_basic | user_grant | TRUE | Allows an app to read messages. |
| ohos.permission.RECEIVE_MMS | system_basic | user_grant | TRUE | Allows an app to receive and process MMS messages. |
| ohos.permission.RECEIVE_SMS | system_basic | user_grant | TRUE | Allows an app to receive and process SMS messages. |
| ohos.permission.RECEIVE_WAP_MESSAGES | system_basic | user_grant | TRUE | Allows an app to receive and process WAP messages. |
| ohos.permission.MICROPHONE | normal | user_grant | TRUE | Allows an app to access the microphone. |
| ohos.permission.SEND_MESSAGES | system_basic | user_grant | TRUE | Allows an app to send messages. |
| ohos.permission.WRITE_CALENDAR | normal | user_grant | TRUE | Allows an app to add, remove, and modify calendar events. |
| ohos.permission.WRITE_CALL_LOG | system_basic | user_grant | TRUE | Allows an app to add, remove, and modify call logs. |
| ohos.permission.WRITE_CONTACTS | system_basic | user_grant | TRUE | Allows an app to add, remove, and modify contacts. |
| ohos.permission.DISTRIBUTED_DATASYNC | normal | user_grant | TRUE | Allows an app to exchange data with other devices. |
| ohos.permission.MANAGE_VOICEMAIL | system_basic | user_grant | TRUE | Allows an app to leave messages in the voice mailbox. |
| ohos.permission.LOCATION_IN_BACKGROUND | normal | user_grant | FALSE | Allows an app running in the background to obtain the device location. |
| ohos.permission.LOCATION | normal | user_grant | TRUE | Allows an app to obtain the device location. |
| ohos.permission.MEDIA_LOCATION | normal | user_grant | TRUE | Allows an app to access geographical locations in the user's media file. |
| ohos.permission.CAMERA | normal | user_grant | TRUE | Allows an app to use the camera to take photos and record videos. |
| ohos.permission.READ_MEDIA | normal | user_grant | TRUE | Allows an app to read media files from the user's external storage. |
| ohos.permission.WRITE_MEDIA | normal | user_grant | TRUE | Allows an app to read media files from and write media files into the user's external storage. |
| ohos.permission.ACTIVITY_MOTION | normal | user_grant | TRUE | Allows an app to read the current workout status of the user. |
| ohos.permission.READ_HEALTH_DATA | normal | user_grant | TRUE | Allows an app to read the health data of the user. |
| ohos.permission.GET_DEFAULT_APPLICATION | system_core | system_grant | TRUE | Allows an app to query default apps. |
| ohos.permission.SET_DEFAULT_APPLICATION | system_core | system_grant | TRUE | Allows an app to set and reset default apps. |
| ohos.permission.MANAGE_DISPOSED_APP_STATUS | system_core | system_grant | TRUE | Allows an app to set and query the app handling state. |
| ohos.permission.ACCESS_IDS | system_core | system_grant | TRUE | Allows an app to query the unique identifier of a device. |
