[Android-tools-devel] Bug#1012451: apksigner: Using PKCS11 keystore fails with NoSuchMethodException
dev at dbrgn.ch
Tue Jun 7 15:05:31 BST 2022
Package: apksigner
Version: 30.0.3-4
Severity: important
When trying to use apksigner on Debian 11 in combination with a
hardware HSM (YubiHSM 2 in my case) through SunPKCS11, signing fails
with an error message:
$ apksigner sign \
    --ks NONE --ks-type PKCS11 \
    --ks-pass 0001password --ks-key-alias "APK Signing Cert" \
    --provider-class sun.security.pkcs11.SunPKCS11 \
    --provider-arg /etc/pkcs11/sunpkcs11_yubihsm2.cfg \
    --min-sdk-version 21 --max-sdk-version 31 \
    --out apk-release-signed.apk app-release-unsigned.apk
Exception in thread "main" java.lang.NoSuchMethodException: sun.security.pkcs11.SunPKCS11.<init>(java.lang.String)
    at java.base/java.lang.Class.getConstructor0(Class.java:3585)
    at java.base/java.lang.Class.getConstructor(Class.java:2271)
    at com.android.apksigner.ApkSignerTool$ProviderInstallSpec.installProvider(ApkSignerTool.java:988)
    at com.android.apksigner.ApkSignerTool$ProviderInstallSpec.access$200(ApkSignerTool.java:963)
    at com.android.apksigner.ApkSignerTool.sign(ApkSignerTool.java:267)
    at com.android.apksigner.ApkSignerTool.main(ApkSignerTool.java:83)
On the same system, querying the certificates with keytool works
without problems:
# keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/pkcs11/sunpkcs11_yubihsm2.cfg -storepass 0001password -v
Keystore type: PKCS11
Keystore provider: SunPKCS11-yubihsm2-pkcs11
Your keystore contains 1 entry
Alias name: APK Signing Cert
...
I installed this apksigner version:
# dpkg --list | grep apksigner
ii apksigner 30.0.3-4 all command line tool to sign and verify Android APKs
On the system OpenJDK 11 and 17 are installed:
# dpkg --list | grep openjdk
ii openjdk-11-jre:amd64 11.0.15+10-1~deb11u1 amd64 OpenJDK Java runtime, using Hotspot JIT
ii openjdk-11-jre-headless:amd64 11.0.15+10-1~deb11u1 amd64 OpenJDK Java runtime, using Hotspot JIT (headless)
ii openjdk-17-jdk-headless:amd64 17.0.3+7-1~deb11u1 amd64 OpenJDK Development Kit (JDK) (headless)
ii openjdk-17-jre-headless:amd64 17.0.3+7-1~deb11u1 amd64 OpenJDK Java runtime, using Hotspot JIT (headless)
By default, Java 17 is used:
# java --version
openjdk 17.0.3 2022-04-19
OpenJDK Runtime Environment (build 17.0.3+7-Debian-1deb11u1)
OpenJDK 64-Bit Server VM (build 17.0.3+7-Debian-1deb11u1, mixed mode, sharing)
I tried switching to Java 11 with update-alternatives, but that didn't
resolve the error.
From the error message, it seems that the SunPKCS11 class is
instantiated incorrectly. I found this bug report in the Tor issue
tracker that describes the same issue:
https://www.mail-archive.com/tor-bugs@lists.torproject.org/msg183412.html
I did not really understand how the issue was resolved in their case,
however that person ended up using Fedora and not Debian. In any case,
it looks like apksigner seems to call a Java 8 API that isn't
compatible with Java 11 or 17, which are the only versions available in
Debian 11?
Here is a potentially related bug report and fix of an unrelated project:
https://github.com/zaproxy/zaproxy/issues/4147
My system:
# cat /etc/os-release | grep VERSION=
VERSION="11 (bullseye)"
# uname -r
5.17.9-arch1-1
Cheers,
Danilo
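
Added example (not part of the original message and not apksigner's own code): the stack trace above comes from a reflective lookup of a single-String constructor, which the Java 8 SunPKCS11 class had and the Java 9+ class does not. The sketch below shows a loader that handles both shapes by falling back to the no-arg constructor plus Provider.configure(String). The class names LegacyStyle and ModernStyle and the value "example.cfg" are constructed stand-ins so the code runs without an HSM.

```java
import java.security.Provider;

// Added example: the two provider classes are constructed stand-ins, not real providers.
public class ProviderInstallDemo {
    // Java 8 shape: configuration is passed to a public single-String constructor.
    public static class LegacyStyle extends Provider {
        public LegacyStyle(String cfg) { super("Legacy-" + cfg, "1.0", "constructed"); }
    }

    // Java 9+ shape: public no-arg constructor, configuration applied via configure(String).
    public static class ModernStyle extends Provider {
        public ModernStyle() { super("Modern", "1.0", "constructed"); }
        // Private on purpose: getConstructor(String.class) only sees public constructors.
        private ModernStyle(String cfg) { super("Modern-" + cfg, "1.0", "constructed"); }
        @Override public Provider configure(String cfg) { return new ModernStyle(cfg); }
    }

    // Returns a configured provider for either shape of provider class.
    static Provider instantiate(String className, String arg) throws ReflectiveOperationException {
        Class<?> cls = Class.forName(className);
        if (!Provider.class.isAssignableFrom(cls)) {
            throw new IllegalArgumentException(className + " is not a java.security.Provider");
        }
        try {
            // The lookup that raises NoSuchMethodException in the report above.
            return (Provider) cls.getConstructor(String.class).newInstance(arg);
        } catch (NoSuchMethodException e) {
            // Java 9+: instantiate unconfigured, then configure. configure() returns
            // the configured provider, which may be a different object.
            Provider unconfigured = (Provider) cls.getConstructor().newInstance();
            return unconfigured.configure(arg);
        }
    }

    public static void main(String[] args) throws Exception {
        String cfg = "example.cfg"; // constructed placeholder for a provider config path
        System.out.println(instantiate(LegacyStyle.class.getName(), cfg).getName());
        System.out.println(instantiate(ModernStyle.class.getName(), cfg).getName());
    }
}
```

For the JDK's own SunPKCS11 on Java 9 and later, the documented route is Security.getProvider("SunPKCS11").configure(configPath), which avoids reflecting into the non-exported sun.security.pkcs11 package.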