# hapsigner Guide

## Build

**Java**

1. Check that Maven 3 of the correct version has been installed and configured.

    ```shell
    mvn -version
    ```

2. Download the code, open **developtools_hapsigner/hapsigntool**, and run the following command to build the package:

    ```shell
    mvn package
    ```

    You can find the binary file generated in the **./hap_sign_tool/target** directory.

**C++**

1. Build a signing tool for ohos-sdk.

    - Release version (default):

      Run the **./build.sh --*product-name* ohos-sdk** command to build the signing tool for the release version.

    - Debug version:

      In the **hapsigntool_cpp/BUILD.gn** file, add **defines = [ "SIGNATURE_LOG_DEBUG" ]**, and then run the build command **./build.sh --*product-name* ohos-sdk**.

2. Decompress **out/sdk/packages/ohos-sdk/ohos/toolchains-ohos-x64-xxx.zip**.

    You can find the **hap-sign-tool** in the **lib** directory.

## How to Develop

### When to Use

The OpenHarmony system has a built-in KeyStore (KS) file named **OpenHarmony.p12**. This file contains the root CA certificate, intermediate CA certificate, and entity certificate information. The hapsigner tool signs OpenHarmony apps based on this file.

The usage of hapsigner varies depending on whether an app signing certificate is available.

- If no signing certificate is available for your app, you can use this tool to generate a key pair for signing, generate an app signing certificate, sign the profile, and sign the app.
- If a signing certificate is available for your app, you can directly sign the profile, and use the app signing certificate and the local KS file (containing the corresponding key) to sign your app.

### Command Description

1. Display command help information.

    ```
    -help     # If no parameter is specified, the command help information is displayed by default.
    ```

2. Display version information.

    ```
    -version  # Display the tool version information.
    ```

3. Generate a key pair.

    ```
    generate-keypair: Generate a key pair.
        ├── -keyAlias       # Key alias. It is mandatory.
        ├── -keyPwd         # Key password. It is optional.
        ├── -keyAlg         # Key algorithm, which can be RSA or ECC. It is mandatory.
        ├── -keySize        # Key length. It is mandatory. The key length is 2048, 3072, or 4096 bits for an RSA key and is NIST-P-256 or NIST-P-384 for an ECC key.
        ├── -keystoreFile   # Keystore file, which is mandatory.
        ├── -keystorePwd    # KS password. It is optional.
    ```

4. Generate a CSR.

    ```
    generate-csr: Generate a CSR.
        ├── -keyAlias       # Key alias. It is mandatory.
        ├── -keyPwd         # Key password. It is optional.
        ├── -subject        # Certificate subject. It is mandatory.
        ├── -signAlg        # Signing algorithm, which can be SHA256withRSA, SHA384withRSA, SHA256withECDSA, or SHA384withECDSA. It is mandatory.
        ├── -keystoreFile   # Keystore file, which is mandatory.
        ├── -keystorePwd    # KS password. It is optional.
        ├── -outFile        # CSR to generate. It is optional. If you do not specify this parameter, the CSR is output to the console.
    ```

5. Generate a root CA or intermediate CA certificate.

    ```
    generate-ca: Generate a root CA or intermediate CA certificate. If there is no key, generate a key together with the certificate.
        ├── -keyAlias                  # Key alias. It is mandatory.
        ├── -keyPwd                    # Key password. It is optional.
        ├── -keyAlg                    # Key algorithm, which can be RSA or ECC. It is mandatory.
        ├── -keySize                   # Key length. It is mandatory. The key length is 2048, 3072, or 4096 bits for an RSA key and is NIST-P-256 or NIST-P-384 for an ECC key.
        ├── -issuer                    # Issuer of the certificate. It is optional. It indicates a root CA certificate if not specified.
        ├── -issuerKeyAlias            # Key alias of the issuer. It is optional. It indicates a root CA certificate if not specified.
        ├── -issuerKeyPwd              # Key password of the issuer. It is optional.
        ├── -subject                   # Certificate subject. It is mandatory.
        ├── -validity                  # Validity period of the certificate. It is optional. The default value is 3650 days.
        ├── -signAlg                   # Signing algorithm, which can be SHA256withRSA, SHA384withRSA, SHA256withECDSA, or SHA384withECDSA. It is mandatory.
        ├── -basicConstraintsPathLen   # Path length. It is optional. The default value is 0.
        ├── -keystoreFile              # Keystore file, which is mandatory.
        ├── -keystorePwd               # KS password. It is optional.
        ├── -issuerKeystoreFile        # Issuer keystore file, which is optional.
        ├── -issuerKeystorePwd         # KS password of the issuer. It is optional.
        ├── -outFile                   # File to generate. It is optional. The file is output to the console if this parameter is not specified.
    ```

6. Generate a debug or release certificate for an app.

    ```
    generate-app-cert: Generate a debug or release certificate for an app.
        ├── -keyAlias             # Key alias. It is mandatory.
        ├── -keyPwd               # Key password. It is optional.
        ├── -issuer               # Issuer of the certificate. It is mandatory.
        ├── -issuerKeyAlias       # Key alias of the issuer. It is mandatory.
        ├── -issuerKeyPwd         # Key password of the issuer. It is optional.
        ├── -subject              # Certificate subject. It is mandatory.
        ├── -validity             # Validity period of the certificate. It is optional. The default value is 3650 days.
        ├── -signAlg              # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA.
        ├── -issuerKeystoreFile   # KS file of the issuer, in JKS or P12 format. It is optional.
        ├── -issuerKeystorePwd    # KS password of the issuer. It is optional.
        ├── -keystoreFile         # Keystore file, which is mandatory.
        ├── -keystorePwd          # KS password. It is optional.
        ├── -outForm              # Format of the certificate to generate. It is optional. The value can be cert or certChain. The default value is certChain.
        ├── -rootCaCertFile       # Root CA certificate, which is mandatory when outForm is certChain.
        ├── -subCaCertFile        # Intermediate CA certificate file, which is mandatory when outForm is certChain.
        ├── -outFile              # Certificate file (certificate or certificate chain) to generate. It is optional. The file is output to the console if this parameter is not specified.
    ```

7. Generate a debug or release certificate for a profile.

    ```
    generate-profile-cert: Generate a debug or release certificate for a profile.
        ├── -keyAlias             # Key alias. It is mandatory.
        ├── -keyPwd               # Key password. It is optional.
        ├── -issuer               # Issuer of the certificate. It is mandatory.
        ├── -issuerKeyAlias       # Key alias of the issuer. It is mandatory.
        ├── -issuerKeyPwd         # Key password of the issuer. It is optional.
        ├── -subject              # Certificate subject. It is mandatory.
        ├── -validity             # Validity period of the certificate. It is optional. The default value is 3650 days.
        ├── -signAlg              # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA.
        ├── -issuerKeystoreFile   # KS file of the issuer, in JKS or P12 format. It is optional.
        ├── -issuerKeystorePwd    # KS password of the issuer. It is optional.
        ├── -keystoreFile         # Keystore file, which is mandatory.
        ├── -keystorePwd          # KS password. It is optional.
        ├── -outForm              # Format of the certificate to generate. It is optional. The value can be cert or certChain. The default value is certChain.
        ├── -rootCaCertFile       # Root CA certificate, which is mandatory when outForm is certChain.
        ├── -subCaCertFile        # Intermediate CA certificate file, which is mandatory when outForm is certChain.
        ├── -outFile              # Certificate file (certificate or certificate chain) to generate. It is optional. The file is output to the console if this parameter is not specified.
    ```

8. Generate a common certificate, which can be used to generate a custom certificate.

    ```
    generate-cert: Generate a common certificate, which can be used to generate a custom certificate.
        ├── -keyAlias                   # Key alias. It is mandatory.
        ├── -keyPwd                     # Key password. It is optional.
        ├── -issuer                     # Issuer of the certificate. It is mandatory.
        ├── -issuerKeyAlias             # Key alias of the issuer. It is mandatory.
        ├── -issuerKeyPwd               # Key password of the issuer. It is optional.
        ├── -subject                    # Certificate subject. It is mandatory.
        ├── -validity                   # Validity period of the certificate. It is optional. The default value is 1095 days.
        ├── -keyUsage                   # Usages of the key. It is mandatory. The value can be one or more of digitalSignature, nonRepudiation, keyEncipherment,
        ├                                 dataEncipherment, keyAgreement, certificateSignature, crlSignature,
        ├                                 encipherOnly, and decipherOnly. Use a comma (,) to separate multiple values.
        ├── -keyUsageCritical           # Whether keyUsage is a critical option. It is optional. The default value is true.
        ├── -extKeyUsage                # Extended key usages. It is optional. The extended key usages include clientAuthentication, serverAuthentication,
        ├                                 codeSignature, emailProtection, smartCardLogin, timestamp, and ocspSignature.
        ├── -extKeyUsageCritical        # Whether extKeyUsage is a critical option. It is optional. The default value is false.
        ├── -signAlg                    # Signing algorithm, which can be SHA256withRSA, SHA384withRSA, SHA256withECDSA, or SHA384withECDSA. It is mandatory.
        ├── -basicConstraints           # Whether basicConstraints is contained. It is optional. The default value is false.
        ├── -basicConstraintsCritical   # Whether basicConstraints is a critical option. It is optional. The default value is false.
        ├── -basicConstraintsCa         # Whether it is CA. It is optional. The default value is false.
        ├── -basicConstraintsPathLen    # Path length. It is optional. The default value is 0.
        ├── -issuerKeystoreFile         # Issuer keystore file, which is optional.
        ├── -issuerKeystorePwd          # KS password of the issuer. It is optional.
        ├── -keystoreFile               # Keystore file, which is mandatory.
        ├── -keystorePwd                # KS password. It is optional.
        ├── -outFile                    # Certificate file to generate. It is optional. The file is output to the console if this parameter is not specified.
    ```

9. Sign a profile.

    ```
    sign-profile: Sign a profile.
        ├── -mode              # Signing mode, which can be localSign or remoteSign. It is mandatory.
        ├── -keyAlias          # Key alias. It is mandatory.
        ├── -keyPwd            # Key password. It is optional.
        ├── -profileCertFile   # Profile signing certificate (certificate chain, in the entity certificate, intermediate CA certificate, and root certificate order). It is mandatory.
        ├── -inFile            # Profile to be signed, in JSON format (developtools_hapsigner/autosign/UnsgnedReleasedProfileTemplate.json). It is mandatory.
        ├── -signAlg           # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
        ├── -keystoreFile      # Keystore file, which is mandatory when mode is localSign.
        ├── -keystorePwd       # KS password. It is optional.
        ├── -outFile           # Signed profile to generate, in p7b format. This parameter is mandatory.
    ```

10. Verify the signature of a profile.

    ```
    verify-profile: Verify the profile signature.
        ├── -inFile    # Signed profile in p7b format. This parameter is mandatory.
        ├── -outFile   # Verification result file (containing the verification result and profile content), in JSON format. It is optional. The file is output to the console if this parameter is not specified.
    ```

11. Sign an app package or a debug tool.

    ```
    sign-app: Sign an app package or a binary tool.
        ├── -mode            # Signing mode, which can be localSign, remoteSign, or remoteResign. It is mandatory.
        ├── -keyAlias        # Key alias. It is mandatory.
        ├── -keyPwd          # Key password. It is optional.
        ├── -appCertFile     # App signing certificate (certificate chain, in the entity certificate, intermediate CA certificate, and root certificate order). It is mandatory.
        ├── -profileFile     # Name of the signed provisioning profile. When profileSigned is 1, the file is in p7b format. When profileSigned is 0, the file is in JSON format. This parameter is mandatory if an app package is to be signed, and optional if a binary tool is to be signed.
        ├── -profileSigned   # Whether to sign the profile. The value 1 means to sign the profile, and value 0 means the opposite. The default value is 1. This parameter is optional.
        ├── -inForm          # Format of the file to be signed. The value is zip for an app package in ZIP format, elf for a binary tool, and bin for an app package in BIN format. The default value is zip. This parameter is optional.
        ├── -inFile          # File to be signed, which can be an app package, an elf file, or a bin file. This parameter is mandatory.
        ├── -signAlg         # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
        ├── -keystoreFile    # Keystore file, which is mandatory when mode is localSign.
        ├── -keystorePwd     # KS password. It is optional.
        ├── -outFile         # Signed app package to generate. It is mandatory.
        ├── -signCode        # Whether to enable code signing. The value 1 means to enable code signing, and the value 0 means the opposite. This parameter is optional. By default, code signing is enabled for .hap, .hsp, .hqf, and .elf files. To disable code signing, set this parameter to 0.
    ```

12. Verify the signature of an app package or a debug tool.

    ```
    verify-app: Verify the signature of an app package or a binary tool.
        ├── -inFile         # Signed file, which can be an app package, an elf file, or a bin file. This parameter is mandatory.
        ├── -outCertchain   # Signed certificate chain file. It is mandatory.
        ├── -outProfile     # Profile of the app. It is mandatory.
        ├── -inForm         # Format of the file to be verified. The value is zip for an app package in ZIP format, elf for a binary tool, and bin for an app package in BIN format. The default value is zip. This parameter is optional.
    ```

### Signing Procedure

The process of signing an app package is as follows:

1. Generate a key pair for an app signing certificate.
2. Generate an app signing certificate.
3. Sign the profile.
4. Sign the app package.

> **NOTE**
>
> - For security purposes, use ECC to generate the key pair in step 1. Avoid using RSA.
> - You are advised to place the app package to be signed, profile, **OpenHarmony.p12**, root CA certificate, intermediate CA certificate, and hapsigner in the same directory for easy operation. The following files are stored in [**developtools_hapsigner/autosign/result**](https://gitee.com/openharmony/developtools_hapsigner/tree/master/autosign/result):
>   - OpenHarmony keystore file **OpenHarmony.p12**
>   - Root CA certificate **rootCA.cer**
>   - Intermediate CA certificate **subCA.cer**
>   - Profile signing certificate **OpenHarmonyProfileRelease.pem**

1. **Generate a key pair for the app signing certificate.**

    Generate a key pair for signing and save it to the KS.

    Example (Java):

    ```shell
    java -jar hap-sign-tool.jar generate-keypair -keyAlias "oh-app1-key-v1" -keyAlg "ECC" -keySize "NIST-P-256" -keystoreFile "OpenHarmony.p12" -keyPwd "123456" -keystorePwd "123456"
    ```

    Example (C++):

    ```shell
    hap-sign-tool generate-keypair -keyAlias "oh-app1-key-v1" -keyAlg "ECC" -keySize "NIST-P-256" -keystoreFile "OpenHarmony.p12" -keyPwd "123456" -keystorePwd "123456"
    ```

    > **NOTE**
    >
    > Record the **keyAlias**, **keystorePwd**, and **keyPwd** values, which will be used when the app signing certificate is generated and the app package is signed.

    The command parameters are described as follows:

    ```
    generate-keypair: Generate a key pair for the app signing certificate.
        ├── -keyAlias       # Alias of the key used to generate the app signing certificate. It is stored in the OpenHarmony.p12 file. This parameter is mandatory.
        ├── -keyAlg         # Key algorithm. It is mandatory. ECC is recommended.
        ├── -keySize        # Key length. It is NIST-P-256 or NIST-P-384 for an ECC key. This parameter is mandatory.
        ├── -keystoreFile   # Keystore file, which is mandatory. You are advised to use OpenHarmony.p12. The Java version supports two formats: PKCS#12 and JKS. The C++ version supports PKCS#12 only.
        ├── -keystorePwd    # KS password. It is mandatory. The default password is 123456 for OpenHarmony.p12.
        ├── -keyPwd         # Key password. It is optional. If this parameter is not specified, the generated key pair has no password.
    ```

2. **Generate an app signing certificate.**

    Use the local intermediate CA certificate to issue an app signing certificate.

    Example (Java):

    ```shell
    java -jar hap-sign-tool.jar generate-app-cert -keyAlias "oh-app1-key-v1" -signAlg "SHA256withECDSA" -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Team,CN= OpenHarmony Application CA" -issuerKeyAlias "openharmony application ca" -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Team,CN=OpenHarmony Application Release" -keystoreFile "OpenHarmony.p12" -subCaCertFile "subCA.cer" -rootCaCertFile "rootCA.cer" -outForm "certChain" -outFile "app1.pem" -keyPwd "123456" -keystorePwd "123456" -issuerKeyPwd "123456" -validity "365"
    ```

    Example (C++):

    ```shell
    hap-sign-tool generate-app-cert -keyAlias "oh-app1-key-v1" -signAlg "SHA256withECDSA" -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Team,CN= OpenHarmony Application CA" -issuerKeyAlias "openharmony application ca" -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Team,CN=OpenHarmony Application Release" -keystoreFile "OpenHarmony.p12" -subCaCertFile "subCA.cer" -rootCaCertFile "rootCA.cer" -outForm "certChain" -outFile "app1.pem" -keyPwd "123456" -keystorePwd "123456" -issuerKeyPwd "123456" -validity "365"
    ```

    The command parameters are described as follows:

    ```
    generate-app-cert: Generate an app signing certificate.
        ├── -keyAlias         # Key alias, which must be the same as that in the previous step.
        ├── -signAlg          # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
        ├── -issuer           # Issuer of the certificate. Enter the issuer of the intermediate CA certificate. It is mandatory and cannot be changed.
        ├── -issuerKeyAlias   # Alias of the issuer key. Enter the alias of the intermediate CA certificate key. This parameter is mandatory and cannot be changed.
        ├── -subject          # Subject of the certificate. Enter the subject in the same sequence specified in the command. This parameter is mandatory.
        ├── -issuerKeyPwd     # Key password of the issuer. Enter the key password of the intermediate CA certificate. It is mandatory and cannot be changed. In this example, it is 123456.
        ├── -keystoreFile     # Keystore file, which is mandatory and cannot be changed. You are advised to use OpenHarmony.p12. The Java version supports two formats: PKCS#12 and JKS. The C++ version supports PKCS#12 only.
        ├── -rootCaCertFile   # Root CA certificate. It is mandatory and cannot be changed.
        ├── -subCaCertFile    # Intermediate CA certificate provided. This parameter is mandatory and cannot be modified.
        ├── -outForm          # Format of the certificate file to generate. certChain is recommended.
        ├── -outFile          # File to generate. It is optional. The file is output to the console if this parameter is not specified.
        ├── -keyPwd           # Key password. It is optional. It is the key password set when the key pair is generated.
        ├── -keystorePwd      # KS password. The default value is 123456.
        ├── -validity         # Validity period of the certificate. It is optional. The default value is 3650 days.
    ```

3. **Sign the profile.**

    Call the profile signing API to sign the profile using the profile signing key.

    Example (Java):

    ```shell
    java -jar hap-sign-tool.jar sign-profile -keyAlias "openharmony application profile release" -signAlg "SHA256withECDSA" -mode "localSign" -profileCertFile "OpenHarmonyProfileRelease.pem" -inFile "UnsgnedReleasedProfileTemplate.json" -keystoreFile "OpenHarmony.p12" -outFile "app1-profile.p7b" -keyPwd "123456" -keystorePwd "123456"
    ```

    Example (C++):

    ```shell
    hap-sign-tool sign-profile -keyAlias "openharmony application profile release" -signAlg "SHA256withECDSA" -mode "localSign" -profileCertFile "OpenHarmonyProfileRelease.pem" -inFile "UnsgnedReleasedProfileTemplate.json" -keystoreFile "OpenHarmony.p12" -outFile "app1-profile.p7b" -keyPwd "123456" -keystorePwd "123456"
    ```

    The command parameters are described as follows:

    ```
    sign-profile: Sign a profile.
        ├── -keyAlias          # Alias of the key for generating the profile certificate. It is mandatory and cannot be changed.
        ├── -signAlg           # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
        ├── -mode              # Signing mode, which must be localSign. It is mandatory.
        ├── -profileCertFile   # Profile signing certificate. Use the certificate provided. It is mandatory and cannot be changed.
        ├── -inFile            # Profile to be signed, in JSON format (developtools_hapsigner/autosign/UnsgnedReleasedProfileTemplate.json). It is mandatory.
        ├── -keystoreFile      # Keystore file, which is mandatory and cannot be changed. You are advised to use OpenHarmony.p12. The Java version supports two formats: PKCS#12 and JKS. The C++ version supports PKCS#12 only.
        ├── -outFile           # Signed profile to generate, in p7b format. This parameter is mandatory.
        ├── -keyPwd            # Key password. The default key password in OpenHarmony.p12 is 123456.
        ├── -keystorePwd       # KS password. The default key password in OpenHarmony.p12 is 123456.
    ```

4. **Sign the app package.**

    Sign the app package with the app signing key.

    Example (Java):

    ```shell
    java -jar hap-sign-tool.jar sign-app -keyAlias "oh-app1-key-v1" -signAlg "SHA256withECDSA" -mode "localSign" -appCertFile "app1.pem" -profileFile "app1-profile.p7b" -inFile "app1-unsigned.zip" -keystoreFile "OpenHarmony.p12" -outFile "app1-signed.hap" -keyPwd "123456" -keystorePwd "123456"
    ```

    Example (C++):

    ```shell
    hap-sign-tool sign-app -keyAlias "oh-app1-key-v1" -signAlg "SHA256withECDSA" -mode "localSign" -appCertFile "app1.pem" -profileFile "app1-profile.p7b" -inFile "app1-unsigned.zip" -keystoreFile "OpenHarmony.p12" -outFile "app1-signed.hap" -keyPwd "123456" -keystorePwd "123456"
    ```

    > **NOTE**
    >
    > The parameters in the preceding example are used when no app signing certificate is available. If an app signing certificate is available, modify the following parameters:
    >
    > - **keyAlias**: Enter the key alias of the app signing certificate. This parameter is mandatory.
    > - **appCertFile**: Enter the app signing certificate. This parameter is mandatory.
    > - **keystoreFile**: Enter the KS file of the app signing certificate. This parameter is mandatory.
    > - **keyPwd**: Enter the key password in the KS file.
    > - **keystorePwd**: Enter the KS password in the KS file.

    The command parameters are described as follows:

    ```
    sign-app: Sign an app package.
        ├── -keyAlias       # Key alias, which must be the same as the alias of the key pair generated. This parameter is mandatory.
        ├── -signAlg        # Signing algorithm, which can be SHA256withECDSA or SHA384withECDSA. It is mandatory.
        ├── -mode           # Signing mode, which must be localSign. It is mandatory.
        ├── -appCertFile    # App signing certificate (certificate chain, in the entity certificate, intermediate CA certificate, and root certificate order). Enter the app signing certificate generated in step 2. This parameter is mandatory.
        ├── -profileFile    # Signed profile in p7b format. Enter the profile generated. This parameter is mandatory.
        ├── -inFile         # App package to be signed. This parameter is mandatory.
        ├── -keystoreFile   # Keystore file, which is mandatory and cannot be changed. The value must be the same as that in step 1. The Java version supports two formats: PKCS#12 and JKS. The C++ version supports PKCS#12 only.
        ├── -outFile        # Signed file to generate. It is mandatory.
        ├── -keyPwd         # Key password, which must be the actual key password.
        ├── -keystorePwd    # KS password, which must be the actual KS password.
    ```

## FAQs (Java)

1. The console displays the app signing certificate generated but no file is output.

    - **Symptom**

      When the tool is used to generate an app signing certificate, the certificate content is displayed on the console but no certificate file is generated.

    - **Possible Causes**

      The path specified by **outFile** is incorrect, or the hyphen (-) in **-outFile** is not an English (ASCII) character.

    - **Solution**

      Check and correct the value of **outFile**, and ensure the hyphen (-) in **-outFile** is an English (ASCII) character.

2. Failed to sign a profile.

    - **Symptom**

      When the tool is used to sign a profile, any of the following information is displayed:

      (1) SIGN_ERROR, code: 107. Details: Failed to verify signature: Wrong key usage

      (2) NOT_SUPPORT_ERROR, code: 105. Details: Profile cert 'result\profile1.pem' must a cert chain

      (3) VERIFY_ERROR, code: 108. Details: Failed to verify signature: unable to find valid certification path to requested target

    - **Possible Causes**

      (1) The certificate chain of the profile signing certificate is in incorrect order.

      (2) The profile signing certificate is not a certificate chain.

      (3) The certificate subject is in incorrect sequence, or the **-issuerKeyAlias** parameter set to generate the app signing certificate is incorrect.

    - **Solution**

      (1) Check that the certificates in the certificate chain are in ascending or descending order of seniority.

      (2) Check that the certificate is a certificate chain.

      (3) Check that the certificate subject is in the C, O, OU, and CN order.

3. Incorrect SignAlg is displayed when an app package is signed.

    - **Symptom**

      The following information is displayed after the command is executed:

      NOT_SUPPORT_ERROR, code: 105. Details: SignAlg params is incorrect, signature algorithms include SHA256withECDSA,SHA384withECDSA

    - **Possible Causes**

      The signing algorithm is not supported. Check the value of **signAlg**.

    - **Solution**

      Use ECC to generate the key pair for an app or profile signing certificate. Use SHA256withECDSA or SHA384withECDSA as the app signing algorithm.

4. Failed to sign an app package because CN of the certificate is empty.

    - **Symptom**

      The message "error: Common name of certificate is empty!" is displayed.

    - **Possible Causes**

      The app signing certificate used does not contain the CN field.

    - **Solution**

      The CN field of the app signing certificate cannot be empty. Generate a certificate in correct format.

## FAQs (C++)

> **NOTE**
>
> The numbers in **Symptom**, **Possible Causes**, and **Solution** are in one-to-one correspondence.

1. Command parameter errors

    + **Symptom**

      (1) Error message: ERROR - COMMAND_PARAM_ERROR, code: -107.Details: 'generate-cert' Parameters error, Param key - value must in pairs

      (2) Error message: ERROR - KEY_PASSWORD_ERROR, code: -114.Details: 'oh-app1-key-v1' keypair password error

      (3) Error message: ERROR - NOT_SUPPORT_ERROR, code: -104.Details: Not support file: ./OpenHarmony.p1

      (4) Error message: ERROR - KEY_ALIAS_ERROR, code: -109.Details: 'XXX' key alias already exists and cannot be generated repeatedly

    + **Possible Causes**

      (1) An extra command parameter is pasted, or the last parameter of the command is not specified.

      (2) The password of the key pair entered is incorrect.

      (3) The keystore file type specified is incorrect.

      (4) The key pair with the same alias already exists in the keystore.

    + **Solution**

      (1) Check for redundant or incorrect parameters and correct them.

      (2) Enter the correct password.

      (3) Check that the keystore file name extension is .p12 or .jks.

      (4) Rename the alias of the key pair.

2. Errors reported after the command for generating an app signing certificate is executed

    - **Symptom**

      (1) Error message: ERROR - KEY_ALIAS_ERROR, code: -109.Details: keyAlias: 'oh-app1-key-v2' is not exist in/mnt/d/file/Test_0528/OpenHarmony.p12

      (2) Error message: ERROR - KEYSTORE_PASSWORD_ERROR, code: -115.Details: keyStore password error

      (3) Error message: ERROR - KEY_PASSWORD_ERROR, code: -114.Details: 'oh-app-sign-srv-ca-key-v1' keypair password error

    - **Possible Causes**

      (1) The specified key alias cannot be found in the keystore.

      (2) The keystore password is incorrect.

      (3) The password of the key pair is specified when the intermediate CA certificate of the app is generated, but the **-issuerKeyPwd** parameter is not entered when the debug certificate of the app is generated.

    - **Solution**

      (1) Check that the key alias is the same as that entered when the key pair is generated.

      (2) Check that the keystore password is the same as that entered when the key pair is generated.

      (3) Check that **-issuerKeyPwd** is specified when the profile is generated, and that the value is the same as the password of the key pair when the intermediate CA certificate of the profile is generated.

3. Errors reported when a profile is signed

    - **Symptom**

      (1) Error message: ERROR - PROVISION_INVALID, code: 0.Details: Tag app-distribution-type is empty

      (2) Error message: VERIFY_ERROR, code: -106.Details: Failed to verify signature: unable to find valid certification path to requested target

    - **Possible Causes**

      (1) The certificate subject is in incorrect sequence, or the **-issuerKeyAlias** parameter set to generate the app signing certificate is incorrect.

      (2) The value of **type** in **profile.json** does not match the value of **key** in **bundle_info**. The type **debug** corresponds to **development-certificate**, and **release** to **distribution-certificate**.

    - **Solution**

      (1) Check that the certificate subject is in the C, O, OU, and CN order.

      (2) Check that the configuration in the **bundle.json** file is correct.

4. Errors reported when an app is signed

    - **Symptom**

      (1) Error message: ERROR - PROVISION_INVALID, code: 0.Details: Require build type must be debug or release

      (2) Error message: ERROR - ZIP_ERROR, code: -111. Details: zip init failed

      (3) Error message: ERROR - SIGN_ERROR, code: -105.Details: No certificates configured for sign

    - **Possible Causes**

      (1) The profile is not signed (no .p7b file is generated). Before the HAP is signed, the profile does not contain the **type** parameter.

      (2) The size of the .zip package exceeds 4 GB. The change in the format of the compressed file causes a decompression failure.

      (3) The key used for signing does not match the entity certificate.

    - **Solution**

      (1) Before using an unsigned profile file to sign the HAP, add **type** with the value of **debug** or **release** in the **profile.json** file.

      (2) If the HAP to be signed exceeds 4 GB, split it into smaller ones.

      (3) Check **keyAlias** and **appCertFile** and ensure the key used for signing matches the certificate.

5. HAP installation failure

    - **Symptom**

      (1) When a .json file of the release or debug type is used to sign and install a HAP, the following information is displayed: device type is not supports

      (2) When a .json file of the debug type is used to install a HAP, the following information is displayed: verify pkcs7 info failed

      (3) When a HAP is installed on an OpenHarmony system of an earlier version, the following information is displayed: install sign info inconsistent

      (4) When a signed HAP is installed, the following information is displayed: "signature verification failed due to not trusted app source."

    - **Possible Causes**

      (1) The OpenHarmony system configuration file does not support the device type of the HAP.

      (2) The **device-ids** field in the .json file of the debug type does not contain your device **udid**.

      (3) The HAP with the same name has been installed.

      (4) The certificate in the .json file of the debug or release type is not a trusted certificate.

    - **Solution**

      (1) Run the **hdc shell param get const.product.devicetype** command to check the device types supported by the system and replace the HAP based on the device type.

      (2) Run the **hdc shell bm get --udid** command to obtain the UDID of the device and add it to **device-ids** in the .json file of the debug type.

      (3) Run the **bm uninstall -n *Bundle_name*** command to uninstall the HAP with the same name.

      (4) Check whether an incorrect .json file is used.
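
Several causes listed in the Signing Procedure NOTE and the FAQs can be caught before the tool runs: unpaired parameters, a non-ASCII hyphen before an option, a **signAlg** the command does not accept, a keystore file with the wrong extension, a subject that is not in C, O, OU, CN order, and a non-ECC signing key pair. The script below is an added example that checks a hap-sign-tool command line for them; it is not part of hapsigner, the function names `hap_preflight`, `dn_order`, and `report` are hypothetical, and the sample command line is constructed.

```shell
#!/bin/sh
# Added example, not part of hapsigner: preflight checks for a hap-sign-tool
# command line, based on the NOTE and FAQ entries in this guide.
# Usage: hap_preflight <subcommand> -option value [-option value ...]
# Prints one finding per line; exit status 0 means no findings.

findings=0

# Record one finding (hypothetical helper).
report() {
    printf '%s\n' "$1"
    findings=$((findings + 1))
}

# Print the attribute names of a distinguished name in the order given,
# e.g. "C=CN,O=Org,OU=Team,CN=App" -> "C,O,OU,CN".
# Assumption: attribute values contain no commas.
dn_order() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=.*$//' | paste -sd, -
}

hap_preflight() {
    cmd=$1
    shift
    findings=0
    key_alg=
    key_size=

    # FAQ (C++) 1(1): "Param key - value must in pairs".
    if [ $(($# % 2)) -ne 0 ]; then
        report "parameters: options and values must come in pairs ($# tokens given)"
    fi

    while [ $# -gt 0 ]; do
        key=$1
        val=${2-}
        if [ $# -ge 2 ]; then shift 2; else shift; fi

        # FAQ (Java) 1: the character before the option name must be ASCII "-".
        case $key in
            -[A-Za-z]*) ;;
            *)  report "option '$key': name must start with an ASCII hyphen"
                continue ;;
        esac

        case $key in
            -keyAlg)  key_alg=$val ;;
            -keySize) key_size=$val ;;
            -signAlg)
                case $val in
                    SHA256withECDSA|SHA384withECDSA) ;;
                    SHA256withRSA|SHA384withRSA)
                        # The RSA variants are listed only for these three commands.
                        case $cmd in
                            generate-csr|generate-ca|generate-cert) ;;
                            *) report "-signAlg '$val': $cmd takes SHA256withECDSA or SHA384withECDSA" ;;
                        esac ;;
                    *) report "-signAlg '$val': not a listed signing algorithm" ;;
                esac ;;
            -keystoreFile|-issuerKeystoreFile)
                # FAQ (C++) 1(3): the file name extension must be .p12 or .jks.
                case $val in
                    *.p12|*.jks) ;;
                    *) report "$key '$val': file name extension must be .p12 or .jks" ;;
                esac ;;
            -subject)
                # FAQs: the certificate subject must be in C, O, OU, CN order.
                order=$(dn_order "$val")
                if [ "$order" != "C,O,OU,CN" ]; then
                    report "-subject: attribute order is '$order', expected C,O,OU,CN"
                fi ;;
        esac
    done

    # NOTE in Signing Procedure: generate the signing key pair with ECC, not RSA.
    if [ "$cmd" = generate-keypair ]; then
        if [ "$key_alg" != ECC ]; then
            report "-keyAlg '$key_alg': use ECC for the signing key pair"
        else
            case $key_size in
                NIST-P-256|NIST-P-384) ;;
                *) report "-keySize '$key_size': ECC keys take NIST-P-256 or NIST-P-384" ;;
            esac
        fi
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample: RSA signAlg on sign-app, a truncated keystore file name,
# an en dash (U+2013) pasted before outFile, and a trailing option with no value.
en_dash_opt=$(printf '\342\200\223outFile')
hap_preflight sign-app -signAlg SHA256withRSA -keystoreFile ./OpenHarmony.p1 \
    "$en_dash_opt" app1-signed.hap -inFile || true
```

Pass the same arguments you would give to `hap-sign-tool` (or to `java -jar hap-sign-tool.jar`), starting with the subcommand, and run the real command only when the function returns 0.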