```bash
openssl x509 -inform DER -in burp_cacert.der -out burp_cacert.pem
CERTHASHNAME="`openssl x509 -inform PEM -subject_hash_old -in burp_cacert.pem | head -1`.0"
mv burp_cacert.pem $CERTHASHNAME #Correct name
adb root && sleep 2 && adb remount #Allow to write on /system
adb push $CERTHASHNAME /sdcard/ #Upload certificate
adb shell mv /sdcard/$CERTHASHNAME /system/etc/security/cacerts/ #Move to correct location
adb shell chmod 644 /system/etc/security/cacerts/$CERTHASHNAME #Assign privileges
adb reboot #Now, reboot the machine
```
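The file name matters: Android looks up a system CA by the OpenSSL `-subject_hash_old` value, which is the first four bytes of the MD5 of the DER-encoded subject name, read little-endian and printed as eight hex digits, followed by a collision index (`.0` for the first certificate with that hash). The following Python example, added here and not part of the original page, recomputes that name without OpenSSL so the installed file can be checked against the certificate it is supposed to hold. It uses only the standard library; the minimal DER walker and the sample certificate (placeholder key and signature, not a real CA) are constructed for this example.

```python
import base64
import hashlib
import re


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV, handling short and long-form lengths."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content_start, content_end) for the TLV at pos."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in X.509 top-level fields")
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos + 2 : pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, start, end


def pem_to_der(data: bytes) -> bytes:
    """Accept either a PEM-wrapped or a raw DER certificate."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def extract_subject_der(cert: bytes) -> bytes:
    """Return the subject Name TLV (tag + length + value) of an X.509 certificate."""
    cert = pem_to_der(cert)
    tag, s, _ = read_tlv(cert, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not an X.509 Certificate SEQUENCE")
    tag, pos, _ = read_tlv(cert, s)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, _, ce = read_tlv(cert, pos)
    if tag == 0xA0:                          # optional EXPLICIT [0] version
        pos = ce
    for _ in range(4):                       # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(cert, pos)
    tag, _, ce = read_tlv(cert, pos)         # subject ::= Name
    if tag != 0x30:
        raise ValueError("subject is not a Name SEQUENCE")
    return cert[pos:ce]


def subject_hash_old(subject_der: bytes) -> str:
    """OpenSSL X509_NAME_hash_old: MD5 of the DER Name, first 4 bytes little-endian."""
    digest = hashlib.md5(subject_der).digest()
    return f"{int.from_bytes(digest[:4], 'little'):08x}"


def android_cacert_filename(cert: bytes, index: int = 0) -> str:
    """File name Android expects under /system/etc/security/cacerts/."""
    return f"{subject_hash_old(extract_subject_der(cert))}.{index}"


def to_pem(der_bytes: bytes) -> bytes:
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode()


# --- constructed sample certificate (structure only; key and signature are placeholders) ---
def _name(cn: str) -> bytes:
    attr = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn.encode()))  # id-at-commonName
    return der(0x30, der(0x31, attr))

_SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
_RSA_ENC = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
SAMPLE_SUBJECT = _name("Constructed Test CA")
_validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
_spki = der(0x30, _RSA_ENC + der(0x03, b"\x00\x00"))          # placeholder key bits
_tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + _SHA256_RSA
           + _name("Constructed Test CA") + _validity + SAMPLE_SUBJECT + _spki)
SAMPLE_CERT_DER = der(0x30, _tbs + _SHA256_RSA + der(0x03, b"\x00\x00"))  # placeholder signature

if __name__ == "__main__":
    print("expected cacerts file name:", android_cacert_filename(SAMPLE_CERT_DER))
```

Run it against the real `burp_cacert.der` (or the PEM produced above) and compare the printed name with the file you pushed to `/system/etc/security/cacerts/`: if they differ, the device will silently ignore the certificate even though it sits in the right directory.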
However, for anyone who needs to modify the system-trusted CA certificates inside the **/apex** directory, there is a workaround. It involves manually remounting **/apex** to remove private propagation, which makes it writable. The procedure copies the contents of **/apex/com.android.conscrypt** to another location, unmounts the **/apex/com.android.conscrypt** directory to remove the read-only constraint, and then restores the contents to their original location in **/apex**. This approach requires acting quickly to avoid a system crash. To make sure the changes apply system-wide, it is recommended to restart system_server, which effectively restarts all applications and leaves the system in a consistent state.
```bash
# Create a separate temp directory, to hold the current certificates
# Otherwise, when we add the mount we can't read the current certs anymore.
mkdir -p -m 700 /data/local/tmp/tmp-ca-copy

# Copy out the existing certificates
cp /apex/com.android.conscrypt/cacerts/* /data/local/tmp/tmp-ca-copy/

# Create the in-memory mount on top of the system certs folder
mount -t tmpfs tmpfs /system/etc/security/cacerts

# Copy the existing certs back into the tmpfs, so we keep trusting them
mv /data/local/tmp/tmp-ca-copy/* /system/etc/security/cacerts/

# Copy our new cert in, so we trust that too
mv $CERTIFICATE_PATH /system/etc/security/cacerts/

# Update the perms & selinux context labels
chown root:root /system/etc/security/cacerts/*
chmod 644 /system/etc/security/cacerts/*
chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*

# Deal with the APEX overrides, which need injecting into each namespace:

# First we get the Zygote process(es), which launch each app
ZYGOTE_PID=$(pidof zygote || true)
ZYGOTE64_PID=$(pidof zygote64 || true)
# N.b. some devices appear to have both!

# Apps inherit the Zygote's mounts at startup, so we inject here to ensure
# all newly started apps will see these certs straight away:
for Z_PID in "$ZYGOTE_PID" "$ZYGOTE64_PID"; do
    if [ -n "$Z_PID" ]; then
        nsenter --mount=/proc/$Z_PID/ns/mnt -- \
            /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts
    fi
done

# Then we inject the mount into all already running apps, so they
# too see these CA certs immediately:

# Get the PID of every process whose parent is one of the Zygotes:
APP_PIDS=$(
    echo "$ZYGOTE_PID $ZYGOTE64_PID" | \
    xargs -n1 ps -o 'PID' -P | \
    grep -v PID
)

# Inject into the mount namespace of each of those apps:
for PID in $APP_PIDS; do
    nsenter --mount=/proc/$PID/ns/mnt -- \
        /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts &
done

wait # Launched in parallel - wait for completion here

echo "System certificate injected"
```