36

I've made a .bat file to get the SHA1 of my Android app so I don't need to type the command each time

keytool -list -v -keystore "Path/To/My/Key.jks"

When I run the bat file I get asked for the password. Is it possible to either put the password in the command e.g. something like --password MyPassword, or in the .bat file wait for the Enter your password line, and then send the password? I don't have any experience really with .bat files so I don't know if that's possible to do or not.

I looked at the --help for keytool and the only password flags I could see were for changing the password, not specifying it.

TMH
  • 6,096
  • 7
  • 51
  • 88

4 Answers4

51

The keytool that ships with the Oracle JDK allows you to specify it on the command line with -storepass, you were doing keytool -help instead of keytool -list -help. (I suppose the Android version is the same.)

C:\>keytool.exe -list -help
keytool -list [OPTION]...

Lists entries in a keystore

Options:

 -rfc                            output in RFC style
 -alias <alias>                  alias name of the entry to process
 -keystore <keystore>            keystore name
 -storepass <arg>                keystore password
 -storetype <storetype>          keystore type
 -providername <providername>    provider name
 -providerclass <providerclass>  provider class name
 -providerarg <arg>              provider argument
 -providerpath <pathlist>        provider classpath
 -v                              verbose output
 -protected                      password through protected mechanism

Use "keytool -help" for all available commands
rxg
  • 3,777
  • 22
  • 42
17

Specify the keystore password using the -storepass option:

keytool <commands and options> -storepass changeit

changeit being the default keystore password, but use whatever.

For example, to add a certificate using the default password:

keytool -importcert -trustcacerts -alias mycert -file mycert.cer -keystore .../lib/security/cacerts -storepass changeit
Bohemian
  • 412,405
  • 93
  • 575
  • 722
4

As @sastorsl said, if you are worried about putting your password in clear text in your command or script (and you should), you should put your password in a secure file (with 0400 permissions, in Linux) or in an environment variable.

Now keytool does have a similar construct to openssl's file:<filename>, if your password is in a file:

keytool <commands and options> -storepass:file <pass_file>

If your password is in an environment variable:

keytool <commands and options> -storepass:env <pass_var>

Disclaimer: I have tested the -storepass:file option in Bash (not in Windows), but the documentation does not seem to have any difference according to the OS.

From the Oracle keytool doc:

-storepass [:env | :file ] argument

The password that is used to protect the integrity of the keystore.

If the modifier env or file isn’t specified, then the password has the value argument, which must contain at least six characters. Otherwise, the password is retrieved as follows:

env: Retrieve the password from the environment variable named argument.

file: Retrieve the password from the file named argument.

Note: All other options that require passwords, such as -keypass, -srckeypass, -destkeypass, -srcstorepass, and -deststorepass, accept the env and file modifiers. Remember to separate the password option and the modifier with a colon (:).

fabio
  • 247
  • 2
  • 8
0

If you are worried about storing your password in a script, and for it to turn up in your command line history - which you should be, store the password in a separate file instead, secure it, and reference it.

NB! This is Linux / bash specific, and OP seems to be on windows, but I hope this can help somebody else.

keytool -list -v -keystore "Path/To/My/Key.jks" -storepass $(cat < <(cat bin/.pw))

If only keytool would have the file:<filename> construct which the openssl client has.

sastorsl
  • 2,015
  • 1
  • 16
  • 17