diff --git a/interfaces/innerkits/code_sign_utils/BUILD.gn b/interfaces/innerkits/code_sign_utils/BUILD.gn index 5f99c6c2837bbba06180e80fef54fadadd939736..fc3bdd7e6deed8fd2350cf687727d0e74e4cf7f4 100644 --- a/interfaces/innerkits/code_sign_utils/BUILD.gn +++ b/interfaces/innerkits/code_sign_utils/BUILD.gn @@ -26,16 +26,21 @@ ohos_shared_library("libcode_sign_utils") { ] public_configs = [ "${code_signature_root_dir}:common_public_config", - ":public_code_sign_utils_configs" + ":public_code_sign_utils_configs", ] configs = [ "${code_signature_root_dir}:common_utils_config" ] + deps = [ + "${code_signature_root_dir}/utils:fsverity_sign_src_set", + "${openssl_dir}:libcrypto_shared", + ] + external_deps = [ "ability_base:extractortool", "c_utils:utils", + "hilog:libhilog", "hisysevent:libhisysevent", "hitrace:hitrace_meter", - "hilog:libhilog", ] install_enable = true diff --git a/interfaces/innerkits/code_sign_utils/include/code_sign_utils.h b/interfaces/innerkits/code_sign_utils/include/code_sign_utils.h index 11f8d41d52d7cc675665fb3775b410ecf99d267a..edce4d7ac3d3ef46daf0b6dbf931b6fc2a84ec43 100644 --- a/interfaces/innerkits/code_sign_utils/include/code_sign_utils.h +++ b/interfaces/innerkits/code_sign_utils/include/code_sign_utils.h @@ -21,7 +21,6 @@ #include #include #include - #include "byte_buffer.h" #include "errcode.h" @@ -54,6 +53,13 @@ public: * @return err code, see err_code.h */ static int32_t EnforceCodeSignForFile(const std::string &path, const ByteBuffer &signature); + /** + * @brief Get owner ID from signature file + * @param sigbuffer buffer of the signature file + * @param ownerID string to abtain owner ID from the signature file + * @return err code, see err_code.h + */ + static int ParseOwnerIdFromSignature(const ByteBuffer &sigbuffer, std::string &ownerID); private: static int32_t IsSupportFsVerity(const std::string &path); static int32_t IsFsVerityEnabled(int fd); 
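Review bot: The doc comment added for `ParseOwnerIdFromSignature` in code_sign_utils.h does not say whether the signature is verified before the owner ID is read out of it. The implementation it forwards to, `SignerInfo::ParseOwnerIdFromSignature`, is not in the visible hunks. If the call only parses the PKCS7 structure, the returned string is caller-controlled data until the same buffer has passed enforcement, and the comment should say so, for example `@note the owner ID is not authenticated by this call; rely on it only for a signature that has been verified`. The declaration also returns `int` where the neighbouring methods return `int32_t`, and `abtain` in the `@param ownerID` line should read `obtain`.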
diff --git a/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp b/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp index 8fa22ec887eb42ef52ae005fbe6f37cf8467d4ff..4afe366845c484929c2c27517dba1e87a09b3163 100644 --- a/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp +++ b/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp @@ -36,6 +36,7 @@ #include "file_helper.h" #include "log.h" #include "stat_utils.h" +#include "signer_info.h" namespace OHOS { namespace Security { @@ -192,6 +193,11 @@ int32_t CodeSignUtils::EnforceCodeSignForFile(const std::string &path, const uin LOG_INFO(LABEL, "Enforcing file complete"); return ret; } + +int CodeSignUtils::ParseOwnerIdFromSignature(const ByteBuffer &sigbuffer, std::string &ownerID) +{ + return SignerInfo::ParseOwnerIdFromSignature(sigbuffer, ownerID); +} } } } diff --git a/interfaces/innerkits/common/include/errcode.h b/interfaces/innerkits/common/include/errcode.h index 8e43a9d2acb972c6b7369784a2f3415baef16c3b..023a5abb8a810da2f1380c4422f9e0a43e7788c1 100644 --- a/interfaces/innerkits/common/include/errcode.h +++ b/interfaces/innerkits/common/include/errcode.h @@ -40,13 +40,16 @@ enum SignErrCode { CS_ERR_HUKS_OBTAIN_CERT = -0x201, CS_ERR_HUKS_SIGN = -0x202, CS_ERR_HUKS_INIT_KEY = -0x203, - CS_ERR_COMPUTE_DIGEST = -0x204 + CS_ERR_COMPUTE_DIGEST = -0x204, + CS_ERR_NO_OWNER_ID = -0x205 }; enum OpenSSLErrCode { CS_ERR_OPENSSL_LOAD_CERT = -0x210, CS_ERR_OPENSSL_CREATE_PKCS7_DATA = -0x211, - CS_ERR_OPENSSL_PKCS7 = -0x212 + CS_ERR_OPENSSL_PKCS7 = -0x212, + CS_ERR_OPENSSL_OID = -0x213, + CS_ERR_OPENSSL_BIO = -0x214, }; enum FsverityErrCode { diff --git a/interfaces/innerkits/local_code_sign/include/local_code_sign_client.h b/interfaces/innerkits/local_code_sign/include/local_code_sign_client.h index 2400ced1c15dca5dc46115f2a63df5ed440c2998..a20e60915f240a934d53668276394acd8ae8a4d5 100644 --- a/interfaces/innerkits/local_code_sign/include/local_code_sign_client.h 
+++ b/interfaces/innerkits/local_code_sign/include/local_code_sign_client.h @@ -37,7 +37,7 @@ class LocalCodeSignClient { public: static LocalCodeSignClient &GetInstance(); int32_t InitLocalCertificate(ByteBuffer &cert); - int32_t SignLocalCode(const std::string &path, ByteBuffer &signature); + int32_t SignLocalCode(const std::string &ownerID, const std::string &path, ByteBuffer &signature); void OnRemoteLocalCodeSignSvrDied(const wptr &remote); void FinishStartSA(const sptr &remoteObject); void FailStartSA(); diff --git a/interfaces/innerkits/local_code_sign/include/local_code_sign_interface.h b/interfaces/innerkits/local_code_sign/include/local_code_sign_interface.h index c78b0b28cea71819094227ea6dc50a71d3507d51..2deb5845b270866c9c856086056638a13729944d 100644 --- a/interfaces/innerkits/local_code_sign/include/local_code_sign_interface.h +++ b/interfaces/innerkits/local_code_sign/include/local_code_sign_interface.h @@ -30,7 +30,7 @@ class LocalCodeSignInterface : public OHOS::IRemoteBroker { public: DECLARE_INTERFACE_DESCRIPTOR(u"OHOS.Security.LocalCodeSignInterface"); virtual int32_t InitLocalCertificate(ByteBuffer &cert) = 0; - virtual int32_t SignLocalCode(const std::string &filePath, ByteBuffer &signature) = 0; + virtual int32_t SignLocalCode(const std::string &ownerID, const std::string &filePath, ByteBuffer &signature) = 0; }; } } diff --git a/interfaces/innerkits/local_code_sign/include/local_code_sign_kit.h b/interfaces/innerkits/local_code_sign/include/local_code_sign_kit.h index 8981b8f986521c3d1a36286784bd758dc049faa6..c19181d15157d393abb6d1dea5269019af7d825f 100644 --- a/interfaces/innerkits/local_code_sign/include/local_code_sign_kit.h +++ b/interfaces/innerkits/local_code_sign/include/local_code_sign_kit.h 
@@ -42,6 +42,14 @@ public: * @return err code, see err_code.h */ static int32_t SignLocalCode(const std::string &filePath, ByteBuffer &signature); + /** + * @brief sign local code with owner ID to the signature, so we can identify signature files using owner ID + * @param ownerID owner ID written to the signature + * @param filePath file path to sign + * @param signature signature from local code sign SA + * @return err code, see err_code.h + */ + static int32_t SignLocalCode(const std::string &ownerID, const std::string &filePath, ByteBuffer &signature); }; } } diff --git a/interfaces/innerkits/local_code_sign/include/local_code_sign_proxy.h b/interfaces/innerkits/local_code_sign/include/local_code_sign_proxy.h index 5845328f04cea067e77e16e10ba6e7f845e87c75..12b56c5674f50afad248638eae14924ee8e6bcd3 100644 --- a/interfaces/innerkits/local_code_sign/include/local_code_sign_proxy.h +++ b/interfaces/innerkits/local_code_sign/include/local_code_sign_proxy.h @@ -29,7 +29,7 @@ public: : IRemoteProxy(impl) {} ~LocalCodeSignProxy() {} int32_t InitLocalCertificate(ByteBuffer &cert) override; - int32_t SignLocalCode(const std::string &filePath, ByteBuffer &signature) override; + int32_t SignLocalCode(const std::string &ownerID, const std::string &filePath, ByteBuffer &signature) override; private: static inline BrokerDelegator delegator_; int32_t ReadResultFromReply(MessageParcel &reply, ByteBuffer &buffer); diff --git a/interfaces/innerkits/local_code_sign/src/local_code_sign_client.cpp b/interfaces/innerkits/local_code_sign/src/local_code_sign_client.cpp index 974981f8b96671eed60dbcaf0f8bec9caffcae98..a1043edf1b3df86879211d19184b588be1b2c208 100644 --- a/interfaces/innerkits/local_code_sign/src/local_code_sign_client.cpp +++ b/interfaces/innerkits/local_code_sign/src/local_code_sign_client.cpp 
@@ -139,7 +139,7 @@ int32_t LocalCodeSignClient::InitLocalCertificate(ByteBuffer &cert) return CS_SUCCESS; } -int32_t LocalCodeSignClient::SignLocalCode(const std::string &path, ByteBuffer &signature) +int32_t LocalCodeSignClient::SignLocalCode(const std::string &ownerID, const std::string &path, ByteBuffer &signature) { LOG_DEBUG(LABEL, "SignLocalCode called"); CheckLocalCodeSignProxy(); @@ -147,7 +147,7 @@ int32_t LocalCodeSignClient::SignLocalCode(const std::string &path, ByteBuffer & if (localCodeSignProxy_ == nullptr) { return CS_ERR_SA_GET_PROXY; } - int32_t ret = localCodeSignProxy_->SignLocalCode(path, signature); + int32_t ret = localCodeSignProxy_->SignLocalCode(ownerID, path, signature); if (ret != CS_SUCCESS) { LOG_ERROR(LABEL, "SignLocalCode err, error code = %{public}d", ret); return ret; diff --git a/interfaces/innerkits/local_code_sign/src/local_code_sign_kit.cpp b/interfaces/innerkits/local_code_sign/src/local_code_sign_kit.cpp index dfe0632e188e88ae5f7b8c99c06cc34df928c1c9..51074fa2476fe3f9db6987de667f9e6546f10392 100644 --- a/interfaces/innerkits/local_code_sign/src/local_code_sign_kit.cpp +++ b/interfaces/innerkits/local_code_sign/src/local_code_sign_kit.cpp @@ -27,7 +27,12 @@ int32_t LocalCodeSignKit::InitLocalCertificate(ByteBuffer &cert) int32_t LocalCodeSignKit::SignLocalCode(const std::string &filePath, ByteBuffer &signature) { - return LocalCodeSignClient::GetInstance().SignLocalCode(filePath, signature); + return LocalCodeSignClient::GetInstance().SignLocalCode("", filePath, signature); +} + +int32_t LocalCodeSignKit::SignLocalCode(const std::string &ownerID, const std::string &filePath, ByteBuffer &signature) +{ + return LocalCodeSignClient::GetInstance().SignLocalCode(ownerID, filePath, signature); } } } 
diff --git a/interfaces/innerkits/local_code_sign/src/local_code_sign_proxy.cpp b/interfaces/innerkits/local_code_sign/src/local_code_sign_proxy.cpp index c4808eea8e9809a3b8954fbe3bd29be82c938ca3..70886810250945e9344c74820dc02ac5986bbcc9 100644 --- a/interfaces/innerkits/local_code_sign/src/local_code_sign_proxy.cpp +++ b/interfaces/innerkits/local_code_sign/src/local_code_sign_proxy.cpp @@ -43,7 +43,8 @@ int32_t LocalCodeSignProxy::InitLocalCertificate(ByteBuffer &cert) return ReadResultFromReply(reply, cert); } -int32_t LocalCodeSignProxy::SignLocalCode(const std::string &filePath, ByteBuffer &signature) +int32_t LocalCodeSignProxy::SignLocalCode(const std::string &ownerID, const std::string &filePath, + ByteBuffer &signature) { MessageParcel data; MessageParcel reply; @@ -60,6 +61,13 @@ int32_t LocalCodeSignProxy::SignLocalCode(const std::string &filePath, ByteBuffe LOG_ERROR(LABEL, "Write string failed."); return CS_ERR_IPC_WRITE_DATA; } + + if (!ownerID.empty()) { + if (!data.WriteString(ownerID)) { + LOG_ERROR(LABEL, "Write ownerID string failed."); + return CS_ERR_IPC_WRITE_DATA; + } + } if (remote->SendRequest(static_cast(LocalCodeSignInterfaceCode::SIGN_LOCAL_CODE), data, reply, option) != NO_ERROR) { return CS_ERR_IPC_MSG_INVALID; diff --git a/services/local_code_sign/include/local_code_sign_service.h b/services/local_code_sign/include/local_code_sign_service.h index fd89d7f917f917a3203674616450e09a279a06fc..f665f67895420b47cbf5c8b0a24df4ad62be89be 100644 --- a/services/local_code_sign/include/local_code_sign_service.h +++ b/services/local_code_sign/include/local_code_sign_service.h @@ -34,7 +34,7 @@ public: void OnStop() override; int32_t InitLocalCertificate(ByteBuffer &cert) override; - int32_t SignLocalCode(const std::string &filePath, ByteBuffer &signature) override; + int32_t SignLocalCode(const std::string &ownerID, const std::string &filePath, ByteBuffer &signature) override; void DelayUnloadTask() override; private: bool Init(); 
diff --git a/services/local_code_sign/src/local_code_sign_service.cpp b/services/local_code_sign/src/local_code_sign_service.cpp index cafbe336811b8038475d943d64ff121a4567f133..b67df95e6638a3e173e6205bfee8c8cb15a510bd 100644 --- a/services/local_code_sign/src/local_code_sign_service.cpp +++ b/services/local_code_sign/src/local_code_sign_service.cpp @@ -113,7 +113,8 @@ int32_t LocalCodeSignService::InitLocalCertificate(ByteBuffer &cert) return CS_SUCCESS; } -int32_t LocalCodeSignService::SignLocalCode(const std::string &filePath, ByteBuffer &signature) +int32_t LocalCodeSignService::SignLocalCode(const std::string &ownerID, const std::string &filePath, + ByteBuffer &signature) { ByteBuffer digest; std::string realPath; @@ -125,7 +126,7 @@ int32_t LocalCodeSignService::SignLocalCode(const std::string &filePath, ByteBuf LOG_ERROR(LABEL, "Generate formatted fsverity digest failed."); return CS_ERR_COMPUTE_DIGEST; } - return PKCS7Generator::GenerateSignature(LocalSignKey::GetInstance(), DEFAULT_HASH_ALGORITHM.c_str(), + return PKCS7Generator::GenerateSignature(ownerID, LocalSignKey::GetInstance(), DEFAULT_HASH_ALGORITHM.c_str(), digest, signature); } } diff --git a/services/local_code_sign/src/local_code_sign_stub.cpp b/services/local_code_sign/src/local_code_sign_stub.cpp index f2b9dda1b3716cc99a3157f52dd37f34cf6a9996..7b723d01bbaa1ee13e8eaf7839620c96bde44944 100644 --- a/services/local_code_sign/src/local_code_sign_stub.cpp +++ b/services/local_code_sign/src/local_code_sign_stub.cpp 
@@ -85,9 +85,13 @@ int32_t LocalCodeSignStub::SignLocalCodeInner(MessageParcel &data, MessageParcel return CS_ERR_NO_PERMISSION; } std::string filePath = data.ReadString(); + std::string ownerID; + if (data.GetReadableBytes() > 0) { + ownerID = data.ReadString(); + } StartTrace(HITRACE_TAG_ACCESS_CONTROL, CODE_SIGN_ENABLE_START); ByteBuffer signature; - int32_t result = SignLocalCode(filePath, signature); + int32_t result = SignLocalCode(ownerID, filePath, signature); FinishTrace(HITRACE_TAG_ACCESS_CONTROL); if (!reply.WriteInt32(result)) { return CS_ERR_IPC_WRITE_DATA; diff --git a/services/local_code_sign/src/local_sign_key.cpp b/services/local_code_sign/src/local_sign_key.cpp index 85d94ad3fc372d1bc8f656f1734c1d30e4c5ed57..7bbf54e94ba49988f7a6a9d34968f17c17a8110f 100644 --- a/services/local_code_sign/src/local_sign_key.cpp +++ b/services/local_code_sign/src/local_sign_key.cpp @@ -36,7 +36,7 @@ static const uint32_t CHALLENGE_LEN = 32; static const uint32_t SIGNATURE_COMMON_SIZE = 512; static const std::string SUPPORTED_SIGN_ALGORITHM = "ECDSA256"; -static constexpr uint32_t MAX_SIGN_SIZE = 128; +static constexpr uint32_t MAX_SIGN_SIZE = 65535; static const struct HksParam ECC_KEY_PRARAM[] = { { .tag = HKS_TAG_KEY_STORAGE_FLAG, .uint32Param = HKS_STORAGE_PERSISTENT }, diff --git a/test/unittest/BUILD.gn b/test/unittest/BUILD.gn index 86f8e1b6ee90bffedeb58e40ca9a8131634a6568..b3d62cdafbcd138ab86748f3771ff77323d16e05 100644 --- a/test/unittest/BUILD.gn +++ b/test/unittest/BUILD.gn @@ -28,7 +28,10 @@ ohos_unittest("code_sign_utils_unittest") { "${code_signature_root_dir}/interfaces/innerkits/code_sign_utils/include", ] - external_deps = [ "hilog:libhilog" ] + external_deps = [ + "c_utils:utils", + "hilog:libhilog", + ] } ohos_unittest("local_code_sign_unittest") { diff --git a/test/unittest/code_sign_utils_test.cpp b/test/unittest/code_sign_utils_test.cpp index fd4c39bb13e5b9bf3626737f041119e7499437dc..884cf8844b5135d3e5b181a2664904d4701ede25 100644 
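Review bot: The `ownerID` read in `SignLocalCodeInner` comes straight from the caller's parcel and is handed to `SignLocalCode` with no length or content check in the visible lines, although the service then embeds it in a signature made with the local key. The bare `data.ReadString()` also makes a malformed trailing field indistinguishable from an empty owner ID, so a bad request is signed as if no owner had been supplied. A checked read such as `if ((data.GetReadableBytes() > 0) && !data.ReadString(ownerID)) { return CS_ERR_IPC_MSG_INVALID; }`, followed by a size check against a limit this change would need to define, would reject such requests before signing. The proxy hunk in local_code_sign_proxy.cpp writes the field only when it is non-empty, which is what forces the `GetReadableBytes()` probe here. The permission check and the rest of the function lie outside the hunk.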
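Review bot: `MAX_SIGN_SIZE` in local_sign_key.cpp goes from 128 to 65535 without a comment, and the code that uses it is outside the hunk. If it caps the data handed to the key store for signing, the new value is presumably there to fit the owner ID attribute. In that case a comment such as `// upper bound on the data passed to the signing key; sized for signed attributes that carry an owner ID`, together with a value derived from the largest owner ID the service accepts, would make the bound reviewable instead of effectively unlimited.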
--- a/test/unittest/code_sign_utils_test.cpp +++ b/test/unittest/code_sign_utils_test.cpp @@ -321,6 +321,22 @@ HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0012, TestSize.Level0) ret = CodeSignUtils::EnforceCodeSignForApp(g_hapWithMultiLibRetSuc, g_sigWithMultiLibRetSucPath); EXPECT_EQ(ret, CS_SUCCESS); } + +/** + * @tc.name: CodeSignUtilsTest_0013 + * @tc.desc: parse owner ID from signature failed, reason = invalid signature + * @tc.type: Func + * @tc.require: issueI88PPA + */ +HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0013, TestSize.Level0) +{ + ByteBuffer buffer; + std::string ownerID; + std::string invalid = "invalid msg"; + buffer.CopyFrom((const uint8_t *)invalid.c_str(), invalid.length()); + int ret = CodeSignUtils::ParseOwnerIdFromSignature(buffer, ownerID); + EXPECT_EQ(ret, CS_ERR_OPENSSL_PKCS7); +} } // namespace CodeSign } // namespace Security } // namespace OHOS \ No newline at end of file diff --git a/test/unittest/local_code_sign_test.cpp b/test/unittest/local_code_sign_test.cpp index b1542dd0959f6391ac4d7183efd8f80cca097049..e0fe1ebbc748ec2e3a1742f90e1f956af99ae080 100644 --- a/test/unittest/local_code_sign_test.cpp +++ b/test/unittest/local_code_sign_test.cpp @@ -23,6 +23,7 @@ #include "local_code_sign_client.h" #include "local_code_sign_kit.h" #include "local_code_sign_load_callback.h" +#include "signer_info.h" #include "log.h" using namespace OHOS::Security::CodeSign; @@ -34,6 +35,7 @@ namespace Security { namespace CodeSign { static const std::string AN_BASE_PATH = "/data/local/ark-cache/tmp/"; static const std::string DEMO_AN_PATH = AN_BASE_PATH + "demo.an"; +static const std::string DEMO_AN_PATH2 = AN_BASE_PATH + "demo2.an"; class LocalCodeSignTest : public testing::Test { public: 
@@ -75,7 +77,7 @@ HWTEST_F(LocalCodeSignTest, LocalCodeSignTest_0002, TestSize.Level0) /** * @tc.name: LocalCodeSignTest_0003 - * @tc.desc: sign local code successfully + * @tc.desc: sign local code successfully, owner ID is empty * @tc.type: Func * @tc.require: */ @@ -86,6 +88,10 @@ HWTEST_F(LocalCodeSignTest, LocalCodeSignTest_0003, TestSize.Level0) int ret = LocalCodeSignKit::SignLocalCode(DEMO_AN_PATH, sig); NativeTokenReset(selfTokenId); EXPECT_EQ(ret, CS_SUCCESS); + std::string retOwnerID; + ret = CodeSignUtils::ParseOwnerIdFromSignature(sig, retOwnerID); + EXPECT_EQ(ret, CS_ERR_NO_OWNER_ID); + EXPECT_EQ(retOwnerID, ""); ret = CodeSignUtils::EnforceCodeSignForFile(DEMO_AN_PATH, sig); EXPECT_EQ(ret, CS_SUCCESS); } 
@@ -171,6 +177,78 @@ HWTEST_F(LocalCodeSignTest, LocalCodeSignTest_0009, TestSize.Level0) LocalCodeSignLoadCallback cb; cb.OnLoadSystemAbilitySuccess(LOCAL_CODE_SIGN_SA_ID, nullptr); } + +/** + * @tc.name: LocalCodeSignTest_0010 + * @tc.desc: sign local code with owner ID successfully, parse owner ID from signature success + * @tc.type: Func + * @tc.require: issueI88PPA + */ +HWTEST_F(LocalCodeSignTest, LocalCodeSignTest_0010, TestSize.Level0) +{ + ByteBuffer sig; + uint64_t selfTokenId = NativeTokenSet("installs"); + std::string ownerID = "AppName123"; + int ret = LocalCodeSignKit::SignLocalCode(ownerID, DEMO_AN_PATH2, sig); + NativeTokenReset(selfTokenId); + EXPECT_EQ(ret, CS_SUCCESS); + + std::string retOwnerID; + ret = CodeSignUtils::ParseOwnerIdFromSignature(sig, retOwnerID); + EXPECT_EQ(ownerID, retOwnerID); + ret = CodeSignUtils::EnforceCodeSignForFile(DEMO_AN_PATH2, sig); + EXPECT_EQ(ret, CS_SUCCESS); +} + +/** + * @tc.name: LocalCodeSignTest_0011 + * @tc.desc: sign local code with empty owner ID successfully + * @tc.type: Func + * @tc.require: issueI88PPA + */ +HWTEST_F(LocalCodeSignTest, LocalCodeSignTest_0011, TestSize.Level0) +{ + ByteBuffer sig; + uint64_t selfTokenId = NativeTokenSet("installs"); + std::string ownerID = ""; + int ret = LocalCodeSignKit::SignLocalCode(ownerID, DEMO_AN_PATH2, sig); + NativeTokenReset(selfTokenId); + EXPECT_EQ(ret, CS_SUCCESS); + std::string retOwnerID; + ret = CodeSignUtils::ParseOwnerIdFromSignature(sig, retOwnerID); + EXPECT_EQ(ret, CS_ERR_NO_OWNER_ID); + EXPECT_EQ(retOwnerID, ""); +} + +/** + * @tc.name: LocalCodeSignTest_0012 + * @tc.desc: sign local code with owner ID failed, reason = invalid path + * @tc.type: Func + * @tc.require: issueI88PPA + */ +HWTEST_F(LocalCodeSignTest, LocalCodeSignTest_0012, TestSize.Level0) +{ + ByteBuffer sig; + uint64_t selfTokenId = NativeTokenSet("installs"); + std::string ownerID = "AppName123"; + int ret = LocalCodeSignKit::SignLocalCode(ownerID, DEMO_AN_PATH2 + "invalid", sig); + 
NativeTokenReset(selfTokenId); + EXPECT_EQ(ret, CS_ERR_FILE_PATH); +} + +/** + * @tc.name: LocalCodeSignTest_0013 + * @tc.desc: sign local code failed with invalid caller + * @tc.type: Func + * @tc.require: issueI88PPA + */ +HWTEST_F(LocalCodeSignTest, LocalCodeSignTest_0013, TestSize.Level0) +{ + ByteBuffer sig; + std::string ownerID = "AppName123"; + int ret = LocalCodeSignKit::SignLocalCode(ownerID, DEMO_AN_PATH2, sig); + EXPECT_EQ(ret, CS_ERR_NO_PERMISSION); +} } // namespace CodeSign } // namespace Security } // namespace OHOS diff --git a/test/unittest/multi_thread_local_sign_test.cpp b/test/unittest/multi_thread_local_sign_test.cpp index d00be680343e55514595425072cfa85f39a28a80..bc30c6bd290fa56a3a4175b05e96e96e11ce5fcd 100644 --- a/test/unittest/multi_thread_local_sign_test.cpp +++ b/test/unittest/multi_thread_local_sign_test.cpp @@ -37,6 +37,8 @@ static constexpr uint32_t MULTI_THREAD_NUM = 10; static constexpr int64_t BUFFER_SIZE = 1024; static const std::string AN_BASE_PATH = "/data/local/ark-cache/tmp/multi_thread/"; static const std::string ORIGIN_AN_FILE = AN_BASE_PATH + "demo.an"; +static const std::string DemoWithownerID = AN_BASE_PATH + "demoWithownerID.an"; + static const char *g_validCaller = "installs"; uint64_t GetFileSize(int32_t fd) 
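Review bot: In `LocalCodeSignTest_0010` the result of `CodeSignUtils::ParseOwnerIdFromSignature(sig, retOwnerID)` is stored in `ret` and then overwritten by `EnforceCodeSignForFile` without ever being asserted. The test would therefore not notice a parse call that returns an error code while still filling in the string. Add `EXPECT_EQ(ret, CS_SUCCESS);` directly before `EXPECT_EQ(ownerID, retOwnerID);`. None of the new cases covers a signature whose owner ID differs from the one requested, so the tests confirm the round trip but not that a mismatch is detected.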
@@ -95,6 +97,24 @@ void LocalCodeSignAndEnforce() EXPECT_EQ(ret, CS_SUCCESS); } +void LocalCodeSignAndEnforceWithOwnerID() +{ + ByteBuffer sig; + uint64_t selfTokenId = NativeTokenSet(g_validCaller); + std::string ownerID = "AppName123"; + int ret = LocalCodeSignKit::SignLocalCode(ownerID, DemoWithownerID, sig); + std::thread::id thisId = std::this_thread::get_id(); + std::ostringstream oss; + oss << thisId; + std::string thisIdStr = oss.str(); + std::string tmpFileName = AN_BASE_PATH + thisIdStr + "demoWithownerID.an"; + EXPECT_EQ(DupFile(tmpFileName), true); + NativeTokenReset(selfTokenId); + EXPECT_EQ(ret, CS_SUCCESS); + ret = CodeSignUtils::EnforceCodeSignForFile(tmpFileName, sig); + EXPECT_EQ(ret, CS_SUCCESS); +} + class MultiThreadLocalSignTest : public testing::Test { public: MultiThreadLocalSignTest() {}; @@ -115,6 +135,17 @@ HWMTEST_F(MultiThreadLocalSignTest, MultiThreadLocalSignTest_0001, TestSize.Leve { LocalCodeSignAndEnforce(); } + +/** + * @tc.name: MultiThreadLocalSignTest_0002 + * @tc.desc: sign AN files with owner ID and enforce using multi threads + * @tc.type: Func + * @tc.require: + */ +HWMTEST_F(MultiThreadLocalSignTest, MultiThreadLocalSignTest_0002, TestSize.Level1, MULTI_THREAD_NUM) +{ + LocalCodeSignAndEnforceWithOwnerID(); +} } // namespace CodeSign } // namespace Security } // namespace OHOS \ No newline at end of file diff --git a/test/unittest/resources/ohos_test.xml b/test/unittest/resources/ohos_test.xml index cbbd037e73ca062e79469f952735f9e8885511aa..692251417a37a86a60eca1f31aa2bbe043e373ba 100644 --- a/test/unittest/resources/ohos_test.xml +++ b/test/unittest/resources/ohos_test.xml @@ -67,6 +67,7 @@
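Review bot: `LocalCodeSignAndEnforceWithOwnerID` signs with an owner ID but never reads it back, so the multi-threaded case would still pass if concurrent requests dropped or mixed up the owner ID. After the `EXPECT_EQ(ret, CS_SUCCESS);` that follows signing, add `std::string retOwnerID;`, `EXPECT_EQ(CodeSignUtils::ParseOwnerIdFromSignature(sig, retOwnerID), CS_SUCCESS);` and `EXPECT_EQ(retOwnerID, ownerID);`. A per-thread owner ID instead of the fixed `"AppName123"` would make a cross-thread mix-up visible. The constant `DemoWithownerID` also departs from the upper-case naming of `AN_BASE_PATH` and `ORIGIN_AN_FILE` declared next to it.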