How do I check if the signature of my app matches the signature of the certificate that I used to sign it?
This is how I should be able to get the certificates fingerpri
You can open the APK as a zip file, filter the ASCII text out of the binary content of META-INF/CERT.RSA and check whether it is you who signed it.
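As an added example (my code, not part of the answer above): instead of eyeballing the ASCII fragments of META-INF/CERT.RSA, let the JDK parse it. The file is a DER PKCS#7 SignedData, and CertificateFactory.generateCertificates understands that format and returns the embedded certificate chain, from which you can compute the same fingerprint keytool prints. The class name and the assumption that the APK path arrives as args[0] are mine.

```java
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

// Added example: print the signing certificate(s) embedded in the JAR (v1)
// signature block(s) of an APK, e.g. META-INF/CERT.RSA.
// Usage (assumed): java ApkSignerFingerprint app.apk
public class ApkSignerFingerprint {

    public static void main(String[] args) throws Exception {
        try (ZipFile apk = new ZipFile(args[0])) {
            Enumeration<? extends ZipEntry> entries = apk.entries();
            while (entries.hasMoreElements()) {
                ZipEntry e = entries.nextElement();
                String name = e.getName();
                // Signature blocks sit next to MANIFEST.MF; the suffix names the key type.
                if (!name.startsWith("META-INF/")
                        || !(name.endsWith(".RSA") || name.endsWith(".DSA") || name.endsWith(".EC"))) {
                    continue;
                }
                System.out.println("Signature block: " + name);
                try (InputStream in = apk.getInputStream(e)) {
                    // CertificateFactory accepts PKCS#7 SignedData and returns the
                    // certificates it carries (usually just the signer's self-signed cert).
                    CertificateFactory cf = CertificateFactory.getInstance("X.509");
                    for (Certificate c : cf.generateCertificates(in)) {
                        X509Certificate x = (X509Certificate) c;
                        System.out.println("  Subject: " + x.getSubjectX500Principal());
                        // The fingerprint is a digest of the whole DER certificate
                        // (getEncoded()), not of the public key alone.
                        System.out.println("  SHA-256: " + fingerprint(x.getEncoded(), "SHA-256"));
                        System.out.println("  SHA-1:   " + fingerprint(x.getEncoded(), "SHA-1"));
                    }
                }
            }
        }
    }

    // Colon-separated upper-case hex, the same layout keytool -printcert uses.
    static String fingerprint(byte[] der, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(der);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }
}
```

Cross-check the output against `keytool -printcert -file META-INF/CERT.RSA` (after extracting the entry) or `keytool -printcert -jarfile app.apk`. One caveat: an APK signed only with the v2/v3 scheme has no META-INF/*.RSA entry at all, because the signing block lives outside the zip entries; for those use `apksigner verify --print-certs app.apk`.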
try:
final void initVerify(Certificate certificate)
from: http://developer.android.com/reference/java/security/Signature.html
Use your code for collecting the fingerprint on the device in "test" mode -- meaning you have temporary code to emit that fingerprint to the log (or elsewhere). Be sure to test this using your production signing key, not the debug key!
Once you know from the device's perspective, you can remove the temporary code and elsewhere you can compare to what you've previously determined to be the key.
Be aware though that you're probably doing this to prevent someone from modifying your app and re-signing it with another key, but someone with the ability to do that also has the ability to modify your key checking. This is a problem that can be addressed with additional obfuscation but you'll need to come up with your own solution to minimize the chance of an attacker knowing what to look for.
The code below:
c.getPublicKey().getEncoded()
should be like this:
c.getEncoded()
I think the MD5 check by keytool checks the cert file, not the public key.
You are computing the MD5 hash of the wrong data. The fingerprint of a certificate is a hash (MD5, SHA1, SHA256, etc.) of the raw certificate. I.e., you should be computing the hash of these bytes:
byte[] cert = signatures[0].toByteArray();
E.g., the following computes a SHA1 fingerprint; just change SHA1 to MD5 if you prefer.
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

// Hex-encodes the digest of the raw (DER) certificate bytes.
public String computeFingerPrint(final byte[] certRaw) {
    String strResult = "";
    MessageDigest md;
    try {
        md = MessageDigest.getInstance("SHA1");
        md.update(certRaw);
        for (byte b : md.digest()) {
            // Mask off sign extension, then zero-pad to two hex digits.
            String strAppend = Integer.toString(b & 0xff, 16);
            if (strAppend.length() == 1)
                strResult += "0";
            strResult += strAppend;
        }
        // Locale.ROOT stands in for the undefined DATA_LOCALE of the original snippet.
        strResult = strResult.toUpperCase(Locale.ROOT);
    }
    catch (NoSuchAlgorithmException ex) {
        ex.printStackTrace();
    }
    return strResult;
}
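Putting the two answers above together (the "log it once in test mode, then compare" procedure and "hash the raw certificate bytes"), here is an added on-device check of my own, not code from either answer. It hashes Signature.toByteArray() with SHA-256 and compares against a hard-coded fingerprint in constant time. The class name, method names and the all-zero EXPECTED_SHA256_HEX placeholder are my assumptions; the placeholder must be replaced with your release certificate's fingerprint.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example: verify at runtime that this APK is signed with the expected
// release certificate. EXPECTED_SHA256_HEX is a placeholder; fill it with the
// SHA-256 fingerprint of your release certificate (keytool -printcert on
// META-INF/CERT.RSA, or the value logged once by fingerprintsForLogging()
// from a build signed with the real release key, never the debug key).
public final class SigningCertCheck {

    private static final String EXPECTED_SHA256_HEX =
        "0000000000000000000000000000000000000000000000000000000000000000"; // placeholder

    private static final byte[] EXPECTED_SHA256 = hexToBytes(EXPECTED_SHA256_HEX);

    // True only if the package has exactly one signer and the SHA-256 digest of
    // that signer's DER certificate equals the expected fingerprint.
    public static boolean isSignedWithReleaseCert(Context ctx) {
        try {
            Signature[] sigs = currentSigners(ctx);
            if (sigs == null || sigs.length != 1) return false;
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(sigs[0].toByteArray());
            // Constant-time comparison; Arrays.equals stops at the first mismatch.
            return MessageDigest.isEqual(actual, EXPECTED_SHA256);
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    // Temporary helper for the "test mode" step: log this once from a
    // release-signed build, paste the value into EXPECTED_SHA256_HEX, delete the call.
    public static String fingerprintsForLogging(Context ctx) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (Signature s : currentSigners(ctx)) {
            sb.append(toHex(MessageDigest.getInstance("SHA-256").digest(s.toByteArray()))).append('\n');
        }
        return sb.toString();
    }

    // Signature.toByteArray() is the DER-encoded X.509 certificate, i.e. the same
    // bytes keytool fingerprints. Hash those, not the public key.
    private static Signature[] currentSigners(Context ctx)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo info = pm.getPackageInfo(ctx.getPackageName(),
                PackageManager.GET_SIGNING_CERTIFICATES);
            // Certificates that actually signed the APK contents (the current
            // certificate after a key rotation, not the rotated-away history).
            return info.signingInfo.getApkContentsSigners();
        }
        @SuppressWarnings("deprecation")
        PackageInfo info = pm.getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
        return info.signatures;
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

The check rejects packages with more than one signer; relax `sigs.length != 1` only if your app is deliberately multi-signed. And the earlier answer's caveat still applies: whoever can re-sign the APK can also patch this method out, so treat it as raising the bar, not as a guarantee.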