问题
I am currently developing RPC services for developers to use, but would like to make sure that I can distinguish between another app's debug key and their public key. Is there a way to check another app's key and tell whether it is a debug key and NOT a published app key?
The purpose of this is to be able to tell when their app is in development or release status, as I need to be able to tell whether they should be accessing my dev server or my production server.
回答1:
By default the androiddebugkey used by Eclipse (for instance) has a notAfter date & time that is at most 1 year in the future - such a short value is not accepted by the Android Market - you could use that to differentiate between developer signed builds? Or .. you could just check the publickey that the app uses - have them sign the RPC requests with the android.content.pm.Signature of their app?
PackageInfo pkgInfo = getPackageManager().getPackageInfo(getPackageName(), PackageManager.GET_SIGNATURES);
for (Signature appSignature : pkgInfo.signatures) {
// javax.security - NOT java.security!
X509Certificate appCertificate = X509Certificate.getInstance(appSignature.toByteArray());
// appCertificate.getNotAfter() can give you the date & time the cert expires
// appCertificate.getPublicKey() can give you the public key you sign the RPC requests with.
// appCertificate.getSubjectDN() will give you a Principal named "CN=Android Debug,O=Android,C=US" for any debug certificate that hasn't been handcrafted by the developer.
}
回答2:
static final String DEBUGKEY =
" key ";
public static boolean signedWithDebugKey(Context context, Class<?> cls)
{
boolean result = false;
try {
PackageInfo pinfo = context.getPackageManager().getPackageInfo("your package name",PackageManager.GET_SIGNATURES);
Signature sigs[] = pinfo.signatures;
Log.d(TAG,sigs[0].toCharsString());
if (DEBUGKEY.equals(sigs[0].toCharsString())) {
result = true;
Log.d(TAG,"package has been signed with the debug key");
} else {
Log.d(TAG,"package signed with a key other than the debug key");
}
} catch (android.content.pm.PackageManager.NameNotFoundException e) {
return false;
}
return result;
}
Run this code first time with debugkey, this will alway return false, but you'll get the encoded key in the Logcat. Copy that encoded key, and replace value " key " of DEBUGKEY, and it will work fine.
来源:https://stackoverflow.com/questions/4134197/is-there-a-way-to-check-if-an-app-signature-is-debug-or-published