Can I specify digest algorithm apksigner uses?

二次信任 Submitted on 2019-12-01 08:46:29

Not directly. apksigner attempts to use only secure digests and signing algorithms, but it does that within the constraints imposed by your signing key (size, algorithm) and Android platform versions supported by the APK being signed. In particular, for JAR signatures, apksigner uses SHA-256 or stronger by default, but only for APKs which support only API Level 18 or newer (as declared in minSdkVersion in their AndroidManifest.xml). APKs which run on earlier platforms must use SHA-1 because these earlier platforms don't support verifying APKs using SHA-256 or stronger. For APK Signature Scheme v2 signature, only SHA-256 or stronger is used, because this signature scheme does not even support SHA-1.

If you want apksigner to sign your APK with SHA-256, you can:

  • Set the APK's minSdkVersion to 18 or higher, but this will make Android platforms with API Level 17 and lower reject the APK at install time.
  • Pass in --min-sdk-version=18 to apksigner, but this will make Android platforms with API Level 17 and lower reject the APK at install time.
  • Sign the APK only with APK Signature Scheme v2, by passing in --v1-signing-enabled=false to apksigner, but this will make Android platforms with API Level 23 and lower reject the APK at install time.

P. S. Even if you switched to signing your APKs using only SHA-256, Android will still accept APKs with your package name and signing cert, signed with SHA-1 or MD5. So, depending on your threat model, you may need to switch to new signing keys which have never been used with SHA-1 or weaker digest algorithms. And this is not only for the digest algorithm used in the actual cryptographic signature, but also for the digest algorithms used in .SF and MANIFEST.MF files.
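As a check to go with the point above about the .SF and MANIFEST.MF digests, here is an added example (not part of the answer and not apksigner's own code) that opens an APK as a zip, reads its JAR-signature metadata files and reports which digest algorithms they declare. The `build_sample_apk` helper constructs a minimal stand-in zip for demonstration; its digest values are placeholders, not real hashes.

```python
import io
import re
import zipfile

# Attribute names used for digests in MANIFEST.MF and META-INF/*.SF,
# e.g. "SHA1-Digest:", "SHA-256-Digest:", "SHA-256-Digest-Manifest:".
DIGEST_ATTR = re.compile(
    r"^(?P<alg>[A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:",
    re.MULTILINE,
)
WEAK_DIGESTS = {"SHA1", "SHA-1", "MD5", "MD2"}


def jar_digest_algorithms(apk_bytes):
    """Map each JAR-signature file (MANIFEST.MF, *.SF) to the digest algorithms it uses."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if upper == "META-INF/MANIFEST.MF" or (
                upper.startswith("META-INF/") and upper.endswith(".SF")
            ):
                text = zf.read(name).decode("utf-8", errors="replace")
                found[name] = {m.group("alg").upper() for m in DIGEST_ATTR.finditer(text)}
    return found


def weak_jar_digests(apk_bytes):
    """Return only the files that still carry SHA-1 or weaker digests (empty dict = clean)."""
    return {n: a & WEAK_DIGESTS for n, a in jar_digest_algorithms(apk_bytes).items() if a & WEAK_DIGESTS}


def build_sample_apk(alg):
    """Constructed stand-in APK: a zip holding only the v1 signature metadata files."""
    manifest = (
        "Manifest-Version: 1.0\r\n\r\n"
        f"Name: classes.dex\r\n{alg}-Digest: AAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n\r\n"
    )
    sf = (
        "Signature-Version: 1.0\r\n"
        f"{alg}-Digest-Manifest: BBBBBBBBBBBBBBBBBBBBBBBBBBB=\r\n\r\n"
        f"Name: classes.dex\r\n{alg}-Digest: CCCCCCCCCCCCCCCCCCCCCCCCCCC=\r\n\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/CERT.SF", sf)
        zf.writestr("classes.dex", b"placeholder")  # not a real dex file
    return buf.getvalue()


if __name__ == "__main__":
    for alg in ("SHA1", "SHA-256"):
        print(alg, "->", weak_jar_digests(build_sample_apk(alg)) or "no weak digests")
```

To run it against a real APK, pass `open("app.apk", "rb").read()` to `weak_jar_digests`; an empty result means no SHA-1/MD5 digest attributes remain in the v1 signature files.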
