Verifying an APK programmatically using JarSigner

2019-04-15 04:13发布

问题:

I want to use verify an APK from Java code using JarSigner. I am writing an app that programatically installs APKs (much like Google Play) and before installing it checks for the following:

  • Verify the signature of the .SF file itself.Verify the digest listed in each entry in the .SF file with each corresponding section in the manifest.
    Verify the digest listed in each entry in the .SF file with each corresponding section in the manifest.
    Read each file in the JAR file that has an entry in the .SF file. While reading, compute the file's digest, and then compare the result with the digest for this file in the manifest section.

This is much like running jarsigner with -verify option on command line

I looked up Java documentation, I think I could use JarSigner.verifyJar() API for this.But this is not public method. Has anyone tried to verify APK from Java code? Will appreciate any pointers.

回答1:

You can get your signature like this:

PackageInfo packageInfo = context.getPackageManager().getPackageInfo(
    context.getPackageName(), PackageManager.GET_SIGNATURES);

List<String> list = new ArrayList<>();

for (Signature signature : packageInfo.signatures) {
    MessageDigest md = MessageDigest.getInstance("SHA");
    md.update(signature.toByteArray());
    final String currentSignature = Base64.encodeToString(md.digest(), Base64.DEFAULT);
    list.add(currentSignature);
}

Check out this article for full details.