如何验证该应用是否由我的证书签名？ [英] How to verify that app was signed by my certificate?

问题描述

如何检查我的应用程式签名是否符合我用来签署的签章？

How do I check if the signature of my app matches the signature of the certificate that I used to sign it?

这是我应该如何取得证书指纹：

This is how I should be able to get the certificates fingerprint:

public String getCertificateFingerprint() throws NameNotFoundException, CertificateException, NoSuchAlgorithmException {
        PackageManager pm = context.getPackageManager();
        String packageName =context.getPackageName();

        int flags = PackageManager.GET_SIGNATURES;

        PackageInfo packageInfo = null;

        packageInfo = pm.getPackageInfo(packageName, flags);
        Signature[] signatures = packageInfo.signatures;

        byte[] cert = signatures[0].toByteArray();

        InputStream input = new ByteArrayInputStream(cert);

        CertificateFactory cf = null;
        cf = CertificateFactory.getInstance("X509");

        X509Certificate c = null;
        c = (X509Certificate) cf.generateCertificate(input);

        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] publicKey = md.digest(c.getPublicKey().getEncoded());

        StringBuffer hexString = new StringBuffer();
        for (int i = 0; i < publicKey.length; i++) {
            String appendString = Integer.toHexString(0xFF & publicKey[i]);
            if (appendString.length() == 1)
                hexString.append("0");
            hexString.append(appendString);
        }

        return hexString.toString();
    }

这是我应该能够获得我的证书的指纹： / p>

This is how I should be able to get the fingerprint of my certificate:

keytool -v -list -keystore filenameandpath

我的问题是，这两个给出不同的结果。

My problem is, that these two give back different results. Could someone point out what I'm screwing up?

推荐答案

您正在计算错误数据的MD5哈希值。证书的指纹是原始证书的散列（MD5，SHA1，SHA256等）。也就是说，你应该计算这些字节的哈希值：

You are computing the MD5 hash of the wrong data. The fingerprint of a certificate is a hash (MD5, SHA1, SHA256, etc.) of the raw certificate. I.e., you should be computing the hash of these bytes:

byte[] cert = signatures[0].toByteArray();

例如，以下计算SHA1指纹，只要将SHA1更改为MD5即可。

E.g., the following computes a SHA1 fingerprint, just change SHA1 to MD5 if you prefer.

    public String computeFingerPrint(final byte[] certRaw) {

    String strResult = "";

    MessageDigest md;
    try {
        md = MessageDigest.getInstance("SHA1");
        md.update(certRaw);
        for (byte b : md.digest()) {
            strAppend = Integer.toString(b & 0xff, 16);
            if (strAppend.length() == 1)
                strResult += "0";
            strResult += strAppend;
        }
        strResult = strResult.toUpperCase(DATA_LOCALE);
    }
    catch (NoSuchAlgorithmException ex) {
        ex.printStackTrace();
    }

    return strResult;
}

这篇关于如何验证该应用是否由我的证书签名？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！