使用JarSigner以编程方式验证APK [英] Verifying an APK programmatically using JarSigner

问题描述

我想使用JarSigner从Java代码验证APK.我正在编写以编程方式安装APK(类似于Google Play)的应用，并且在安装前请检查以下内容:

I want to use verify an APK from Java code using JarSigner. I am writing an app that programatically installs APKs (much like Google Play) and before installing it checks for the following:

• 验证.SF文件本身的签名.验证列出的摘要 在.SF文件的每个条目中，以及 清单.
  验证.SF文件中每个条目中列出的摘要 清单中的每个相应部分.
  读入每个文件 在.SF文件中具有条目的JAR文件.在读的时候， 计算文件的摘要，然后将结果与 清单部分中此文件的摘要.

• Verify the signature of the .SF file itself.Verify the digest listed in each entry in the .SF file with each corresponding section in the manifest.
  Verify the digest listed in each entry in the .SF file with each corresponding section in the manifest.
  Read each file in the JAR file that has an entry in the .SF file. While reading, compute the file's digest, and then compare the result with the digest for this file in the manifest section.

这很像在命令行上使用-verify选项运行jarsigner

This is much like running jarsigner with -verify option on command line

我查阅了Java文档，我认为我可以使用

I looked up Java documentation, I think I could use JarSigner.verifyJar() API for this.But this is not public method. Has anyone tried to verify APK from Java code? Will appreciate any pointers.

推荐答案

您可以这样获得签名:

PackageInfo packageInfo = context.getPackageManager().getPackageInfo(
    context.getPackageName(), PackageManager.GET_SIGNATURES);

List<String> list = new ArrayList<>();

for (Signature signature : packageInfo.signatures) {
    MessageDigest md = MessageDigest.getInstance("SHA");
    md.update(signature.toByteArray());
    final String currentSignature = Base64.encodeToString(md.digest(), Base64.DEFAULT);
    list.add(currentSignature);
}

查看这篇文章以获得详细信息.

这篇关于使用JarSigner以编程方式验证APK的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！