Apksigner does not verify signature

Views: 85

Problem description

I was trying to verify the signature of the latest Gmail app (version 8.11.25.224) with apksigner and it failed.

I used:

apksigner verify --verbose --print-certs <apk.file>

The result was:

DOES NOT VERIFY
ERROR: APK Signature Scheme v2 signer #1 Malformed additional attribute #1

I was searching for an explanation of why this happened, but I couldn't find any solution to this problem. I have experimented a little, and if you add --min-sdk-version 28 to the options of the apksigner command then the results are:

Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): false
Number of signers: 1
Signer #1 certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: f0fd...
Signer #1 certificate SHA-1 digest: 3891...
Signer #1 certificate MD5 digest: cde9...
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: 2b06...
Signer #1 public key SHA-1 digest: b2da...
Signer #1 public key MD5 digest: a90c...

And if you use the jarsigner tool the results are:

WARNING:
This jar contains entries whose certificate chain is invalid.
Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This jar contains signatures that do not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2036-01-08) or after any future revocation date.
Re-run with the -verbose and -certs options for more details.

I uploaded my Gmail APK file.

Solution

This happens if an APK is signed with the v3 signing scheme but the version of apksigner is outdated and does not support this scheme. Read the warning:

apksigner version
    0.8    
apksigner verify --verbose "Signal-website-universal-release-4.50.5.apk"
    DOES NOT VERIFY
    ERROR: APK Signature Scheme v2 signer #1: Malformed additional attribute #1
    WARNING: APK Signature Scheme v2 signer #1: Unknown signature algorithm: 0x421

So, the signature algorithm is unknown to apksigner version 0.8. I wouldn't call it a bug (as Pierre does), but the error message could be clearer, and it would be better if the old version were able to check at least the v2 signature. The most annoying point (mentioned by Freedo) is that Ubuntu still ships an old 0.8 apksigner package for all releases (packages.ubuntu.com), even in the most recent Ubuntu 19.10 (eoan), and there is no PPA with a newer version. You need at least version 0.9, which is currently only part of the Android SDK build tools.

The easiest way for me was to install Android Studio and open it at least once to automatically download the latest Android SDK. The Ubuntu 19.10 App Center did install it as a snap, and the SDK was then located in my home directory:

./Android/Sdk/build-tools/29.0.2/apksigner version
    0.9
./Android/Sdk/build-tools/29.0.2/apksigner verify --verbose --print-certs "Signal-website-universal-release-4.50.5.apk" 
    Verifies
    Verified using v1 scheme (JAR signing): true
    Verified using v2 scheme (APK Signature Scheme v2): true
    Verified using v3 scheme (APK Signature Scheme v3): true
    Number of signers: 1
    Signer #1 certificate DN: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
    Signer #1 certificate SHA-256 digest: 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26
    Signer #1 certificate SHA-1 digest: 45989dc9ad8728c2aa9a82fa55503e34a8879374
    Signer #1 certificate MD5 digest: d90db364e32fa3a7bda4c290fb65e310
    Signer #1 key algorithm: RSA
    Signer #1 key size (bits): 1024
    Signer #1 public key SHA-256 digest: 75336a3cc9edb64202cd77cd4caa6396a9b5fc3c78c58660313c7098ea248a55
    Signer #1 public key SHA-1 digest: b46cbed18d6fbbe42045fdb93f5032c943d80266
    Signer #1 public key MD5 digest: 0f9c33bbd45db0218c86ac378067538d
    WARNING: META-INF/* not protected by signature.

There are a lot of warnings about files in the META-INF folder, because the folder is excluded from the signature and contains a lot of version files and the certs. That's also the reason why it is not sufficient to just read the cert from the APK, like some pages recommend.

Edit: See also "How to verify SHA256 fingerprint of APK"
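As an added example (not code from the question, the answer, or the apksigner project), the checker below turns the answer's advice into a script: it parses the output of `apksigner verify --verbose --print-certs`, refuses anything that does not print `Verifies`, treats the `Unknown signature algorithm` warning as a hint that apksigner is too old for the APK's signing scheme, and only then compares the `Signer #1 certificate SHA-256 digest` against a pinned value. The two sample transcripts and the pin are constructed from the answer's own output; the `run_apksigner` wrapper assumes an apksigner binary on PATH or passed explicitly, and the "v2 or v3 required" rule is this example's policy, not something apksigner enforces.

```python
"""Check an apksigner verdict and pin the signer certificate.

Added example, not from the original post. The parser only needs text, so
the sample outputs below are constructed from the answer's transcript.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample: what apksigner 0.9 printed for the Signal APK in the
# answer (trimmed to the lines the checker uses).
GOOD_OUTPUT = """\
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1
Signer #1 certificate DN: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Signer #1 certificate SHA-256 digest: 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 1024
WARNING: META-INF/* not protected by signature.
"""

# Constructed sample: what the outdated apksigner 0.8 printed for the same APK.
BAD_OUTPUT = """\
DOES NOT VERIFY
ERROR: APK Signature Scheme v2 signer #1: Malformed additional attribute #1
WARNING: APK Signature Scheme v2 signer #1: Unknown signature algorithm: 0x421
"""

# Pin taken from the verified transcript in the answer.
SIGNAL_CERT_SHA256 = "29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26"

SCHEME_RE = re.compile(r"^Verified using (v\d) scheme .*: (true|false)$")
CERT_RE = re.compile(r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})$")


@dataclass
class VerifyResult:
    verifies: bool = False
    schemes: dict = field(default_factory=dict)      # {"v1": True, "v2": True, ...}
    cert_sha256: list = field(default_factory=list)  # one lowercase digest per signer
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def parse_apksigner_output(text: str) -> VerifyResult:
    """Parse the text printed by `apksigner verify --verbose --print-certs`."""
    result = VerifyResult()
    for raw in text.splitlines():
        line = raw.strip()  # the transcript in the answer is indented
        if line == "Verifies":
            result.verifies = True
        elif line.startswith("ERROR:"):
            result.errors.append(line)
        elif line.startswith("WARNING:"):
            result.warnings.append(line)
        elif (m := SCHEME_RE.match(line)):
            result.schemes[m.group(1)] = m.group(2) == "true"
        elif (m := CERT_RE.match(line)):
            result.cert_sha256.append(m.group(2).lower())
    return result


def check_apk(output: str, expected_cert_sha256: str):
    """Return (ok, reason). ok is True only if apksigner verified the signature
    over the APK contents AND the signer certificate matches the pinned digest."""
    r = parse_apksigner_output(output)
    if not r.verifies:
        reason = "DOES NOT VERIFY: " + "; ".join(r.errors)
        if any("Unknown signature algorithm" in w for w in r.warnings):
            reason += " (hint: this apksigner may be too old for the APK's signing scheme)"
        return False, reason
    # Policy choice of this example: a JAR (v1) signature alone is not enough.
    if not (r.schemes.get("v2") or r.schemes.get("v3")):
        return False, "only the v1 (JAR) signature verified; v2 or v3 required"
    if not r.cert_sha256:
        return False, "no signer certificate digest in output; run with --print-certs"
    if expected_cert_sha256.lower() not in r.cert_sha256:
        return False, "certificate SHA-256 digest mismatch: got " + ", ".join(r.cert_sha256)
    return True, "verified; signer certificate matches the pinned digest"


def run_apksigner(apk_path: str, apksigner: str = "apksigner") -> str:
    """Run apksigner (assumed on PATH or given explicitly) and return its
    combined stdout/stderr. apksigner exits non-zero when the APK does not
    verify, so the exit status is deliberately not turned into an exception."""
    proc = subprocess.run(
        [apksigner, "verify", "--verbose", "--print-certs", apk_path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: check.py <apk> <expected cert sha256>
        ok, why = check_apk(run_apksigner(sys.argv[1]), sys.argv[2])
    else:  # offline demo on the constructed transcripts
        ok, why = check_apk(GOOD_OUTPUT, SIGNAL_CERT_SHA256)
    print("OK" if ok else "FAIL", "-", why)
```

The pin is compared only after apksigner has reported `Verifies`, which is the point the answer makes about META-INF: a certificate pulled out of META-INF tells you who the certificate claims to belong to, not that the APK's contents were actually signed with it, so the digest has to come from a verified signature. Against the 0.8 transcript the checker fails and points at the apksigner version rather than at the APK.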
