如何Android的应用程序/签名验证的工作? [英] How does Android's app/signature verification work?
问题描述
我想preface这个问题有两件事情,所以我可以缩小在我的实际问题是:
I want to preface this question with two things so I can narrow down where my actual question is:
一)我做软件开发之前,虽然从来没有为Android
a) I've done software dev before, though never for android
二)我熟悉PKI和加密和散列和数字签名等等等等
b) I'm familiar with PKI and encryptions and hashing and digital signatures and blah blah blah
话虽这么说我无法追踪在何处和Android如何验证应用程序创建者的更多信息。我听到了很多不同的信息,所以我试图合成,以获得更好的主意了工作流程。
That being said I'm having trouble tracking down more information about where and how Android verifies app creators. I've heard a lot of different information so I'm trying to synthesize to get a better idea of the workflow.
我知道,每一个应用程序开发者得到他们自己的私有/公共密钥对,他们签上自己的应用程序通过散列APK(使用SHA-1的大部分时间,如果我没有记错),而且你去。您上传和(我相信)公钥进去的APK里面META INF。这一点我明白了。
I know that every app developer gets their own private/public key pair and they sign their apps by hashing the APK (with SHA-1 most of the time if I'm not mistaken) and there you go. You upload it and (I believe) the public key goes in META INF inside the APK. This much I understand.
我的问题是如何与当用户下载应用程序本身。我知道手机检查,以确保该应用程序进行了有效签名,而且签名也有作者简介等信息包括在内。但是,我也看到了应用程序的自签名和谷歌播放(或任何他们正在调用的市场现在)没有实现CA,并没有身份认证?但我的问题是什么,然后停止,人们上传应用程序在另一开发商名称(众包放在一边)?
My question is how this relates to when a user downloads the app itself. I know the phone checks to make sure that the app is validly signed, and that the signature also has information about author and etc included. But I've also read that apps are self signed and that Google Play (or whatever they're calling the Market now) doesn't implement a CA, and that there's no identity authentication? But my question is what, then, stops people from uploading an app under another developers name (crowdsourcing aside)?
如果该手机只检查有效签名这是否意味着认证的唯一手段,当应用程序被上传完成?如果是这样的话如何应用程序市场检查呢?它是通常的 - 使用私钥的文件,并验证签名?抑或是开发商必须为市场提供自己的私钥进行身份验证?
If the phone only checks for valid signatures does that imply that the only means of authentication is done when the app is uploaded? And if that's the case how does the app market check it? Is it the usual - use the private key on file and verify the signature? Or does the developer have to provide the market with their private key to authenticate?
推荐答案
总之,Android和谷歌播放基本上不关心什么实际证书。谷歌播放将验证它确实是,并检查是否是有效期为30年或更长时间,但他们真的不使用(至少在目前,据我所知)在证书的实际信息。你可以在CN使用自己的名字/公司的名字,但没有人会验证这一点,用户不会看到这个信息的。什么安卓做的是:
In short, Android and Google Play essentially don't care about what's in actual certificate. Google Play will validate it indeed, and check if it is valid for 30 years or more, but they don't really use (at least currently, AFAIK) the actual info in the cert. You could use your own name/company name in the CN, but no one will validate this, and users won't see this info at all. What Android does is:
- 检查签名,以确保APK还没有被篡改
- 那么,这两个版本已经使用相同的密钥/证书(例如,通过签订比较歌声证书的作为二进制数据应用于当前安装的应用程序的版本,以确保一个同一个人/公司)
- 它做同样的事情,以强制执行的权限,如果你使用的是sharedUid或签名的权限有两个或两个以上的应用程序使用。
- check the signature to make sure the APK hasn't been tampered with
- then compare the singing certificate as a binary blob to the one of the currently installed version of the app to make sure that the two versions have been signed with the same key/certificate (e.g., by the same person/company)
- it does the same thing to enforce permission if you are using using sharedUid or signature permissions with two or more apps.
因此,要回答你的问题,一个人可以很容易地在其上创建有您名字的证书,但Android和谷歌播放不在乎。只要他们没有你的私钥,他们将不能够产生一个应用程序签名,它是和你的一样,因此,他们将无法覆盖/与他们的更新您的应用程序,或得到任何特殊权限。
So, to answer your question, someone can easily create a certificate with your name on it, but Android and Google Play don't really care. As long as they don't have your private key, they won't be able produce an app signature that is the same as yours and thus they wouldn't be able to overwrite/update your app with theirs, or get any special permissions.
这篇关于如何Android的应用程序/签名验证的工作?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
