Get the SHA1 key for the signature
The first step in verifying the signature is to retrieve the SHA1 fingerprint of the signing certificate stored in the keystore.
This can be done using keytool.
The command to run on the debug keystore is given below,
keytool -list -v -keystore debug.keystore -alias androiddebugkey -storepass android -keypass android
The fingerprints are listed under the Certificate fingerprints section of the output:

Certificate fingerprints:
     MD5:
     SHA1:
     Signature algorithm name: SHA1withRSA
     Version: 3
Verification for the signature
Verification of the signature can be done in the main Activity class or in the Application class.
The verification works by computing the SHA1 fingerprint of the certificate the running application was signed with and comparing it against the fingerprint obtained from the keytool command above.
import android.app.Activity;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.PackageManager.NameNotFoundException;
import android.content.pm.Signature;
import android.os.Bundle;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class MainActivity extends Activity {

    // Raw bytes of the SHA1 fingerprint printed by keytool (each "XX:" pair becomes one byte)
    static final byte[] signatureSha1 = { /* SHA1 key obtained from keytool */ };

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        boolean validSignature = false;
        try {
            // Retrieve the SHA1 digest implementation
            MessageDigest sha1Alg = MessageDigest.getInstance("SHA1");
            try {
                // Retrieve the package info; with GET_SIGNATURES it contains the signing certificates
                PackageInfo packageInfo = getPackageManager().getPackageInfo(
                        getPackageName(), PackageManager.GET_SIGNATURES);
                // Check every signer against the fingerprint obtained using keytool
                for (Signature signature : packageInfo.signatures) {
                    // signature.toByteArray() is the DER-encoded certificate; its SHA1 is the keytool fingerprint
                    byte[] hash = sha1Alg.digest(signature.toByteArray());
                    // Compare it against the one obtained using keytool
                    if (Arrays.equals(hash, signatureSha1)) {
                        validSignature = true;
                        break;
                    }
                }
            } catch (NameNotFoundException e) {
                throw new RuntimeException(e);
            }
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
        if (!validSignature) {
            throw new RuntimeException("Invalid Signature");
        }
        // Complete the activity initialization here
    }
}
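The same check as a reusable helper, added here as an example and not code from the original post: it converts the colon-separated fingerprint exactly as keytool prints it (so nothing has to be hand-typed into a byte array), uses the non-deprecated signing API on Android 9 and later, and compares digests with MessageDigest.isEqual. The class name SigningCertCheck and the EXPECTED_SHA1 placeholder are assumptions.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper (not part of the original post) for checking the app's signing certificate. */
public final class SigningCertCheck {

    // Placeholder: paste the SHA1 line from the keytool output, e.g. "AB:CD:...:EF"
    static final String EXPECTED_SHA1 = "<SHA1 fingerprint from keytool>";

    /** Convert keytool's colon-separated hex fingerprint ("AB:CD:...") into raw bytes. */
    static byte[] fingerprintToBytes(String fingerprint) {
        String[] parts = fingerprint.trim().split(":");
        byte[] out = new byte[parts.length];
        for (int i = 0; i < parts.length; i++) {
            out[i] = (byte) Integer.parseInt(parts[i], 16);
        }
        return out;
    }

    /** True if any certificate the running package was signed with matches the expected fingerprint. */
    static boolean signedWith(Context ctx, String expectedFingerprint) {
        byte[] expected = fingerprintToBytes(expectedFingerprint);
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            PackageManager pm = ctx.getPackageManager();
            Signature[] signers;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                // API 28+: GET_SIGNATURES is deprecated; SigningInfo exposes the current signers
                // (use getSigningCertificateHistory() instead if the app uses key rotation)
                PackageInfo pi = pm.getPackageInfo(ctx.getPackageName(),
                        PackageManager.GET_SIGNING_CERTIFICATES);
                signers = pi.signingInfo.getApkContentsSigners();
            } else {
                @SuppressWarnings("deprecation")
                PackageInfo pi = pm.getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
                signers = pi.signatures;
            }
            for (Signature s : signers) {
                // Digest of the DER certificate equals keytool's SHA1 fingerprint; isEqual is constant-time
                if (MessageDigest.isEqual(sha1.digest(s.toByteArray()), expected)) return true;
            }
            return false;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Call `SigningCertCheck.signedWith(this, SigningCertCheck.EXPECTED_SHA1)` from onCreate and fail initialization when it returns false.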