10

I would like to verify that two APK files have been signed with the same certificate.

I have the whole Java SDK available but would like to it from Java code to make for cross-platform reasons.

Any ideas?

yorkw
  • 40,156
  • 10
  • 112
  • 130
jonasmaturana
  • 275
  • 3
  • 10
  • Does the check have to be performed at runtime? Or can it be checked using one of the tools bundled with the JDK? – Dioxin Dec 30 '14 at 17:37

3 Answers3

6

all about is to Comparing your app's signatures

a) get signature of both aps 
b) check if sig.hashCode() == releaseSig.hashCode

1) by run-time check using android api: 

Signature[] sigs = context.getPackageManager()
           .getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES)
           .signatures;

from file:

 Signature releaseSig = context.getPackageManager()
          .getPackageAchiveInfo("/path2apk/app.apk",PackageManager.GET_SIGNATURES)
          .signatures[0];

2) getting signature outside android see:

http://androidcracking.blogspot.com/2010/12/getting-apk-signature-outside-of.html

you can use: 

 openssl pkcs7 -inform DER -in CERT.RSA -noout -print_certs -text
 unzip -p application.apk META-INF/CERT.RSA | keytool -printcert

on-the-fly usage of openssl:

(unzip & pipe the cert instead of defining an -infile option):

unzip -p application.apk META-INF/CERT.RSA 
             | openssl pkcs7 -inform DER -noout -print_certs -text

additional resources:

How do I find out which keystore was used to sign an app?

How to get APK signing signature?

I can recommend you a good article in this thema by Scott Alexander-Bown (scottyab)

https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app

Community
  • 1
  • 1
ceph3us
  • 6,591
  • 2
  • 34
  • 39
5

Try this link here developer guide

And you can know if they are signed using same signatures or not using the validation of the certificate with creation date.

First navigate to the .apk containing folder in terminal

  $ jarsigner -verify -verbose -certs my_application.apk
sheetal
  • 2,934
  • 1
  • 27
  • 44
1

Android Application

Use the built-in API PackageManager.checkSignatures().

Java Application

The solution is a bit mess but still doable, just dig into PackageManager.checkSignatures() source code and port the implementation to Java. In PackageManager, the part for loading and checking signature is mainly base on Java API:

  • java.util.jar.JarEntry;
  • java.util.jar.JarFile;
  • java.security.PublicKey;
  • java.security.cert.Certificate;
  • java.security.cert.CertificateException;
  • java.security.cert.CertificateFactory;

General idea:

  1. Borrow android.content.pm.Signature source code and port it into Java (need strip off Parcelable)
  2. How to collect/load Signature from apk, check out collectCertificates() and loadCertificates() methods in android.content.pm.PackageParser.
  3. How to check/compare 'Signature', check out checkSignatures() and compareSignatures() methods in android.server.pm.PackageManagerService.

Hope this make sense.

Community
  • 1
  • 1
yorkw
  • 40,156
  • 10
  • 112
  • 130