I would like to verify that two APK files have been signed with the same certificate.
I have the whole Java SDK available but would like to it from Java code to make for cross-platform reasons.
Any ideas?
I would like to verify that two APK files have been signed with the same certificate.
I have the whole Java SDK available but would like to it from Java code to make for cross-platform reasons.
Any ideas?
all about is to Comparing your app's signatures
a) get signature of both aps
b) check if sig.hashCode() == releaseSig.hashCode
1) by run-time check using android api:
Signature[] sigs = context.getPackageManager()
.getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES)
.signatures;
from file:
Signature releaseSig = context.getPackageManager()
.getPackageAchiveInfo("/path2apk/app.apk",PackageManager.GET_SIGNATURES)
.signatures[0];
2) getting signature outside android see:
http://androidcracking.blogspot.com/2010/12/getting-apk-signature-outside-of.html
you can use:
openssl pkcs7 -inform DER -in CERT.RSA -noout -print_certs -text
unzip -p application.apk META-INF/CERT.RSA | keytool -printcert
on-the-fly usage of openssl:
(unzip & pipe the cert instead of defining an -infile option):
unzip -p application.apk META-INF/CERT.RSA
| openssl pkcs7 -inform DER -noout -print_certs -text
additional resources:
How do I find out which keystore was used to sign an app?
How to get APK signing signature?
I can recommend you a good article in this thema by Scott Alexander-Bown (scottyab)
https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app
Try this link here developer guide
And you can know if they are signed using same signatures or not using the validation of the certificate with creation date.
First navigate to the .apk containing folder in terminal
$ jarsigner -verify -verbose -certs my_application.apk
Use the built-in API PackageManager.checkSignatures().
The solution is a bit mess but still doable, just dig into PackageManager.checkSignatures()
source code and port the implementation to Java. In PackageManager, the part for loading and checking signature is mainly base on Java API:
General idea:
Signature
from apk, check out collectCertificates()
and loadCertificates()
methods in android.content.pm.PackageParser.checkSignatures()
and compareSignatures()
methods in android.server.pm.PackageManagerService.Hope this make sense.