1, Android signature mechanism
The APK signature ensures that an APK comes from the claimed source and that the file has not been modified after signing;
APK signing is built on a cryptographic hash algorithm;
Properties of a hash algorithm:
- Uniqueness
- Fixed length
- Irreversible
Common hash algorithms:
- SHA-1 (Secure Hash Algorithm 1): 160-bit digest;
- MD5: 128-bit digest;
Signature process:
- ① Compute the digest: run the original data through the hash algorithm;
- ② Encrypt with the private key: encrypt the digest from step ① with the private key; during verification the public key decrypts it and the result is compared with a freshly computed digest of the received data;
- ③ Write the signature: store the result in the signature block;
When signing, after entering the password of the keystore file you must also enter the key alias and the alias password; one keystore can hold multiple keys;
A signature is equivalent to a fingerprint: any modification to the APK, even a single space added to any resource file, breaks the signature and the APK fails verification;
When signing, the private key is used on the APK; when the APK is installed, the system checks it with the public key;
2, Generate Android signature file
Generate signature key:
In Android Studio, select "menu bar / Build / Generate Signed Bundle/APK...",
Select the APK option,
Choose to create a new signature file,
In "Key store path", choose where the signature file will be generated,
In the pop-up dialog box, click the green Android icon to place it in the project root directory,
Enter the keystore password and the alias password (both set to 123456 here) and click "OK" to generate the signature file;
The signature file is generated in the project root directory;
3, Analyze signature file
Use the following command to view the details of the signing key:
keytool -list -v -keystore keystore.jks
In the Extensions section of the output there is one extension, #1: ObjectId: 2.5.29.14 Criticality=false (the SubjectKeyIdentifier);
One jks file can hold multiple keys, and one certificate can carry multiple extensions; this one has a single key and a single extension;
Keys listed this way include those used for signing Java programs as well as those used for signing Android APKs;
Y:\002_WorkSpace\001_AS\AppStart>keytool -list -v -keystore keystore.jks
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: key0
Creation date: 2021-9-14
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Han Shuliang
Issuer: CN=Han Shuliang
Serial number: 3f8f6290
Valid from: Tue Sep 14 22:31:41 GMT+08:00 2021 until: Sat Sep 08 22:31:41 GMT+08:00 2046
Certificate fingerprints:
	 MD5:  C1:02:69:22:1F:DB:62:A2:75:B4:C3:B8:6A:55:0C:23
	 SHA1: 52:00:F8:BB:3B:3E:5B:DC:CF:BD:94:5A:30:A4:DF:C4:9D:33:54:EE
	 SHA256: 02:42:F3:F2:5B:9A:04:9A:28:FD:16:06:25:66:BF:28:F0:DE:14:42:69:04:60:DF:2C:AD:42:C0:51:6D:9B:57
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 26 9F 73 C0 B7 BC 03 F2   6A 15 0A E1 B7 8C 0B 78  &.s.....j......x
0010: 1A 92 C4 8E                                        ....
]
]

*******************************************
*******************************************
4, The role of two passwords in signing files
The first password (the one marked in red in the screenshot) is the password of the keystore file itself;
The alias and its password (marked in blue) are the ones used for the APK signature;
5, Three signature methods
Android has three signature schemes:
V1 is JAR file signing; this scheme has known weaknesses;
V2 signs the APK file as a whole; it is available from Android 7.0 onwards;
V3 adds support for upgrading (rotating) the signing key; it is available from Android 9.0 onwards;
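A way to see which of the three schemes an APK actually carries, as an added example that is not part of the original article. V1 shows up as META-INF/*.SF and *.RSA (or *.DSA / *.EC) entries inside the zip; V2 and V3 live in the APK Signing Block that sits just before the zip central directory, identified by the magic string "APK Sig Block 42" and by the block IDs 0x7109871a (v2) and 0xf05368c0 (v3) from the Android documentation. The sample APK is constructed in memory and its signature payloads are placeholders; the code inspects structure only and does not verify any signature.

```python
"""Detect which APK signature schemes (v1 / v2 / v3) an APK carries.

Added example, not from the original article. Block layout and IDs are
the public ones (v2 = 0x7109871a, v3 = 0xf05368c0); the sample APK is
constructed in memory with placeholder signature payloads.
"""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}
EOCD_SIGNATURE = b"PK\x05\x06"


def _eocd_offset(data: bytes) -> int:
    """Locate the End Of Central Directory record (archive without a comment)."""
    idx = data.rfind(EOCD_SIGNATURE)
    if idx < 0:
        raise ValueError("not a zip/APK: EOCD record not found")
    return idx


def _central_directory_offset(data: bytes) -> int:
    return struct.unpack_from("<I", data, _eocd_offset(data) + 16)[0]


def has_v1_signature(data: bytes) -> bool:
    """v1 = JAR signing: a META-INF/*.SF plus a *.RSA/*.DSA/*.EC file."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.upper() for n in zf.namelist() if n.startswith("META-INF/")]
    has_sf = any(n.endswith(".SF") for n in names)
    has_sig = any(n.endswith((".RSA", ".DSA", ".EC")) for n in names)
    return has_sf and has_sig


def signing_block_ids(data: bytes) -> list:
    """Return the ID of every ID-value pair in the APK Signing Block, or []."""
    cd_offset = _central_directory_offset(data)
    if cd_offset < 32 or data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return []
    # layout: size_of_block | id-value pairs | size_of_block | magic(16)
    size_of_block = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    block_start = cd_offset - size_of_block - 8
    if block_start < 0 or struct.unpack_from("<Q", data, block_start)[0] != size_of_block:
        raise ValueError("APK Signing Block size fields disagree")
    ids, pos, end = [], block_start + 8, cd_offset - 24
    while pos < end:
        pair_len = struct.unpack_from("<Q", data, pos)[0]   # 4-byte id + value
        if pair_len < 4 or pos + 8 + pair_len > end:
            raise ValueError("malformed ID-value pair")
        ids.append(struct.unpack_from("<I", data, pos + 8)[0])
        pos += 8 + pair_len
    return ids


def detect_schemes(data: bytes) -> list:
    schemes = ["v1"] if has_v1_signature(data) else []
    schemes += [SCHEME_IDS[i] for i in signing_block_ids(data) if i in SCHEME_IDS]
    return schemes


def build_sample_apk(v1=False, block_ids=()) -> bytes:
    """Constructed sample: placeholder zip entries plus an optional synthetic
    APK Signing Block inserted in front of the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"placeholder manifest")
        zf.writestr("classes.dex", b"placeholder dex")
        if v1:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"placeholder PKCS#7 blob")
    data = buf.getvalue()
    if not block_ids:
        return data
    pairs = b"".join(struct.pack("<QI", 4 + 8, bid) + b"\0" * 8 for bid in block_ids)
    size = len(pairs) + 8 + 16
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    cd, eocd = _central_directory_offset(data), _eocd_offset(data)
    patched = bytearray(data[:cd] + block + data[cd:])
    # the EOCD moved by len(block); point it at the relocated central directory
    struct.pack_into("<I", patched, eocd + len(block) + 16, cd + len(block))
    return bytes(patched)


def demo():
    return (detect_schemes(build_sample_apk()),
            detect_schemes(build_sample_apk(v1=True)),
            detect_schemes(build_sample_apk(v1=True, block_ids=(0x7109871A, 0xF05368C0))))


if __name__ == "__main__":
    print(demo())   # ([], ['v1'], ['v1', 'v2', 'v3'])
```

The useful review outcome is the middle case: an APK that carries only a v1 signature on devices running Android 7.0 or later is relying on the weaker per-entry JAR scheme, and that is what a release checklist should flag. The EOCD lookup here assumes no zip comment; a production parser scans backwards and validates the comment length.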