Concepts and commands related to APK signing
1. Concepts
1. Message Digest
Message digest: a one-way hash function is run over the message data to produce a fixed-length hash value, also called a message digest or digital fingerprint.
Message digest properties:
(1) However long the input message is, the digest always has the same fixed length;
(2) The message cannot be recovered from its digest;
(3) If the message is modified, the digest changes (because a long plaintext maps to a short digest, collisions must exist in principle; a secure hash only makes them infeasible to find).
Purpose: a digest on its own only checks integrity against accidental corruption; it does not protect against deliberate tampering, because whoever can replace the file can replace the published digest as well. Typical use: MD5/SHA checksums for file downloads.
Message digest algorithms: MD5, SHA-0, SHA-1 (all three are now considered broken for collision resistance; use SHA-256 or stronger for anything new).
2. Digital Signature
Digital signature: the sender applies its private key to the message digest (for RSA this is often described as "encrypting" the digest, although signing and encryption are distinct operations). The resulting string cannot be produced by anyone who does not hold the private key, so it is proof that the message came from the holder of that key. This string is the digital signature.
A digital signature combines an asymmetric (public-key) algorithm with a message digest algorithm.
Function: guarantees message integrity, detects tampering, and authenticates the origin of the message.
Principle: the sender hashes the message, signs the digest with its private key, and sends the signature together with the original message. The receiver uses the sender's public key to verify the signed digest, recomputes the digest of the received message with the same hash function, and compares the two. A mismatch means the message was altered in transit or the signature was not made with the matching private key.
Why sign only the digest instead of the whole message?
Asymmetric operations are slow and, for RSA, limited to inputs shorter than the modulus; digest algorithms (MD5, the SHA family) are fast and produce a fixed-length output. Signing the digest keeps the expensive step small and makes the whole signing process efficient.
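The sign-the-digest scheme described above, as an added example that is not part of the original article. It assumes the `cryptography` package is installed (an assumption of this example, not something the article uses); the message is a constructed sample. The sender hashes the message and signs only the 32-byte digest; the receiver recomputes the digest and verifies it with the public key, so a modified message or a signature from a different key is rejected.

```python
"""Added example: sign a message digest with a private key, verify with the public key.
Assumes the `cryptography` package (not part of the original article)."""
import hashlib

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa, utils


def sign_digest(private_key, message: bytes) -> bytes:
    """Sender side: hash the message, then sign only the fixed-length digest."""
    digest = hashlib.sha256(message).digest()  # 32 bytes regardless of message size
    return private_key.sign(
        digest,
        padding.PKCS1v15(),
        utils.Prehashed(hashes.SHA256()),  # input is already a SHA-256 digest
    )


def verify_digest(public_key, message: bytes, signature: bytes) -> bool:
    """Receiver side: recompute the digest of what arrived and check it against the signature."""
    digest = hashlib.sha256(message).digest()
    try:
        public_key.verify(
            signature, digest, padding.PKCS1v15(), utils.Prehashed(hashes.SHA256())
        )
        return True
    except InvalidSignature:
        return False


def demo() -> dict:
    """Sign a constructed message; show that tampering or a wrong key breaks verification."""
    sender = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    impostor = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    message = b"app-release.apk version 1.2.3"  # constructed sample message
    sig = sign_digest(sender, message)
    return {
        "valid": verify_digest(sender.public_key(), message, sig),
        "tampered": verify_digest(sender.public_key(), message + b" (modified)", sig),
        "wrong_key": verify_digest(impostor.public_key(), message, sig),
        # The library's one-shot sign() hashes internally; PKCS#1 v1.5 is deterministic,
        # so it produces exactly the same bytes as signing the precomputed digest.
        "same_as_library": sig == sender.sign(message, padding.PKCS1v15(), hashes.SHA256()),
    }


if __name__ == "__main__":
    print(demo())
```

The `same_as_library` result is the point of the "why sign only the digest" question: a standard RSA signature already is a signature over the digest, so signing the digest explicitly costs nothing and lets the expensive private-key operation run on 32 bytes whatever the size of the message.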
3. Digital Certificate
A digital certificate is a file, digitally signed by a certificate authority (or by the key holder itself), that binds a public key to information about its owner.
Digital certificate contents:
Issuer
Validity period
Public key of the certificate subject
Subject (certificate owner)
Signature algorithm used by the issuer
Note: the certificate in CERT.RSA of an Android APK is self-signed; it does not have to be issued or verified by a third-party authority and is generated on the developer's machine (with keytool). Android uses it purely as an identity: an update is only installed if it is signed with the same certificate as the installed version, which is why the signing key must be protected and never lost.
2. Two signing methods for Android APK
1. jarsigner and signapk tools
jarsigner is the JDK tool for signing JAR files; since an APK is a ZIP archive with the same META-INF layout, it can sign APKs too.
signapk (signapk.jar from the AOSP build tree) is the tool used to sign Android APKs.
The two produce the same kind of signature; they differ mainly in the key material they take as input.
2. Differences between keystore, pk8, and x509.pem
jarsigner signs with a Java keystore file. Eclipse's Debug build signs with jarsigner and the default debug keystore.
signapk signs with a PKCS#8 private key (.pk8) and an X.509 certificate in PEM form (.x509.pem).
3. Android allows an APK to be signed with multiple keys (multiple signers), each adding its own .SF/.RSA pair under META-INF.
jarsigner signature files: the file name is derived from the key alias (uppercased, truncated to 8 characters) and the extension is the signature algorithm (.RSA, .DSA or .EC), alongside the matching .SF file.
signapk writes its files into META-INF under the name CERT (CERT.SF and CERT.RSA).
4. signapk
Usage: java -jar signapk.jar publickey.x509.pem privatekey.pk8 input.apk output.apk
publickey.x509.pem -- the certificate (and any chain), which carries the public key and names the signature algorithm;
privatekey.pk8 -- the private key in PKCS#8 DER form.
Signature files inside the APK:
MANIFEST.MF -- contains a digest (SHA-1, base64-encoded) of every file in the input APK.
CERT.SF -- holds the digest of MANIFEST.MF as a whole, plus the SHA-1 of each entry section in MANIFEST.MF, all base64-encoded.
CERT.RSA -- holds the signature and the signer's public-key certificate (PKCS#7). The data that is signed is the content of CERT.SF.
In other words, the signature stored in CERT.RSA is computed over CERT.SF with the private key; the signature algorithm and the public key needed to verify it come from the certificate, which is embedded in the same file. CERT.RSA therefore contains both the signature and the certificate, and that certificate is normally self-signed (Android does not chain it to a CA). Because each layer only vouches for the one below it, changing any file without regenerating MANIFEST.MF, CERT.SF and CERT.RSA is detected at install time.
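The digest layers just described (MANIFEST.MF over the files, CERT.SF over MANIFEST.MF), as an added example that is not part of the original article or of signapk. It builds a constructed in-memory APK with three stand-in files, generates MANIFEST.MF and CERT.SF the way the text describes, then verifies all layers and reports what a naive repack breaks. The CERT.RSA layer (a PKCS#7 signature over CERT.SF) is not produced, so this is not a complete signer. Assumptions of this example: CRLF line endings, no 72-byte line wrapping, and per-entry CERT.SF digests taken over each manifest section exactly as written (from its `Name:` line through the blank line that ends it).

```python
"""Added example: build and verify the MANIFEST.MF / CERT.SF digest layers of an
Android v1 (JAR) signature over a constructed in-memory APK. Not signapk's code;
CERT.RSA is not produced. Assumes CRLF line endings and no 72-byte line wrapping."""
import base64
import hashlib
import io
import zipfile

SAMPLE_ENTRIES = {  # constructed stand-ins for the files of a real APK
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "res/layout/main.xml": b"<LinearLayout/>",
}


def b64_sha1(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def section(attrs) -> bytes:
    """One manifest section: 'Key: value' lines terminated by a blank line."""
    return b"".join(f"{k}: {v}\r\n".encode() for k, v in attrs) + b"\r\n"


def parse_sections(data: bytes):
    """Split MANIFEST.MF or CERT.SF into (main attrs, {Name: (attrs, raw section bytes)})."""
    main, named = {}, {}
    for i, part in enumerate(data.split(b"\r\n\r\n")):
        if not part:
            continue
        attrs = dict(line.split(": ", 1) for line in part.decode().split("\r\n"))
        if i == 0:
            main = attrs
        else:
            named[attrs["Name"]] = (attrs, part + b"\r\n\r\n")  # keep exact bytes for CERT.SF
    return main, named


def build_manifest(entries: dict) -> bytes:
    """Layer 1: MANIFEST.MF lists a SHA-1 digest for every content file."""
    main = section([("Manifest-Version", "1.0"), ("Created-By", "1.0 (example)")])
    return main + b"".join(
        section([("Name", n), ("SHA1-Digest", b64_sha1(d))]) for n, d in entries.items())


def build_sf(manifest: bytes) -> bytes:
    """Layer 2: CERT.SF digests the whole manifest and each manifest section."""
    _, named = parse_sections(manifest)
    main = section([("Signature-Version", "1.0"),
                    ("SHA1-Digest-Manifest", b64_sha1(manifest)),
                    ("Created-By", "1.0 (example)")])
    return main + b"".join(
        section([("Name", n), ("SHA1-Digest", b64_sha1(raw))]) for n, (_, raw) in named.items())


def build_apk(entries: dict) -> bytes:
    manifest = build_manifest(entries)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/CERT.SF", build_sf(manifest))
    return buf.getvalue()


def verify_v1_digests(apk: bytes) -> list:
    """Return the problems found; an empty list means every digest layer checks out."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        manifest = z.read("META-INF/MANIFEST.MF")
        _, mf_named = parse_sections(manifest)
        sf_main, sf_named = parse_sections(z.read("META-INF/CERT.SF"))
        for info in z.infolist():  # layer 1: every content file vs MANIFEST.MF
            name = info.filename
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            expected = mf_named.get(name, ({}, b""))[0].get("SHA1-Digest")
            if expected is None:
                problems.append(f"{name}: not listed in MANIFEST.MF")
            elif b64_sha1(z.read(name)) != expected:
                problems.append(f"{name}: digest mismatch")
        if sf_main.get("SHA1-Digest-Manifest") != b64_sha1(manifest):  # layer 2
            problems.append("MANIFEST.MF: whole-file digest mismatch in CERT.SF")
        for name, (attrs, _) in sf_named.items():  # layer 2: each section vs CERT.SF
            raw = mf_named.get(name, ({}, b""))[1]
            if b64_sha1(raw) != attrs.get("SHA1-Digest"):
                problems.append(f"{name}: manifest-section digest mismatch in CERT.SF")
    return problems


def replace_entry(apk: bytes, name: str, new_data: bytes, refresh_manifest: bool = False) -> bytes:
    """Repack with one file swapped, as a naive modder would. Optionally rebuild
    MANIFEST.MF too, but keep the old CERT.SF, which the next layer up still catches."""
    src = zipfile.ZipFile(io.BytesIO(apk))
    content = {i.filename: (new_data if i.filename == name else src.read(i.filename))
               for i in src.infolist() if not i.filename.startswith("META-INF/")}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for n, d in content.items():
            dst.writestr(n, d)
        manifest = build_manifest(content) if refresh_manifest else src.read("META-INF/MANIFEST.MF")
        dst.writestr("META-INF/MANIFEST.MF", manifest)
        dst.writestr("META-INF/CERT.SF", src.read("META-INF/CERT.SF"))
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_apk(SAMPLE_ENTRIES)
    print(verify_v1_digests(clean))
    print(verify_v1_digests(replace_entry(clean, "classes.dex", b"patched")))
    print(verify_v1_digests(replace_entry(clean, "classes.dex", b"patched", refresh_manifest=True)))
```

Swapping `classes.dex` alone is caught at layer 1; regenerating MANIFEST.MF to match is caught at layer 2, because CERT.SF still carries the old manifest digests. A real attacker would also have to regenerate CERT.SF and then CERT.RSA, and that last step needs the signer's private key, which is the whole point of the chain.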
5. Default debug.keystore
(1) The default debug.keystore has the following parameters:
Keystore name: "debug.keystore"
Keystore password: "android"
Key alias: "androiddebugkey"
Key password: "android"
CN: "CN=Android Debug, O=Android, C=US"
(2) Re-sign an APK with debug.keystore:
jarsigner -digestalg SHA1 -sigalg MD5withRSA -keystore debug.keystore -storepass android -keypass android xxx.apk androiddebugkey
JDK 1.7 and later need the explicit -digestalg SHA1 -sigalg MD5withRSA: the newer jarsigner default (SHA-256) is not verified by old Android releases. MD5withRSA is a weak choice; SHA1withRSA gives the same compatibility. The debug key is public and identical on every developer machine, so a debug-signed APK proves nothing about who built it and must never be shipped.
6. Viewing signature information
View a keystore entry: keytool -list -keystore xxx.keystore -alias xxx -v
Print the public-key certificate of a keystore entry in PEM form: keytool -list -keystore xxx.keystore -alias xxx -rfc
Verify an APK and show its signer certificates: jarsigner -verify -verbose -certs xxx.apk