I have been struggling to verify my own application signature for some time but couldn't make it. I have following code
public static X509Certificate createCert (byte [] bytes) {
X509Certificate certret = null;
CertificateFactory cf = null;
try {
cf = CertificateFactory.getInstance("X.509");
InputStream certStream = new ByteArrayInputStream(bytes);
certret = (X509Certificate) cf.generateCertificate(certStream);
} catch (CertificateException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return certret;
}
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
android.content.pm.Signature[] sigs;
try {
sigs = this.getPackageManager().getPackageInfo(this.getPackageName(),PackageManager.GET_SIGNATURES).signatures;
for (android.content.pm.Signature sig : sigs)
{
Log.i("App", "Signature String : " + sig.toString());
Log.i("App", "Signature : " + sig.hashCode());
X509Certificate cert = createCert(sig.toByteArray());
java.security.Signature signat;
try {
signat = java.security.Signature.getInstance("SHA1withRSA");
signat.initVerify(cert.getPublicKey());
boolean ret;
ret = signat.verify(sig.toByteArray());
Log.e(TAG, "verify result = " + ret);
} catch (NoSuchAlgorithmException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (SignatureException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (InvalidKeyException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
} catch (NameNotFoundException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
I refer some of the stackoverflow tricks e.g. android verify signature of file with .der public key How to get APK signing signature?
But my verify always returns false.
I don't want to use openssl in my application. How can I verify my own application certificate by programmatic way.
