13

I get the message Couldn't use the admin app due to a checksum error. Contact your IT department when using the code below. Basically you have two Android Lollipop devices. One device is unprovisioned (Factory reset) and the other has this programming app on it. The programming app sends an NFC command to the unprovisioned device to tell it to start provisioning using the data you pass to it. There are three fields required (APK Location, APK file checksum, and package name) as per DevicePolicyManager.MIME_TYPE_PROVISIONING_NFC.

The APK is getting downloaded. I'm checking my server logs and it's clearly coming from the device (AndroidDownloadManager is in the user agent).

According to DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM it is a SHA-1 checksum of the file. The checksum is not matching. I've tried many different formats of this checksum (hex, hex with spaces, uppercase/lowercase, base64, text) and I guess it's possible I missed a test.

Unfortunately, the Android Lollipop source is not yet available otherwise I would be checking there.

How do I fix this? Any thoughts?

public class ProvisionerActivity extends Activity implements CreateNdefMessageCallback {

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        NfcAdapter mNfcAdapter = NfcAdapter.getDefaultAdapter(this);
        mNfcAdapter.setNdefPushMessageCallback(this, this);
    }

    @Override
    public NdefMessage createNdefMessage(NfcEvent event) {
        try {
            Properties p = new Properties();
            p.setProperty(DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME, "com.example.deviceownertest");
            p.setProperty(DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION, "http://example.com/DeviceOwnerTest.apk");
            p.setProperty(DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM, "19138948d8a607617971af724ffd08dd7eab771b");

            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            OutputStream out = new ObjectOutputStream(bos);
            p.store(out, "");
            byte[] bytes = bos.toByteArray();

            NdefMessage msg = new NdefMessage(NdefRecord.createMime(DevicePolicyManager.MIME_TYPE_PROVISIONING_NFC, bytes));
            return msg;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}

Note: This is using the latest Android L Developer Preview. I guess it is entirely possible that this feature isn't finished yet. Update: Actual release acts this way too.

APK: https://storage.googleapis.com/randy/DeviceOwnerCheck.apk
Checksum: FRaAsqdPSjp9nC5hKIU/ElPv+e4
Result: Using this URL and this checksum gives an error and doesn't even get to the encrypt device screen.

I also posted two applications to GitHub. One sends the NFC data to provision. The other is just an app to check if the app is device admin or device owner. Hopefully someone finds this useful. You'll need to modify the URL and the checksum if you want to build DeviceOwnerCheck yourself.

Randy
  • 4,351
  • 2
  • 25
  • 46
  • Did you get it to work with these 2 Github apps? I'm stuck with the same error message and I have tried different download urls, and both a release and debug version. My checksum looks okay, no trailing whitespace, no special characters. Could you tell me what you changed to get it working please? – Inneke De Clippel Dec 08 '14 at 08:54
  • @InnekeDeClippel I am able to get any APK to work correctly now. See @Rob's answer. His solution turns the checksum into a URL safe string. It replaces `+` with `-` and `/` with `_` and completely removes the padding (`=`). Also note @DeeV's comment saying if the URL is bad or the download just simply fails you'll get the same error message so check your apache or IIS logs. Good luck! – Randy Dec 08 '14 at 13:56
  • Thank you very much. After a lot of trial and error I made it work. Seems like I was using the wrong checksum. – Inneke De Clippel Dec 09 '14 at 13:23
  • 1
    @Inneke Could you let me know exact command to create checksum, because i am using same command as suggested by Rob but did not get success yet. – sunil jain Jan 23 '15 at 06:57
  • 3
    @suniljain The command I use (mind, this is on Windows) is: type "C:\Users\Inneke\Documents\Projects\KioskTest\app\app-debug.apk" | "C:\Program Files (x86)\GnuWin32\bin\openssl" dgst -binary -sha1 | "C:\Program Files (x86)\GnuWin32\bin\openssl" base64. This outputs something like this: ABC9AbcABcabcaB0ABC+ABca1bc=. I remove the '=' and replace '+' by '-', '/' by '_'. So what I use in the app is: p.setProperty(DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM, "ABC9AbcABcabcaB0ABC-ABca1bc"); Note that you had to write the path to your .apk file, not to the keystore. – Inneke De Clippel Jan 23 '15 at 07:47
  • Thanks @InnekeDeClippel, it's worked now, actually i was doing mistake with APK url. – sunil jain Jan 23 '15 at 14:48

3 Answers3

18

The hash code must be url safe. This converts and removes trailing padding

$ cat Something.apk | openssl dgst -binary -sha1 | openssl base64 | tr '+/' '-_' | tr -d '='
Rob
  • 256
  • 1
  • 3
  • It should also be noted that the same error will occur if the URL is bad or if the download just simply fails. – DeeV Nov 18 '14 at 04:16
  • Hi Rob i have same problem checksum error while install Device Owner app using NFC and i have tries above command to create Checksum but it still giving same problem, please let me where i am doing wrong below is my command : cat /home/user/Downloads/adt-bundle-linux-x86_64-20140702/sdk/platform-tools/DevicePolicyDemo_2.1.apk | openssl dgst -binary -sha1 | openssl base64 | tr '+/' '-_' | tr -d '=' – sunil jain Jan 22 '15 at 07:46
  • I am facing the same problem I have used this command "C:\Program Files\Java\jdk-11.0.1\bin>keytool -printcert -jarfile "C:\\Projects\\MyEG\MyLogistics\app\build\outputs\apk\dev\debug\TestDPC_5001.apk" | "C:\Program Files\Git\usr\bin\openssl.exe" dgst -binary -sha1 | "C:\Program Files\Git\usr\bin\openssl.exe" base64 | tr '+/' '-_' | tr -d '='" and it give me error "tr" is not an external or internal command. so where i can find tr command – Mudassir Khan Feb 22 '19 at 02:53
  • And when i used this command C:\Program Files\Java\jdk-11.0.1\bin>keytool -printcert -jarfile "C:\\Projects\\MyEG\MyLogistics\app\build\outputs\apk\dev\debug\TestDPC_5001.apk" | "C:\Program Files\Git\usr\bin\openssl.exe" dgst -binary -sha1 | "C:\Program Files\Git\usr\bin\openssl.exe" base64 Rk7aTikXRwU2KrAsqvCABbaLX+g= without tr command so it give different value than in the sample given. so what is missing here – Mudassir Khan Feb 22 '19 at 02:56
6

It appears that it doesn't like the special characters in the checksum. I was able to get it to work with my apk file, but the checksum didn't have any special characters. When I tried using your apk file I got the same error. Try recreating the apk until it doesn't have special characters, and then it should work.

I'm guessing there is some sort of escaping of special characters that is missing.

Rob
  • 256
  • 1
  • 3
  • I had the same problem as you originally had, until I implemented Yuichi's soution. – Rob Oct 24 '14 at 19:20
  • It's the special characters! I just recompiled several times until it created an APK who's checksum didn't include any special characters. How odd. But, I'm curious what is the right way to make any APK work. – Randy Oct 24 '14 at 19:32
  • Yes it odd, I'm guessing there is some way to properly escape the special characters. – Rob Oct 24 '14 at 20:21
2

Here is the command to get the hash code.

$ cat Something.apk | openssl dgst -binary -sha1 | openssl base64

Also, remove any trailing paddings (=).

Yuichi Araki
  • 3,438
  • 1
  • 19
  • 24
  • 2
    Unfortunately, this gives me the same result as before. Checksum doesn't match. – Randy Oct 24 '14 at 13:09
  • I updated my question with a link to the APK I am using. Also added a github link to the two apps I'm using (one to push the NFC data, the other is the actual app). – Randy Oct 24 '14 at 14:59