I have the following implementation:
    // Fetch the certificate(s) this installed package was signed with and log their SHA-1 digests
    Signature[] sigs = getPackageManager().getPackageInfo(getPackageName(), PackageManager.GET_SIGNATURES).signatures;
    for (Signature sig : sigs)
    {
        Log.i(TAG, "Signature: " + SignatureUtil.getSHA1(sig.toByteArray()));
    }
and...
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    public class SignatureUtil
    {
        // Returns the SHA-1 digest of the given bytes as an uppercase hex string
        public static String getSHA1(byte[] sig)
        {
            MessageDigest digest;
            try
            {
                // Use the platform's default provider instead of naming "BC" explicitly
                digest = MessageDigest.getInstance("SHA-1");
            }
            catch (NoSuchAlgorithmException e)
            {
                // Fail loudly rather than return something that is not a digest
                throw new IllegalStateException("SHA-1 is not available", e);
            }
            digest.update(sig);
            byte[] hashtext = digest.digest();
            return bytesToHex(hashtext);
        }

        // Util method to convert a byte array to a hex string
        private static String bytesToHex(byte[] bytes)
        {
            final char[] hexArray = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'};
            char[] hexChars = new char[bytes.length * 2];
            int v;
            for (int j = 0; j < bytes.length; j++)
            {
                v = bytes[j] & 0xFF;                       // treat the byte as unsigned
                hexChars[j * 2] = hexArray[v >>> 4];       // high nibble
                hexChars[j * 2 + 1] = hexArray[v & 0x0F];  // low nibble
            }
            return new String(hexChars);
        }
    }
Currently I have one outcome of this method which could look like this fake example: 174AC857QTVSLK87ACQW3547KHOPP8787QASHI88
I read in this question that this value cannot be spoofed or read by anyone.
My questions: When I sign with my release key, do I get a different code, or do I get multiple codes? What happens if somebody hacks my app through byte manipulation or something else, using some piracy patcher app? Will this value change then? I guess not. In that case, can I somehow create some kind of 'checksum' of my app (which would surely change from build to build)? That is actually what I want to achieve.
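Added example, not part of the original post: it puts the two values the question distinguishes side by side, a digest of the signing certificate (tied to the key, not to the app's contents) and a digest of the installed APK file (tied to every byte of the package). The class name `IntegrityDigests` and its method names are hypothetical, and SHA-256 is used here in place of the post's SHA-1.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical helper class for illustration
public final class IntegrityDigests
{
    private IntegrityDigests() {}

    /** SHA-256 of the first signing certificate: identical for every build signed with the same key. */
    public static String signerDigest(Context ctx)
            throws PackageManager.NameNotFoundException, NoSuchAlgorithmException
    {
        PackageInfo info = ctx.getPackageManager()
                .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
        byte[] cert = info.signatures[0].toByteArray();
        return toHex(MessageDigest.getInstance("SHA-256").digest(cert));
    }

    /** SHA-256 over the installed base APK file: changes whenever any byte of the package changes. */
    public static String apkDigest(Context ctx) throws IOException, NoSuchAlgorithmException
    {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new FileInputStream(ctx.getPackageCodePath()))
        {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1)
            {
                md.update(buf, 0, n); // hash the file in chunks instead of loading it whole
            }
        }
        return toHex(md.digest());
    }

    private static String toHex(byte[] bytes)
    {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes)
        {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }
}
```

An APK cannot contain its own file digest, so the expected `apkDigest` value has to be recorded after the build and compared somewhere outside the package, for example on a server. A modified copy that is re-signed with a different key reports a different `signerDigest`.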