需求:僅允許安裝特定簽名apk拷肌,其它簽名apk禁止安裝。
一旨巷、移植下面代碼
shenhb@dqrd01:~/code/rk3288$ git show 814c25ddd422f8f44a3de9451ef25e296a298ea0
commit 814c25ddd422f8f44a3de9451ef25e296a298ea0
Author: shenhb <shenhb@topband.com.cn>
Date: Thu Feb 20 11:31:19 2020 +0800
僅允許安裝指定簽名apk巨缘,通過(guò)屬性ro.signature配置簽名sha1值
diff --git a/frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java b/frameworks/base
index b7171ba..414a064 100755
--- a/frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -355,6 +355,7 @@ import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.zip.GZIPInputStream;
+import java.util.Locale;
/**
* Keep track of all those APKs everywhere.
@@ -18605,6 +18606,37 @@ public class PackageManagerService extends IPackageManager.Stub
Trace.traceEnd(TRACE_TAG_PACKAGE_MANAGER);
}
+ // Add by shenhb@topband.com.cn, for only allow the specified signature apk.
+ private static String getFingerprint(Signature signature, String hashAlgorithm) {
+ if (signature == null) {
+ return null;
+ }
+ try {
+ MessageDigest digest = MessageDigest.getInstance(hashAlgorithm);
+ return toHexadecimalString(digest.digest(signature.toByteArray()));
+ } catch (NoSuchAlgorithmException e) {
+ // ignore
+ }
+ return null;
+ }
+
+ private static String toHexadecimalString(byte[] value) {
+ StringBuffer sb = new StringBuffer();
+ int len = value.length;
+ for (int i = 0; i < len; i++) {
+ int num = ((int) value[i]) & 0xff;
+ if (num < 0x10) {
+ sb.append('0');
+ }
+ sb.append(Integer.toHexString(num));
+ if (i < len - 1) {
+ sb.append(':');
+ }
+ }
+ return sb.toString().toUpperCase(Locale.US);
+ }
+ // Add end
+
private void installPackageTracedLI(InstallArgs args, PackageInstalledInfo res) {
try {
Trace.traceBegin(TRACE_TAG_PACKAGE_MANAGER, "installPackage");
@@ -18771,6 +18803,20 @@ public class PackageManagerService extends IPackageManager.Stub
return;
}
+ // Add by shenhb@topband.com.cn, for only allow the specified signature apk.
+ String customSignature = SystemProperties.get("ro.signature", "");
+ if (!TextUtils.isEmpty(customSignature)) {
+ final Signature[] signatures = pkg.mSignatures;
+ Slog.d(TAG, "installPackageLI, Signature fingerprint "
+ + getFingerprint(signatures[0], "SHA-1"));
+ if (!getFingerprint(signatures[0], "SHA-1").equals(customSignature)) {
+ res.setError(PackageManager.INSTALL_FAILED_VERIFICATION_FAILURE,
+ "Signature verification failed");
+ return;
+ }
+ }
+ // Add end
+
// Get rid of all references to package scan path via parser.
pp = null;
String oldCodePath = null;
二、屬性配置簽名sha1
考慮到方案的通用性采呐,因此通過(guò)屬性來(lái)配置簽名若锁。屬性不配置的情況下,走Android默認(rèn)邏輯斧吐,允許安裝所有apk又固。屬性配置后,只允許跟此簽名匹配的apk安裝煤率。
2.1 獲取簽名sha1
- 解壓apk文件仰冠,提到META-INF/CERT.RSA(既簽名文件公鑰)。
- 執(zhí)行下面命令得到公鑰sha1值蝶糯。
F:\download
λ keytool -printcert -file CERT.RSA
所有者: CN=xxx, OU=xxx, O=xxx, L=xxx, ST=xxx, C=china
發(fā)布者: CN=xxx, OU=xxx, O=xxx, L=xxx, ST=xxx, C=china
序列號(hào): xxxxxxx
有效期開(kāi)始日期: Sun Feb 11 14:38:48 CST 2018, 截止日期: Thu Feb 05 14:38:48 CST 2043
證書(shū)指紋:
MD5: 13:8A:22:DC:6E:6C:BA:27:42:8D:9F:C5:0D:D2:4E:14
SHA1: 31:4E:FC:8C:68:FA:7E:F4:14:E7:27:C3:A9:C4:9C:F1:AB:1C:64:C2
SHA256: 63:E0:0A:FF:45:7C:03:97:F5:27:64:C5:D4:DA:BD:8A:2E:63:40:E7:31:A3:C8:3D:FB:03:00:2A:9F:BE:71:EF
簽名算法名稱: SHA256withRSA
版本: 3
擴(kuò)展:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C9 41 D4 8D F0 58 FF E2 EE EF 7E 5E 3B 9D DA 44 .A...X.....^;..D
0010: 40 E5 DF FC @...
]
]
2.2 配置屬性
ro.signature=31:4E:FC:8C:68:FA:7E:F4:14:E7:27:C3:A9:C4:9C:F1:AB:1C:64:C2
三洋只、驗(yàn)證
驗(yàn)證結(jié)果如下,非指定簽名的apk安裝失敗裳涛,提示“Signature verification failed”木张,指定簽名的apk安裝成功。
λ adb install 001.apk
adb: failed to install 001.apk: Failure [INSTALL_FAILED_VERIFICATION_FAILURE: Signature verification failed]
λ adb install 002.apk
Success
