Android签名机制之---签名验证过程详解

分享一下我老师大神的人工智能教程！零基础，通俗易懂！http://blog.csdn.net/jiangjunshow

也欢迎大家转载本篇文章。分享知识，造福人民，实现我们中华民族伟大复兴！

               

一、前言

今天是元旦，也是Single Dog的嚎叫之日，只能写博客来祛除寂寞了，今天我们继续来看一下Android中的签名机制的姊妹篇：Android中是如何验证一个Apk的签名。在前一篇文章中我们介绍了，Android中是如何对程序进行签名的，不了解的同学可以转战：

http://blog.csdn.net/jiangwei0910410003/article/details/50402000

当然在了解我们今天说到的知识点，这篇文章也是需要了解的，不然会有些知识点有些困惑的。

二、知识摘要

在我们没有开始这篇文章之前，我们回顾一下之前说到的签名机制流程：

1、对Apk中的每个文件做一次算法(数据摘要+Base64编码)，保存到MANIFEST.MF文件中

2、对MANIFEST.MF整个文件做一次算法(数据摘要+Base64编码)，存放到CERT.SF文件的头属性中，在对MANIFEST.MF文件中各个属性块做一次算法(数据摘要+Base64编码)，存到到一个属性块中。

3、对CERT.SF文件做签名，内容存档到CERT.RSA中

所以通过上面的流程可以知道，我们今天来验证签名流程也是这三个步骤

三、代码分析

我们既然要了解Android中的应用程序的签名验证过程的话，那么我们肯定需要从一个类来开始看起，那就是PackageManagerService.java，因为这个类是Apk在安装的过程中核心类：frameworks\base\services\core\java\com\android\server\pm\PackageManagerService.java

private void installPackageLI(InstallArgs args, PackageInstalledInfo res) {    ……    PackageParser pp = new PackageParser();    ……    try {        pp.collectCertificates(pkg, parseFlags);        pp.collectManifestDigest(pkg);    } catch (PackageParserException e) {        res.setError("Failed collect during installPackageLI", e);        return;    }    ……

我们可以看到，有一个核心类：PackageParser

frameworks\base\core\java\android\content\pm\PackageParser.java

这个类也是见名知意，就是需要解析Apk包，那么就会涉及到签名信息了，下面我们就从这个类开始入手：

import static android.content.pm.PackageManager.INSTALL_PARSE_FAILED_BAD_MANIFEST;import static android.content.pm.PackageManager.INSTALL_PARSE_FAILED_BAD_PACKAGE_NAME;import static android.content.pm.PackageManager.INSTALL_PARSE_FAILED_CERTIFICATE_ENCODING;import static android.content.pm.PackageManager.INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES;import static android.content.pm.PackageManager.INSTALL_PARSE_FAILED_MANIFEST_MALFORMED;import static android.content.pm.PackageManager.INSTALL_PARSE_FAILED_NOT_APK;import static android.content.pm.PackageManager.INSTALL_PARSE_FAILED_NO_CERTIFICATES;import static android.content.pm.PackageManager.INSTALL_PARSE_FAILED_UNEXPECTED_EXCEPTION;

我们看到了几个我们很熟悉的信息：

import static android.content.pm.PackageManager.INSTALL_PARSE_FAILED_NO_CERTIFICATES;

这个是在安装apk包的时候出现的错误，没有证书：

那么我们就先来查找一下这个字段：

private static void collectCertificates(Package pkg, File apkFile, int flags)  throws PackageParserException { final String apkPath = apkFile.getAbsolutePath(); StrictJarFile jarFile = null; try {  jarFile = new StrictJarFile(apkPath);  // Always verify manifest, regardless of source  final ZipEntry manifestEntry = jarFile.findEntry(ANDROID_MANIFEST_FILENAME);  if (manifestEntry == null) {   throw new PackageParserException(INSTALL_PARSE_FAILED_BAD_MANIFEST,     "Package " + apkPath + " has no manifest");  }  final List<ZipEntry> toVerify = new ArrayList<>();  toVerify.add(manifestEntry);  // If we're parsing an untrusted package, verify all contents  if ((flags & PARSE_IS_SYSTEM) == 0) {   final Iterator<ZipEntry> i = jarFile.iterator();   while (i.hasNext()) {    final ZipEntry entry = i.next();    if (entry.isDirectory()) continue;    if (entry.getName().startsWith("META-INF/")) continue;    if (entry.getName().equals(ANDROID_MANIFEST_FILENAME)) continue;    toVerify.add(entry);   }  }  // Verify that entries are signed consistently with the first entry  // we encountered. Note that for splits, certificates may have  // already been populated during an earlier parse of a base APK.  for (ZipEntry entry : toVerify) {   final Certificate[][] entryCerts = loadCertificates(jarFile, entry);   if (ArrayUtils.isEmpty(entryCerts)) {    throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES,      "Package " + apkPath + " has no certificates at entry "        + entry.getName());   }   final Signature[] entrySignatures = convertToSignatures(entryCerts);   if (pkg.mCertificates == null) {    pkg.mCertificates = entryCerts;    pkg.mSignatures = entrySignatures;    pkg.mSigningKeys = new ArraySet<PublicKey>();    for (int i=0; i < entryCerts.length; i++) {     pkg.mSigningKeys.add(entryCerts[i][0].getPublicKey());    }   } else {    if (!Signature.areExactMatch(pkg.mSignatures, entrySignatures)) {     throw new PackageParserException(       INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES, "Package " + apkPath       + " has mismatched certificates at entry "       + entry.getName());    }   }  } } catch (GeneralSecurityException e) {  throw new PackageParserException(INSTALL_PARSE_FAILED_CERTIFICATE_ENCODING,    "Failed to collect certificates from " + apkPath, e); } catch (IOException | RuntimeException e) {  throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES,    "Failed to collect certificates from " + apkPath, e); } finally {  closeQuietly(jarFile); }}

这里看到了，当有异常的时候就会提示这个信息，我们在跟进去看看：

// Verify that entries are signed consistently with the first entry// we encountered. Note that for splits, certificates may have// already been populated during an earlier parse of a base APK.for (ZipEntry entry : toVerify) { final Certificate[][] entryCerts = loadCertificates(jarFile, entry); if (ArrayUtils.isEmpty(entryCerts)) {  throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES,    "Package " + apkPath + " has no certificates at entry "      + entry.getName()); } final Signature[] entrySignatures = convertToSignatures(entryCerts); if (pkg.mCertificates == null) {  pkg.mCertificates = entryCerts;  pkg.mSignatures = entrySignatures;  pkg.mSigningKeys = new ArraySet<PublicKey>();  for (int i=0; i < entryCerts.length; i++) {   pkg.mSigningKeys.add(entryCerts[i][0].getPublicKey());  } } else {  if (!Signature.areExactMatch(pkg.mSignatures, entrySignatures)) {   throw new PackageParserException(     INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES, "Package " + apkPath     + " has mismatched certificates at entry "     + entry.getName());  } }}

这里有一个重要的方法：loadCertificates

private static Certificate[][] loadCertificates(StrictJarFile jarFile, ZipEntry entry)