Android中的签名机制
??? echo "Create a test certificate key."
??? echo "Usage: $0 NAME"
??? echo "Will generate NAME.pk8 and NAME.x509.pem"
??? echo "? /C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com"
??? return
fi
?
openssl genrsa -3 -out $1.pem 2048
?
openssl req -new -x509 -key $1.pem -out $1.x509.pem -days 10000 /
??? -subj '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
?
openssl pkcs8 -in $1.pem -topk8 -outform DER -out $1.pk8 -nocrypt
签名
Android提供了为jar/zip文件签名的程序signapk.jar 。
它的用法如下:
Usage: signapk publickey.x509[.pem] privatekey.pk8 input.jar output.jar
第一个参数是公钥,即前面第二步产生的testkey.x509.pem。
第二个参数是私钥,即前面第三步产生的testkey.pk8。
第三个参数是要签名的文件。
第四个参数是输出的文件(即签名后的文件)。
如:java -jar signapk.jar testkey.x509.pem testkey.pk8 update.zip update-signed.zip
现在我们来看看签名到底做了些什么:
o 先为输入的jar/zip文件中的所有文件生成SHA1数字签名(除了CERT.RSA,CERT.SF和MANIFEST.MF)
??????? for (JarEntry entry: byName.values()) {
??????????? String name = entry.getName();
??????????? if (!entry.isDirectory() && !name.equals(JarFile.MANIFEST_NAME) &&
??????????????? !name.equals(CERT_SF_NAME) && !name.equals(CERT_RSA_NAME) &&
??????????????? (stripPattern == null ||
???????????????? !stripPattern.matcher(name).matches())) {
??????????????? InputStream data = jar.getInputStream(entry);
??????????????? while ((num = data.read(buffer)) > 0) {
??????????????????? md.update(buffer, 0, num);
??????????????? }
?
??????????????? Attributes attr = null;
??????????????? if (input != null) attr = input.getAttributes(name);
??????????????? attr = attr != null ? new Attributes(attr) : new Attributes();
??????????????? attr.putValue("SHA1-Digest", base64.encode(md.digest()));
??????????????? output.getEntries().put(name, attr);
??????????? }
??????? }
并把数字签名信息写入MANIFEST.MF
??????????? je = new JarEntry(JarFile.MANIFEST_NAME);
??????????? je.setTime(timestamp);
??????????? outputJar.putNextEntry(je);
??????????? manifest.write(outputJar);
o 对manifest签名并写入CERT.SF
??????????? // CERT.SF
??????????? Signature signature = Signature.getInstance("SHA1withRSA");
??????????? signature.initSign(privateKey);
??????????? je = new JarEntry(CERT_SF_NAME);
??????????? je.setTime(timestamp);
??????????? outputJar.putNextEntry(je);
??????????? writeSignatureFile(manifest,
??????????????????? new SignatureOutputStream(outputJar, signature));
o 把对输出文件的签名和公钥写入CERT.RSA。
??????????? // CERT.RSA
??????????? je = new JarEntry(CERT_RSA_NAME);
??????????? je.setTime(timestamp);
??????????? outputJar.putNextEntry(je);
??????????? writeSignatureBlock(signature, publicKey, outputJar);
签名的作用
签名的主要目的为了检测文件是否被别人修改了。但它并不能禁止别人修改,因为你完全重新生成签名,但是你生成的签名和原来是不一样的。
