Reputation: 771
I am writing a Python application to analyze APK files. To check the signature of the APK, I run the following command:
jarsigner -verify <path to apk>
via subprocess. For performance reasons, I want to use openssl instead of jarsigner.
Is there a way to do this like:
openssl verify <path to apk>
?
Upvotes: 1
Views: 1368
Reputation: 5752
To fully verify an APK's signature and integrity, for each signer:
1. Check that the signature block file META-INF/<signer>.[RSA|EC|DSA] is a valid PKCS #7 CMS signature of the corresponding META-INF/<signer>.SF file. This can be achieved using:
   $ openssl cms -verify -content META-INF/CERT.SF -in META-INF/CERT.RSA -inform DER -noverify
2. Check that the digest of META-INF/MANIFEST.MF is the same as specified in the META-INF/<signer>.SF <digest alg>-Digest-Manifest attribute (base64-encoded). Python/shell trickery and/or OpenSSL's "openssl dgst -binary -sha1 META-INF/MANIFEST.MF | base64" could help here.
3. For each file listed in META-INF/MANIFEST.MF, check that the digest of that file matches the digest listed in META-INF/MANIFEST.MF. Again, Python/shell/OpenSSL trickery...
4. Check that there are no files in the APK which aren't listed in MANIFEST.MF (except for signing-related files from META-INF).
If you only need to extract each signer's cert, and don't care whether the APK has been tampered with after signing, you can limit yourself to step 1.
Upvotes: 4
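One way to script steps 2 to 4 of the answer above in Python, as an added example that is not code from the question or the answer: it parses MANIFEST.MF and the .SF file, recomputes the digests with hashlib instead of the openssl dgst pipeline, and reports every mismatch or unlisted file. The function names, the constructed sample "APK" produced by build_sample_apk and the choice of hashlib are assumptions; step 1, the CMS check of the .RSA block over the .SF file, is left to the openssl cms command shown in the answer.

```python
import base64
import hashlib
import io
import re
import zipfile

SIGNING_RE = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|EC|DSA))$", re.I)  # step 4 exception
def parse_manifest(data):
    """JAR-style manifest (MANIFEST.MF or .SF) -> {None: main attrs, "<Name>": that entry's attrs}."""
    text = data.decode("utf-8").replace("\r\n", "\n").replace("\n ", "")  # unwrap 72-byte lines
    sections = {}
    for block in text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.split("\n") if ": " in line)
        if attrs:
            sections[attrs.get("Name")] = attrs
    return sections
def digest_b64(alg, data):
    """Manifest algorithm spelling ('SHA1', 'SHA-256') -> base64 digest as manifests store it."""
    return base64.b64encode(hashlib.new(alg.replace("-", "").lower(), data).digest()).decode()
def verify_apk_v1(apk_bytes, signer="CERT"):
    """Steps 2-4 of the answer for one signer; returns the problems found (empty list = OK)."""
    zf, problems = zipfile.ZipFile(io.BytesIO(apk_bytes)), []
    mf_raw = zf.read("META-INF/MANIFEST.MF")
    mf_entries, sf_main = parse_manifest(mf_raw), parse_manifest(zf.read("META-INF/%s.SF" % signer))[None]
    # Step 2: each <alg>-Digest-Manifest attribute in the .SF must match MANIFEST.MF as a whole.
    for key, value in sf_main.items():
        if key.endswith("-Digest-Manifest") and digest_b64(key[:-16], mf_raw) != value:
            problems.append("MANIFEST.MF digest mismatch (%s)" % key)
    # Steps 3 and 4: every non-signing file must be listed in MANIFEST.MF, and its digest must match.
    for name in (i.filename for i in zf.infolist() if not i.is_dir() and not SIGNING_RE.match(i.filename)):
        if name not in mf_entries:
            problems.append("not listed in MANIFEST.MF: " + name)
            continue
        for key, value in mf_entries[name].items():
            if key.endswith("-Digest") and digest_b64(key[:-7], zf.read(name)) != value:
                problems.append("digest mismatch: " + name)
    return problems

def build_sample_apk(tamper=False):
    payload = b"<constructed classes.dex bytes>"  # constructed sample input, not a real APK
    mf = b"Manifest-Version: 1.0\n\nName: classes.dex\nSHA-256-Digest: " + digest_b64("SHA-256", payload).encode() + b"\n\n"
    sf = b"Signature-Version: 1.0\nSHA-256-Digest-Manifest: " + digest_b64("SHA-256", mf).encode() + b"\n\n"
    files = {"META-INF/MANIFEST.MF": mf, "META-INF/CERT.SF": sf, "classes.dex": payload}
    if tamper:  # simulate a post-signing modification and an unlisted addition
        files.update({"classes.dex": payload + b"!", "assets/extra.bin": b"unlisted"})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Real .SF files may also carry per-entry digests and a -Digest-Manifest-Main-Attributes line, which this check ignores, and a v1 (JAR) check alone says nothing about APK Signature Scheme v2/v3 data in the zip.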