ApkSignatureVerifier.java

/*
 * Copyright (C) 2016 Dominik Schürmann <dominik@dominikschuermann.de>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 3
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 * MA 02110-1301, USA.
 */

package org.fdroid.fdroid.installer;

import android.annotation.SuppressLint;
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;

import org.fdroid.fdroid.Utils;
import org.spongycastle.util.encoders.Hex;

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.util.Arrays;

/**
 * NOTE: Silly Android API naming: APK signatures are actually certificates!
 * Thus, we are comparing certificates (including the public key) used to sign an APK,
 * not the actual APK signature.
 */
class ApkSignatureVerifier {

    private static final String TAG = "ApkSignatureVerifier";

    private final Context context;
    private final PackageManager pm;

    ApkSignatureVerifier(Context context) {
        this.context = context;
        pm = context.getPackageManager();
    }

    public boolean hasFDroidSignature(File apkFile) {
        byte[] apkSig = getApkSignature(apkFile);
        byte[] fdroidSig = getFDroidSignature();

        if (Arrays.equals(apkSig, fdroidSig)) {
            return true;
        }

        Utils.debugLog(TAG, "Signature mismatch!");
        Utils.debugLog(TAG, "APK sig: " + Hex.toHexString(getApkSignature(apkFile)));
        Utils.debugLog(TAG, "F-Droid sig: " + Hex.toHexString(getFDroidSignature()));
        return false;
    }

    private byte[] getApkSignature(File apkFile) {
        final String pkgPath = apkFile.getAbsolutePath();
        PackageInfo pkgInfo = pm.getPackageArchiveInfo(pkgPath, PackageManager.GET_SIGNATURES);
        return signatureToBytes(pkgInfo.signatures);
    }

    private byte[] getFDroidSignature() {
        try {
            // we do check the byte array of *all* signatures
            @SuppressLint("PackageManagerGetSignatures")
            PackageInfo pkgInfo = pm.getPackageInfo(context.getPackageName(),
                    PackageManager.GET_SIGNATURES);
            return signatureToBytes(pkgInfo.signatures);
        } catch (PackageManager.NameNotFoundException e) {
            throw new RuntimeException("Should not happen! F-Droid package not found!");
        }
    }

    private byte[] signatureToBytes(Signature[] signatures) {
        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
        for (Signature sig : signatures) {
            try {
                outputStream.write(sig.toByteArray());
            } catch (IOException e) {
                throw new RuntimeException("Should not happen! Concatenating signatures failed");
            }
        }

        return outputStream.toByteArray();
    }

}