Question
I was trying to verify the signature of the latest Gmail app (version 8.11.25.224) with apksigner and it failed.
I used:
apksigner verify --verbose --print-certs <apk.file>
The result is:
DOES NOT VERIFY
ERROR: APK Signature Scheme v2 signer #1 Malformed additional attribute #1
I was searching for an explanation why this happened but I couldn't find any solution to this problem. I have experimented a little, and if you add --min-sdk-version 28 to the options of the apksigner command then the results are:
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): false
Number of signers: 1
Signer #1 certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: f0fd...
Signer #1 certificate SHA-1 digest: 3891...
Signer #1 certificate MD5 digest: cde9...
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: 2b06...
Signer #1 public key SHA-1 digest: b2da...
Signer #1 public key MD5 digest: a90c...
And if you use the jarsigner tool the results are:
WARNING:
This jar contains entries whose certificate chain is invalid.
Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signers certificate's expiration date (2036-01-08) or after any future revocation date.
Re-run with the -verbose and -certs options for more details. I uploaded my Gmail APK file.
Accepted answer
This happens if an APK is signed with the v3 signing scheme but the version of apksigner is outdated and does not support this scheme. Read the warning:
apksigner version
0.8
apksigner verify --verbose "Signal-website-universal-release-4.50.5.apk"
DOES NOT VERIFY
ERROR: APK Signature Scheme v2 signer #1: Malformed additional attribute #1
WARNING: APK Signature Scheme v2 signer #1: Unknown signature algorithm: 0x421
So, the signature algorithm is unknown to apksigner version 0.8. I wouldn't call it a bug (as Pierre does), but the error message could be clearer and it would be better if the old version were able to check at least the v2 signature. The most annoying point (mentioned by Freedo) is that Ubuntu still ships an old 0.8 apksigner package for all releases (packages.ubuntu.com), even the most recent Ubuntu 19.10 (eoan), and there is no PPA with a newer version. You need at least version 0.9, which is currently only part of the Android SDK build tools.
The easiest way for me was to install Android Studio and open it at least once to automatically download the latest Android SDK. The Ubuntu 19.10 App Center installed it as a snap and the SDK was then located in my home directory:
./Android/Sdk/build-tools/29.0.2/apksigner version
0.9
./Android/Sdk/build-tools/29.0.2/apksigner verify --verbose --print-certs "Signal-website-universal-release-4.50.5.apk"
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1
Signer #1 certificate DN: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Signer #1 certificate SHA-256 digest: 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26
Signer #1 certificate SHA-1 digest: 45989dc9ad8728c2aa9a82fa55503e34a8879374
Signer #1 certificate MD5 digest: d90db364e32fa3a7bda4c290fb65e310
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 1024
Signer #1 public key SHA-256 digest: 75336a3cc9edb64202cd77cd4caa6396a9b5fc3c78c58660313c7098ea248a55
Signer #1 public key SHA-1 digest: b46cbed18d6fbbe42045fdb93f5032c943d80266
Signer #1 public key MD5 digest: 0f9c33bbd45db0218c86ac378067538d
WARNING: META-INF/* not protected by signature.
There are a lot of warnings about files in the META-INF folder, because the folder is excluded from the signature and contains a lot of version files and the certs. That's also the reason why it is not sufficient to just read the cert from the APK, like some pages recommend.
See also "How to verify the SHA256 fingerprint of an APK".
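As an added example (not code from the question or the answer), the following Python script walks the APK Signing Block the way a verifier does before any cryptography happens: it locates the block in front of the ZIP Central Directory, lists which signing schemes (v2, v3) are present, and reads the signature algorithm ID of every signature each signer carries. Running it shows why a tool that only knows the v2-era algorithm table must reject an APK that carries algorithm 0x0421, the ID apksigner 0.8 reported as unknown above. The scheme block IDs and the v2 algorithm table are from the APK Signature Scheme v2/v3 documentation; the interpretation of 0x0421 as the Android 9 "verity" RSA/SHA-256 variant is my assumption, and the sample APK is constructed in memory with placeholder signature bytes, so it is structurally valid but not cryptographically signed.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}

# Signature algorithm IDs from the APK Signature Scheme v2 documentation.
# A v2-era verifier (apksigner 0.8 in the answer) knows only these.
LEGACY_KNOWN_ALGS = {
    0x0101: "RSASSA-PSS with SHA-256",
    0x0102: "RSASSA-PSS with SHA-512",
    0x0103: "RSASSA-PKCS1-v1_5 with SHA-256",
    0x0104: "RSASSA-PKCS1-v1_5 with SHA-512",
    0x0201: "ECDSA with SHA-256",
    0x0202: "ECDSA with SHA-512",
    0x0301: "DSA with SHA-256",
}
# 0x0421 is the ID apksigner 0.8 printed as unknown. Assumption (not stated on
# the page): it is the Android 9 verity-tree variant of RSASSA-PKCS1-v1_5/SHA-256.
VERITY_ALGS = {0x0421: "RSASSA-PKCS1-v1_5 with SHA-256 (verity tree digest)"}


def read_lp(buf, pos):
    """Read a uint32 length-prefixed field at pos; return (field, next_pos)."""
    n = struct.unpack_from("<I", buf, pos)[0]
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def find_signing_block(apk):
    """Return the ID-value pairs region of the APK Signing Block, or None.

    The block sits directly before the Central Directory and ends with a
    uint64 size followed by the 16-byte magic; the same size leads the block.
    """
    eocd = apk.rfind(b"PK\x05\x06")
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    if apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return None
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    start = cd_offset - size - 8
    if struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    return apk[start + 8:cd_offset - 24]


def parse_pairs(region):
    """Split the block into {id: value}; each pair is uint64 length, uint32 id, value."""
    pairs, pos = {}, 0
    while pos < len(region):
        length, ident = struct.unpack_from("<QI", region, pos)
        pairs[ident] = region[pos + 12:pos + 8 + length]
        pos += 8 + length
    return pairs


def signature_algorithms(block, v3):
    """Collect the algorithm ID of every signature of every signer in a v2/v3 block."""
    algs = []
    signers, _ = read_lp(block, 0)
    pos = 0
    while pos < len(signers):
        signer, pos = read_lp(signers, pos)
        _signed_data, p = read_lp(signer, 0)
        if v3:
            p += 8  # v3 inserts uint32 minSDK and maxSDK after the signed data
        signatures, p = read_lp(signer, p)
        q = 0
        while q < len(signatures):
            sig, q = read_lp(signatures, q)
            algs.append(struct.unpack_from("<I", sig, 0)[0])
    return algs


def inspect_apk(apk):
    """Map each scheme present ("v2", "v3") to the signature algorithm IDs it uses."""
    region = find_signing_block(apk)
    report = {}
    if region is None:
        return report
    for ident, value in parse_pairs(region).items():
        name = SCHEME_IDS.get(ident)
        if name:
            report[name] = signature_algorithms(value, v3=(name == "v3"))
    return report


def unknown_to(algs, known):
    """Algorithm IDs that a verifier knowing only `known` would refuse."""
    return [a for a in algs if a not in known]


def lp(data):
    return struct.pack("<I", len(data)) + data


def make_signer(alg_ids, v3):
    """Constructed signer: correct layout, placeholder (not valid) signature bytes."""
    signed_data = lp(b"constructed signed-data")
    sdk_range = struct.pack("<II", 28, 0x7FFFFFFF) if v3 else b""
    signatures = lp(b"".join(lp(struct.pack("<I", a) + lp(b"\x00" * 16)) for a in alg_ids))
    return lp(signed_data + sdk_range + signatures + lp(b"constructed public key"))


def build_signing_block(pairs):
    body = b"".join(struct.pack("<QI", len(v) + 4, i) + v for i, v in pairs)
    size = len(body) + 8 + 16  # size excludes the leading size field itself
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def make_plain_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()


def build_sample_apk():
    """Constructed APK: tiny ZIP with v2 and v3 blocks spliced in before the Central Directory."""
    data = make_plain_zip()
    eocd = data.rfind(b"PK\x05\x06")
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    v2 = lp(make_signer([0x0103, 0x0421], v3=False))
    v3 = lp(make_signer([0x0421], v3=True))
    block = build_signing_block([(0x7109871A, v2), (0xF05368C0, v3)])
    # Move the Central Directory offset in the EOCD past the inserted block.
    eocd_rec = data[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + data[eocd + 20:]
    return data[:cd_offset] + block + data[cd_offset:eocd] + eocd_rec


if __name__ == "__main__":
    for scheme, algs in inspect_apk(build_sample_apk()).items():
        print(scheme, [hex(a) for a in algs], "unknown to legacy:",
              [hex(a) for a in unknown_to(algs, LEGACY_KNOWN_ALGS)])
```

The point of reading the block rather than running a signer is that the algorithm ID is checked before any signature is computed: a verifier that does not recognize an ID cannot even decide which digest to compute, which is why the 0.8 tool stops with an error instead of degrading to a v2-only result.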