我有这段代码(从这里复制:https ://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app )为我的 Android 应用程序添加篡改保护。
是否可以向 Play 商店提交具有多个签名的应用程序?
我是否还应该验证该方法packageInfo.signatures只返回一个签名?或者一个apk可以有多个签名并且所有签名都有效?
private static final int VALID = 0;
private static final int INVALID = 1;
public static int checkAppSignature(Context context) {
try {
PackageInfo packageInfo = context.getPackageManager().getPackageInfo(context.getPackageName(), PackageManager.GET\_SIGNATURES);
for (Signature signature : packageInfo.signatures) {
byte[] signatureBytes = signature.toByteArray();
MessageDigest md = MessageDigest.getInstance("SHA");
md.update(signature.toByteArray());
final String currentSignature = Base64.encodeToString(md.digest(), Base64.DEFAULT);
//compare signatures
if (SIGNATURE.equals(currentSignature)){
return VALID;
};
}
} catch (Exception e) {
//assumes an issue in checking signature., but we let the caller decide on what to do.
}
return INVALID;
}