从 Android 开始,我已经看到有必要对 apk 进行签名。但是考虑一下数字签名是什么以及它的作用(保证信息的真实性和完整性),我读过 Android 确实不会让您签署应用程序来验证真实性和集成,而是因为“Android 使用该签名来识别向系统或其他应用程序发出任何类型请求的应用程序”。
是这样吗?
我读到建议开发人员使用相同的签名对其应用程序进行签名数字签名的概念对于每个文档都是唯一的,那么开发人员的不同应用程序怎么可能具有相同的签名呢?
我想我是通过签署 apk 读到的,我和其他人都不能修改这个应用程序。是这样吗?这怎么样?
谢谢
Both are correct. Signatures are indeed used to detect that the app you're installing has not been modified, but they can also be used to restrict access from other apps on your device. Say a company builds 2 apps, and they want to share data between them. They can use a signature-protected permission to ensure that your data can only be accessed by that company's apps.
It's not the signature that's the same, but the private key used to generate that signature. The signature is unique for every build of your app, as you would expect. See https://developer.android.com/studio/publish/app-signing.html for more info.
It's not that you cannot modify the app; it's that Android will not allow you to upgrade an app from version A to version B if the signatures of A and B were generated from different keys. If someone tampers with the app, the signature will be invalidated so they have to resign it with their own key. You should never give your key to untrusted people, since that would allow them to modify and resign your apps without changing the key.
Of course, signatures don't protect you from malicious modified APKs unless you already have an authentic version of the app installed that Android can compare the new version with. This is why you should refrain from installing APK files from unknown sources.