1

Hi everyone, I am trying to implement tamper protection in a Xamarin.Forms Android app and verify the app signature. Currently I am using this code:

    var context = Android.App.Application.Context;
    // First entry of the legacy Signatures array (deprecated since API 28)
    Signature sigs = context.PackageManager.GetPackageInfo(context.PackageName, PackageInfoFlags.Signatures).Signatures[0];

    DisplayAlert("sigs.ToString()", sigs.ToString(), "ok");   // android.content.pm.Signature@4f55acdf
    DisplayAlert("sigs.GetHashCode().ToString()", sigs.GetHashCode().ToString(), "ok");  // 1331014879

sigs.GetHashCode().ToString() returns 1331014879
sigs.ToString() returns android.content.pm.Signature@4f55acdf

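But I think I may be doing this wrong. Is this the correct way to verify an Android app's signature at runtime? If not, please give me code and guidance. Thanks.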

4

2 Answers

2

If you are on API 28 or higher, you should check for multiple signers as in this thread: How to use PackageInfo.GET_SIGNING_CERTIFICATES in API 28?

Here is the Xamarin.Android code.

    // Requires: using System.Security.Cryptography; using System.Text;
    //           using Android.Content.PM;
    public string Sig_Hash()
    {
        var Context = Android.App.Application.Context;

        foreach (Android.Content.PM.Signature signature in Context.PackageManager.GetPackageInfo(Context.PackageName, PackageInfoFlags.Signatures).Signatures)
        {
            using (SHA1Managed sha1 = new SHA1Managed())
            {
                // SHA-1 over the DER-encoded signing certificate, as upper-case hex
                var hash = sha1.ComputeHash(signature.ToByteArray());
                var sb = new StringBuilder(hash.Length * 2);
                foreach (byte b in hash)
                {
                    sb.Append(b.ToString("X2"));
                }
                // Returns the digest of the first signature only
                return sb.ToString();
            }
        }
        return "";
    }
answered 2020-10-17T10:36:37.310
0

Thanks @Leon Lu. A small update on this:

    // Requires: using System.Linq; using System.Security.Cryptography; using System.Text;
    //           using Android.Content.PM; using Android.OS;
    public string GetSha1()
    {
        var Context = Android.App.Application.Context;

        if (Build.VERSION.SdkInt >= BuildVersionCodes.P)
        {
            // API 28+: read the certificates from SigningInfo
            PackageInfo packageInfo = Context.PackageManager.GetPackageInfo(Context.PackageName, PackageInfoFlags.SigningCertificates);
            if (packageInfo == null || packageInfo.SigningInfo == null)
                return string.Empty;

            var signature = packageInfo.SigningInfo.GetSigningCertificateHistory().FirstOrDefault();
            if (signature != null)
            {
                return SignatureDigest(signature);
            }
        }
        else
        {
            // Before API 28: fall back to the legacy Signatures array
            PackageInfo packageInfo = Context.PackageManager.GetPackageInfo(Context.PackageName, PackageInfoFlags.Signatures);
            if (packageInfo == null || packageInfo.Signatures == null)
                return string.Empty;

            var signature = packageInfo.Signatures.FirstOrDefault();
            if (signature != null)
                return SignatureDigest(signature);
        }
        return string.Empty;
    }

    // SHA-1 of the DER-encoded certificate as upper-case hex
    // (named SignatureDigest to match the calls above)
    private static string SignatureDigest(Android.Content.PM.Signature signature)
    {
        using (SHA1Managed sha1 = new SHA1Managed())
        {
            var hash = sha1.ComputeHash(signature.ToByteArray());
            var sb = new StringBuilder(hash.Length * 2);
            foreach (byte b in hash)
            {
                sb.Append(b.ToString("X2"));
            }
            return sb.ToString();
        }
    }

In my case the app is signed by Google Play, so I don't need multiple signatures.

But if you need to check multiple signers:

    if (packageInfo.SigningInfo.HasMultipleSigners)
    {
        foreach (Signature signature in packageInfo.SigningInfo.GetApkContentsSigners())
        {
            // Do stuff
            SignatureDigest(signature);
        }
    }
answered 2022-01-04T09:53:48.313
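
The answers above compute a certificate digest but stop short of the comparison that makes it a check. The following is an added example, not code from either answer: it pins a SHA-256 digest (swapped in for the SHA-1 used above) and compares it on both API paths. The class name `SignatureCheck`, the method names and the `<EXPECTED_SHA256_HEX>` placeholder are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using Android.Content.PM;
using Android.OS;

// Hypothetical helper class; the name and the pinned value are assumptions.
public static class SignatureCheck
{
    // Placeholder: upper-case hex SHA-256 of your release signing certificate (DER bytes).
    static readonly HashSet<string> Pinned = new HashSet<string> { "<EXPECTED_SHA256_HEX>" };

    static string Sha256Hex(Signature sig)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(sig.ToByteArray())).Replace("-", "");
    }

    public static bool IsSignedWithPinnedCert()
    {
        var ctx = Android.App.Application.Context;
        var pm = ctx.PackageManager;

        if (Build.VERSION.SdkInt >= BuildVersionCodes.P)
        {
            var info = pm.GetPackageInfo(ctx.PackageName, PackageInfoFlags.SigningCertificates)?.SigningInfo;
            if (info == null) return false;

            if (info.HasMultipleSigners)
            {
                // Multiple signers: the set of signer digests must equal the pinned set.
                var digests = info.GetApkContentsSigners().Select(Sha256Hex);
                return Pinned.SetEquals(digests);
            }
            // Single signer: the history also holds rotated certificates; accept a match on any entry.
            return info.GetSigningCertificateHistory().Any(s => Pinned.Contains(Sha256Hex(s)));
        }

        // Before API 28 only the legacy Signatures array is available.
        var legacy = pm.GetPackageInfo(ctx.PackageName, PackageInfoFlags.Signatures)?.Signatures;
        return legacy != null && legacy.Count > 0 && legacy.All(s => Pinned.Contains(Sha256Hex(s)));
    }
}
```

The value to pin is the SHA-256 fingerprint that `keytool -list -v` prints for the signing certificate, with the colons removed; with Play App Signing, take it from the app signing key certificate shown in the Play Console rather than from the upload key.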