Skip to content

APK Signature verification in Go. Supports scheme v1, v2 and v3 and passes Google apksig's testing suite.

License

Notifications You must be signed in to change notification settings

avast/apkverifier

Repository files navigation

apkverifier

GoDoc Build Status

APK signature verification, should support all algorithms and both scheme v1 and v2, including downgrade attack protection.

Works with Go 1.17 or higher.

Documentation on GoDoc

go get github.com/avast/apkverifier

Vendored stuff

Because Android can handle even broken x509 cerficates and ZIP files, apkverifier is using the ZipReader from apkparser package and vendors crypto/x509 in internal/x509andr and github.com/fullsailor/pkcs7 in the fullsailor/pkcs7 folder. The last two have some changes to handle some not-entirely-according-to-spec certificates.

Example

package main

import (
	"fmt"
	"github.com/avast/apkverifier"
	"os"
)

func main() {
	res, err := apkverifier.Verify(os.Args[1], nil)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Verification failed: %s\n", err.Error())
	}

	fmt.Printf("Verification scheme used: v%d\n", res.SigningSchemeId)
	cert, _ := apkverifier.PickBestApkCert(res.SignerCerts)
	if cert == nil {
		fmt.Printf("No certificate found.\n")
	} else {
		fmt.Println(cert)
	}
}

About

APK Signature verification in Go. Supports scheme v1, v2 and v3 and passes Google apksig's testing suite.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages