avast / apkverifier

APK Signature verification in Go. Supports scheme v1, v2 and v3 and passes Google apksig's testing suite.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

apkverifier

GoDoc Build Status

APK signature verification, should support all algorithms and both scheme v1 and v2, including downgrade attack protection.

Works with Go 1.17 or higher.

Documentation on GoDoc

go get github.com/avast/apkverifier

Vendored stuff

Because Android can handle even broken x509 cerficates and ZIP files, apkverifier is using the ZipReader from apkparser package and vendors crypto/x509 in internal/x509andr and github.com/fullsailor/pkcs7 in the fullsailor/pkcs7 folder. The last two have some changes to handle some not-entirely-according-to-spec certificates.

Example

package main

import (
	"fmt"
	"github.com/avast/apkverifier"
	"os"
)

func main() {
	res, err := apkverifier.Verify(os.Args[1], nil)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Verification failed: %s\n", err.Error())
	}

	fmt.Printf("Verification scheme used: v%d\n", res.SigningSchemeId)
	cert, _ := apkverifier.PickBestApkCert(res.SignerCerts)
	if cert == nil {
		fmt.Printf("No certificate found.\n")
	} else {
		fmt.Println(cert)
	}
}

About

APK Signature verification in Go. Supports scheme v1, v2 and v3 and passes Google apksig's testing suite.

License:GNU Lesser General Public License v3.0


Languages

Language:Go 100.0%Language:Shell 0.0%