Verifying application signatures
In the previous recipes, we walked through how applications are signed and how to generate keys securely to sign them. This recipe will provide details on how application signatures are verified. Being able to do this "by hand" is pretty important because it not only gives you insight into how verification actually works, but also serves as a gateway to deeper introspection of cryptographic application security.
Getting ready
To be able to perform this recipe, you will need the following:
- The JDK
- A sample signed application to verify
That's about all that you need for this one. Let's get going!
How to do it...
To verify application signatures, you will need to perform the following steps:
- The Java JDK has a tool called jarsigner that will be able to handle all of the hard labor; all you need to do is execute the following command:
jarsigner -verify -verbose [path-to-your-apk]
- All you need to do now is look for the jar verified string...