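#!/bin/sh
# apkdoublecheck.sh Verify an apk signature with a certificate extracted
# from a trusted apk
# By default the trusted apk must have a valid v1 and v2 signature
# while for the target app it is sufficient to have a valid v1 signature
#
# Usage: apkdoublecheck.sh <trusted_apk> <untrusted_apk>
# Environment:
#   ANDROID_HOME  SDK root; used to locate apksigner unless APKSIGNER is set
#   APKSIGNER     optional path to the apksigner binary (defaults to the
#                 build-tools 25.0.2 copy under ANDROID_HOME)
# Exit status: 0 when every signer certificate digest of the untrusted apk
# matches the trusted apk, 1 on any failure or mismatch.
#
# The apksigner reports are written to a private temporary directory
# (never next to the apks) and removed on every exit path, so nothing in
# the caller's working directory is ever glob-deleted.

# Print a diagnostic on stderr and exit with failure.
fail() {
  echo "$@" >&2
  exit 1
}

# Both apks are required; with only one argument the old "$# -eq 0" check
# let an empty $2 reach apksigner.
if [ $# -ne 2 ]; then
  echo "Usage: apkdoublecheck.sh <trusted_apk> <untrusted_apk>" >&2
  exit 1
fi
trusted=$1
untrusted=$2

# The build-tools version is a default, not a hard requirement; the caller
# may point APKSIGNER at another copy.  ANDROID_HOME is only needed when
# that default is used.
APKSIGNER=${APKSIGNER:-${ANDROID_HOME:?ANDROID_HOME must be set}/build-tools/25.0.2/apksigner}
[ -x "$APKSIGNER" ] || fail "apksigner not found or not executable: $APKSIGNER"

# Scratch space for the verification reports, cleaned up on exit.
workdir=$(mktemp -d) || fail "cannot create temporary directory"
trap 'rm -rf -- "${workdir:?}"' EXIT

# verified_with REPORT LINE
# Succeed when the apksigner report contains LINE verbatim (fixed-string
# match: the parentheses in the scheme names are literal).
verified_with() {
  grep -qF -- "$2" "$1"
}

# signer_digests REPORT DEST
# Write the certificate digest of every "Signer #N certificate <ALG> digest:"
# line of REPORT, one per line and in report order, to DEST.
signer_digests() {
  sed -n 's/^Signer #[0-9]* certificate [A-Z0-9-]* digest: *//p' "$1" > "$2"
}

trusted_out=$workdir/trusted.output.txt
trusted_sigs=$workdir/trusted.signatures.txt
untrusted_out=$workdir/untrusted.output.txt
untrusted_sigs=$workdir/untrusted.signatures.txt

# Verify first trusted apk signature.  apksigner's own status is checked so
# that a missing tool or an apk that does not verify at all is reported as
# such instead of as a "v1 signature" problem.
"$APKSIGNER" verify --print-certs -v "$trusted" > "$trusted_out" \
  || fail "Trusted apk does not verify!"
verified_with "$trusted_out" "Verified using v1 scheme (JAR signing): true" \
  || fail "Trusted apk has invalid v1 signature!"
verified_with "$trusted_out" "Verified using v2 scheme (APK Signature Scheme v2): true" \
  || fail "Trusted apk has invalid v2 signature!"

# Extract public key signature from trusted apk.  An empty digest list must
# not be accepted: two empty lists would otherwise compare equal below.
signer_digests "$trusted_out" "$trusted_sigs"
[ -s "$trusted_sigs" ] || fail "No signer certificate digest found in trusted apk!"

# Verify untrusted apk with public key
"$APKSIGNER" verify --print-certs -v "$untrusted" > "$untrusted_out" \
  || fail "Untrusted apk does not verify!"
verified_with "$untrusted_out" "Verified using v1 scheme (JAR signing): true" \
  || fail "Untrusted apk has invalid v1 signature!"
# Documented policy: a missing v2 signature on the untrusted apk is reported
# but is not fatal.
verified_with "$untrusted_out" "Verified using v2 scheme (APK Signature Scheme v2): true" \
  || echo "Untrusted apk has invalid v2 signature!" >&2

# Verify certificates match (cmp -s is the POSIX spelling of --silent).
signer_digests "$untrusted_out" "$untrusted_sigs"
cmp -s "$trusted_sigs" "$untrusted_sigs" || fail "Signatures does not match!"
echo "Signature match! This apk can be trusted."
exit 0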