APK signing/validation in pure python

[reox]

It would be nice to be able to validate signatures of APKs using pure python code.

We would need to create the MANIFEST.MF file and check against the signature.

Then we could return all items that are not signed but in the APK or all items that are signed but create a wrong signature (e.g. wrong hash).

[subho007]

Ref: #332 (comment)

[eighthave]

F-Droid would also love this feature, we're tracking it here: https://gitlab.com/fdroid/fdroidserver/issues/94

These two libraries also look promising:

• https://pypi.python.org/pypi/javatools
• https://pypi.python.org/pypi/javalang

[eighthave]

Also https://penguindreams.org/blog/signature-verification-between-java-and-python/

[reox]

@shuxin maybe we can integrate your https://github.com/shuxin/apk-signature-verify into androguard?

[eighthave]

what would be the advantage of integrating it over having it a standalone project? It would be nice to have a more standardized API across all the androguard bits, so that might be one reason to do it.

[reox]

Yes sure, i meant integrating by the means of using it as a module!

[shuxin]

Yeah, If you like it, I'll port it to python3, and rewrite it with api friendly.

• support rsa(md5/sha1/sha256/sha512)/dsa(sha1/shasha256/sha512)/ecdsa(sha256/sha512),
• without build,
• without openssl/cryptography/M2Crypto,
• without any binary like so/pyd/dll/dylib,

[eighthave]

That would be amazing! fdroid would use it. In case you haven't seen it already, there is a nice collection of APKs for testing signature verification. Its part of the source repo for apksigner:

https://android.googlesource.com/platform/tools/apksig/+/refs/heads/master/src/test/resources/com/android/apksig

[shuxin]

Thanks for the testing information. try my new version. https://github.com/shuxin/apk-signature-verify