From 15ec420db443c6e6bfd895a10d421874305f2c30 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20Sch=C3=BCrmann?= <dominik@dominikschuermann.de>
Date: Wed, 13 Apr 2016 11:44:13 +0200
Subject: [PATCH] Check apk signature of privileged extension against F-Droid
 signature before installation

---
 .../installer/ApkSignatureVerifier.java       | 98 +++++++++++++++++++
 .../fdroid/fdroid/installer/Installer.java    |  9 ++
 2 files changed, 107 insertions(+)
 create mode 100644 app/src/main/java/org/fdroid/fdroid/installer/ApkSignatureVerifier.java

diff --git a/app/src/main/java/org/fdroid/fdroid/installer/ApkSignatureVerifier.java b/app/src/main/java/org/fdroid/fdroid/installer/ApkSignatureVerifier.java
new file mode 100644
index 000000000..c13049956
--- /dev/null
+++ b/app/src/main/java/org/fdroid/fdroid/installer/ApkSignatureVerifier.java
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2016 Dominik Schürmann <dominik@dominikschuermann.de>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 3
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301, USA.
+ */
+
+package org.fdroid.fdroid.installer;
+
+import android.annotation.SuppressLint;
+import android.content.Context;
+import android.content.pm.PackageInfo;
+import android.content.pm.PackageManager;
+import android.content.pm.Signature;
+import android.util.Log;
+
+import org.spongycastle.util.encoders.Hex;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.IOException;
+import java.util.Arrays;
+
+/**
+ * NOTE: Silly Android API naming: APK signatures are actually certificates!
+ * Thus, we are comparing certificates (including the public key) used to sign an APK,
+ * not the actual APK signature.
+ */
+public class ApkSignatureVerifier {
+
+    private static final String TAG = "ApkSignatureVerifier";
+
+    private final Context mContext;
+    private final PackageManager mPm;
+
+    ApkSignatureVerifier(Context context) {
+        mContext = context;
+        mPm = context.getPackageManager();
+    }
+
+    public boolean hasFDroidSignature(File apkFile) {
+        byte[] apkSig = getApkSignature(apkFile);
+        byte[] fdroidSig = getFDroidSignature();
+
+        if (Arrays.equals(apkSig, fdroidSig)) {
+            return true;
+        }
+
+        Log.d(TAG, "Signature mismatch!");
+        Log.d(TAG, "APK sig: " + Hex.toHexString(getApkSignature(apkFile)));
+        Log.d(TAG, "F-Droid sig: " + Hex.toHexString(getFDroidSignature()));
+        return false;
+    }
+
+    private byte[] getApkSignature(File apkFile) {
+        final String pkgPath = apkFile.getAbsolutePath();
+        PackageInfo pkgInfo = mPm.getPackageArchiveInfo(pkgPath, PackageManager.GET_SIGNATURES);
+        return signatureToBytes(pkgInfo.signatures);
+    }
+
+    private byte[] getFDroidSignature() {
+        try {
+            // we do check the byte array of *all* signatures
+            @SuppressLint("PackageManagerGetSignatures")
+            PackageInfo pkgInfo = mPm.getPackageInfo(mContext.getPackageName(),
+                    PackageManager.GET_SIGNATURES);
+            return signatureToBytes(pkgInfo.signatures);
+        } catch (PackageManager.NameNotFoundException e) {
+            throw new RuntimeException("Should not happen! F-Droid package not found!");
+        }
+    }
+
+    private byte[] signatureToBytes(Signature[] signatures) {
+        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+        for (Signature sig : signatures) {
+            try {
+                outputStream.write(sig.toByteArray());
+            } catch (IOException e) {
+                throw new RuntimeException("Should not happen! Concatenating signatures failed");
+            }
+        }
+
+        return outputStream.toByteArray();
+    }
+
+}
diff --git a/app/src/main/java/org/fdroid/fdroid/installer/Installer.java b/app/src/main/java/org/fdroid/fdroid/installer/Installer.java
index c12bf9667..5eeb5d997 100644
--- a/app/src/main/java/org/fdroid/fdroid/installer/Installer.java
+++ b/app/src/main/java/org/fdroid/fdroid/installer/Installer.java
@@ -25,6 +25,7 @@ import android.content.Intent;
 import android.content.pm.PackageManager;
 import android.util.Log;
 
+import org.fdroid.fdroid.BuildConfig;
 import org.fdroid.fdroid.Preferences;
 import org.fdroid.fdroid.Utils;
 import org.fdroid.fdroid.privileged.install.InstallExtensionDialogActivity;
@@ -145,6 +146,14 @@ public abstract class Installer {
 
         // special case: F-Droid Privileged Extension
         if (packageName != null && packageName.equals(PrivilegedInstaller.PRIVILEGED_EXTENSION_PACKAGE_NAME)) {
+
+            // extension must be signed with the same public key as main F-Droid
+            // NOTE: Disabled for debug builds to be able to use official extension from repo
+            ApkSignatureVerifier signatureVerifier = new ApkSignatureVerifier(mContext);
+            if (!BuildConfig.DEBUG && !signatureVerifier.hasFDroidSignature(apkFile)) {
+                throw new SecurityException("APK signature of extension not correct!");
+            }
+
             Activity activity;
             try {
                 activity = (Activity) mContext;