Merge branch 'check-privileged-certificate' into 'master'

Verify apk signature of privileged extension before installation This implements a check that the signature of the extension apk is the same as the signature of F-Droid before installing the extension apk. Related issue: https://gitlab.com/fdroid/fdroidclient/issues/437 See merge request !256
2016-04-13 11:50:54 +00:00 · 2016-04-13 11:50:54 +00:00 · d98d59a8d3
commit d98d59a8d3
parent f8ef7cda39 15ec420db4
2 changed files with 107 additions and 0 deletions
--- a/app/src/main/java/org/fdroid/fdroid/installer/ApkSignatureVerifier.java
+++ b/app/src/main/java/org/fdroid/fdroid/installer/ApkSignatureVerifier.java
@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2016 Dominik Schürmann <dominik@dominikschuermann.de>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 3
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301, USA.
+ */
+
+package org.fdroid.fdroid.installer;
+
+import android.annotation.SuppressLint;
+import android.content.Context;
+import android.content.pm.PackageInfo;
+import android.content.pm.PackageManager;
+import android.content.pm.Signature;
+import android.util.Log;
+
+import org.spongycastle.util.encoders.Hex;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.IOException;
+import java.util.Arrays;
+
+/**
+ * NOTE: Silly Android API naming: APK signatures are actually certificates!
+ * Thus, we are comparing certificates (including the public key) used to sign an APK,
+ * not the actual APK signature.
+ */
+public class ApkSignatureVerifier {
+
+    private static final String TAG = "ApkSignatureVerifier";
+
+    private final Context mContext;
+    private final PackageManager mPm;
+
+    ApkSignatureVerifier(Context context) {
+        mContext = context;
+        mPm = context.getPackageManager();
+    }
+
+    public boolean hasFDroidSignature(File apkFile) {
+        byte[] apkSig = getApkSignature(apkFile);
+        byte[] fdroidSig = getFDroidSignature();
+
+        if (Arrays.equals(apkSig, fdroidSig)) {
+            return true;
+        }
+
+        Log.d(TAG, "Signature mismatch!");
+        Log.d(TAG, "APK sig: " + Hex.toHexString(getApkSignature(apkFile)));
+        Log.d(TAG, "F-Droid sig: " + Hex.toHexString(getFDroidSignature()));
+        return false;
+    }
+
+    private byte[] getApkSignature(File apkFile) {
+        final String pkgPath = apkFile.getAbsolutePath();
+        PackageInfo pkgInfo = mPm.getPackageArchiveInfo(pkgPath, PackageManager.GET_SIGNATURES);
+        return signatureToBytes(pkgInfo.signatures);
+    }
+
+    private byte[] getFDroidSignature() {
+        try {
+            // we do check the byte array of *all* signatures
+            @SuppressLint("PackageManagerGetSignatures")
+            PackageInfo pkgInfo = mPm.getPackageInfo(mContext.getPackageName(),
+                    PackageManager.GET_SIGNATURES);
+            return signatureToBytes(pkgInfo.signatures);
+        } catch (PackageManager.NameNotFoundException e) {
+            throw new RuntimeException("Should not happen! F-Droid package not found!");
+        }
+    }
+
+    private byte[] signatureToBytes(Signature[] signatures) {
+        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+        for (Signature sig : signatures) {
+            try {
+                outputStream.write(sig.toByteArray());
+            } catch (IOException e) {
+                throw new RuntimeException("Should not happen! Concatenating signatures failed");
+            }
+        }
+
+        return outputStream.toByteArray();
+    }
+
+}
--- a/app/src/main/java/org/fdroid/fdroid/installer/Installer.java
+++ b/app/src/main/java/org/fdroid/fdroid/installer/Installer.java
@ -25,6 +25,7 @@ import android.content.Intent;
 import android.content.pm.PackageManager;
 import android.util.Log;

+import org.fdroid.fdroid.BuildConfig;
 import org.fdroid.fdroid.Preferences;
 import org.fdroid.fdroid.Utils;
 import org.fdroid.fdroid.privileged.install.InstallExtensionDialogActivity;
@ -145,6 +146,14 @@ public abstract class Installer {

        // special case: F-Droid Privileged Extension
        if (packageName != null && packageName.equals(PrivilegedInstaller.PRIVILEGED_EXTENSION_PACKAGE_NAME)) {
+
+            // extension must be signed with the same public key as main F-Droid
+            // NOTE: Disabled for debug builds to be able to use official extension from repo
+            ApkSignatureVerifier signatureVerifier = new ApkSignatureVerifier(mContext);
+            if (!BuildConfig.DEBUG && !signatureVerifier.hasFDroidSignature(apkFile)) {
+                throw new SecurityException("APK signature of extension not correct!");
+            }
+
            Activity activity;
            try {
                activity = (Activity) mContext;