Tags: android, kotlin, mdm, android-app-signing, device-owner

Get signed certificate of downloaded APK programmatically in android


I'm working on an Android application with device owner permission. The application listens to a websocket where app updates are pushed from the server. These updates are downloaded and stored in a device location, and then installed. Before installation, the application performs an integrity check of the APK to ensure it is valid. The integrity check involves verifying the signed certificate of that downloaded application.

To retrieve the signed certificate of the APK using the PackageManager, I use the following code:

// getPackageArchiveInfo() is @Nullable, so the result must be treated as PackageInfo?
val apkInfo = context.packageManager.getPackageArchiveInfo(
    uri.path,                                 // downloaded APK location
    PackageManager.GET_SIGNING_CERTIFICATES
)
val apkCertificates = apkInfo?.signingInfo    // SigningInfo? (API 28+)

print(apkCertificates) // output: null

However, the apkCertificates value is null. I have verified the APK's signed certificate using the apksigner command, and it appears to be correct.

I have also tried using keytool to retrieve the certificate, but it returns a "Not a signed jar file" error.

Can someone help me understand why apkCertificates is null, and how I can retrieve the signed certificate of the downloaded APK?


Solution

  • Solved. I need to use the GET_SIGNATURES flag for getting the certificates instead of GET_SIGNING_CERTIFICATES. But this is specific to the OS version I am working on.
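An added example, not code from the question or the answer above, of the version-dependent lookup the answer points at together with the integrity gate the asker describes: try GET_SIGNING_CERTIFICATES on API 28+, fall back to GET_SIGNATURES when that field comes back null or the OS is older, then compare the SHA-256 of each signer certificate against a pinned set before installing. The function names, the pinned digest set and the app-private file location are assumptions for illustration.

```kotlin
import android.content.Context
import android.content.pm.PackageInfo
import android.content.pm.PackageManager
import android.content.pm.Signature
import android.os.Build
import java.io.File
import java.security.MessageDigest

/**
 * Reads the signer certificates of an APK file on disk.
 * GET_SIGNING_CERTIFICATES (API 28+) is tried first; GET_SIGNATURES is the
 * fallback for older releases, or when signingInfo is null as in the question.
 */
@Suppress("DEPRECATION")
fun apkSigners(context: Context, apkFile: File): List<Signature> {
    val pm = context.packageManager
    val path = apkFile.absolutePath

    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        val info: PackageInfo? = pm.getPackageArchiveInfo(path, PackageManager.GET_SIGNING_CERTIFICATES)
        val signingInfo = info?.signingInfo
        if (signingInfo != null) {
            // apkContentsSigners are the certificates that sign this APK's contents;
            // signingCertificateHistory would also list certificates rotated away.
            return signingInfo.apkContentsSigners.toList()
        }
    }
    val legacy: PackageInfo? = pm.getPackageArchiveInfo(path, PackageManager.GET_SIGNATURES)
    return legacy?.signatures?.toList() ?: emptyList()
}

/** SHA-256 of the DER-encoded certificate as lower-case hex (the form apksigner prints). */
fun certSha256Hex(sig: Signature): String =
    MessageDigest.getInstance("SHA-256").digest(sig.toByteArray())
        .joinToString("") { "%02x".format(it) }

/**
 * Integrity gate before installation: the APK must be signed by exactly the
 * pinned signer set, otherwise it is rejected. Pinning certificate digests
 * (rather than trusting the package name) means a repackaged APK with the
 * right name but a different key fails the check.
 */
fun isUpdateTrusted(context: Context, apkFile: File, pinnedSha256: Set<String>): Boolean {
    val signers = apkSigners(context, apkFile)
    if (signers.isEmpty()) return false   // unsigned, unparseable, or flag unsupported: refuse
    val observed = signers.map(::certSha256Hex).toSet()
    return observed == pinnedSha256
}

// Usage sketch (assumed values): the pinned digest is whatever
// `apksigner verify --print-certs` reports for the release key.
fun installIfTrusted(context: Context) {
    // Keep the download in app-private storage so no other app can swap the
    // file between this check and the install that follows it.
    val apk = File(context.filesDir, "update.apk")
    val pinned = setOf("<sha256-of-release-certificate-placeholder>")
    if (isUpdateTrusted(context, apk, pinned)) {
        // hand the file to the install path (PackageInstaller session, etc.)
    }
}
```

When `hasMultipleSigners()` is true, `apkContentsSigners` returns every signer, so the pinned set must list all of them; a partial match is treated as untrusted on purpose.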