13 Star 88 Fork 85

OpenHarmony / security_appverify

Create your Gitee Account
Explore and code with more than 8 million developers,Free private repositories !:)
Sign up
Clone or Download
Cancel
Notice: Creating folder will generate an empty file .keep, because not support in Git
Loading...
README.md

appverify

Introduction

To ensure the integrity and trustworthiness of the applications to be installed in OpenHarmony, the applications must be signed and their signatures must be verified.

  • In application development: After developing an application, you need to sign its installation package to ensure that the installation package is not tampered with when it is released on devices. To sign the application package, you can use the signature tools and the public key certificates and follow the signing certificate generation specifications provided by the application integrity verification module. For your convenience, a public key certificate and a corresponding private key are preset in OpenHarmony. You need to replace the public key certificate and private key in your commercial version of OpenHarmony.

  • In application installation: The Application Framework subsystem of OpenHarmony installs applications. Upon receiving an application installation package, the Application Framework subsystem parses the signature of the installation package, and verifies the signature using the application integrity verification APIs. The application can be installed only after the verification succeeds. During the verification, the application integrity verification module uses the preset public key certificate to verify the signature.

Architecture

Figure 1 Application integrity verification architecture

  • APIs between subsystems: APIs provided by the application integrity verification module for other modules

  • Integrity verification: ensures the integrity of application bundles and prevents tampering through signature verification.

  • Application source identification: identifies the application source by matching the signature certificate chain with the trusted source list.

Directory Structure

/base/security/appverify
├── interfaces/innerkits/appverify         # Application integrity verification module
│       ├── config                         # Application signature root certificates and configuration files for the trusted source list
│       ├── include                        # Header files
│       ├── src                            # Source code
│       ├── test                           # Automated test cases
├── test/resource                          # Test resources

Constraints

The certificates used for application integrity verification are specific to OpenHarmony. The corresponding public key certificates and private keys are preset in the open-source code repositories of OpenHarmony to provide offline signing and verification capabilities for the open-source community. The public key certificates and the corresponding private keys need to be replaced in commercial versions that are based on OpenHarmony.

Usage

The application integrity verification module provides an inter-subsystem API, which is called by the Bundle Manager Service (BMS) during application installation.

Available APIs

API

Description

int HapVerify(const std::string& filePath, HapVerifyResult& hapVerifyResult)

Verifies application integrity and identifies the application source.

Usage Guidelines

The HapVerify() API provided by the application integrity verification module is an inter-subsystem API. This API can be called with the HAP file path passed to verify the integrity of an application, and the verification result can be obtained from the return value. The signature of the application can be obtained from the input parameter hapVerifyResult.

Security::Verify::HapVerifyResult verifyResult;
int32_t res = Security::Verify::HapVerify(hapPath, verifyResult);
if (res != Security::Verify::HapVerifyResultCode::VERIFY_SUCCESS) {
    // processing error
}

Repositories Involved

Security subsystem

hmf/security/appverify

Repository Comments ( 0 )

Sign in to post a comment

About

Signature verification for HAP packages | 提供对HAP包签名的验签能力 expand collapse
C++ and 2 more languages
Apache-2.0
Cancel

Releases (1)

All

OpenHarmony

Contributors

All

Activities

Load More
can not load any more
1
https://git.oschina.net/openharmony/security_appverify.git
git@git.oschina.net:openharmony/security_appverify.git
openharmony
security_appverify
security_appverify
master

Search

103111 552b83b3 1850385 103110 ed87a847 1850385