签名以保护JAR免受逆向工程
[英]Signing for protecting the JAR from reverse-engineering
问题描述
I'm thinking how to protect the JAR from reverse-engineering. 
我正在考虑如何保护JAR免受逆向工程。
(Question 1): (问题1):
If JAR is signed by signature, is the signature able to protect the JAR? 如果JAR是通过签名签名的,那么签名是否可以保护JAR? If not, then what is the purpose of signing? 如果不是,那么签名的目的是什么?
(Question 2): (问题2):
Android APK can be signed by platform signature, and It is impossible for extracting the platform signature from the APK itself. 可以通过平台签名对Android APK进行签名,并且无法从APK本身提取平台签名。
From this point of view, I think signature can be used to protect something. 从这个角度来看,我认为签名可以用来保护某些东西。 But why can we decompile any APK even it is protected by platform signature? 但是,为什么即使它受平台签名保护,我们也可以反编译它呢?
3 个解决方案
解决方案1
3 已采纳 2019-05-24 18:54:48
Think about your own signature, that you write with a pen. 考虑一下自己用笔写的签名。 Does signing a piece of paper make the contents of the paper somehow impossible to read? 签署一张纸会使纸上的内容以某种方式无法阅读吗?
No: it simply gives somebody reading the paper an indication that it was written by you (or you agree with its contents, or whatever). 否:它只是给阅读本文的人一个表明它是由您撰写的指示(或您同意其内容,或其他)。
And so it is with signing a jar: all it does is gives people an indication that you (or people you have authorized to use the signature) produced it, in order that nobody else can change the jar contents and present it as "authentic". 签名罐子也是如此:所做的所有工作都会向人们表明您(或您有权使用签名的人)产生了该罐子,以便其他人无法更改罐子内容并将其显示为“真实” 。
Signatures will not help you to stop reverse engineering. 签名不会帮助您停止逆向工程。
解决方案2
2 2019-05-24 19:14:14
If JAR is signed by signature, is the signature able to protect the JAR?
If you sign a contract, does that prevent any of the involved parties from breaking the contract?! 如果您签订合同,是否可以防止任何相关方违反合同? Nope, it doe not. 不,不是。 The signature is simply something that (theoretically) legally identifies you. 签名只是(理论上)可以合法识别您身份的东西。
And that is the whole point of signing software: to tell users of the software: "this is my delivery, you can trust it, because I signed it (and nobody else can have changed it)". 这就是签署软件的全部要点:告诉软件用户:“这是我的交付,您可以信任它,因为我已经签署了它(其他人都不能更改它)”。
Signatures do nothing to protect your content from reverse engineering. 签名并不能保护您的内容不受逆向工程的影响。 They are solely useful for users of your content, as they can be "sure", that they are really using your content, and not something that a third party faked and only claims to be your delivery. 它们仅对您的内容用户有用,因为可以“确定”他们确实在使用您的内容,而不是第三方伪造的东西,仅声称是您的交付内容。
The only kind of protection is to look into obfuscating your JAR file content. 唯一的保护措施是查看对JAR文件内容的混淆 。 There are tools for that (especially on Android). 有用于该目的的工具(尤其是在Android上)。 Nonetheless obfuscation for Java isn't exactly perfect. 但是,对Java的混淆并不完全完美。 See here for example. 例如参见这里 。
解决方案3
2 2019-05-24 19:26:59
If JAR is signed by signature, is the signature able to protect the JAR?
As the others have pointed out, it prevents others from distributing their own copies of your code under your name/brand. 正如其他人指出的那样,它可以防止其他人以您的名字/品牌分发自己的代码副本。 For example, suppose you write a calculator and post a signed bytecode on github, then I can't write my own bytecode and claim (without getting caught that its a false one, unless I find the key with which it was signed, which itself is very very ... very unlikely) that it is a copy of your calculator. 例如,假设您编写了一个计算器并在github上发布了一个已签名的字节码,那么我将无法编写自己的字节码并声明(除非被发现它是一个错误的字节码,除非我找到了对其进行签名的密钥,该密钥本身非常非常...非常不可能),它是您的计算器的副本。
But why can we decompile any APK even it is protected by platform signature?
Because, it does not prevent us from decompilation. 因为,这不会阻止我们进行反编译。 We can get the source code from such APKs but, we cannot like put our own arbitrary code in its place and makes others believe it is same as yours. 我们可以从这样的APK中获取源代码,但是,我们不能喜欢将自己的任意代码放在自己的位置,而让其他人相信它与您的相同。
Put in plain terms, a signature is a proof of source and authenticity of a code, nothing more. 简而言之,签名是代码来源和真实性的证明,仅此而已。
Edit: 编辑:
Why can't we extract the original signature from the APK?
Because the signature is a hash, generated using a cryptographic hash function and a key that only you hold (called private key) and a public key, which is freely available. 因为签名是哈希,所以使用加密哈希函数和只有您持有的密钥(称为私钥)和公用密钥(可以免费获得)生成。 Since that private key is with you and assuming that you used a powerful cryptographic hash function, it will take a lot of time for a person trying to impersonate that key to find that key by directly trying all the hashes possible, which is usually the only possible way unless you have a clever work-around to find the key. 由于该私钥与您同在,并假设您使用了强大的加密哈希函数,因此试图模拟该私钥的人通过直接尝试所有可能的散列来找到该私钥将花费大量时间,通常这是唯一的除非您有一个聪明的解决方法来找到密钥,否则可能的方法。 The public key is openly available and is used for verification of the authenticity of the signature. 公钥是公开可用的,用于验证签名的真实性。
Can we use this mechanism for protecting our JAR?
Depends on what you are trying to protect. 取决于您要保护的内容。 If it is impersonation by somebody else, then yes, for sometime, as long as they do not stumble upon the key by some way. 如果是其他人的模仿,则可以,只要他们不以某种方式偶然发现钥匙,就可以。 As seems for obvious, it is no good against reverse engineering 显而易见,逆向工程是不利的
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.