Feeling Like You Understand Application Signing (理解した気になるApplication Signing)
Matsuda Jumpei
January 19, 2024
Material presented at Shibuya.apk#46 on 2024/01/19.
https://shibuya-apk.connpass.com/event/305120/
Transcript
Slide 1: Title
Shibuya.apk, Jumpei Matsuda (@red_fat_daruma)
Application Signing, understood vaguely, somehow, nicely and fluffily, just enough to feel like you get it

Slide 2: What is Application Signing on Android?
- Signing an APK file, and also the signature data itself
- Through signature verification, the integrity of the APK file is guaranteed
- Integrity: in Japanese, 完全性 (completeness) or 整合性 (consistency)
- Roughly speaking, it tells you "the file has not been tampered with since the point at which it was signed"
- The same signature can be used with different package names, and those packages can be installed side by side

Slide 3: Common misconceptions
- ❌ If the signature is valid, the app file is safe
- ❌ The identity of the person or organization that signed it is guaranteed
- ❌ Right now (at verification time), the key behind the signature is still valid at the developer
- and so on

Slide 4: 🤯
Slide 5: What do we gain when integrity is guaranteed?
- It gives a presumptive assurance for dangerous or privileged operations
- For example, app install and update: most of those operations are privileged
- A package name carries no more trust than a namespace, so a name match alone is not sufficient
- ⇒ Something more trustworthy is needed
- To get the same result without integrity, you would need manual steps such as identifying the individual operator and explicitly granting privileges

Slide 6: What do we gain when integrity is guaranteed?
- Real examples of trust built on integrity:
  - Two different APK files carry the same signature ⇒ trust that the owner is the same
  - A file with the same package name and the same signature ⇒ presumed to be an update by the owner
  - Two different apps with the same owner ⇒ permissions granted automatically, etc.
- Improvements keep being layered on, both in the strength of that assurance and in the amount of information carried
- Several signature schemes (Signature Scheme) exist today

Slide 7: APK Signature Schemes
- The specification and representation format of the signature data
- Current specifications: v1, v2, v3, v4, v3.1 (in chronological order)
- v2, v3 and v3.1 share the same design philosophy, so they are collectively called "v2+"
- Each scheme specifies its own verification procedure
- However, the verification mechanism lives in the OS implementation, so behaviour depends on the runtime environment
- CTS exists, so this does not matter for most people
- Behaviour changes and bugs mean it can differ slightly from one OS version to another

Slide 8: Overview of APK Signature Scheme verification
- Verification starts from the highest scheme that the device recognizes and walks downward
- "If the newer scheme's signature is invalid, verify the older one instead" is NOT what happens
- https://source.android.com/docs/security/features/apksigning/v4
Slide 9: APK Signature Scheme v1
- An extension for APKs based on Jar signing
- ≒ a signature over the file as a ZIP
- Deprecated today because of security issues (e.g. CVE-…)
- It does not strictly prevent tampering (e.g. the files under META-INF)
- Verification requires uncompressing, so risk and cost are high
- Even today it is still needed when running on devices whose API level is too old to recognize v2
- Strongly recommend setting MinSDK to the v2-capable API level or above

Slide 10: Common to APK Signature Scheme v2 and above
- The foundation of the current state, and a completely different approach from v1
- The APK is treated as a binary rather than as a ZIP, so the whole file can be protected
- Can coexist in combination with each other scheme, v1 included (with some additional requirements)
- Each scheme adds a signing block carrying its own defined ID to the signing-block region shown on the slide
- An OS that does not know a block ID cannot recognize that block (but does not treat it as invalid)
- https://source.android.com/docs/security/features/apksigning/v2

Slide 11: APK Signature Scheme v2
- The first scheme that can detect tampering over the entire file
- Introduced in API 24 (Android N)
- Once TargetSDK is at or above a certain level, v2 becomes mandatory on devices from that API level onward
- Note that older API levels (below v2 support) only recognize v1 signatures
- No support for key rotation
Slide 12: APK Signature Scheme v3
- The first scheme to make key rotation possible
- Introduced in API 28 (Android P)
- As a rule, a v2 signature (the pre-rotation signature) is also applied for devices below that API level
- Capabilities such as permitting rollback to a previous signature can be managed
- Signing with multiple keys is not supported
- A later API level brought bugs and breaking changes, so the spec became unstable

Slide 13: APK Signature Scheme v4
- The first scheme with streaming support, and currently the only one
- Introduced with Android R
- Works complementarily with v2/v3, so it is not a pure extension of v3
- The v4 signature data is stored as a separate file (.idsig)
- Unless the APK is large, the benefit may be hard to notice
- Nice that signature verification finishes quickly on adb install --incremental
- It is also currently used when installing from Google Play

Slide 14: APK Signature Scheme v3.1
- Currently the recommended scheme when doing key rotation
- Introduced in API 33 (Android T)
- An extension that includes the v3 improvements applied in a later API level
- The signing block can now specify a target API
- Not something you consciously deal with while the API level that introduced it is the latest, but it should start to matter going forward
- (Speaker note: if changes had landed at API 31 and API 32, would it be v3.3 by now…?)
Slide 15: About combinations
- Technically any combination is possible
- In practice, though, you end up bound by MinSDK
- If at least one scheme trusted by that API level is present, the APK is treated as valid
- API level at which each scheme is recognized:
  v1: all
  v2: 24
  v3: 28
  v3.1: 33
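The rules stated on slides 8, 10 and 15 (start from the highest scheme the device recognizes, never fall back when that one fails, ignore blocks the device does not know, and let MinSDK decide which schemes you really need) can be modelled in a few lines. The following is an added example, not code from the deck or from the Android platform: it uses the API levels from the deck's table (v2 at 24, v3 at 28, v3.1 at 33), leaves v4 out because it lives in a separate .idsig file and complements v2/v3 rather than replacing them, and ignores the TargetSDK rule from slide 11. The `signatures` input is a constructed stand-in for the result a real verifier would compute from the APK bytes.

```python
"""Toy model of which APK signature scheme an Android device checks.

Added example, not code from the deck. It encodes the rules the slides
describe (highest recognized scheme first, no fallback on failure, unknown
blocks skipped) and uses the API levels from the deck's table. v4 is omitted:
it is stored separately (.idsig) and complements v2/v3.
"""

# API level at which each scheme starts being recognized (deck table:
# v2 at 24, v3 at 28, v3.1 at 33; v1 is understood on every level).
SCHEME_MIN_API = {"v1": 1, "v2": 24, "v3": 28, "v3.1": 33}

# Newest first: the verifier walks this list downward.
PRECEDENCE = ["v3.1", "v3", "v2", "v1"]


def recognized_schemes(api_level):
    """Schemes a device running api_level knows about, newest first."""
    return [s for s in PRECEDENCE if SCHEME_MIN_API[s] <= api_level]


def verify_apk(signatures, api_level):
    """Pick the scheme a device at api_level would check and report the outcome.

    signatures maps scheme name -> bool: the block is present in the APK and
    whether its signature verifies (constructed input for this example).
    Returns (scheme_checked, accepted). Blocks the device does not recognize
    are skipped rather than treated as invalid, and a failing block of a newer
    scheme is NOT followed by a fallback to an older scheme.
    """
    for scheme in recognized_schemes(api_level):
        if scheme in signatures:
            return scheme, bool(signatures[scheme])
    return None, False


def uncovered_api_levels(signatures, min_sdk, max_sdk):
    """API levels in [min_sdk, max_sdk] on which the APK would be rejected.

    This is the 'dragged down by MinSDK' point from slide 15: an APK carrying
    only a v3 block installs nowhere below API 28, whatever it targets.
    """
    return [api for api in range(min_sdk, max_sdk + 1)
            if not verify_apk(signatures, api)[1]]


if __name__ == "__main__":
    # Constructed cases; a real verifier derives these booleans from the APK.
    cases = {
        "v1+v2, healthy": {"v1": True, "v2": True},
        "v2 ok, v3 tampered": {"v2": True, "v3": False},
        "v2 + v3.1 (no v3)": {"v2": True, "v3.1": True},
        "v3 only": {"v3": True},
    }
    for name, sigs in cases.items():
        for api in (23, 24, 28, 30, 33):
            scheme, ok = verify_apk(sigs, api)
            verdict = "accept" if ok else "reject"
            print(f"{name:22s} API {api}: checks {str(scheme):5s} -> {verdict}")
        print(f"{name:22s} rejected on API levels {uncovered_api_levels(sigs, 21, 33)}")
```

Two of the constructed cases show the points that are easy to get wrong: the "v3 tampered" APK is rejected on API 28 and above even though its v2 block is fine, because the device checks v3 and stops there, while on API 27 the same APK installs because v3 is simply not recognized; and the "v2 + v3.1" APK is verified through v2 on API 30, since the v3.1 block is an unknown ID there and is skipped, not refused.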
Slide 16: Hmm…
- Can't we really know who the developer of an app is?
- If the schemes a device can recognize differ per OS version, aren't older OS versions vulnerable?
- Isn't just recognizing the post-rotation key a bit insufficient?
- I want to revoke the previous key, but…
- From this version on, I don't want installs unless they use the new key

Slide 17: Examples of value tied to signature verification
- Identity assurance of the app publisher by the install source (e.g. Google Play)
- Key management through Play App Signing
  - The developer no longer needs to hold the private key used for the final signature
  - Key information such as rotation data can be provided to Play Protect
- Pre-install verification by Play Protect
  - Can verify newer schemes on old OS versions and reject revoked keys
  - Blocks dangerous apps before they are installed
Slide 18: Want to learn more on your own?
- Use the PackageManager API on a running device
  - However, on Fire OS some APIs do not work properly
- The Signature-related classes in the OS are not good study material
  - e.g. scheme version and lineage are non-public API
- Use apksigner from build-tools
  - Without the right combination of options you cannot verify per signature scheme
- Write a Verification Service App that verifies apps
  - It needs a system permission, so it is a hassle, and CTS is about the only reference material

Slide 19: 😇
Slide 20: Summary
- Application Signing guarantees the integrity of the file
- Several features build on that property
- Many improvements have been added, both for trustworthiness and for developer convenience
- v2 / v3 / v3.1 ≫ (an insurmountable wall) ≫ v1
- v4 is for performance improvement, used together with v2/v3
- As a rule, if you use Play App Signing you don't have to think about any of this
- If that's your situation, set MinSDK to the v2-capable version

Slide 21: References
- LINE Engineering blog (https://engineering.linecorp.com/ja/blog/), article on airgo APK signing
- https://source.android.com/docs/security/features/apksigning
- https://support.google.com/googleplay/android-developer/answer/… (hl=en)