android - 什么原因需要对apk进行签名？

Question

我知道它只能用于管理 Google Play 商店中的应用程序。
但是还有其他原因来保护代码免受反编译器的攻击吗？

我想知道面试中这个问题的正确答案是什么。
谁让我知道我们应该签署申请的原因？

Answer 1

如果您问我们为什么要对 apk 进行签名，那么数字签名是一种证明数字文件(例如文档、消息或本例中的 apk，实际上只是一个集合)真实性的方法文件数。

因此，通过对 apk 进行签名，我们有效地创建了一种方法，确保使用该 apk 的任何人都能获得他们期望收到的文件的可验证副本。这在安全性方面具有明显的优势，因为其他人无法在保持相同签名的同时对此文件进行更改。

来自the docs :

There are several reasons why you should do so:

App upgrade: When the system is installing an update to an app, it compares the certificate(s) in the new version with those in the existing version. The system allows the update if the certificates match. If you sign the new version with a different certificate, you must assign a different package name to the app—in this case, the user installs the new version as a completely new app.

App modularity: Android allows APKs signed by the same certificate to run in the same process, if the apps so request, so that the system treats them as a single app. In this way you can deploy your app in modules, and users can update each of the modules independently.

Code/data sharing through permissions: Android provides signature-based permissions enforcement, so that an app can expose functionality to another app that is signed with a specified certificate. By signing multiple APKs with the same certificate and using signature-based permissions checks, your apps can share code and data in a secure manner.

If you plan to support upgrades for an app, ensure that your app signing key has a validity period that exceeds the expected lifespan of that app. A validity period of 25 years or more is recommended. When your key's validity period expires, users will no longer be able to seamlessly upgrade to new versions of your app.

If you plan to publish your apps on Google Play, the key you use to sign your app must have a validity period ending after 22 October 2033. Google Play enforces this requirement to ensure that users can seamlessly upgrade apps when new versions are available.