Development on Application Signature Verification

When to Use

To ensure the integrity and trustworthiness of the applications to be installed in OpenHarmony, the applications must be signed and their signatures must be verified.

In application development: After developing an application, you need to sign its installation package to ensure that the installation package is not tampered with when it is released on devices. To sign the application package, you can use the signature tools and the public key certificates and follow the signing certificate generation specifications provided by the application integrity verification module. For your convenience, a public key certificate and a corresponding private key are preset in OpenHarmony. You need to replace the public key certificate and private key in your commercial version of OpenHarmony.
In application installation: The Application Framework subsystem of OpenHarmony installs applications. Upon receiving an application installation package, the Application Framework subsystem parses the signature of the installation package, and verifies the signature using the application integrity verification APIs. The application can be installed only after the verification succeeds. During the verification, the application integrity verification module uses the preset public key certificate to verify the signature.

Signature Verification Process

An unsigned HAP is in .zip format and consists of a file block, central directory, and end of central directory (EOCD).

After the HAP is signed, a signature block is added between the file block and the central directory. The integrated signature block consists of a profile signature block, HAP signature block, and signature header. The following figure shows the structure of a signed HAP.

Figure 1 Structure of a signed HAP

The signature verification process consists of three steps: HAP signature verification, profile signature verification, and profile content verification.

HAP signature verification

The HAP signature block is a signed data block in PKCS7 format. The signature verification process includes PKSC7 signature verification, hash comparison, certificate chain verification, and matching between the certificate chain and the device's preset root certificate.

Profile signature verification

The profile signature block is a signed data block in PKCS7 format. The profile content is stored in contentinfo of the PKCS7 signature block. The signature verification process includes PKCS7 signature verification, hash comparison, certificate chain verification, and profile certificate validity verification.

Profile content verification

The signature verification module checks the validity of the profile content. If the profile is of the debugging type, the module checks whether the UDID of the current device is contained in the UDID list in the profile. If yes, the module compares the certificate in the profile with the certificate used for HAP signature verification. If they are the same, the entire verification process is complete.

Available APIs

The following table lists the innerkits APIs provided by the signature verification component. These APIs are available only for system applications.

Table 1 APIs provided by the signature verification component for mini systems

API	Description
int APPVERI_AppVerify(const char filePath, VerifyResult verifyRst)	Verifies a signature by specifying the file path and returns the data obtained from the profile to the caller through verifyRst. This is the main entry function.
int APPVERI_SetDebugMode(bool mode)	Sets the debugging mode. If mode is set to true, certificate chain verification based on the debugging root key is enabled; if mode is set to false, it is disabled. Note: Currently, no certificate based on the existing debugging root key is available. You can replace the debugging root key and perform related verification as required.
void APPVERI_FreeVerifyRst(VerifyResult *verifyRst)	Releases memory in verifyRst.

API

Description

int APPVERI_AppVerify(const char *filePath, VerifyResult *verifyRst)

Verifies a signature by specifying the file path and returns the data obtained from the profile to the caller through verifyRst. This is the main entry function.

int APPVERI_SetDebugMode(bool mode)

Sets the debugging mode. If mode is set to true, certificate chain verification based on the debugging root key is enabled; if mode is set to false, it is disabled.

Note: Currently, no certificate based on the existing debugging root key is available. You can replace the debugging root key and perform related verification as required.

void APPVERI_FreeVerifyRst(VerifyResult *verifyRst)

Releases memory in verifyRst.

Table 2 API provided by the signature verification component for standard systems

API	Description
nt HapVerify(const std::string& filePath, HapVerifyResult& hapVerifyResult)	Verifies application integrity and identifies the application source.

How to Develop

OpenHarmony Self-signed Application

For details about how to develop an OpenHarmony self-signed application, see Having Your App Automatically Signed.