feat: implement APK signing fingerprint verification and improve Shiz…

composeApp/src/androidMain/kotlin/zed/rainxch/githubstore/app/GithubStoreApp.kt

@@ -144,6 +144,7 @@ class GithubStoreApp : Application() {
                         isPendingInstall = false,
                         installedVersionName = versionName,
                         installedVersionCode = versionCode,
+                        signingFingerprint = SELF_SHA256_FINGERPRINT,
                     )
 
                 repo.saveInstalledApp(selfApp)
@@ -156,6 +157,9 @@ class GithubStoreApp : Application() {
 
     companion object {
         private const val SELF_REPO_ID = 1101281251L
+        private const val SELF_SHA256_FINGERPRINT =
+            @Suppress("ktlint:standard:max-line-length")
+            "B7:F2:8E:19:8E:48:C1:93:B0:38:C6:5D:92:DD:F7:BC:07:7B:0D:B5:9E:BC:9B:25:0A:6D:AC:48:C1:18:03:CA"
         private const val SELF_REPO_OWNER = "OpenHub-Store"
         private const val SELF_REPO_NAME = "GitHub-Store"
         private const val SELF_AVATAR_URL =

core/data/src/androidMain/kotlin/zed/rainxch/core/data/local/db/initDatabase.kt

@@ -6,6 +6,7 @@ import kotlinx.coroutines.Dispatchers
 import zed.rainxch.core.data.local.db.migrations.MIGRATION_1_2
 import zed.rainxch.core.data.local.db.migrations.MIGRATION_2_3
 import zed.rainxch.core.data.local.db.migrations.MIGRATION_3_4
+import zed.rainxch.core.data.local.db.migrations.MIGRATION_4_5
 
 fun initDatabase(context: Context): AppDatabase {
     val appContext = context.applicationContext
@@ -19,5 +20,6 @@ fun initDatabase(context: Context): AppDatabase {
             MIGRATION_1_2,
             MIGRATION_2_3,
             MIGRATION_3_4,
+            MIGRATION_4_5,
         ).build()
 }

core/data/src/androidMain/kotlin/zed/rainxch/core/data/local/db/migrations/MIGRATION_4_5.kt

@@ -0,0 +1,11 @@
+package zed.rainxch.core.data.local.db.migrations
+
+import androidx.room.migration.Migration
+import androidx.sqlite.db.SupportSQLiteDatabase
+
+val MIGRATION_4_5 =
+    object : Migration(4, 5) {
+        override fun migrate(db: SupportSQLiteDatabase) {
+            db.execSQL("ALTER TABLE installed_apps ADD COLUMN signingFingerprint TEXT")
+        }
+    }

core/data/src/androidMain/kotlin/zed/rainxch/core/data/services/AndroidInstallerInfoExtractor.kt

@@ -2,13 +2,15 @@ package zed.rainxch.core.data.services
 
 import android.content.Context
 import android.content.pm.PackageManager
+import android.content.pm.PackageManager.GET_SIGNING_CERTIFICATES
 import android.os.Build
 import co.touchlab.kermit.Logger
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.withContext
 import zed.rainxch.core.domain.model.ApkPackageInfo
 import zed.rainxch.core.domain.system.InstallerInfoExtractor
 import java.io.File
+import java.security.MessageDigest
 
 class AndroidInstallerInfoExtractor(
     private val context: Context,
@@ -17,7 +19,11 @@ class AndroidInstallerInfoExtractor(
         withContext(Dispatchers.IO) {
             try {
                 val packageManager = context.packageManager
-                val flags = PackageManager.GET_META_DATA or PackageManager.GET_ACTIVITIES
+                val flags =
+                    PackageManager.GET_META_DATA or
+                        PackageManager.GET_ACTIVITIES or
+                        GET_SIGNING_CERTIFICATES
+
                 val packageInfo =
                     if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
                         packageManager.getPackageArchiveInfo(
@@ -31,9 +37,11 @@ class AndroidInstallerInfoExtractor(
 
                 if (packageInfo == null) {
                     Logger.e {
-                        "Failed to parse APK at $filePath, file exists: ${File(
-                            filePath,
-                        ).exists()}, size: ${File(filePath).length()}"
+                        "Failed to parse APK at $filePath, file exists: ${
+                            File(
+                                filePath,
+                            ).exists()
+                        }, size: ${File(filePath).length()}"
                     }
                     return@withContext null
                 }
@@ -50,12 +58,43 @@ class AndroidInstallerInfoExtractor(
                         @Suppress("DEPRECATION")
                         packageInfo.versionCode.toLong()
                     }
+                val fingerprint: String? =
+                    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
+                        val sigInfo = packageInfo.signingInfo
+                        val certs =
+                            if (sigInfo?.hasMultipleSigners() == true) {
+                                sigInfo.apkContentsSigners
+                            } else {
+                                sigInfo?.signingCertificateHistory
+                            }
+                        certs?.firstOrNull()?.toByteArray()?.let { certBytes ->
+                            MessageDigest
+                                .getInstance("SHA-256")
+                                .digest(certBytes)
+                                .joinToString(":") { "%02X".format(it) }
+                        }
+                    } else {
+                        @Suppress("DEPRECATION")
+                        val legacyInfo =
+                            packageManager.getPackageArchiveInfo(
+                                filePath,
+                                PackageManager.GET_SIGNATURES,
+                            )
+                        @Suppress("DEPRECATION")
+                        legacyInfo?.signatures?.firstOrNull()?.toByteArray()?.let { certBytes ->
+                            MessageDigest
+                                .getInstance("SHA-256")
+                                .digest(certBytes)
+                                .joinToString(":") { "%02X".format(it) }
+                        }
+                    }
 
                 ApkPackageInfo(
+                    appName = appName,
                     packageName = packageInfo.packageName,
                     versionName = packageInfo.versionName ?: "unknown",
                     versionCode = versionCode,
-                    appName = appName,
+                    signingFingerprint = fingerprint,
                 )
             } catch (e: Exception) {
                 Logger.e { "Failed to extract APK info: ${e.message}, file: $filePath" }

core/data/src/androidMain/kotlin/zed/rainxch/core/data/services/AndroidPackageMonitor.kt

@@ -3,12 +3,14 @@ package zed.rainxch.core.data.services
 import android.content.Context
 import android.content.pm.ApplicationInfo
 import android.content.pm.PackageManager
+import android.content.pm.PackageManager.GET_SIGNING_CERTIFICATES
 import android.os.Build
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.withContext
 import zed.rainxch.core.domain.model.DeviceApp
 import zed.rainxch.core.domain.model.SystemPackageInfo
 import zed.rainxch.core.domain.system.PackageMonitor
+import java.security.MessageDigest
 
 class AndroidPackageMonitor(
     context: Context,
@@ -20,12 +22,23 @@ class AndroidPackageMonitor(
     override suspend fun getInstalledPackageInfo(packageName: String): SystemPackageInfo? =
         withContext(Dispatchers.IO) {
             runCatching {
+                val flags =
+                    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
+                        GET_SIGNING_CERTIFICATES.toLong()
+                    } else {
+                        @Suppress("DEPRECATION")
+                        PackageManager.GET_SIGNATURES.toLong()
+                    }
+
                 val packageInfo =
                     if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
-                        packageManager.getPackageInfo(packageName, PackageManager.PackageInfoFlags.of(0L))
+                        packageManager.getPackageInfo(
+                            packageName,
+                            PackageManager.PackageInfoFlags.of(flags),
+                        )
                     } else {
                         @Suppress("DEPRECATION")
-                        packageManager.getPackageInfo(packageName, 0)
+                        packageManager.getPackageInfo(packageName, flags.toInt())
                     }
 
                 val versionCode =
@@ -36,11 +49,37 @@ class AndroidPackageMonitor(
                         packageInfo.versionCode.toLong()
                     }
 
+                val signingFingerprint: String? =
+                    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
+                        val sigInfo = packageInfo.signingInfo
+                        val certs =
+                            if (sigInfo?.hasMultipleSigners() == true) {
+                                sigInfo.apkContentsSigners
+                            } else {
+                                sigInfo?.signingCertificateHistory
+                            }
+                        certs?.firstOrNull()?.toByteArray()?.let { certBytes ->
+                            MessageDigest
+                                .getInstance("SHA-256")
+                                .digest(certBytes)
+                                .joinToString(":") { "%02X".format(it) }
+                        }
+                    } else {
+                        @Suppress("DEPRECATION")
+                        packageInfo.signatures?.firstOrNull()?.toByteArray()?.let { certBytes ->
+                            MessageDigest
+                                .getInstance("SHA-256")
+                                .digest(certBytes)
+                                .joinToString(":") { "%02X".format(it) }
+                        }
+                    }
+
                 SystemPackageInfo(
                     packageName = packageInfo.packageName,
                     versionName = packageInfo.versionName ?: "unknown",
                     versionCode = versionCode,
                     isInstalled = true,
+                    signingFingerprint = signingFingerprint,
                 )
             }.getOrNull()
         }
@@ -70,12 +109,10 @@ class AndroidPackageMonitor(
 
             packages
                 .filter { pkg ->
-                    // Exclude system apps (keep user-installed + updated system apps)
                     val isSystemApp = (pkg.applicationInfo?.flags ?: 0) and ApplicationInfo.FLAG_SYSTEM != 0
                     val isUpdatedSystem = (pkg.applicationInfo?.flags ?: 0) and ApplicationInfo.FLAG_UPDATED_SYSTEM_APP != 0
                     !isSystemApp || isUpdatedSystem
-                }
-                .map { pkg ->
+                }.map { pkg ->
                     val versionCode =
                         if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                             pkg.longVersionCode
@@ -89,8 +126,8 @@ class AndroidPackageMonitor(
                         appName = pkg.applicationInfo?.loadLabel(packageManager)?.toString() ?: pkg.packageName,
                         versionName = pkg.versionName,
                         versionCode = versionCode,
+                        signingFingerprint = null,
                     )
-                }
-                .sortedBy { it.appName.lowercase() }
+                }.sortedBy { it.appName.lowercase() }
         }
 }