Closed rakesh0689 closed 2 years ago
Hello. Thanks for reaching out.
The SHA256 value of the certificate can be represented in many formats. By default, the hash of the signing key certificate for an Android application is given in xx:xx:xx… HEX format. So you are correct.
This value has to be encoded to Base64 and used in expectedSigningCertificateHash. HEX format is just a representation of bytes. You need to encode those bytes (which you have in HEX format) to Base64 form. So the encoding should look something like this - Base64.encode(Hex.decodeToBytes(xx:xx:xx:xx:xx:xx)).
Your way of getting the Base64 form wouldn't work because you are applying UTF-8 encoding before encoding to Base64 - that will result in a wrong hash encoding.
You can use this online HEX to Base64 encoder to get your expectedSigningCertificateHash. Just copy your SHA256 value in HEX form to this online tool - https://base64.guru/converter/encode/hex
If you want to check whether your SHA256 key was properly formatted to base64 form, you can use this site https://base64.guru/converter/decode/hex to convert the value back to HEX form.
Note that this converter strips ":" but still converts back to HEX correctly - you can add ":" by hand after every two characters.
Talsec Team
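The conversion described in the reply above (decode the HEX fingerprint to raw bytes, then Base64-encode those bytes), together with the Base64 -> HEX check mentioned again in the quoted comment further down, done locally instead of in an online tool. This is an added example in Python, not Talsec's code and not Dart; the fingerprint it uses is constructed (bytes 0x00..0x1F) and is not a real certificate digest. It also shows why the UTF-8 route from the question cannot work: encoding the hex text yields a value of the wrong length.

```python
import base64
import binascii


def hex_fingerprint_to_base64(fingerprint: str) -> str:
    """Convert a colon-separated SHA-256 certificate fingerprint, as printed by
    keytool or apksigner (e.g. 'AB:CD:...'), into the Base64 form used for
    expectedSigningCertificateHash.

    The hex digits are decoded to the 32 raw digest bytes first, and only those
    bytes are Base64-encoded. Colons, spaces and letter case are ignored.
    """
    hex_digits = fingerprint.replace(":", "").replace(" ", "").strip()
    try:
        raw = binascii.unhexlify(hex_digits)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not a valid hex fingerprint: {fingerprint!r}") from exc
    if len(raw) != 32:
        raise ValueError(f"SHA-256 fingerprint must be 32 bytes, got {len(raw)}")
    return base64.b64encode(raw).decode("ascii")


def base64_to_hex_fingerprint(value: str) -> str:
    """Inverse direction: decode the Base64 value and re-insert colons so the
    result can be compared byte for byte with the keytool/apksigner output."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) != 32:
        raise ValueError(f"decoded value is {len(raw)} bytes, expected 32")
    hex_str = raw.hex().upper()
    return ":".join(hex_str[i:i + 2] for i in range(0, len(hex_str), 2))


def utf8_text_to_base64(fingerprint: str) -> str:
    """The mistaken conversion from the question: Base64 of the UTF-8 bytes of
    the hex *text*. Included only to show how it differs from the correct form."""
    return base64.b64encode(fingerprint.encode("utf-8")).decode("ascii")


def looks_like_sha256_base64(value: str) -> bool:
    """Sanity check for a configured value: 32 bytes always Base64-encode to
    exactly 44 characters ending in a single '=' and decode back to 32 bytes."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


# Constructed sample fingerprint (bytes 0x00..0x1F), not a real certificate.
SAMPLE_FINGERPRINT = (
    "00:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:"
    "10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F"
)

if __name__ == "__main__":
    correct = hex_fingerprint_to_base64(SAMPLE_FINGERPRINT)
    wrong = utf8_text_to_base64(SAMPLE_FINGERPRINT)
    print("expectedSigningCertificateHash:", correct, len(correct), "chars")
    print("UTF-8 of hex text (wrong):     ", wrong, len(wrong), "chars")
    print("round trip:", base64_to_hex_fingerprint(correct) == SAMPLE_FINGERPRINT)
```

The same conversion from a shell, given the fingerprint line copied from keytool, is `echo 'AB:CD:...' | tr -d ':' | xxd -r -p | base64`. Whichever route you take, run the decoded value back through the HEX direction and compare it with the original fingerprint before shipping the build, since a wrong expectedSigningCertificateHash flags every installation, including the legitimate release, as tampered.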
Thank you for your prompt help.
I converted the hash value to Base64 using the converter above. Now onTamperDetected is no longer being called, and other checks like root and emulator are working as well. Thank you once again, Talsec team.
Note: I also checked the hash value by converting back from Base64, and this time I was getting the correct value.
Hello,
The application is considered tampered if it has an incorrect package name or if it was signed/resigned with an unknown signing key (signing certificate mismatch). If the application is installed from an untrusted application store, onUntrustedInstallationDetected is triggered. Please verify that your expectedSigningCertificateHash is correct. You can use this link for Base64 -> Hex conversion: https://base64.guru/converter/decode/hex
We will try to add expectedSigningCertificateHash checks to the next version of Talsec.
Talsec Team
Originally posted by @talsec-app in https://github.com/talsec/Free-RASP-Flutter/issues/12#issuecomment-1061205542
Hello,
onPackageTamperDetected is getting called when I am installing the release build on an emulator as well as on a real device. I have a certain doubt regarding the expectedSigningCertificateHash.
The sha256 value is in the format 'xx:xx:xx:xx:xx', right? So should we convert that to Base64 format? I converted it to Base64 format using the code base64.encode(utf8.encode(xx:xx:xx:xx:xx)). Is it the right way? The link provided above converts Base64 to a hex value, and I am not getting back my sha256 value from the encoded one. So should I convert sha256 to hex and then hex to Base64? Please reply at the earliest, as I want to make sure all the checks work before continuing my work. Thanks in advance.