WO2020062233A1 - Method and apparatus for processing and deploying application program, and computer-readable medium - Google Patents

Method and apparatus for processing and deploying application program, and computer-readable medium Download PDF

Info

Publication number
WO2020062233A1
WO2020062233A1 PCT/CN2018/109072 CN2018109072W WO2020062233A1 WO 2020062233 A1 WO2020062233 A1 WO 2020062233A1 CN 2018109072 W CN2018109072 W CN 2018109072W WO 2020062233 A1 WO2020062233 A1 WO 2020062233A1
Authority
WO
WIPO (PCT)
Prior art keywords
installation package
file
application
module
checksum
Prior art date
Application number
PCT/CN2018/109072
Other languages
French (fr)
Chinese (zh)
Inventor
毛怿
Original Assignee
西门子股份公司
毛怿
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 西门子股份公司, 毛怿 filed Critical 西门子股份公司
Priority to PCT/CN2018/109072 priority Critical patent/WO2020062233A1/en
Publication of WO2020062233A1 publication Critical patent/WO2020062233A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/445Program loading or initiating

Definitions

  • the present invention relates to the technical field of computer application programs, and in particular, to a method, an apparatus, and a computer-readable medium for processing and deploying application programs.
  • the performance of terminal devices used in the field of Internet of Things technology is constantly upgraded.
  • the terminal devices can interact with the cloud platform for information, thereby enabling ultra-large-scale Internet of Things.
  • Application becomes possible.
  • the installation package of the developed application program is stored in the application library.
  • the application program needs to be deployed on a terminal device, the corresponding application is downloaded from the application library A program installation package, and then use the downloaded application installation package to deploy an application on a terminal device.
  • the application installation package may be maliciously tampered with. If the application installation package that has been maliciously tampered with is used to deploy the application on the terminal device, the deployed application may cause The terminal device performs malicious actions, which causes very serious consequences such as personal injury and property damage. Therefore, the existing applications deployed on terminal devices have lower security.
  • the method, device, and computer-readable medium for processing and deploying applications provided by the present invention can improve the security of deploying applications on terminal devices.
  • an embodiment of the present invention provides an application program processing method, including:
  • a second installation package with a first digital signature added is obtained, and the second installation package can be double-validated according to the checksum stored in the first digital signature and the verification file to Determine whether the second installation package has been tampered with, and then use the second installation package to deploy the application on the terminal device after determining that the second installation package has not been tampered with, and ensure that the application deployed on the terminal device does not perform malicious actions, so that Improve the security of deploying applications on end devices.
  • the decompressing the first installation package to obtain at least one application file includes:
  • the noise file is a file unrelated to the function implementation of the application program
  • the at least one application file is a file related to the function implementation of the application program.
  • the second installation package includes only check files and application files and does not include noise files.
  • the number of files that need to be checked and calculated can be reduced, which can improve the efficiency of generating the second installation package.
  • the method before the compressing and packaging the verification file and the at least one application file, the method further includes: adding a second digital signature to the verification file; and correspondingly, verifying the calibration file.
  • Compressing and packaging the verification file and the at least one application file include: compressing and packaging the verification file and the at least one application file to which the second digital signature is added to obtain the second installation package .
  • the adding a first digital signature to the second installation package includes:
  • the PKI object is embedded in the second installation package.
  • the first identity is obtained by hashing the second installation package, and the encrypted identity is obtained by encrypting the first identity through the private key, and then the PKI object including the encrypted identity is embedded in the second installation package.
  • the private key cannot be obtained, so the first identity cannot be forged, and it is guaranteed that when the application is deployed, the second installation package can be accurately judged based on the first identity, so that the application deployed by the second installation package can be guaranteed Security.
  • an embodiment of the present invention further provides an application program deployment method, including:
  • S3 Decompress the second installation package to obtain a verification file and at least one application program file
  • the second installation package After obtaining the second installation package added with the first digital signature, first verify whether the first digital signature is correct, and on the premise that the first signature is correct, the second installation package is further compressed to obtain a verification file and each The application file, and then checksum operation is performed on the application file to obtain the corresponding checksum, and then the obtained checksum is compared with the checksum stored in the check file to determine all the obtained checksums Whether it is the same as the corresponding checksum in the check file. If so, use the second installation package to deploy the application on the terminal device; otherwise, determine that the second installation package has been tampered with. Double verification is performed on the second installation package through the checksum stored in the first digital signature and the verification file. After determining that the second installation package has not been tampered with, the second installation package is used to deploy the application on the terminal device to ensure that the deployed Applications do not perform malicious actions, which can improve the security of deploying applications on end devices.
  • a second digital signature is added to the verification file, further including between the S3 and the S4:
  • Verify whether the second digital signature is correct if yes, execute S4, otherwise execute S7.
  • the second digital signature When the second digital signature is added to the verification file decompressed from the second installation package, after verifying that the first digital signature is correct, then verify that the second digital signature is correct. If the second digital signature is correct, use the verification Files verify that individual application files have not been tampered with. By verifying whether the second digital signature is correct, it can be determined whether the verification file is tampered, and the accuracy of verifying whether each application file is tampered is verified by using the checksum stored in the verification file. Performing triple verification on the second installation package before using the second installation package to deploy the application can further improve the security of deploying the application on the terminal device.
  • the verifying whether the first digital signature is correct includes:
  • the encrypted identity is decrypted by using the corresponding public key to obtain the first identity, where the first identity is obtained by un-tampered
  • the second installation package is obtained by performing a hash operation. Then perform a hash operation on the obtained second installation package to obtain a second identity. If the second identity is the same as the first identity, it means that the second installation package has not been tampered with, and it is determined that the first digital label is correct.
  • the second identity user has a different first identity, indicating that the second installation package has been tampered with, and it is determined that the first digital label is incorrect. By verifying the correctness of the first digital label, the integrity and consistency of the second installation package can be ensured.
  • an embodiment of the present invention further provides an application program processing apparatus, including:
  • a first installation package obtaining module configured to obtain a compressed first installation package of a compiled application program
  • a first installation package decompression module configured to decompress the first installation package obtained by the first installation package acquisition module to obtain at least one application program file
  • a first checksum operation module configured to perform a checksum operation on the at least one application file obtained by the first installation package decompression module
  • a check file generating module configured to store the checksum obtained by performing the checksum operation by the first checksum calculation module into a check file
  • An application compression module is configured to compress and package the verification file in which the verification file generation module stores a checksum and the at least one application file obtained by the first installation package decompression module. To obtain the second installation package;
  • An installation package signature module is configured to add a first digital signature to the second installation package obtained by the application compression module.
  • the first installation package decompression module includes:
  • a decompression unit configured to decompress the first installation package
  • a screening unit configured to determine a noise file from a file obtained by decompressing the first installation package by the decompression unit, and decompress other than the noise file from the first installation package Is determined to be the at least one application program file, wherein the noise file is a file that is not related to the function implementation of the application program, and the at least one application file is a file that is related to the function implementation of the application program .
  • the application processing apparatus further includes: a verification file signature module;
  • the verification file signature module is configured to add a second digital signature to the verification file obtained by the verification file generation module;
  • the application compression module is configured to add the second digital signature to the verification file and the at least one application obtained by the first installation package decompression module after the verification file signature module.
  • the program file is compressed and packed to obtain the second installation package.
  • the installation package signature module includes:
  • a first hash operation unit configured to perform a hash operation on the second installation package by using a hash algorithm to obtain a first identity corresponding to the second installation package;
  • An identity encryption unit configured to encrypt the first identity obtained by the first hash operation unit by using a private key to obtain an encrypted identity
  • a PKI object generating unit configured to generate a public key infrastructure PKI object corresponding to the private key and including the encrypted identity obtained by the identity encryption unit;
  • a PKI object embedding unit is configured to embed the PKI object generated by the PKI object generating unit into the second installation package.
  • an embodiment of the present invention further provides an application program deployment apparatus, including:
  • a second installation package obtaining module configured to obtain a second installation package added with a first digital signature
  • An installation package signature verification module configured to verify whether the first digital signature added to the second installation package obtained by the second installation package acquisition module is correct
  • a second installation package decompression module configured to decompress the second installation package to obtain a verification file and at least one application program when the installation package signature verification module verifies that the first digital signature is correct. file;
  • a second checksum operation module configured to perform a checksum operation on the at least one application program obtained by the second installation package decompression module
  • a checksum verification module configured to determine a checksum obtained by the second checksum operation module performing a checksum operation and a checksum stored in the check file obtained by the second installation package decompression module. Whether the corresponding checksums are all the same;
  • An application deployment module configured to use the second installation package to install an application on a terminal device when the judgment result of the checksum verification module is yes;
  • An installation package status confirmation module configured to determine that the second installation package has been completed when the installation package signature verification module verifies that the first digital signature is incorrect, or when the judgment result of the checksum verification module is no. Tampered.
  • the application deployment device further includes: a check file signature verification module;
  • the verification file signature verification module is configured to verify whether the second digital signature is correct when the verification file decompressed by the second installation package decompression module is added with a second digital signature;
  • the installation package status confirmation module is further configured to determine that the second installation package has been tampered with when the verification file signature verification module verifies that the second digital signature is incorrect.
  • the installation package signature verification module includes:
  • a PKI object obtaining unit configured to obtain a PKI object embedded in the second installation package
  • An identity decryption unit configured to decrypt the encrypted identity included in the PKI object by using a public key corresponding to the PKI object obtained by the PKI object obtaining unit to obtain a first identity
  • a second hash operation unit configured to perform a hash operation on the second installation package by using a hash algorithm to obtain a second identity corresponding to the second installation package;
  • An identity comparison unit configured to determine whether the first identity obtained by the identity decryption unit and the second identity obtained by the second hash operation unit are the same, and if yes, determining the The first digital signature is correct, otherwise it is determined that the first digital signature is incorrect.
  • an embodiment of the present invention further provides an application program processing apparatus, including: at least one memory and at least one processor;
  • the at least one memory is configured to store a machine-readable program
  • the at least one processor is configured to call the machine-readable program and execute the method provided by the first aspect or any implementation manner of the first aspect.
  • a machine-readable program is stored in the memory.
  • the processor can execute the method provided in the first aspect or any one of the implementable methods of the first aspect by calling the machine-readable program stored in the memory.
  • File and the second installation package of the application file and add a first digital signature to the second installation package.
  • the second installation package with the first digital signature added can be obtained according to the first A digital signature and a checksum stored in a verification file double-check the second installation package to determine whether the second installation package has been tampered with, and then determine that the second installation package has not been tampered with, and then use the second installation package on the terminal.
  • the application is deployed on the device to ensure that the application deployed on the terminal device does not perform malicious actions, thereby improving the security of the application deployed on the terminal device.
  • an embodiment of the present invention further provides an application program deployment apparatus, including: at least one memory and at least one processor;
  • the at least one memory is configured to store a machine-readable program
  • the at least one processor is configured to call the machine-readable program and execute the method provided in the second aspect or any implementation manner of the second aspect.
  • a machine-readable program is stored in the memory, and the processor can execute the method provided in the second aspect or any one of the implementable manners of the second aspect by calling the machine-readable program stored in the memory.
  • the second installation package is double-checked by checking the checksum stored in the file. After determining that the second installation package has not been tampered with, the second installation package is used to deploy the application on the terminal device to ensure that the deployed application does not perform malicious actions. , Which can improve the security of deploying applications on terminal devices.
  • an embodiment of the present invention further provides a computer-readable medium.
  • the computer-readable medium stores computer instructions.
  • the processor causes the processor to execute the foregoing first aspect, second aspect, The method provided by any one possible implementation manner of the first aspect or any one possible implementation manner of the second aspect.
  • Computer instructions are stored on the machine-readable medium.
  • the processor executes the application processing method provided by the first aspect or any possible implementation manner of the first aspect, or executes the first The application deployment method provided by the second aspect or any one of the possible implementation manners of the second aspect, before the application is deployed on the terminal device according to the second installation package, the first digital signature and the verification of the stored file are verified.
  • Check and double-check the second installation package After determining that the second installation package has not been tampered with, use the second installation package to deploy the application on the terminal device to ensure that the deployed application does not perform malicious actions, which can improve the Security of applications deployed on end devices.
  • the application processing and deployment method, device, and computer-readable medium provided by the embodiments of the present invention include adding a digital signature to the installation package and adding a verification file storing a checksum to the installation package. Before the application is deployed, multiple verifications can be performed on the installation package to ensure the integrity and consistency of the installation package, thereby ensuring the security of the application deployed by the installation package.
  • This solution is not limited by the application programming language and platform , Has strong applicability.
  • FIG. 1 is a flowchart of an application program processing method according to an embodiment of the present invention
  • FIG. 2 is a flowchart of a method for decompressing an installation package according to an embodiment of the present invention
  • FIG. 3 is a flowchart of a method for adding a digital signature according to an embodiment of the present invention.
  • FIG. 4 is a flowchart of a method for deploying an application program according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of another application deployment method according to an embodiment of the present invention.
  • FIG. 6 is a flowchart of a digital signature verification method according to an embodiment of the present invention.
  • FIG. 7 is a schematic diagram of an application program processing apparatus according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of an installation package decompression module provided by an embodiment of the present invention.
  • FIG. 9 is a schematic diagram of another application processing apparatus according to an embodiment of the present invention.
  • FIG. 10 is a schematic diagram of an installation package signature module provided by an embodiment of the present invention.
  • FIG. 11 is a schematic diagram of an application deployment device provided by an embodiment of the present invention.
  • FIG. 12 is a schematic diagram of another application deployment device according to an embodiment of the present invention.
  • FIG. 13 is a schematic diagram of an installation package signature verification module provided by an embodiment of the present invention.
  • FIG. 14 is a schematic diagram of another application processing apparatus according to an embodiment of the present invention.
  • FIG. 15 is a schematic diagram of another application deployment device according to an embodiment of the present invention.
  • first installation package acquisition module 302 first installation package decompression module 303: first checksum calculation module
  • PKI object embedding unit 401 second installation package acquisition module 402: installation package signature verification module
  • Verification file signature verification module 4021 PKI object acquisition unit
  • the application installation package may be maliciously tampered with. If the use has been maliciously tampered with, The application installation package for the deployment of the application on the terminal device, the deployed application may perform malicious actions, resulting in serious consequences. Therefore, the existing applications deployed on terminal devices have lower security.
  • a checksum operation is performed on the application file included in the installation package of the application, and the obtained checksum is stored in the verification file.
  • obtain the installation package with a digital signature First verify that the digital signature of the installation package is correct. After verifying that the digital signature of the installation package is correct, decompress the installation package to obtain a verification file and each application. File, and then perform checksum calculation on each application file, and compare the obtained checksum with each checksum stored in the check file.
  • the obtained checksum is compared with the checksum stored in the check file, All the checksums are the same, then use the obtained installation package to deploy the application on the terminal device. It can be seen that before using the installation package to deploy the application, the integrity and consistency of the installation package is verified through digital signatures and checksums to ensure that the obtained installation package has not been maliciously tampered with, which can improve the terminal device. Deploy application security.
  • an embodiment of the present invention provides an application program processing method, and the method may include the following steps:
  • Step 101 Obtain a compressed first installation package of the compiled application program
  • Step 102 Decompress the first installation package to obtain at least one application file.
  • Step 103 Perform a checksum operation on at least one application file
  • Step 104 storing the checksum obtained by the checksum operation into a check file
  • Step 105 compress and package the verification file and at least one application file to obtain a second installation package
  • Step 106 Add a first digital signature to the second installation package.
  • the application program processing method after obtaining a first installation package of a compiled application program, decompressing the first installation package to obtain at least one application program file, and then performing processing on the obtained application program file.
  • Checksum operation and store the checksum obtained by the checksum operation into a check file, and then compress and pack the obtained check file and each decompressed application file to obtain a second installation package, and then Add a first digital signature to the obtained second installation package.
  • a checksum operation may be performed on the application file in the second installation package, and the obtained checksum and the check stored in the verification file may be used. And compare to determine whether each application file has been tampered with.
  • the integrity and consistency of the second installation package can be verified by the first digital signature added on the second installation package and the checksum stored in the verification file in the second installation package. Perform double verification of the security, and use the second installation package to deploy applications on the terminal device after verifying that the second installation package has not been tampered with, to ensure that the applications deployed on the terminal device will not perform malicious actions, thereby improving the Deploy application security on.
  • At least one application program file obtained by decompressing the first installation package is a target application program file obtained by compiling application source code.
  • a checksum algorithm such as MD5, SHA-1, or SHA-2 may be specifically used to perform a checksum operation on the application file to obtain the phase The corresponding checksum.
  • the application program processing method provided by the embodiment of the present invention may be applied to an application program publishing process. Specifically, after adding a first digital signature to a second installation package, the second installation package with the first digital signature added may be stored. Go to an application library, and then use the automatic deployment tool to publish the application corresponding to the second installation package.
  • the automatic deployment tool can be Jenkins.
  • any one of the following four methods may be selected to perform checksum calculation on the application file:
  • Method 1 Perform an overall checksum operation on all the obtained application files to obtain a checksum
  • Method 2 Perform a checksum operation on each of the obtained application programs and obtain a checksum corresponding to each application file;
  • Method 3 Perform an overall checksum operation on all application files with predefined file characteristics in all application files to obtain a checksum
  • Manner 4 Perform a checksum operation on each of the application files having a predefined file characteristic in the application file to obtain a checksum corresponding to each of the application files having a predefined file characteristic.
  • a checksum is obtained by performing an overall checksum operation on all application files. After the application files are compressed and packaged into the second installation package, any one or more applications in the second installation package are compressed. The tampering of the program file will cause the result of the overall checksum operation on all application files to be changed, so that it can be determined whether the tampered application file exists in the second installation package according to the checksum.
  • a checksum operation is performed on each application file separately to obtain a corresponding checksum. After compressing and packaging each application file into the second installation package, any application in the second installation package is used. The tampering of the program file will cause the result of the checksum operation of the application file to change, so that the tampered application file can be located according to the checksum.
  • the characteristics of the application files that are easily tampered with and the application files important to the application deployment are defined in advance, and then the overall checksum operation is performed on all application files with the predefined file characteristics to obtain a calibration. It is verified that, after all application files are compressed and packaged into the second installation package, any one or more application files with predefined file characteristics in the second installation package are tampered with, which will result in the The result of the overall checksum operation of the application file with the file characteristics changes, so that it can be determined according to the checksum whether there is a tampered application file with a predefined file characteristic in the second installation package to determine an important application Whether the program file has been tampered with.
  • step 102 obtains at least one application file by decompressing the first installation package, which may be specifically implemented by the following sub-steps:
  • Step 1021 decompress the first installation package
  • Step 1022 Determine a noise file from the files obtained by decompressing the first installation package, and determine the files decompressed from the first installation package other than the noise file as application files, where the noise file is the same as The function of the application is not related to the file, and the application file is a file related to the function of the application.
  • the compressed first installation package of the compiled application includes two types of files.
  • the first type of files are files that are not related to the application's function implementation, that is, noise files, and the second type of files are related to the application's function implementation.
  • the file is the application file.
  • Noise files are usually files related to the application installation and deployment process. Such files vary according to the deployment environment. In order to avoid the noise file being mistaken for being tampered and causing the second installation package to fail verification, the first installation package is not passed.
  • the noise files included in the filtering are filtered out, and only the application files are compressed and packaged into the second installation package to ensure the accuracy of the verification of the second installation package.
  • noise files are filtered from the files obtained by decompressing the first installation package, and only checksum calculation is performed on the application files remaining after the noise files are filtered, so that the number of files requiring checksum calculation can be reduced. Number, thereby improving the efficiency of obtaining the second installation package.
  • the application when the application is subsequently deployed, it is only necessary to perform a checksum operation on the application file included in the second installation package, thereby improving the efficiency of verifying the second installation package.
  • the application deployment tool can automatically obtain the corresponding noise file according to the deployment environment. , And then use the obtained noise file and the second installation package for application deployment.
  • step 104 when compressing and packaging the verification file and each application file, there are two different compression and packaging methods:
  • First compression and packaging method Compress and package only the verification file and all application files to generate a second installation package.
  • the second installation package includes only one verification file and all application files.
  • the specific tools can be deployed by the deployment tool. Obtained automatically based on the deployment environment.
  • the second compression and packing method Compress and pack the verification file, all application files, and noise files.
  • the second installation package includes a verification file, all application files, and all noise files.
  • additional noise files need to be obtained.
  • a second digital signature may be added to the verification file storing the checksum.
  • the verification file added with the second digital signature and at least one application file may be compressed and packaged to obtain a second installation including the verification file added with the second digital signature and at least one application file. package.
  • a second digital signature is added to the verification file, and then the verification file to which the second digital signature is added and each application file are compressed.
  • Package to obtain a second installation package, and then add a first digital signature to the second installation package.
  • first verify that the first digital signature is correct decompress the second installation package after determining that the first digital signature is correct, and then verify that the second digital signature is correct.
  • a checksum operation is performed on each application file, and the obtained checksum is compared with the checksum stored in the check file to determine whether each application file is tampered. It can be seen that by adding a second digital signature to the verification file on the basis of the application processing method shown in FIG. 1, a triple verification is required before using the second installation package to deploy the application, which can further ensure that the terminal device Deploy application security.
  • this step may be specifically implemented by the following sub-steps:
  • Step 1061 Perform a hash operation on the second installation package by using a hash algorithm to obtain a first identity corresponding to the second installation package;
  • Step 1062 encrypt the first identity by using a private key to obtain an encrypted identity
  • Step 1063 Generate a public key infrastructure PKI object corresponding to the private key and including an encrypted identity
  • Step 1064 Embed the PKI object into the second installation package.
  • the second installation package After obtaining the second installation package, first perform an overall hash operation on the second installation package to obtain a first identity corresponding to the second installation package, and then encrypt the first identity through the private key of the application developer To obtain the corresponding encrypted identity, and then generate a public key infrastructure (PKI) object corresponding to the private key and including the encrypted identity, and then embed the generated PKI object into the second installation package So that the PKI object is downloaded when the second installation package is downloaded.
  • PKI public key infrastructure
  • a first identity corresponding to the second installation package is obtained by hashing the second installation package.
  • the first identity corresponds strictly to the content of the second installation package. If the content of the second installation package changes, the first The identity of the second installation package will also change, so it can be verified by the first identity that the second installation package has been tampered with.
  • the first identity is encrypted by the private key to obtain the encrypted identity.
  • the encrypted identity can be obtained from the public key corresponding to the private key.
  • the information of the evidence authority, the encrypted identity, the public key corresponding to the private key, and the PKI certificate can be integrated to obtain the PKI object.
  • the method for adding the second digital signature is similar to the method for adding the first digital signature.
  • FIG. 3 For the specific process, see FIG. 3 for the second installation package.
  • a method of digital signature the method of adding a second digital signature to the verification file will not be repeated here.
  • an embodiment of the present invention provides an application deployment method.
  • the method may include the following steps:
  • Step 201 Obtain a second installation package added with a first digital signature.
  • Step 202 verify whether the first digital signature is correct, if yes, go to step 203, otherwise go to step 207;
  • Step 203 Decompress the second installation package to obtain a verification file and at least one application file;
  • Step 204 Perform a checksum operation on the at least one application file.
  • Step 205 Determine whether the checksum obtained by the checksum operation is the same as the corresponding checksum stored in the check file, and if yes, go to step 206; otherwise, go to step 207;
  • Step 206 deploy the application on a terminal device by using the second installation package, and end the current process
  • Step 207 Determine that the second installation package has been tampered with.
  • the method for deploying an application provided by the embodiment of the present invention, after obtaining a second installation package added with a first digital signature, first verify whether the first digital signature is correct, and if the first digital signature is incorrect, directly determine that the second installation package has been installed. Tampered with, if the first digital signature is correct, decompress the second installation package to obtain a check file and at least one application file, and then perform a checksum operation on the application file to correct the checksum operation. The checksum is compared with the checksum stored in the check file. If all the obtained check files correspond to the checksum stored in the check file, the second installation package is used for deployment on a terminal device. Application, otherwise determine that the second installation package has been tampered with.
  • the second installation package is double-checked through the first digital signature and the checksum stored in the verification file to determine whether the second installation package has been tampered with.
  • Two-factor authentication determines that the second installation package has not been tampered with, and then uses the second installation package to deploy the application program on the terminal device, thereby improving the security of the application program deployment on the terminal device.
  • the application program when the application program is deployed on the terminal device by using the second installation package, the application program may be deployed by using a deployment tool.
  • the deployment tool can use the deployment environment of the terminal device to obtain the corresponding noise file, and then use the obtained noise file and the second installation package. Deploy applications on end devices.
  • steps 203 and 204 Among the further include:
  • Step 208 Determine whether the second digital signature is correct. If yes, go to step 204, otherwise go to step 207.
  • step 204 Steps to verify whether each application file has been tampered with. If the second digital signature error indicates that the check file has been tampered with, and the checksum stored in the check file has no reference value, go directly to step 207 to determine the second installation package. Has been tampered with.
  • the verification file is also verified using the second digital signature, so using the second installation package in Before the verification file is deployed on the terminal device, the second installation package is triple-verified to ensure that the second installation package has not been tampered with, thereby further improving the security of deploying the application program on the terminal device.
  • the step 202 of verifying whether the first digital signature is correct may be specifically implemented by the following sub-steps:
  • Step 2021 Obtain a PKI object embedded in the second installation package.
  • Step 2022 Decrypt the encrypted identity included in the PKI object by using the public key corresponding to the PKI object to obtain the first identity;
  • Step 2023 Perform a hash operation on the second installation package by using a hash algorithm to obtain a second identity corresponding to the second installation package.
  • Step 2024 Determine whether the first identity is the same as the second identity, and if yes, determine that the first digital signature is correct; otherwise, determine that the first digital signature is incorrect.
  • the second installation package After obtaining the second installation package added with the first digital signature, obtain the PKI object embedded in the second installation package, and then decrypt the encrypted identity included in the PKI object by using the public key corresponding to the PKI object to obtain The first identity, and then hashing the second installation package by a hash algorithm to obtain the second identity corresponding to the second installation package, and then determine whether the first identity is the same as the second identity. If the identity is the same as the second identity, it is determined that the first digital signature is correct, and if the first identity is different from the second identity, it is determined that the first digital signature is incorrect.
  • the encrypted identity included in the PKI object embedded in the second installation package is obtained by encrypting the first identity through the private key
  • the first An identity is obtained by hashing a second installation package that has not been tampered with.
  • the first identity can be obtained by decrypting the encrypted identity through the public key corresponding to the aforementioned private key, and obtaining the first identity by hashing the obtained second installation package.
  • the second identity because the result of the hash operation strictly corresponds to the content of the operation object.
  • the first identity is the same as the second identity, it can be determined that the second installation package has not been tampered with, that is, the first digital signature is correct. If the first identity is different from the second identity, it can be determined that the second installation package has been tampered with and the first digital signature is wrong.
  • the method for verifying the second digital signature is similar to the method for verifying the first digital signature.
  • the description of the first digital signature verification method shown in FIG. 6 will not be repeated here.
  • an embodiment of the present invention provides an application program processing apparatus, and the apparatus may include:
  • a first installation package obtaining module 301 configured to obtain a compressed first installation package of a compiled application program
  • a first installation package decompression module 302 configured to decompress the first installation package obtained by the first installation package acquisition module 301 to obtain at least one application file;
  • a first checksum operation module 303 configured to perform a checksum operation on at least one application program file obtained by the first installation package decompression module 302;
  • a check file generating module 304 configured to store the checksum obtained by the first checksum operation module 303 in a checksum operation into a check file;
  • An application compression module 305 is configured to compress and package a verification file in which the verification file generation module 304 stores a checksum and at least one application file obtained by the first installation package decompression module 302 to obtain a second installation. package;
  • An installation package signature module 306 is configured to add a first digital signature to the second installation package obtained by the application compression module 305.
  • the first installation package obtaining module 301 may be used to perform step 101 in the foregoing method embodiment, and the first installation package decompression module 302 may be used to perform step 102 in the foregoing method embodiment, and the first verification The sum operation module 303 may be used to perform step 103 in the foregoing method embodiment, the verification file generation module 304 may be used to perform step 104 in the foregoing method embodiment, and the application compression module 305 may be used to perform step 105 in the foregoing method embodiment.
  • the installation package signature module 306 may be configured to perform step 106 in the foregoing method embodiment.
  • the first installation package decompression module 302 includes:
  • a decompression unit 3021 configured to decompress the first installation package
  • a screening unit 3022 is configured to determine a noise file from the files obtained by decompressing the first installation package by the decompression unit 3021, and determine the files decompressed from the first installation package other than the noise files as at least one An application file, where the noise file is a file that is not related to the implementation of the function of the application, and at least one application file is a file that is related to the implementation of the function of the application.
  • the decompression unit 3021 may be configured to perform step 1021 in the foregoing method embodiment, and the screening unit 3022 may be configured to perform step 1022 in the foregoing method embodiment.
  • the application processing apparatus may further include: a verification file signature module 307;
  • a verification file signature module 307 configured to add a second digital signature to the verification file obtained by the verification file generation module 304;
  • the application compression module 305 is configured to compress and package at least one application file obtained by the verification file signature module 307 with the second digital signature and the first installation package decompression module 302, to obtain a second Installation package.
  • the installation package signature module 306 may include:
  • a first hash operation unit 3061 configured to perform a hash operation on the second installation package by using a hash algorithm to obtain a first identity corresponding to the second installation package;
  • An identity encryption unit 3062 configured to encrypt the first identity obtained by the first hash operation unit 3061 by using a private key to obtain an encrypted identity
  • a PKI object generating unit 3063 configured to generate a public key infrastructure PKI object corresponding to the private key and including the encrypted identity obtained by the identity encryption unit 3062;
  • a PKI object embedding unit 3064 is configured to embed the PKI object generated by the PKI object generating unit 3063 into the second installation package.
  • the first hash operation unit 3061 may be used to execute step 1061 in the foregoing method embodiment
  • the identification encryption unit 3062 may be used to execute step 1062 in the foregoing method embodiment
  • the PKI object generation unit 3063 may be used to execute In step 1063 in the foregoing method embodiment
  • the PKI object embedding unit 3064 may be configured to execute step 1064 in the foregoing method embodiment.
  • the application processing apparatus provided in each of the foregoing embodiments may be used to publish an application, and each module included in the application processing apparatus may perform steps in the foregoing embodiment of an application processing method, and may further
  • the second installation package with the first digital signature added is stored in an application library, and then the application corresponding to the second installation package is released through an automatic deployment tool, where the automatic deployment tool may be Jenkins.
  • an embodiment of the present invention provides an application deployment device, and the device may include:
  • a second installation package obtaining module 401 configured to obtain a second installation package added with a first digital signature
  • An installation package signature verification module 402 configured to verify whether the first digital signature added to the second installation package obtained by the second installation package acquisition module 401 is correct,
  • a second installation package decompression module 403, configured to decompress the second installation package when the installation package signature verification module 402 verifies that the first digital signature is correct, to obtain a verification file and at least one application file;
  • a second checksum operation module 404 configured to perform a checksum operation on at least one application program obtained by the second installation package decompression module 403;
  • a checksum verification module 405 is used to determine that the checksum obtained by the second checksum calculation module 404 performs a checksum operation corresponding to the checksum stored in the check file obtained by the second installation package decompression module 403. Checksums are all the same;
  • An application deployment module 406 is configured to install an application on a terminal device by using a second installation package when the judgment result of the checksum verification module 405 is yes;
  • An installation package status confirmation module 407 is configured to determine that the second installation package has been tampered with when the installation package signature verification module 402 verifies that the first digital signature is incorrect, or when the judgment result of the checksum verification module 405 is no.
  • the second installation package obtaining module 401 may be used to perform step 201 in the foregoing method embodiment, and the installation package signature verification module 402 may be used to perform step 202 in the foregoing method embodiment, and the second installation package is decompressed.
  • the module 403 may be used to perform step 203 in the foregoing method embodiment, the second checksum calculation module 404 may be used to perform step 204 in the foregoing method embodiment, and the checksum verification module 405 may be used to perform step in the foregoing method embodiment. 205.
  • the application deployment module 406 may be configured to perform step 206 in the foregoing method embodiment, and the installation package status confirmation module 407 may be configured to perform step 207 in the foregoing method embodiment.
  • the application deployment device may further include: a verification file signature verification module 408;
  • the verification file signature verification module 408 is configured to verify whether the second digital signature is correct when the verification file decompressed by the second installation package decompression module 403 is added with a second digital signature;
  • the installation package status confirmation module 407 is further configured to determine that the second installation package has been tampered with when the verification file signature verification module 408 verifies that the second digital signature is incorrect.
  • the verification file signature verification module 408 may be configured to perform step 208 in the foregoing method embodiment.
  • the application deployment device includes an installation package status confirmation module 407
  • the verification file signature verification module 408 determines that the second digital signature is correct
  • the second checksum calculation module 404 starts to perform the second installation package.
  • Each of the at least one application acquired by the decompression module 403 performs a checksum operation separately to obtain a checksum corresponding to each application file.
  • the installation package signature verification module 402 may include:
  • a PKI object obtaining unit 4021 configured to obtain a PKI object embedded in the second installation package
  • An identity decryption unit 4022 configured to decrypt the encrypted identity included in the PKI object by using the public key corresponding to the PKI object obtained by the PKI object obtaining unit 4021 to obtain a first identity
  • a second hash operation unit 4023 configured to perform a hash operation on the second installation package by using a hash algorithm to obtain a second identity corresponding to the second installation package;
  • An identity comparison unit 4024 is configured to determine whether the first identity obtained by the identity decryption unit 4022 and the second identity obtained by the second hash operation unit 4023 are the same. If yes, determine that the first digital signature is correct, otherwise Determine the first digital signature is wrong.
  • the PKI object obtaining unit 4021 may be used to execute step 2021 in the foregoing method embodiment
  • the identity decryption unit 4022 may be used to execute step 2022 in the foregoing method embodiment
  • the second hash operation unit 4023 may be used to execute In step 2023 in the foregoing method embodiment
  • the identification comparison unit 4024 may be used to execute step 2024 in the foregoing method embodiment.
  • an embodiment of the present invention provides an application program processing apparatus, including: at least one memory 501 and at least one processor 502;
  • At least one memory 501 for storing a machine-readable program
  • the at least one processor 502 is configured to call a machine-readable program stored in the at least one memory 501 and execute each step in the foregoing application program processing method embodiment.
  • an embodiment of the present invention provides an application program deployment apparatus, including: at least one memory 601 and at least one processor 602;
  • At least one processor 602 is configured to call a machine-readable program stored in at least one memory 601 and execute each step in the foregoing application program deployment method embodiment.
  • the present invention also provides a computer-readable medium storing instructions for causing a machine to execute an application program processing method or an application program deployment method as described herein.
  • a system or device equipped with a storage medium may be provided, on which software program code that implements the functions of any of the above embodiments is stored, and a computer (or CPU or MPU) of the system or device is stored ) Read out and execute the program code stored in the storage medium.
  • the program code itself read from the storage medium can implement the functions of any one of the above-mentioned embodiments, so the program code and the storage medium storing the program code constitute a part of the present invention.
  • Examples of storage media for providing program code include floppy disks, hard disks, magneto-optical disks, optical disks (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD + RW), Magnetic tape, non-volatile memory card and ROM.
  • the program code may be downloaded from a server computer by a communication network.
  • the program code read from the storage medium is written into a memory provided in an expansion board inserted into the computer or into a memory provided in an expansion unit connected to the computer, and then based on the program code
  • the instructions cause the CPU and the like installed on the expansion board or the expansion unit to perform part and all of the actual operations, thereby realizing the functions of any one of the above embodiments.
  • the execution order of each step is not fixed and can be adjusted as needed.
  • the system structure described in the above embodiments may be a physical structure or a logical structure, that is, some modules may be implemented by the same physical entity, or some modules may be implemented by multiple physical entities, or may be implemented by multiple Some components in separate devices are implemented together.
  • the hardware unit may be implemented mechanically or electrically.
  • a hardware unit may include permanently dedicated circuits or logic (such as a dedicated processor, FPGA or ASIC) to perform the corresponding operations.
  • the hardware unit may also include programmable logic or circuits (such as general-purpose processors or other programmable processors), which may be temporarily set by software to complete the corresponding operations.
  • the specific implementation manner mechanical manner, or a dedicated permanent circuit, or a temporarily set circuit

Abstract

Provided in the present invention are a method and apparatus for processing and deploying an application program, and a machine-readable medium. The method for processing an application program comprises: acquiring a first installation package of the compressed compiled application program; decompressing the first installation package to acquire at least one application program file; performing a checksum operation on the at least one application program file; storing the checksum obtained by the checksum operation in a check file; compressing and packaging the check file and the at least one application program to acquire a second installation package; and adding a first digital signature to the second installation package. The present solution can improve the security of deploying an application program on a terminal device.

Description

应用程序处理和部署的方法、装置及计算机可读介质Application program processing and deployment method, device and computer-readable medium 技术领域Technical field
本发明涉及计算机应用程序技术领域,尤其涉及应用程序处理和部署的方法、装置及计算机可读介质。The present invention relates to the technical field of computer application programs, and in particular, to a method, an apparatus, and a computer-readable medium for processing and deploying application programs.
背景技术Background technique
随着物联网技术的不断发展与进步,应用于物联网技术领域的终端设备的性能不断升级,通过在终端设备上部署应用程序,使得终端设备可以与云平台进行信息交互,从而使超大规模物联网应用成为可能。为了方便对终端设备的应用程序进行统一管理,将开发完成的应用程序的安装包存储到应用程序库中,当需要在一个终端设备上部署应用程序时,从应用程序库中下载相对应的应用程序安装包,进而利用下载的应用程序安装包在终端设备上部署应用程序。With the continuous development and progress of the Internet of Things technology, the performance of terminal devices used in the field of Internet of Things technology is constantly upgraded. By deploying applications on terminal devices, the terminal devices can interact with the cloud platform for information, thereby enabling ultra-large-scale Internet of Things. Application becomes possible. In order to facilitate the unified management of application programs on the terminal device, the installation package of the developed application program is stored in the application library. When the application program needs to be deployed on a terminal device, the corresponding application is downloaded from the application library A program installation package, and then use the downloaded application installation package to deploy an application on a terminal device.
应用程序安装包被从应用程序库下载后,该应用程序安装包可能会被恶意篡改,如果利用已经被恶意篡改的应用程序安装包在终端设备上部署应用程序,所部署的应用程序可能会使终端设备执行恶意动作,进而造成人身伤害、财产损失等十分严重的后果。因此,现有在终端设备上部署应用程序的安全性较低。After the application installation package is downloaded from the application library, the application installation package may be maliciously tampered with. If the application installation package that has been maliciously tampered with is used to deploy the application on the terminal device, the deployed application may cause The terminal device performs malicious actions, which causes very serious consequences such as personal injury and property damage. Therefore, the existing applications deployed on terminal devices have lower security.
发明内容Summary of the Invention
有鉴于此,本发明提供的应用程序处理和部署的方法、装置及计算机可读介质,能够提高在终端设备上部署应用程序的安全性。In view of this, the method, device, and computer-readable medium for processing and deploying applications provided by the present invention can improve the security of deploying applications on terminal devices.
第一方面,本发明实施例提供了一种应用程序处理方法,包括:In a first aspect, an embodiment of the present invention provides an application program processing method, including:
获取经过编译的应用程序压缩后的第一安装包;Get the first compressed installation package of the compiled application;
对所述第一安装包进行解压缩,获得至少一个应用程序文件;Decompressing the first installation package to obtain at least one application file;
对所述至少一个应用程序文件进行校验和运算;Performing a checksum operation on the at least one application file;
将校验和运算得到的校验和存储到一个校验文件中;Store the checksum obtained by the checksum operation in a check file;
对所述校验文件和所述至少一个应用程序文件进行压缩打包,获得第二安装包;Compressing and packaging the verification file and the at least one application program file to obtain a second installation package;
为所述第二安装包添加第一数字签名。Adding a first digital signature to the second installation package.
对经过编译并压缩而成的第一安装包进行加压缩后,对解压缩出的各个应用程序文件进行校验和运算,将校验和运算获取到校验和存储到校验文件之后,对校验文件和各个应用程 序文件进行压缩打包,获得第二安装包,之后为第二安装包添加第一数字签名。当需要在终端设备上部署应用程序时,获取添加有第一数字签名的第二安装包,可以根据第一数字签名和校验文件中存储的校验和对第二安装包进行双重验证,以确定第二安装包是否被篡改,进而在确定第二安装包没有被篡改后利用第二安装包在终端设备上部署应用程序,保证部署在终端设备上的应用程序不会执行恶意动作,从而可以提高在终端设备上部署应用程序的安全性。After compiling and compressing the first installation package that is compiled and compressed, checksum calculation is performed on each decompressed application file, and after the checksum operation is obtained and the checksum is stored in the checkfile, the The verification file and each application file are compressed and packaged to obtain a second installation package, and then a first digital signature is added to the second installation package. When an application needs to be deployed on a terminal device, a second installation package with a first digital signature added is obtained, and the second installation package can be double-validated according to the checksum stored in the first digital signature and the verification file to Determine whether the second installation package has been tampered with, and then use the second installation package to deploy the application on the terminal device after determining that the second installation package has not been tampered with, and ensure that the application deployed on the terminal device does not perform malicious actions, so that Improve the security of deploying applications on end devices.
可选地,所述对所述第一安装包进行解压缩,获得至少一个应用程序文件,包括:Optionally, the decompressing the first installation package to obtain at least one application file includes:
对所述第一安装包进行解压缩;Decompressing the first installation package;
从对所述第一安装包进行解压缩获得的文件中确定噪声文件,将除所述噪声文件之外的其他从所述第一安装包解压缩出的文件确定为所述至少一个应用程序文件,其中,所述噪声文件为与所述应用程序的功能实现无关的文件,所述至少一个应用程序文件为与所述应用程序的功能实现相关的文件。Determine a noise file from a file obtained by decompressing the first installation package, and determine a file decompressed from the first installation package other than the noise file as the at least one application file Wherein, the noise file is a file unrelated to the function implementation of the application program, and the at least one application file is a file related to the function implementation of the application program.
对第一安装包进行解压缩后,从解压缩出的各个文件中去除噪声文件,将去除噪声文件之后剩余的其他文件确定为应用程序文件,由于噪声文件与应用程序的功能实现无关,在第二安装包中仅包括校验文件和应用程序文件而不包括噪声文件,一方面可以减少需要进行校验和运算的文件的个数,从而可以提高生成第二安装包的效率,另一方面在部署应用程序时也可以减少需要进行校验和运算的文件的个数,从而可以提高部署应用程序的效率。After the first installation package is decompressed, noise files are removed from each of the decompressed files, and other files remaining after the noise files are removed are determined as application files. Since the noise files are not related to the function implementation of the application, The second installation package includes only check files and application files and does not include noise files. On the one hand, the number of files that need to be checked and calculated can be reduced, which can improve the efficiency of generating the second installation package. On the other hand, When deploying an application, you can also reduce the number of files that need to be checked and calculated, which can improve the efficiency of deploying the application.
可选地,在所述对所述校验文件和所述至少一个应用程序文件进行压缩打包之前,进一步包括:为所述校验文件添加第二数字签名;相应地,所述对所述校验文件和所述至少一个应用程序文件进行压缩打包,包括:对添加了所述第二数字签名的所述校验文件和所述至少一个应用程序文件进行压缩打包,获得所述第二安装包。Optionally, before the compressing and packaging the verification file and the at least one application file, the method further includes: adding a second digital signature to the verification file; and correspondingly, verifying the calibration file. Compressing and packaging the verification file and the at least one application file include: compressing and packaging the verification file and the at least one application file to which the second digital signature is added to obtain the second installation package .
通过为校验文件添加第二数字签名,在利用第二安装包部署应用程序时,还需要验证第二数字签名是否正确,进而保证校验文件中存储的校验和没有被篡改,从而可以进一步提升在终端设备上部署应用程序的安全性。By adding a second digital signature to the verification file, when deploying the application using the second installation package, it is also necessary to verify whether the second digital signature is correct, thereby ensuring that the checksum stored in the verification file has not been tampered with, which can further Improved security for deploying applications on end devices.
可选地,所述为所述第二安装包添加第一数字签名,包括:Optionally, the adding a first digital signature to the second installation package includes:
通过哈希算法对所述第二安装包进行哈希运算,获得所述第二安装包对应的第一身份标识;Performing a hash operation on the second installation package by using a hash algorithm to obtain a first identity corresponding to the second installation package;
通过一个私钥对所述第一身份标识进行加密,获得加密身份标识;Encrypting the first identity by using a private key to obtain an encrypted identity;
生成与所述私钥相对应且包括有所述加密身份标识的公钥基础设施PKI对象;Generating a public key infrastructure PKI object corresponding to the private key and including the encrypted identity;
将所述PKI对象嵌入到所述第二安装包中。The PKI object is embedded in the second installation package.
通过对第二安装包进行哈希运算获得第一身份标识,通过私钥对第一身份标识进行加密 获得加密身份标识,进而在第二安装包中嵌入包括加密身份标识的PKI对象,由于不法人员无法获取到私钥,从而无法对第一身份标识进行伪造,保证在应用程序部署时可以根据第一身份标识准确判断第二安装包是否为篡改,从而可以保证利用第二安装包所部署应用程序的安全性。The first identity is obtained by hashing the second installation package, and the encrypted identity is obtained by encrypting the first identity through the private key, and then the PKI object including the encrypted identity is embedded in the second installation package. The private key cannot be obtained, so the first identity cannot be forged, and it is guaranteed that when the application is deployed, the second installation package can be accurately judged based on the first identity, so that the application deployed by the second installation package can be guaranteed Security.
第二方面,本发明实施例还提供了一种应用程序部署方法,包括:In a second aspect, an embodiment of the present invention further provides an application program deployment method, including:
S1:获取添加有第一数字签名的第二安装包;S1: Obtain a second installation package added with a first digital signature;
S2:验证所述第一数字签名是否正确,如果是,执行S3,否则执行S7;S2: verify whether the first digital signature is correct, if yes, execute S3, otherwise execute S7;
S3:对所述第二安装包进行解压缩,获得一个校验文件和至少一个应用程序文件;S3: Decompress the second installation package to obtain a verification file and at least one application program file;
S4:对所述至少一个应用程序文件进行校验和运算;S4: performing a checksum operation on the at least one application file;
S5:判断校验和运算得到的校验和与所述校验文件中存储的相对应的校验和是否全部相同,如果是,执行S6,否则执行S7;S5: Determine whether the checksum obtained by the checksum operation is the same as the corresponding checksum stored in the check file, if yes, execute S6, otherwise execute S7;
S6:利用所述第二安装包在一个终端设备上部署应用程序,并结束当前流程;S6: deploy the application on a terminal device by using the second installation package, and end the current process;
S7:确定所述第二安装包已经被篡改。S7: Determine that the second installation package has been tampered with.
在获取到添加有第一数字签名的第二安装包后,首先验证第一数字签名是否正确,在第一签字签名正确的前提下进而对第二安装包进行加压缩,获得校验文件和各个应用程序文件,之后对应用程序文件进行校验和运算获得相对应的校验和,之后将获得的校验和与校验文件中存储的校验和进行比对,判断获取到的所有校验和是否与校验文件中相应的校验和全部相同,如果是,利用第二安装包在终端设备上部署应用程序,否则确定第二安装包已经被篡改。通过第一数字签名和校验文件存储的校验和对第二安装包进行双重验证,在确定第二安装包没有被篡改后利用第二安装包在终端设备上部署应用程序,保证所部署的应用程序不会执行恶意动作,从而可以提高在终端设备上部署应用程序的安全性。After obtaining the second installation package added with the first digital signature, first verify whether the first digital signature is correct, and on the premise that the first signature is correct, the second installation package is further compressed to obtain a verification file and each The application file, and then checksum operation is performed on the application file to obtain the corresponding checksum, and then the obtained checksum is compared with the checksum stored in the check file to determine all the obtained checksums Whether it is the same as the corresponding checksum in the check file. If so, use the second installation package to deploy the application on the terminal device; otherwise, determine that the second installation package has been tampered with. Double verification is performed on the second installation package through the checksum stored in the first digital signature and the verification file. After determining that the second installation package has not been tampered with, the second installation package is used to deploy the application on the terminal device to ensure that the deployed Applications do not perform malicious actions, which can improve the security of deploying applications on end devices.
可选地,当所述校验文件添加有第二数字签名时,在所述S3与所述S4之间进一步包括:Optionally, when a second digital signature is added to the verification file, further including between the S3 and the S4:
验证所述第二数字签名是否正确,如果是,执行S4,否则执行S7。Verify whether the second digital signature is correct, if yes, execute S4, otherwise execute S7.
当从第二安装包解压缩出的校验文件添加有第二数字签名时,在验证第一数字签名正确后,紧接着验证第二数字签名是否正确,如果第二数字签名正确则利用校验文件验证各个应用程序文件是否被篡改。通过验证第二数字签名是否正确可以确定校验文件是否为篡改,保证在利用校验文件存储的校验和验证各个应用程序文件是否为篡改的结果的准确性。在利用第二安装包部署应用程序之前对第二安装包进行三重验证,可以进一步提高在终端设备上部署应用程序的安全性。When the second digital signature is added to the verification file decompressed from the second installation package, after verifying that the first digital signature is correct, then verify that the second digital signature is correct. If the second digital signature is correct, use the verification Files verify that individual application files have not been tampered with. By verifying whether the second digital signature is correct, it can be determined whether the verification file is tampered, and the accuracy of verifying whether each application file is tampered is verified by using the checksum stored in the verification file. Performing triple verification on the second installation package before using the second installation package to deploy the application can further improve the security of deploying the application on the terminal device.
可选地,所述验证所述第一数字签名是否正确,包括:Optionally, the verifying whether the first digital signature is correct includes:
获取嵌入在所述第二安装包中的PKI对象;Obtaining a PKI object embedded in the second installation package;
通过与所述PKI对象相对应的公钥对所述PKI对象包括的加密身份标识进行解密,获得第一身份标识;Decrypting the encrypted identity included in the PKI object by using a public key corresponding to the PKI object to obtain a first identity;
通过哈希算法对所述第二安装包进行哈希运算,获得所述第二安装包对应的第二身份标识;Performing a hash operation on the second installation package by using a hash algorithm to obtain a second identity corresponding to the second installation package;
判断所述第一身份标识与所述第二身份标识是否相同,如果是,确定所述第一数字签名正确,否则确定所述第一数字签名错误。Determine whether the first identity is the same as the second identity, and if so, determine that the first digital signature is correct; otherwise, determine that the first digital signature is incorrect.
从嵌入在第二安装包中的PKI对象中获取到加密身份标识后,通过相对应的公钥对加密身份标识进行解密,获得第一身份标识,其中第一身份标识为通过对未被篡改的第二安装包进行哈希运算而获得。之后对获取到的第二安装包进行哈希运算,获得第二身份标识,如果第二身份标识与第一身份标识相同,说明第二安装包没有被篡改,确定第一数字标签正确,如果第二身份标识用户第一身份标识不同,说明第二安装包已经被篡改,确定第一数字标签错误。通过验证第一数字标签的正确性,可以确保第二安装包的完整性和一致性。After obtaining the encrypted identity from the PKI object embedded in the second installation package, the encrypted identity is decrypted by using the corresponding public key to obtain the first identity, where the first identity is obtained by un-tampered The second installation package is obtained by performing a hash operation. Then perform a hash operation on the obtained second installation package to obtain a second identity. If the second identity is the same as the first identity, it means that the second installation package has not been tampered with, and it is determined that the first digital label is correct. The second identity user has a different first identity, indicating that the second installation package has been tampered with, and it is determined that the first digital label is incorrect. By verifying the correctness of the first digital label, the integrity and consistency of the second installation package can be ensured.
第三方面,本发明实施例还提供了一种应用程序处理装置,包括:According to a third aspect, an embodiment of the present invention further provides an application program processing apparatus, including:
一个第一安装包获取模块,用于获取经过编译的应用程序压缩后的第一安装包;A first installation package obtaining module, configured to obtain a compressed first installation package of a compiled application program;
一个第一安装包解压缩模块,用于对所述第一安装包获取模块获取到的所述第一安装包进行解压缩,获得至少一个应用程序文件;A first installation package decompression module, configured to decompress the first installation package obtained by the first installation package acquisition module to obtain at least one application program file;
一个第一校验和运算模块,用于对所述第一安装包解压缩模块获取到的所述至少一个应用程序文件进行校验和运算;A first checksum operation module, configured to perform a checksum operation on the at least one application file obtained by the first installation package decompression module;
一个校验文件生成模块,用于将所述第一校验和运算模块进行校验和运算得到的所述校验和存储到一个校验文件中;A check file generating module, configured to store the checksum obtained by performing the checksum operation by the first checksum calculation module into a check file;
一个应用程序压缩模块,用于对所述校验文件生成模块存储了校验和的所述校验文件和所述第一安装包解压缩模块获取到的所述至少一个应用程序文件进行压缩打包,获得第二安装包;An application compression module is configured to compress and package the verification file in which the verification file generation module stores a checksum and the at least one application file obtained by the first installation package decompression module. To obtain the second installation package;
一个安装包签名模块,用于为所述应用程序压缩模块获取到的所述第二安装包添加第一数字签名。An installation package signature module is configured to add a first digital signature to the second installation package obtained by the application compression module.
可选地,所述第一安装包解压缩模块包括:Optionally, the first installation package decompression module includes:
一个解压缩单元,用于对所述第一安装包进行解压缩;A decompression unit, configured to decompress the first installation package;
一个筛选单元,用于从所述解压缩单元对所述第一安装包进行解压缩获得的文件中确定噪声文件,将除所述噪声文件之外的其他从所述第一安装包解压缩出的文件确定为所述至少 一个应用程序文件,其中,所述噪声文件为与所述应用程序的功能实现无关的文件,所述至少一个应用程序文件为与所述应用程序的功能实现相关的文件。A screening unit, configured to determine a noise file from a file obtained by decompressing the first installation package by the decompression unit, and decompress other than the noise file from the first installation package Is determined to be the at least one application program file, wherein the noise file is a file that is not related to the function implementation of the application program, and the at least one application file is a file that is related to the function implementation of the application program .
可选地,该应用程序处理装置进一步包括:一个校验文件签名模块;Optionally, the application processing apparatus further includes: a verification file signature module;
所述校验文件签名模块,用于为所述校验文件生成模块获取到的所述校验文件添加第二数字签名;The verification file signature module is configured to add a second digital signature to the verification file obtained by the verification file generation module;
所述应用程序压缩模块,用于对经过所述校验文件签名模块添加了所述第二数字签名的所述校验文件和所述第一安装包解压缩模块获取到的所述至少一个应用程序文件进行压缩打包,获得所述第二安装包。The application compression module is configured to add the second digital signature to the verification file and the at least one application obtained by the first installation package decompression module after the verification file signature module. The program file is compressed and packed to obtain the second installation package.
可选地,所述安装包签名模块包括:Optionally, the installation package signature module includes:
一个第一哈希运算单元,用于通过哈希算法对所述第二安装包进行哈希运算,获得所述第二安装包对应的第一身份标识;A first hash operation unit, configured to perform a hash operation on the second installation package by using a hash algorithm to obtain a first identity corresponding to the second installation package;
一个标识加密单元,用于通过一个私钥对所述第一哈希运算单元获取到的所述第一身份标识进行加密,获得加密身份标识;An identity encryption unit, configured to encrypt the first identity obtained by the first hash operation unit by using a private key to obtain an encrypted identity;
一个PKI对象生成单元,用于生成与所述私钥相对应且包括有所述标识加密单元获取到的所述加密身份标识的公钥基础设施PKI对象;A PKI object generating unit, configured to generate a public key infrastructure PKI object corresponding to the private key and including the encrypted identity obtained by the identity encryption unit;
一个PKI对象嵌入单元,用于将所述PKI对象生成单元生成的所述PKI对象嵌入到所述第二安装包中。A PKI object embedding unit is configured to embed the PKI object generated by the PKI object generating unit into the second installation package.
第四方面,本发明实施例还提供了一种应用程序部署装置,包括:In a fourth aspect, an embodiment of the present invention further provides an application program deployment apparatus, including:
一个第二安装包获取模块,用于获取添加有第一数字签名的第二安装包;A second installation package obtaining module, configured to obtain a second installation package added with a first digital signature;
一个安装包签名验证模块,用于验证所述第二安装包获取模块获取到的所述第二安装包中添加的所述第一数字签名是否正确,An installation package signature verification module, configured to verify whether the first digital signature added to the second installation package obtained by the second installation package acquisition module is correct,
一个第二安装包解压缩模块,用于在所述安装包签名验证模块验证所述第一数字签名正确时,对所述第二安装包进行解压缩,获得一个校验文件和至少一个应用程序文件;A second installation package decompression module, configured to decompress the second installation package to obtain a verification file and at least one application program when the installation package signature verification module verifies that the first digital signature is correct. file;
一个第二校验和运算模块,用于对所述第二安装包解压缩模块获取到的所述至少一个应用程序进行校验和运算;A second checksum operation module, configured to perform a checksum operation on the at least one application program obtained by the second installation package decompression module;
一个校验和验证模块,用于判断所述第二校验和运算模块进行校验和运算得到的校验和与所述第二安装包解压缩模块获取到的所述校验文件中存储的相对应的校验和是否全部相同;A checksum verification module, configured to determine a checksum obtained by the second checksum operation module performing a checksum operation and a checksum stored in the check file obtained by the second installation package decompression module. Whether the corresponding checksums are all the same;
一个应用程序部署模块,用于在所述校验和验证模块的判断结果为是时,利用所述第二安装包在一个终端设备上安装应用程序;An application deployment module, configured to use the second installation package to install an application on a terminal device when the judgment result of the checksum verification module is yes;
一个安装包状态确认模块,用于在所述安装包签名验证模块验证所述第一数字签名错误时,或者所述校验和验证模块的判断结果为否时,确定所述第二安装包已经被篡改。An installation package status confirmation module, configured to determine that the second installation package has been completed when the installation package signature verification module verifies that the first digital signature is incorrect, or when the judgment result of the checksum verification module is no. Tampered.
可选地,该应用程序部署装置进一步包括:一个校验文件签名验证模块;Optionally, the application deployment device further includes: a check file signature verification module;
所述校验文件签名验证模块,用于在所述第二安装包解压缩模块解压缩出的所述校验文件添加有第二数字签名时,验证所述第二数字签名是否正确;The verification file signature verification module is configured to verify whether the second digital signature is correct when the verification file decompressed by the second installation package decompression module is added with a second digital signature;
所述安装包状态确认模块,进一步用于在所述校验文件签名验证模块验证所述第二数字签名错误时,确定所述第二安装包已经被篡改。The installation package status confirmation module is further configured to determine that the second installation package has been tampered with when the verification file signature verification module verifies that the second digital signature is incorrect.
可选地,所述安装包签名验证模块包括:Optionally, the installation package signature verification module includes:
一个PKI对象获取单元,用于获取嵌入在所述第二安装包中的PKI对象;A PKI object obtaining unit, configured to obtain a PKI object embedded in the second installation package;
一个标识解密单元,用于通过与所述PKI对象获取单元获取到的所述PKI对象相对应的公钥对所述PKI对象包括的加密身份标识进行解密,获得第一身份标识;An identity decryption unit, configured to decrypt the encrypted identity included in the PKI object by using a public key corresponding to the PKI object obtained by the PKI object obtaining unit to obtain a first identity;
一个第二哈希运算单元,用于通过哈希算法对所述第二安装包进行哈希运算,获得所述第二安装包对应的第二身份标识;A second hash operation unit, configured to perform a hash operation on the second installation package by using a hash algorithm to obtain a second identity corresponding to the second installation package;
一个标识比对单元,用于判断所述标识解密单元获取到的所述第一身份标识与所述第二哈希运算单元获取到的所述第二身份标识是否相同,如果是,确定所述第一数字签名正确,否则确定所述第一数字签名错误。An identity comparison unit, configured to determine whether the first identity obtained by the identity decryption unit and the second identity obtained by the second hash operation unit are the same, and if yes, determining the The first digital signature is correct, otherwise it is determined that the first digital signature is incorrect.
第五方面,本发明实施例还提供了一种应用程序处理装置,包括:至少一个存储器和至少一个处理器;In a fifth aspect, an embodiment of the present invention further provides an application program processing apparatus, including: at least one memory and at least one processor;
所述至少一个存储器,用于存储机器可读程序;The at least one memory is configured to store a machine-readable program;
所述至少一个处理器,用于调用所述机器可读程序,执行上述第一方面或第一方面的任一可实现方式所提供的方法。The at least one processor is configured to call the machine-readable program and execute the method provided by the first aspect or any implementation manner of the first aspect.
存储器中存储有机器可读程序,处理器通过调用存储器中存储的机器可读程序,可执行上述第一方面或第一方面的任意一种可实现方式提供的方法,压缩打包获得包括有校验文件和应用程序文件的第二安装包,并为第二安装包添加第一数字签名,当需要在终端设备上部署应用程序时,获取添加有第一数字签名的第二安装包,可以根据第一数字签名和校验文件中存储的校验和对第二安装包进行双重验证,以确定第二安装包是否被篡改,进而在确定第二安装包没有被篡改后利用第二安装包在终端设备上部署应用程序,保证部署在终端设备上的应用程序不会执行恶意动作,从而可以提高在终端设备上部署应用程序的安全性。A machine-readable program is stored in the memory. The processor can execute the method provided in the first aspect or any one of the implementable methods of the first aspect by calling the machine-readable program stored in the memory. File and the second installation package of the application file, and add a first digital signature to the second installation package. When the application needs to be deployed on the terminal device, the second installation package with the first digital signature added can be obtained according to the first A digital signature and a checksum stored in a verification file double-check the second installation package to determine whether the second installation package has been tampered with, and then determine that the second installation package has not been tampered with, and then use the second installation package on the terminal. The application is deployed on the device to ensure that the application deployed on the terminal device does not perform malicious actions, thereby improving the security of the application deployed on the terminal device.
第六方面,本发明实施例还提供了一种应用程序部署装置,包括:至少一个存储器和至 少一个处理器;According to a sixth aspect, an embodiment of the present invention further provides an application program deployment apparatus, including: at least one memory and at least one processor;
所述至少一个存储器,用于存储机器可读程序;The at least one memory is configured to store a machine-readable program;
所述至少一个处理器,用于调用所述机器可读程序,执行述第二方面或第二方面的任一可实现方式所提供的方法。The at least one processor is configured to call the machine-readable program and execute the method provided in the second aspect or any implementation manner of the second aspect.
存储器中存储有机器可读程序,处理器通过调用存储器中存储的机器可读程序,可执行上述第二方面或第二方面的任意一种可实现方式提供的方法,通过第一数字签名和校验文件存储的校验和对第二安装包进行双重验证,在确定第二安装包没有被篡改后利用第二安装包在终端设备上部署应用程序,保证所部署的应用程序不会执行恶意动作,从而可以提高在终端设备上部署应用程序的安全性。A machine-readable program is stored in the memory, and the processor can execute the method provided in the second aspect or any one of the implementable manners of the second aspect by calling the machine-readable program stored in the memory. The second installation package is double-checked by checking the checksum stored in the file. After determining that the second installation package has not been tampered with, the second installation package is used to deploy the application on the terminal device to ensure that the deployed application does not perform malicious actions. , Which can improve the security of deploying applications on terminal devices.
第七方面,本发明实施例还提供了一种计算机可读介质,计算机可读介质上存储有计算机指令,计算机指令在被处理器执行时,使处理器执行上述第一方面、第二方面、第一方面的任一种可能的实现方式或第二方面的任一种可能的实现方式所提供的方法。According to a seventh aspect, an embodiment of the present invention further provides a computer-readable medium. The computer-readable medium stores computer instructions. When the computer instructions are executed by the processor, the processor causes the processor to execute the foregoing first aspect, second aspect, The method provided by any one possible implementation manner of the first aspect or any one possible implementation manner of the second aspect.
机器可读介质上存储有计算机指令,当计算机指令被处理执行时,处理器会执行上述第一方面或第一方面的任一种可能的实现方式所提供的应用程序处理方法,或者执行上述第二方面或第二方面的任一种可能的实现方式所提供的应用程序部署方法,以在根据第二安装包在终端设备上部署应用程序之前,通过第一数字签名和校验文件存储的校验和对第二安装包进行双重验证,在确定第二安装包没有被篡改后利用第二安装包在终端设备上部署应用程序,保证所部署的应用程序不会执行恶意动作,从而可以提高在终端设备上部署应用程序的安全性。Computer instructions are stored on the machine-readable medium. When the computer instructions are processed and executed, the processor executes the application processing method provided by the first aspect or any possible implementation manner of the first aspect, or executes the first The application deployment method provided by the second aspect or any one of the possible implementation manners of the second aspect, before the application is deployed on the terminal device according to the second installation package, the first digital signature and the verification of the stored file are verified. Check and double-check the second installation package. After determining that the second installation package has not been tampered with, use the second installation package to deploy the application on the terminal device to ensure that the deployed application does not perform malicious actions, which can improve the Security of applications deployed on end devices.
本发明实施例提供的应用程序处理和部署方法、装置及计算机可读介质,通过为安装包添加数字签名和在安装包中加入存储有校验和的校验文件,在利用安装包在终端设备上部署应用程序之前,可以对安装包进行多重验证,以保证安装包的完整性和一致性,从而保证利用安装包所部署应用程序的安全性,该方案不受应用程序编程语言和平台的限制,具有较强的适用性。The application processing and deployment method, device, and computer-readable medium provided by the embodiments of the present invention include adding a digital signature to the installation package and adding a verification file storing a checksum to the installation package. Before the application is deployed, multiple verifications can be performed on the installation package to ensure the integrity and consistency of the installation package, thereby ensuring the security of the application deployed by the installation package. This solution is not limited by the application programming language and platform , Has strong applicability.
附图说明BRIEF DESCRIPTION OF THE DRAWINGS
图1是本发明一个实施例提供的一种应用程序处理方法的流程图;FIG. 1 is a flowchart of an application program processing method according to an embodiment of the present invention; FIG.
图2是本发明一个实施例提供的一种安装包解压缩方法的流程图;2 is a flowchart of a method for decompressing an installation package according to an embodiment of the present invention;
图3是本发明一个实施例提供的一种添加数字签名方法的流程图;3 is a flowchart of a method for adding a digital signature according to an embodiment of the present invention;
图4是本发明一个实施例提供的一种应用程序部署方法的流程图;4 is a flowchart of a method for deploying an application program according to an embodiment of the present invention;
图5是本发明一个实施例提供的另一种应用程序部署方法的流程图;FIG. 5 is a flowchart of another application deployment method according to an embodiment of the present invention; FIG.
图6是本发明一个实施例提供的一种数字签名验证方法的流程图;6 is a flowchart of a digital signature verification method according to an embodiment of the present invention;
图7是本发明一个实施例提供的一种应用程序处理装置的示意图;7 is a schematic diagram of an application program processing apparatus according to an embodiment of the present invention;
图8是本发明一个实施例提供的一种安装包解压缩模块的示意图;8 is a schematic diagram of an installation package decompression module provided by an embodiment of the present invention;
图9是本发明一个实施例提供的另一种应用程序处理装置的示意图;FIG. 9 is a schematic diagram of another application processing apparatus according to an embodiment of the present invention; FIG.
图10是本发明一个实施例提供的一种安装包签名模块的示意图;10 is a schematic diagram of an installation package signature module provided by an embodiment of the present invention;
图11是本发明一个实施例提供的一种应用程序部署装置的示意图;11 is a schematic diagram of an application deployment device provided by an embodiment of the present invention;
图12是本发明一个实施例提供的另一种应用程序部署装置的示意图;FIG. 12 is a schematic diagram of another application deployment device according to an embodiment of the present invention; FIG.
图13是本发明一个实施例提供的一种安装包签名验证模块的示意图;13 is a schematic diagram of an installation package signature verification module provided by an embodiment of the present invention;
图14是本发明一个实施例提供的又一种应用程序处理装置的示意图;FIG. 14 is a schematic diagram of another application processing apparatus according to an embodiment of the present invention; FIG.
图15是本发明一个实施例提供的又一种应用程序部署装置的示意图。FIG. 15 is a schematic diagram of another application deployment device according to an embodiment of the present invention.
附图标记列表:List of reference signs:
101:获取第一安装包101: Obtain the first installation package
102:对第一安装包进行解压缩,获得至少一个应用程序文件102: Decompress the first installation package to obtain at least one application file.
103:对应用程序文件进行校验和运算103: Checksum operation on application file
104:将校验和运算得到的校验和存储到一个校验文件中104: Store the checksum obtained by the checksum operation in a check file
105:对校验文件和各个应用程序文件进行压缩打包,获得第二安装包105: Compress and package the verification file and each application file to obtain a second installation package
106:为第二安装包添加第一数字签名106: Add the first digital signature to the second installation package
1021:对第一安装包进行解压缩1021: Extract the first installation package
1022:将除噪声文件之外从第一安装包解压缩出的其他文件确定为应用程序文件1022: Determine other files that are decompressed from the first installation package in addition to the noise files as application files
1061:对第二安装包进行哈希运算,获得相对应的第一身份标识1061: Perform a hash operation on the second installation package to obtain a corresponding first identity
1062:通过私钥对第一身份标识进行加密,获得加密身份标识1062: Encrypt the first identity by using the private key to obtain an encrypted identity
1063:生成与私钥相对应且包括有加密身份标识的公钥基础设施PKI对象1063: Generate a public key infrastructure PKI object corresponding to the private key and including an encrypted identity
1064:将PKI对象嵌入到第二安装包中1064: Embed the PKI object into the second installation package
201:获取添加有第一数字签名的第二安装包201: Obtain a second installation package added with a first digital signature
202:验证第一数字签名是否正确202: Verify that the first digital signature is correct
203:对第二安装包进行解压缩,获得一个校验文件和至少一个应用程序文件203: Decompress the second installation package to obtain a verification file and at least one application file.
204:对获取到的应用程序文件进行校验和运算204: Perform a checksum operation on the obtained application file
205:判断校验和运算得到的校验和与校验文件中相对应的校验和是否全部相同205: Determine whether the checksum obtained by the checksum operation is the same as the corresponding checksum in the check file.
206:利用第二安装包在一个终端设备上部署应用程序206: Use the second installation package to deploy the application on a terminal device
207:确定第二安装包已经被篡改207: Determine that the second installation package has been tampered with
208:判断第二数字签名是否正确208: Determine whether the second digital signature is correct
2021:获取嵌入在第二安装包中的PKI对象2021: Get the PKI object embedded in the second installation package
2022:通过公钥对PKI对象包括的加密身份标识进行解密,获得第一身份标识2022: Decrypt the encrypted identity included in the PKI object by using the public key to obtain the first identity
2023:对第二安装包进行哈希运算,获得相对应的第二身份标识2023: Perform a hash operation on the second installation package to obtain a corresponding second identity.
2024:判断第一身份标识与第二身份标识是否相同2024: Determine whether the first identity is the same as the second identity
301:第一安装包获取模块  302:第一安装包解压缩模块 303:第一校验和运算模块301: first installation package acquisition module 302: first installation package decompression module 303: first checksum calculation module
304:校验文件生成模块    305:应用程序压缩模块     306:安装包签名模块304: verification file generation module 305: application compression module 306: installation package signature module
307:校验文件签名模块    3021:解压缩单元          3022:筛选单元307: Check file signature module 3021: Decompression unit 3022: Screening unit
3061:第一哈希运算单元   3062:标识加密单元        3063:PKI对象生成单元3061: the first hash operation unit 3062: the identity encryption unit 3063: the PKI object generation unit
3064:PKI对象嵌入单元    401:第二安装包获取模块   402:安装包签名验证模块3064: PKI object embedding unit 401: second installation package acquisition module 402: installation package signature verification module
403:第二安装包解压缩模块404:第二校验和运算模块403: Second installation package decompression module 404: Second checksum calculation module
405:校验和验证模块      406:应用程序部署模块     407:安装包状态确认模块405: checksum verification module 406: application deployment module 407: installation package status confirmation module
408:校验文件签名验证模块                          4021:PKI对象获取单元408: Verification file signature verification module 4021: PKI object acquisition unit
4022:标识解密单元       4023:第二哈希运算单元    4024:标识比对单元4022: Identification decryption unit 4023: Second hash operation unit 4024: Identification comparison unit
501:存储器              502:处理器               601:存储器501: memory 502: processor 601: memory
602:处理器602: Processor
具体实施方式detailed description
如前所述,从应用程序库下载应用程序安装包后,在利用所下载的应用程序安装包在终端设备上部署应用程序之前,应用程序安装包可能会被恶意篡改,如果利用已经被恶意篡改的应用程序安装包在终端设备上部署应用程序,所部署的应用程序可能会执行恶意动作,进而造成严重的后果。因此,现有在终端设备上部署应用程序的安全性较低。As mentioned before, after downloading the application installation package from the application library, before using the downloaded application installation package to deploy the application on the terminal device, the application installation package may be maliciously tampered with. If the use has been maliciously tampered with, The application installation package for the deployment of the application on the terminal device, the deployed application may perform malicious actions, resulting in serious consequences. Therefore, the existing applications deployed on terminal devices have lower security.
本发明实施例中,在应用程序发布过程中,对应用程序的安装包中包括的应用程序文件进行校验和运算,将获得的校验和存储到校验文件中,通过对校验文件和各个应用程序文件进行压缩打包获得新的安装包,并为新的安装包添加数字签名。在应用程序部署过程中,获取添加有数字签名的安装包,首先验证安装包的数字签名是否正确,在验证安装包的数字签名正确后对安装包进行解压缩,获得校验文件和各个应用程序文件,之后对各个应用程序文件进行校验和运算,将获取到的校验和与校验文件中存储的各个校验和进行比对,如果获取到的校验和与校验文件中存储的校验和全部对应相同,则利用获取到的安装包在终端设备上部署应用程序。由此可见,在利用安装包部署应用程序之前,通过数字签名和校验和对安装 包的完整性和一致性进行验证,保证获取到的安装包没有被恶意篡改,从而可以提高在终端设备上部署应用程序的安全性。In the embodiment of the present invention, during the application publishing process, a checksum operation is performed on the application file included in the installation package of the application, and the obtained checksum is stored in the verification file. Compress and package each application file to obtain a new installation package, and add a digital signature to the new installation package. During the application deployment process, obtain the installation package with a digital signature. First verify that the digital signature of the installation package is correct. After verifying that the digital signature of the installation package is correct, decompress the installation package to obtain a verification file and each application. File, and then perform checksum calculation on each application file, and compare the obtained checksum with each checksum stored in the check file. If the obtained checksum is compared with the checksum stored in the check file, All the checksums are the same, then use the obtained installation package to deploy the application on the terminal device. It can be seen that before using the installation package to deploy the application, the integrity and consistency of the installation package is verified through digital signatures and checksums to ensure that the obtained installation package has not been maliciously tampered with, which can improve the terminal device. Deploy application security.
下面结合附图对本发明实施例提供的应用程序处理和部署的方法和装置进行详细说明。The method and device for application processing and deployment provided by the embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
如图1所示,本发明一个实施例提供了一种应用程序处理方法,该方法可以包括以下步骤:As shown in FIG. 1, an embodiment of the present invention provides an application program processing method, and the method may include the following steps:
步骤101:获取经过编译的应用程序压缩后的第一安装包;Step 101: Obtain a compressed first installation package of the compiled application program;
步骤102:对第一安装包进行解压缩,获得至少一个应用程序文件;Step 102: Decompress the first installation package to obtain at least one application file.
步骤103:对至少一个应用程序文件进行校验和运算;Step 103: Perform a checksum operation on at least one application file;
步骤104:将校验和运算得到的校验和存储到一个校验文件中;Step 104: storing the checksum obtained by the checksum operation into a check file;
步骤105:对校验文件和至少一个应用程序文件进行压缩打包,获得第二安装包;Step 105: compress and package the verification file and at least one application file to obtain a second installation package;
步骤106:为第二安装包添加第一数字签名。Step 106: Add a first digital signature to the second installation package.
本发明实施例提供的应用程序处理方法,在获取到一个经过编译的应用程序的第一安装包后,对第一安装包进行解压缩获得至少一个应用程序文件,之后对获得的应用程序文件进行校验和运算,并将校验和运算得到的校验和存储到一个校验文件,之后对获取到的校验文件和解压缩出的各个应用程序文件进行压缩打包,获得第二安装包,之后为获取到的第二安装包添加第一数字签名。首先,为第二安装包添加第一数字签名,在利用第二安装包部署应用程序之前可以通过验证第一数字签名是否正确来确定第二安装包是否被篡改,其次,将校验文件压缩打包到第二安装包中,在利用第二安装包部署应用程序之前可以对第二安装包中应用程序文件进行校验和运算,并将获取到的校验和与校验文件中存储的校验和进行比对,以此来判断各个应用程序文件是否为篡改。这样,在利用第二安装包部署应用程序之前,可以通过第二安装包上添加的第一数字签名和第二安装包内校验文件存储的校验和对第二安装包的完整性和一致性进行双重验证,在验证第二安装包没有被篡改后再利用第二安装包在终端设备上部署应用程序,保证在终端设备上所部署的应用程序不会执行恶意动作,从而可以提高在终端上部署应用程序的安全性。In the application program processing method provided by the embodiment of the present invention, after obtaining a first installation package of a compiled application program, decompressing the first installation package to obtain at least one application program file, and then performing processing on the obtained application program file. Checksum operation, and store the checksum obtained by the checksum operation into a check file, and then compress and pack the obtained check file and each decompressed application file to obtain a second installation package, and then Add a first digital signature to the obtained second installation package. First, add a first digital signature to the second installation package. Before deploying the application using the second installation package, you can determine whether the second installation package has been tampered by verifying that the first digital signature is correct. Second, the verification file is compressed and packaged. In the second installation package, before the application is deployed by using the second installation package, a checksum operation may be performed on the application file in the second installation package, and the obtained checksum and the check stored in the verification file may be used. And compare to determine whether each application file has been tampered with. In this way, before using the second installation package to deploy the application, the integrity and consistency of the second installation package can be verified by the first digital signature added on the second installation package and the checksum stored in the verification file in the second installation package. Perform double verification of the security, and use the second installation package to deploy applications on the terminal device after verifying that the second installation package has not been tampered with, to ensure that the applications deployed on the terminal device will not perform malicious actions, thereby improving the Deploy application security on.
在本发明实施例中,通过对第一安装包进行解压缩获得的至少一个应用程序文件,是通过对应用程序源代码进行编译而获得的目标应用程序文件。In the embodiment of the present invention, at least one application program file obtained by decompressing the first installation package is a target application program file obtained by compiling application source code.
在本发明实施例中,在对应用程序文件进行校验和运算时,具体可以采用MD5、SHA-1或者SHA-2等校验和算法分别对应用程序文件进行校验和运算,以获得相对应的校验和。In the embodiment of the present invention, when performing a checksum operation on an application file, a checksum algorithm such as MD5, SHA-1, or SHA-2 may be specifically used to perform a checksum operation on the application file to obtain the phase The corresponding checksum.
本发明实施例提供的应用程序处理方法可以应用于应用程序的发布过程中,具体地,在为第二安装包添加第一数字签名之后,可以将添加有第一数字签名的第二安装包存储到一个 应用程序库中,之后通过自动部署工具对第二安装包对应的应用程序进行发布,其中,自动部署工具可以是Jenkins。The application program processing method provided by the embodiment of the present invention may be applied to an application program publishing process. Specifically, after adding a first digital signature to a second installation package, the second installation package with the first digital signature added may be stored. Go to an application library, and then use the automatic deployment tool to publish the application corresponding to the second installation package. The automatic deployment tool can be Jenkins.
需要说明的是,步骤103对应用程序文件进行校验和运算时,具体可以选择如下四种方式中的任意一种方式对应用程序文件进行校验和运算:It should be noted that when performing checksum calculation on the application file in step 103, specifically, any one of the following four methods may be selected to perform checksum calculation on the application file:
方式一:对获取到的所有应用程序文件进行整体的校验和运算,获得一个校验和;Method 1: Perform an overall checksum operation on all the obtained application files to obtain a checksum;
方式二:对获取到的所有应用程序中的每一个应用出现分别进行校验和运算,获得每一个应用程序文件对应的校验和;Method 2: Perform a checksum operation on each of the obtained application programs and obtain a checksum corresponding to each application file;
方式三:对所有应用程序文件中具有预先定义的文件特征的应用程序文件进行整体的校验和运算,获得一个校验和;Method 3: Perform an overall checksum operation on all application files with predefined file characteristics in all application files to obtain a checksum;
方式四:对所述应用程序文件中具有预先定义的文件特征的每一个应用程序文件分别进行校验和运算,获得每一个具有预先定义的文件特征的应用程序文件对应的校验和。Manner 4: Perform a checksum operation on each of the application files having a predefined file characteristic in the application file to obtain a checksum corresponding to each of the application files having a predefined file characteristic.
针对上述方式一,通过对所有应用程序文件进行整体的校验和运算获得一个校验和,在将应用程序文件压缩打包到第二安装包中之后,第二安装包中任意一个或多个应用程序文件被篡改都会导致对所有应用程序文件进行整体校验和运算的结果发生改变,从而可以根据校验和确定第二安装包中是否存在被篡改的应用程序文件。According to the above manner 1, a checksum is obtained by performing an overall checksum operation on all application files. After the application files are compressed and packaged into the second installation package, any one or more applications in the second installation package are compressed. The tampering of the program file will cause the result of the overall checksum operation on all application files to be changed, so that it can be determined whether the tampered application file exists in the second installation package according to the checksum.
针对上述方式二,分别对每一个应用程序文件进行校验和运算获得相对应的一个校验和,在将各个应用程序文件压缩打包到第二安装包中之后,第二安装包中任意一个应用程序文件被篡改都会导致对该应用程序文件进行校验和运算的结果发生改变,从而可以根据校验和对被篡改的应用程序文件进行定位。For the above second method, a checksum operation is performed on each application file separately to obtain a corresponding checksum. After compressing and packaging each application file into the second installation package, any application in the second installation package is used. The tampering of the program file will cause the result of the checksum operation of the application file to change, so that the tampered application file can be located according to the checksum.
针对上述方式三,预先对容易被篡改的应用程序文件和对应用程序部署重要的应用程序文件定义文件特征,之后对所有具有预先定义的文件特征的应用程序文件进行整体校验和运算获得一个校验和,在将所有应用程序文件压缩打包到第二安装包中之后,第二安装包中任意一个或多个具有预先定义的文件特征的应用程序文件被篡改,都会导致对所有具有预先定义的文件特征的应用程序文件进行整体校验和运算的结果发生改变,从而可以根据校验和确定第二安装包中是否存在被篡改的具有预先定义的文件特征的应用程序文件,以确定重要的应用程序文件是否被篡改。In response to the third method, the characteristics of the application files that are easily tampered with and the application files important to the application deployment are defined in advance, and then the overall checksum operation is performed on all application files with the predefined file characteristics to obtain a calibration. It is verified that, after all application files are compressed and packaged into the second installation package, any one or more application files with predefined file characteristics in the second installation package are tampered with, which will result in the The result of the overall checksum operation of the application file with the file characteristics changes, so that it can be determined according to the checksum whether there is a tampered application file with a predefined file characteristic in the second installation package to determine an important application Whether the program file has been tampered with.
针对上述方式四,预先对容易被篡改的应用程序文件和对应用程序部署重要的应用程序文件定义文件特征,之后分别对每一个具有预先定义的文件特征的应用程序文件进行校验和运算获得相对应的一个校验和,在将所有应用程序文件压缩打包到第二安装包中之后,第二安装包中任意一个具有预先定义的文件特征的应用程序文件被篡改都会导致对该应用程序文件记性校验和运算的结果发生改变,从而可以校验和对被篡改的具有预先定义的文件特征的 应用程序文件进行定位。可选地,在图1所示应用程序处理方法的基础上,如图2所示,步骤102通过对第一安装包进行解压缩获得至少一个应用程序文件具体可以通过如下子步骤实现:In response to the fourth method, the file characteristics that are easily tampered with and the application files important to application deployment are defined in advance, and then the checksum operation is performed on each application file with the predefined file characteristics to obtain the phase characteristics. A corresponding checksum. After all application files are compressed and packaged into the second installation package, any application file with predefined file characteristics in the second installation package is tampered with, which will result in the memory of the application file. The result of the checksum operation changes, so that the checksum can locate the tampered application file with predefined file characteristics. Optionally, on the basis of the application processing method shown in FIG. 1, as shown in FIG. 2, step 102 obtains at least one application file by decompressing the first installation package, which may be specifically implemented by the following sub-steps:
步骤1021:对第一安装包进行解压缩;Step 1021: decompress the first installation package;
步骤1022:从对第一安装包进行解压缩获得的文件中确定噪声文件,将除噪声文件之外的其他从第一安装包解压缩出的文件确定为应用程序文件,其中,噪声文件为与应用程序的功能实现无关的文件,应用程序文件为与应用程序的功能实现相关的文件。Step 1022: Determine a noise file from the files obtained by decompressing the first installation package, and determine the files decompressed from the first installation package other than the noise file as application files, where the noise file is the same as The function of the application is not related to the file, and the application file is a file related to the function of the application.
经过编译的应用程序压缩后的第一安装包中包括两类文件,第一类文件为与应用程序的功能实现无关的文件,即为噪声文件,第二类文件为与应用程序的功能实现相关的文件,即为应用程序文件。噪声文件通常为与应用程序安装、部署过程相关的文件,这类文件根据部署环境的不同而不同,为了避免噪声文件被误认为被篡改而造成第二安装包验证不通过,将第一安装包中包括的噪声文件筛选出去,仅保留应用程序文件压缩打包到第二安装包中,保证对第二安装包进行验证的准确性。The compressed first installation package of the compiled application includes two types of files. The first type of files are files that are not related to the application's function implementation, that is, noise files, and the second type of files are related to the application's function implementation. The file is the application file. Noise files are usually files related to the application installation and deployment process. Such files vary according to the deployment environment. In order to avoid the noise file being mistaken for being tampered and causing the second installation package to fail verification, the first installation package is not passed. The noise files included in the filtering are filtered out, and only the application files are compressed and packaged into the second installation package to ensure the accuracy of the verification of the second installation package.
另外,从对第一安装包进行解压缩获得的文件中滤除噪声文件,仅对滤除噪声文件之后剩余的应用程序文件进行校验和运算,这样可以减少需要进行校验和运算的文件的个数,从而可以提高获取第二安装包的效率。同时,在后续部署应用程序时,也仅需对第二安装包中包括的应用程序文件进行校验和运算,从而可以提高对第二安装包进行验证的效率。In addition, noise files are filtered from the files obtained by decompressing the first installation package, and only checksum calculation is performed on the application files remaining after the noise files are filtered, so that the number of files requiring checksum calculation can be reduced. Number, thereby improving the efficiency of obtaining the second installation package. At the same time, when the application is subsequently deployed, it is only necessary to perform a checksum operation on the application file included in the second installation package, thereby improving the efficiency of verifying the second installation package.
需要说明的是,由于第二安装包有没有应用程序安装、部署过程所需的噪声文件,在利用第二安装包部署应用程序时,应用程序部署工具可以自动根据部署环境获取相对应的噪声文件,进而利用所获取到的噪声文件和第二安装包进行应用程序部署。It should be noted that, because the second installation package has no noise files required for application installation and deployment, when the application is deployed using the second installation package, the application deployment tool can automatically obtain the corresponding noise file according to the deployment environment. , And then use the obtained noise file and the second installation package for application deployment.
另外需要说明的是,步骤104在对校验文件和各个应用程序文件进行压缩打包时,具有两种不同的压缩打包方法:In addition, it should be noted that, in step 104, when compressing and packaging the verification file and each application file, there are two different compression and packaging methods:
第一压缩打包方法:仅对校验文件和所有应用程序文件进行压缩打包生成第二安装包。First compression and packaging method: Compress and package only the verification file and all application files to generate a second installation package.
此时第二安装包中仅包括有一个校验文件和所有的应用程序文件,在利用第二安装包部署应用程序是需要另外获取用于应用程序部署和安装的噪声文件,具体可以由部署工具根据部署环境自动获取。At this time, the second installation package includes only one verification file and all application files. When deploying an application using the second installation package, you need to obtain additional noise files for application deployment and installation. The specific tools can be deployed by the deployment tool. Obtained automatically based on the deployment environment.
第二压缩打包方法:对校验文件、所有应用程序文件和噪声文件进行压缩打包。The second compression and packing method: Compress and pack the verification file, all application files, and noise files.
此时第二安装包中包括有一个校验文件、所有的应用程序文件和所有的噪声文件,在利用第二安装包部署应用程序时需要在额外获取噪声文件。At this time, the second installation package includes a verification file, all application files, and all noise files. When the application is deployed using the second installation package, additional noise files need to be obtained.
可选地,在图1所示应用程序处理方法的基础上,在步骤105对校验文件和至少一个应用程序进行压缩打包之前,可以为存储有校验和的校验文件添加第二数字签名,进而步骤105 可以对添加了第二数字签名的校验文件和至少一个应用程序文件进行压缩打包,以获得包括有添加了第二数字签名的校验文件和至少一个应用程序文件的第二安装包。Optionally, on the basis of the application program processing method shown in FIG. 1, before the verification file and at least one application program are compressed and packaged in step 105, a second digital signature may be added to the verification file storing the checksum. In step 105, the verification file added with the second digital signature and at least one application file may be compressed and packaged to obtain a second installation including the verification file added with the second digital signature and at least one application file. package.
在将获取到的各个应用程序文件的校验和存储到校验文件中之后,为校验文件添加第二数字签名,之后对添加了第二数字签名的校验文件和各个应用程序文件进行压缩打包,获得第二安装包,之后为第二安装包添加第一数字签名。这样,在利用第二安装包部署应用程序之前,首先需要验证第一数字签名是否正确,在确定第一数字签名正确后对第二安装包进行解压缩,之后验证第二数字签名是否正确,在确定第二数字签名正确后对各个应用程序文件进行校验和运算,将获取到的校验和与校验文件中存储的校验和进行比对,以确定各个应用程序文件是否为篡改。由此可见,在图1所示应用程序处理方法的基础上通过为校验文件添加第二数字签名,在利用第二安装包部署应用程序之前需要经过三重验证,从而可以进一步保证在终端设备上部署应用程序的安全性。After the obtained checksum of each application file is stored in the verification file, a second digital signature is added to the verification file, and then the verification file to which the second digital signature is added and each application file are compressed. Package to obtain a second installation package, and then add a first digital signature to the second installation package. In this way, before using the second installation package to deploy the application, first verify that the first digital signature is correct, decompress the second installation package after determining that the first digital signature is correct, and then verify that the second digital signature is correct. After determining that the second digital signature is correct, a checksum operation is performed on each application file, and the obtained checksum is compared with the checksum stored in the check file to determine whether each application file is tampered. It can be seen that by adding a second digital signature to the verification file on the basis of the application processing method shown in FIG. 1, a triple verification is required before using the second installation package to deploy the application, which can further ensure that the terminal device Deploy application security.
可选地,在图1或图2所述应用程序处理方法的基础上,步骤106为第二安装包添加第一数字签名时,如图3所示,该步骤具体可以通过如下子步骤实现:Optionally, based on the application processing method described in FIG. 1 or FIG. 2, when adding a first digital signature to the second installation package in step 106, as shown in FIG. 3, this step may be specifically implemented by the following sub-steps:
步骤1061:通过哈希算法对第二安装包进行哈希运算,获得第二安装包对应的第一身份标识;Step 1061: Perform a hash operation on the second installation package by using a hash algorithm to obtain a first identity corresponding to the second installation package;
步骤1062:通过一个私钥对第一身份标识进行加密,获得加密身份标识;Step 1062: encrypt the first identity by using a private key to obtain an encrypted identity;
步骤1063:生成与私钥相对应且包括有加密身份标识的公钥基础设施PKI对象;Step 1063: Generate a public key infrastructure PKI object corresponding to the private key and including an encrypted identity;
步骤1064:将PKI对象嵌入到第二安装包中。Step 1064: Embed the PKI object into the second installation package.
在获取到第二安装包之后,首先对第二安装包进行整体的哈希运算,获得第二安装包对应的第一身份标识,之后通过应用程序开发者的私钥对第一身份标识进行加密,获得相对应的加密身份标识,之后生成与上述私钥相对应且包括有加密身份标识的公钥基础设施(Public Key Infrastructure,PKI)对象,之后将所生成的PKI对象嵌入到第二安装包中,以使PKI对象在第二安装包被下载时一同被下载。After obtaining the second installation package, first perform an overall hash operation on the second installation package to obtain a first identity corresponding to the second installation package, and then encrypt the first identity through the private key of the application developer To obtain the corresponding encrypted identity, and then generate a public key infrastructure (PKI) object corresponding to the private key and including the encrypted identity, and then embed the generated PKI object into the second installation package So that the PKI object is downloaded when the second installation package is downloaded.
通过对第二安装包进行哈希运算获得与第二安装包相对应的第一身份标识,第一身份标识与第二安装包的内容严格对应,如果第二安装包的内容发生改变,则第二安装包对应的身份标识也会发生改变,因此可以通过第一身份标识来验证第二安装包是否为篡改。A first identity corresponding to the second installation package is obtained by hashing the second installation package. The first identity corresponds strictly to the content of the second installation package. If the content of the second installation package changes, the first The identity of the second installation package will also change, so it can be verified by the first identity that the second installation package has been tampered with.
为了避免不法人员对第二安装包进行篡改并伪造相匹配的身份标识的情况发生,通过私钥对第一身份标识进行加密获得加密身份标识,加密身份标识可以通过与私钥相对应的公钥进行解密,保证在验证第一数字签名时可以解密获得第一身份标识,而不法人员由于无法获取到私钥而无法伪造第一身份标识,从而可以保证利用第一数字签名验证第二安装包完整性和一致性的可靠性。In order to prevent illegal persons from tampering with the second installation package and forging a matching identity, the first identity is encrypted by the private key to obtain the encrypted identity. The encrypted identity can be obtained from the public key corresponding to the private key. Perform decryption to ensure that the first identity can be obtained by decrypting when verifying the first digital signature, and the criminal can't forge the first identity because the private key cannot be obtained, so that the first digital signature can be used to verify the integrity of the second installation package. Reliability and consistency.
在生成PKI对象时,具体可以对证据办法机构的信息、加密身份标识、与私钥相对应的公钥以及PKI证书进行整合,获得PKI对象。When generating a PKI object, the information of the evidence authority, the encrypted identity, the public key corresponding to the private key, and the PKI certificate can be integrated to obtain the PKI object.
需要说明的是,当需要对校验文件添加第二数字签名时,第二数字签名的添加方法与第一数字签名的添加方法相似,具体过程可以参见图3所示为第二安装包添加第一数字签名的方法,此处不再对为校验文件添加第二数字签名的方法进行赘述。It should be noted that when the second digital signature needs to be added to the verification file, the method for adding the second digital signature is similar to the method for adding the first digital signature. For the specific process, see FIG. 3 for the second installation package. A method of digital signature, the method of adding a second digital signature to the verification file will not be repeated here.
如图4所示,本发明一个实施例提供了一种应用程序部署方法,该方法可以包括以下步骤:As shown in FIG. 4, an embodiment of the present invention provides an application deployment method. The method may include the following steps:
步骤201:获取添加有第一数字签名的第二安装包;Step 201: Obtain a second installation package added with a first digital signature.
步骤202:验证第一数字签名是否正确,如果是,执行步骤203,否则执行步骤207;Step 202: verify whether the first digital signature is correct, if yes, go to step 203, otherwise go to step 207;
步骤203:对第二安装包进行解压缩,获得一个校验文件和至少一个应用程序文件;Step 203: Decompress the second installation package to obtain a verification file and at least one application file;
步骤204:对至少一个应用程序文件进行校验和运算;Step 204: Perform a checksum operation on the at least one application file.
步骤205:判断校验和运算得到的校验和与校验文件中存储的相对应的校验和是否全部相同,如果是,执行步骤206,否则执行步骤207;Step 205: Determine whether the checksum obtained by the checksum operation is the same as the corresponding checksum stored in the check file, and if yes, go to step 206; otherwise, go to step 207;
步骤206:利用第二安装包在一个终端设备上部署应用程序,并结束当前流程;Step 206: deploy the application on a terminal device by using the second installation package, and end the current process;
步骤207:确定第二安装包已经被篡改。Step 207: Determine that the second installation package has been tampered with.
本发明实施例提供的应用程序部署方法,在获取到添加有第一数字签名的第二安装包后,首先验证第一数字签名是否正确,如果第一数字签名错误则直接确定第二安装包已经被篡改,如果第一数字签名正确则对第二安装包进行解压缩,获得一个校验文件和至少一个应用程序文件,之后对应用程序文件进行校验和运算,将校验和运算得到的校验和与校验文件中存储的校验和进行比对,如果获取到的所有校验文件全部与校验文件中存储的校验和对应相同,则利用第二安装包在一个终端设备上部署应用程序,否则确定第二安装包已经被篡改。由此可见,在利用第二安装包部署应用程序之前,通过第一数字签名和校验文件存储的校验和对第二安装包进行双重验证,以确定第二安装包是否包篡改,在通过双重验证确定第二安装包没有被篡改后再利用第二安装包在终端设备上部署应用程序,从而可以提升在终端设备上部署应用程序的安全性。The method for deploying an application provided by the embodiment of the present invention, after obtaining a second installation package added with a first digital signature, first verify whether the first digital signature is correct, and if the first digital signature is incorrect, directly determine that the second installation package has been installed. Tampered with, if the first digital signature is correct, decompress the second installation package to obtain a check file and at least one application file, and then perform a checksum operation on the application file to correct the checksum operation. The checksum is compared with the checksum stored in the check file. If all the obtained check files correspond to the checksum stored in the check file, the second installation package is used for deployment on a terminal device. Application, otherwise determine that the second installation package has been tampered with. It can be seen that before the application is deployed using the second installation package, the second installation package is double-checked through the first digital signature and the checksum stored in the verification file to determine whether the second installation package has been tampered with. Two-factor authentication determines that the second installation package has not been tampered with, and then uses the second installation package to deploy the application program on the terminal device, thereby improving the security of the application program deployment on the terminal device.
在本发明实施例中,在利用第二安装包在终端设备上部署应用程序时,可以通过部署工具对应用程序进行部署。具体地,由于第二安装包中没有用于存储程序安装和部署的噪声文件,部署工具可以工具终端设备的部署环境而获得相对应的噪声文件,进而利用获取到的噪声文件和第二安装包在终端设备上部署应用程序。In the embodiment of the present invention, when the application program is deployed on the terminal device by using the second installation package, the application program may be deployed by using a deployment tool. Specifically, because there is no noise file for storing and installing the program in the second installation package, the deployment tool can use the deployment environment of the terminal device to obtain the corresponding noise file, and then use the obtained noise file and the second installation package. Deploy applications on end devices.
可选地,在图4所示应用程序部署方法的基础上,如果从第二安装包中解压缩出的校验 文件添加有第二数字签名,如图5所示,在步骤203与步骤204之间进一步包括有:Optionally, based on the application deployment method shown in FIG. 4, if the verification file decompressed from the second installation package is added with a second digital signature, as shown in FIG. 5, in steps 203 and 204 Among the further include:
步骤208:判断第二数字签名是否正确,如果是,执行步骤204,否则执行步骤207。Step 208: Determine whether the second digital signature is correct. If yes, go to step 204, otherwise go to step 207.
当从第二安装包解压缩出的校验文件添加有第二数字签名时,判断第二数字签名是否正确,如果第二数字签名正确说明校验文件没有被篡改,相应地执行步骤204及后续步骤,以验证各个应用程序文件是否被篡改,如果第二数字签名错误说明校验文件已经被篡改,校验文件中存储的校验和已经没有参考价值,直接执行步骤207,确定第二安装包已经被篡改。这样,除了通过第一数字签名对第二安装包整体进行验证和通过校验和对各个应用程序进行验证外,还通过第二数字签名对校验文件进行验证,因此在利用第二安装包在终端设备上部署校验文件之前对第二安装包进行了三重验证,保证第二安装包没有被篡改,从而可以进一步提高在终端设备上部署应用程序的安全性。When the verification file decompressed from the second installation package is added with the second digital signature, it is judged whether the second digital signature is correct. If the second digital signature is correct, it means that the verification file has not been tampered with, and step 204 and subsequent steps are performed accordingly. Steps to verify whether each application file has been tampered with. If the second digital signature error indicates that the check file has been tampered with, and the checksum stored in the check file has no reference value, go directly to step 207 to determine the second installation package. Has been tampered with. In this way, in addition to verifying the second installation package as a whole through the first digital signature and verifying each application through the checksum, the verification file is also verified using the second digital signature, so using the second installation package in Before the verification file is deployed on the terminal device, the second installation package is triple-verified to ensure that the second installation package has not been tampered with, thereby further improving the security of deploying the application program on the terminal device.
可选地,在图4或图5所示应用程序部署方法的基础上,如图6所示,步骤202验证第一数字签名是否正确具体可以通过如下子步骤实现:Optionally, on the basis of the application deployment method shown in FIG. 4 or FIG. 5, as shown in FIG. 6, the step 202 of verifying whether the first digital signature is correct may be specifically implemented by the following sub-steps:
步骤2021:获取嵌入在第二安装包中的PKI对象;Step 2021: Obtain a PKI object embedded in the second installation package.
步骤2022:通过与PKI对象相对应的公钥对PKI对象包括的加密身份标识进行解密,获得第一身份标识;Step 2022: Decrypt the encrypted identity included in the PKI object by using the public key corresponding to the PKI object to obtain the first identity;
步骤2023:通过哈希算法对第二安装包进行哈希运算,获得第二安装包对应的第二身份标识;Step 2023: Perform a hash operation on the second installation package by using a hash algorithm to obtain a second identity corresponding to the second installation package.
步骤2024:判断第一身份标识与第二身份标识是否相同,如果是,确定第一数字签名正确,否则确定第一数字签名错误。Step 2024: Determine whether the first identity is the same as the second identity, and if yes, determine that the first digital signature is correct; otherwise, determine that the first digital signature is incorrect.
在获取到添加有第一数字签名的第二安装包后,获取嵌入在第二安装包中的PKI对象,之后通过与PKI对象相对应的公钥对PKI对象包括的加密身份标识进行解密,获得第一身份标识,之后通过哈希算法对第二安装包进行哈希运算,获得第二安装包对应的第二身份标识,继而判断第一身份标识与第二身份标识是否相同,如果断第一身份标识与第二身份标识相同,则确定第一数字签名正确,如果断第一身份标识与第二身份标识不同,则确定第一数字签名错误。After obtaining the second installation package added with the first digital signature, obtain the PKI object embedded in the second installation package, and then decrypt the encrypted identity included in the PKI object by using the public key corresponding to the PKI object to obtain The first identity, and then hashing the second installation package by a hash algorithm to obtain the second identity corresponding to the second installation package, and then determine whether the first identity is the same as the second identity. If the identity is the same as the second identity, it is determined that the first digital signature is correct, and if the first identity is different from the second identity, it is determined that the first digital signature is incorrect.
在本发明实施例中,根据前述应用程序处理方法实施例中的描述,嵌入在第二安装包中的PKI对象包括的加密身份标识是通过私钥对第一身份标识进行加密而获得,而第一身份标识为通过对未被篡改的第二安装包进行哈希运算而获得。在获取到PKI对象包括的加密身份标识后,通过与前述私钥相对应的公钥对加密身份标识进行解密便可以获得第一身份标识,通过获取到的第二安装包进行哈希运算获得第二身份标识,由于哈希运算的结果与运算对象的内容严格对应,如果第一身份标识与第二身份标识相同,则可以确定第二安装包没有被篡 改,即第一数字签名是正确的,如果第一身份标识与第二身份标识不同,则可以确定第二安装包已经被篡改,及第一数字签名是错误的。In the embodiment of the present invention, according to the description in the foregoing embodiment of the application processing method, the encrypted identity included in the PKI object embedded in the second installation package is obtained by encrypting the first identity through the private key, and the first An identity is obtained by hashing a second installation package that has not been tampered with. After obtaining the encrypted identity included in the PKI object, the first identity can be obtained by decrypting the encrypted identity through the public key corresponding to the aforementioned private key, and obtaining the first identity by hashing the obtained second installation package. The second identity, because the result of the hash operation strictly corresponds to the content of the operation object. If the first identity is the same as the second identity, it can be determined that the second installation package has not been tampered with, that is, the first digital signature is correct. If the first identity is different from the second identity, it can be determined that the second installation package has been tampered with and the first digital signature is wrong.
需要说明的是,当通过对第二安装包进行解压缩获得到的校验文件添加有第二数字签名时,验证第二数字签名的方法与验证第一数字签名的方法相似,具体可以参见图6所示第一数字签名验证方法中的描述,此处不再对验证第二数字签名的方法进行赘述。It should be noted that, when the verification file obtained by decompressing the second installation package is added with a second digital signature, the method for verifying the second digital signature is similar to the method for verifying the first digital signature. The description of the first digital signature verification method shown in FIG. 6 will not be repeated here.
如图7所示,本发明一个实施例提供了一种应用程序处理装置,该装置可以包括:As shown in FIG. 7, an embodiment of the present invention provides an application program processing apparatus, and the apparatus may include:
一个第一安装包获取模块301,用于获取经过编译的应用程序压缩后的第一安装包;A first installation package obtaining module 301, configured to obtain a compressed first installation package of a compiled application program;
一个第一安装包解压缩模块302,用于对第一安装包获取模块301获取到的第一安装包进行解压缩,获得至少一个应用程序文件;A first installation package decompression module 302, configured to decompress the first installation package obtained by the first installation package acquisition module 301 to obtain at least one application file;
一个第一校验和运算模块303,用于对第一安装包解压缩模块302获取到的至少一个应用程序文件进行校验和运算;A first checksum operation module 303, configured to perform a checksum operation on at least one application program file obtained by the first installation package decompression module 302;
一个校验文件生成模块304,用于将第一校验和运算模块303进行校验和运算得到的校验和存储到一个校验文件中;A check file generating module 304, configured to store the checksum obtained by the first checksum operation module 303 in a checksum operation into a check file;
一个应用程序压缩模块305,用于对校验文件生成模块304存储了校验和的校验文件和第一安装包解压缩模块302获取到的至少一个应用程序文件进行压缩打包,获得第二安装包;An application compression module 305 is configured to compress and package a verification file in which the verification file generation module 304 stores a checksum and at least one application file obtained by the first installation package decompression module 302 to obtain a second installation. package;
一个安装包签名模块306,用于为应用程序压缩模块305获取到的第二安装包添加第一数字签名。An installation package signature module 306 is configured to add a first digital signature to the second installation package obtained by the application compression module 305.
在本发明实施例中,第一安装包获取模块301可用于执行前述方法实施例中的步骤101,第一安装包解压缩模块302可用于执行前述方法实施例中的步骤102,第一校验和运算模块303可用于执行前述方法实施例中的步骤103,校验文件生成模块304可用于执行前述方法实施例中的步骤104,应用程序压缩模块305可用于执行前述方法实施例中的步骤105,安装包签名模块306可用于执行前述方法实施例中的步骤106。In the embodiment of the present invention, the first installation package obtaining module 301 may be used to perform step 101 in the foregoing method embodiment, and the first installation package decompression module 302 may be used to perform step 102 in the foregoing method embodiment, and the first verification The sum operation module 303 may be used to perform step 103 in the foregoing method embodiment, the verification file generation module 304 may be used to perform step 104 in the foregoing method embodiment, and the application compression module 305 may be used to perform step 105 in the foregoing method embodiment. The installation package signature module 306 may be configured to perform step 106 in the foregoing method embodiment.
可选地,在图7所示应用程序处理装置的基础上,如图8所述,第一安装包解压缩模块302包括:Optionally, based on the application program processing apparatus shown in FIG. 7, as described in FIG. 8, the first installation package decompression module 302 includes:
一个解压缩单元3021,用于对第一安装包进行解压缩;A decompression unit 3021, configured to decompress the first installation package;
一个筛选单元3022,用于从解压缩单元3021对第一安装包进行解压缩获得的文件中确定噪声文件,将除噪声文件之外的其他从第一安装包解压缩出的文件确定为至少一个应用程序文件,其中,噪声文件为与应用程序的功能实现无关的文件,至少一个应用程序文件为与应用程序的功能实现相关的文件。A screening unit 3022 is configured to determine a noise file from the files obtained by decompressing the first installation package by the decompression unit 3021, and determine the files decompressed from the first installation package other than the noise files as at least one An application file, where the noise file is a file that is not related to the implementation of the function of the application, and at least one application file is a file that is related to the implementation of the function of the application.
在本发明实施例中,解压缩单元3021可用于执行前述方法实施例中的步骤1021,筛选 单元3022可用于执行前述方法实施例中的步骤1022。In the embodiment of the present invention, the decompression unit 3021 may be configured to perform step 1021 in the foregoing method embodiment, and the screening unit 3022 may be configured to perform step 1022 in the foregoing method embodiment.
可选地,在图7所示应用程序处理装置的基础上,如图9所示,该应用程序处理装置可以进一步包括:一个校验文件签名模块307;Optionally, on the basis of the application processing apparatus shown in FIG. 7, as shown in FIG. 9, the application processing apparatus may further include: a verification file signature module 307;
校验文件签名模块307,用于为校验文件生成模块304获取到的校验文件添加第二数字签名;A verification file signature module 307, configured to add a second digital signature to the verification file obtained by the verification file generation module 304;
应用程序压缩模块305,用于对经过校验文件签名模块307添加了第二数字签名的校验文件和第一安装包解压缩模块302获取到的至少一个应用程序文件进行压缩打包,获得第二安装包。The application compression module 305 is configured to compress and package at least one application file obtained by the verification file signature module 307 with the second digital signature and the first installation package decompression module 302, to obtain a second Installation package.
可选地,在图7或图9所示应用程序处理装置的基础上,如图10所示,安装包签名模块306可以包括:Optionally, on the basis of the application processing apparatus shown in FIG. 7 or FIG. 9, as shown in FIG. 10, the installation package signature module 306 may include:
一个第一哈希运算单元3061,用于通过哈希算法对第二安装包进行哈希运算,获得第二安装包对应的第一身份标识;A first hash operation unit 3061, configured to perform a hash operation on the second installation package by using a hash algorithm to obtain a first identity corresponding to the second installation package;
一个标识加密单元3062,用于通过一个私钥对第一哈希运算单元3061获取到的第一身份标识进行加密,获得加密身份标识;An identity encryption unit 3062, configured to encrypt the first identity obtained by the first hash operation unit 3061 by using a private key to obtain an encrypted identity;
一个PKI对象生成单元3063,用于生成与私钥相对应且包括有标识加密单元3062获取到的加密身份标识的公钥基础设施PKI对象;A PKI object generating unit 3063, configured to generate a public key infrastructure PKI object corresponding to the private key and including the encrypted identity obtained by the identity encryption unit 3062;
一个PKI对象嵌入单元3064,用于将PKI对象生成单元3063生成的PKI对象嵌入到第二安装包中。A PKI object embedding unit 3064 is configured to embed the PKI object generated by the PKI object generating unit 3063 into the second installation package.
在本发明实施例中,第一哈希运算单元3061可用于执行前述方法实施例中的步骤1061,标识加密单元3062可用于执行前述方法实施例中的步骤1062,PKI对象生成单元3063可用于执行前述方法实施例中的步骤1063,PKI对象嵌入单元3064可用于执行前述方法实施例中的步骤1064。In the embodiment of the present invention, the first hash operation unit 3061 may be used to execute step 1061 in the foregoing method embodiment, the identification encryption unit 3062 may be used to execute step 1062 in the foregoing method embodiment, and the PKI object generation unit 3063 may be used to execute In step 1063 in the foregoing method embodiment, the PKI object embedding unit 3064 may be configured to execute step 1064 in the foregoing method embodiment.
需要说明的是,上述各个实施例提供的应用程序处理装置可用于对应用程序进行发布,该应用程序处理装置所包括的各个模块除了执行前述应用程序处理方法实施例中的各个步骤外,还可以将添加有第一数字签名的第二安装包存储到一个应用程序库中,之后通过自动部署工具对第二安装包对应的应用程序进行发布,其中,自动部署工具可以是Jenkins。It should be noted that the application processing apparatus provided in each of the foregoing embodiments may be used to publish an application, and each module included in the application processing apparatus may perform steps in the foregoing embodiment of an application processing method, and may further The second installation package with the first digital signature added is stored in an application library, and then the application corresponding to the second installation package is released through an automatic deployment tool, where the automatic deployment tool may be Jenkins.
如图11所示,本发明一个实施例提供了一种应用程序部署装置,该装置可以包括:As shown in FIG. 11, an embodiment of the present invention provides an application deployment device, and the device may include:
一个第二安装包获取模块401,用于获取添加有第一数字签名的第二安装包;A second installation package obtaining module 401, configured to obtain a second installation package added with a first digital signature;
一个安装包签名验证模块402,用于验证第二安装包获取模块401获取到的第二安装包中添加的第一数字签名是否正确,An installation package signature verification module 402, configured to verify whether the first digital signature added to the second installation package obtained by the second installation package acquisition module 401 is correct,
一个第二安装包解压缩模块403,用于在安装包签名验证模块402验证第一数字签名正确时,对第二安装包进行解压缩,获得一个校验文件和至少一个应用程序文件;A second installation package decompression module 403, configured to decompress the second installation package when the installation package signature verification module 402 verifies that the first digital signature is correct, to obtain a verification file and at least one application file;
一个第二校验和运算模块404,用于对第二安装包解压缩模块403获取到的至少一个应用程序进行校验和运算;A second checksum operation module 404, configured to perform a checksum operation on at least one application program obtained by the second installation package decompression module 403;
一个校验和验证模块405,用于判断第二校验和运算模块404进行校验和运算得到的校验和与第二安装包解压缩模块403获取到的校验文件中存储的相对应的校验和是否全部相同;A checksum verification module 405 is used to determine that the checksum obtained by the second checksum calculation module 404 performs a checksum operation corresponding to the checksum stored in the check file obtained by the second installation package decompression module 403. Checksums are all the same;
一个应用程序部署模块406,用于在校验和验证模块405的判断结果为是时,利用第二安装包在一个终端设备上安装应用程序;An application deployment module 406 is configured to install an application on a terminal device by using a second installation package when the judgment result of the checksum verification module 405 is yes;
一个安装包状态确认模块407,用于在安装包签名验证模块402验证第一数字签名错误时,或者校验和验证模块405的判断结果为否时,确定第二安装包已经被篡改。An installation package status confirmation module 407 is configured to determine that the second installation package has been tampered with when the installation package signature verification module 402 verifies that the first digital signature is incorrect, or when the judgment result of the checksum verification module 405 is no.
在本发明实施例中,第二安装包获取模块401可用于执行前述方法实施例中的步骤201,安装包签名验证模块402可用于执行前述方法实施例中的步骤202,第二安装包解压缩模块403可用于执行前述方法实施例中的步骤203,第二校验和运算模块404可用于执行前述方法实施例中的步骤204,校验和验证模块405可用于执行前述方法实施例中的步骤205,应用程序部署模块406可用于执行前述方法实施例中的步骤206,安装包状态确认模块407可用于执行前述方法实施例中的步骤207。In the embodiment of the present invention, the second installation package obtaining module 401 may be used to perform step 201 in the foregoing method embodiment, and the installation package signature verification module 402 may be used to perform step 202 in the foregoing method embodiment, and the second installation package is decompressed. The module 403 may be used to perform step 203 in the foregoing method embodiment, the second checksum calculation module 404 may be used to perform step 204 in the foregoing method embodiment, and the checksum verification module 405 may be used to perform step in the foregoing method embodiment. 205. The application deployment module 406 may be configured to perform step 206 in the foregoing method embodiment, and the installation package status confirmation module 407 may be configured to perform step 207 in the foregoing method embodiment.
可选地,在图11所示应用程序部署装置的基础上,如图12所示,该应用程序部署装置可以进一步包括:一个校验文件签名验证模块408;Optionally, on the basis of the application deployment device shown in FIG. 11, as shown in FIG. 12, the application deployment device may further include: a verification file signature verification module 408;
校验文件签名验证模块408,用于在第二安装包解压缩模块403解压出的校验文件添加有第二数字签名时,验证第二数字签名是否正确;The verification file signature verification module 408 is configured to verify whether the second digital signature is correct when the verification file decompressed by the second installation package decompression module 403 is added with a second digital signature;
安装包状态确认模块407,进一步用于在校验文件签名验证模块408验证第二数字签名错误时,确定第二安装包已经被篡改。The installation package status confirmation module 407 is further configured to determine that the second installation package has been tampered with when the verification file signature verification module 408 verifies that the second digital signature is incorrect.
在本发明实施例中,校验文件签名验证模块408可用于执行前述方法实施例中的步骤208。In the embodiment of the present invention, the verification file signature verification module 408 may be configured to perform step 208 in the foregoing method embodiment.
需要说明的是,当应用程序部署装置包括安装包状态确认模块407时,在校验文件签名验证模块408确定第二数字签名正确后,第二校验和运算模块404再开始对第二安装包解压缩模块403获取到的至少一个应用程序中的每一个分别进行校验和运算,获得每一个应用程序文件对应的校验和。It should be noted that when the application deployment device includes an installation package status confirmation module 407, after the verification file signature verification module 408 determines that the second digital signature is correct, the second checksum calculation module 404 starts to perform the second installation package. Each of the at least one application acquired by the decompression module 403 performs a checksum operation separately to obtain a checksum corresponding to each application file.
可选地,在图11或图12所示应用程序部署装置的基础上,如图13所示,安装包签名验证模块402可以包括:Optionally, based on the application deployment device shown in FIG. 11 or FIG. 12, as shown in FIG. 13, the installation package signature verification module 402 may include:
一个PKI对象获取单元4021,用于获取嵌入在第二安装包中的PKI对象;A PKI object obtaining unit 4021, configured to obtain a PKI object embedded in the second installation package;
一个标识解密单元4022,用于通过与PKI对象获取单元4021获取到的PKI对象相对应的公钥对PKI对象包括的加密身份标识进行解密,获得第一身份标识;An identity decryption unit 4022, configured to decrypt the encrypted identity included in the PKI object by using the public key corresponding to the PKI object obtained by the PKI object obtaining unit 4021 to obtain a first identity;
一个第二哈希运算单元4023,用于通过哈希算法对第二安装包进行哈希运算,获得第二安装包对应的第二身份标识;A second hash operation unit 4023, configured to perform a hash operation on the second installation package by using a hash algorithm to obtain a second identity corresponding to the second installation package;
一个标识比对单元4024,用于判断标识解密单元4022获取到的第一身份标识与第二哈希运算单元4023获取到的第二身份标识是否相同,如果是,确定第一数字签名正确,否则确定第一数字签名错误。An identity comparison unit 4024 is configured to determine whether the first identity obtained by the identity decryption unit 4022 and the second identity obtained by the second hash operation unit 4023 are the same. If yes, determine that the first digital signature is correct, otherwise Determine the first digital signature is wrong.
在本发明实施例中,PKI对象获取单元4021可用于执行前述方法实施例中的步骤2021,标识解密单元4022可用于执行前述方法实施例中的步骤2022,第二哈希运算单元4023可用于执行前述方法实施例中的步骤2023,标识比对单元4024可用于执行前述方法实施例中的步骤2024。In the embodiment of the present invention, the PKI object obtaining unit 4021 may be used to execute step 2021 in the foregoing method embodiment, the identity decryption unit 4022 may be used to execute step 2022 in the foregoing method embodiment, and the second hash operation unit 4023 may be used to execute In step 2023 in the foregoing method embodiment, the identification comparison unit 4024 may be used to execute step 2024 in the foregoing method embodiment.
如图14所示,本发明一个实施例提供了一种应用程序处理装置,包括:至少一个存储器501和至少一个处理器502;As shown in FIG. 14, an embodiment of the present invention provides an application program processing apparatus, including: at least one memory 501 and at least one processor 502;
至少一个存储器501,用于存储机器可读程序;At least one memory 501 for storing a machine-readable program;
至少一个处理器502,用于调用至少一个存储器501中存储的机器可读程序,执行上述应用程序处理方法实施例中的各个步骤。The at least one processor 502 is configured to call a machine-readable program stored in the at least one memory 501 and execute each step in the foregoing application program processing method embodiment.
如图15所示,本发明一个实施例提供了一种应用程序部署装置,包括:至少一个存储器601和至少一个处理器602;As shown in FIG. 15, an embodiment of the present invention provides an application program deployment apparatus, including: at least one memory 601 and at least one processor 602;
至少一个存储器601,用于存储机器可读程序;At least one memory 601, configured to store a machine-readable program;
至少一个处理器602,用于调用至少一个存储器601中存储的机器可读程序,执行上述应用程序部署方法实施例中的各个步骤。At least one processor 602 is configured to call a machine-readable program stored in at least one memory 601 and execute each step in the foregoing application program deployment method embodiment.
本发明还提供了一种计算机可读介质,存储用于使一机器执行如本文所述的应用程序处理方法或者应用程序部署方法的指令。具体地,可以提供配有存储介质的系统或者装置,在该存储介质上存储着实现上述实施例中任一实施例的功能的软件程序代码,且使该系统或者装置的计算机(或CPU或MPU)读出并执行存储在存储介质中的程序代码。The present invention also provides a computer-readable medium storing instructions for causing a machine to execute an application program processing method or an application program deployment method as described herein. Specifically, a system or device equipped with a storage medium may be provided, on which software program code that implements the functions of any of the above embodiments is stored, and a computer (or CPU or MPU) of the system or device is stored ) Read out and execute the program code stored in the storage medium.
在这种情况下,从存储介质读取的程序代码本身可实现上述实施例中任何一项实施例的功能,因此程序代码和存储程序代码的存储介质构成了本发明的一部分。In this case, the program code itself read from the storage medium can implement the functions of any one of the above-mentioned embodiments, so the program code and the storage medium storing the program code constitute a part of the present invention.
用于提供程序代码的存储介质实施例包括软盘、硬盘、磁光盘、光盘(如CD-ROM、CD-R、CD-RW、DVD-ROM、DVD-RAM、DVD-RW、DVD+RW)、磁带、非易失性存储卡和ROM。可选择地,可以由通信网络从服务器计算机上下载程序代码。Examples of storage media for providing program code include floppy disks, hard disks, magneto-optical disks, optical disks (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD + RW), Magnetic tape, non-volatile memory card and ROM. Alternatively, the program code may be downloaded from a server computer by a communication network.
此外,应该清楚的是,不仅可以通过执行计算机所读出的程序代码,而且可以通过基于程序代码的指令使计算机上操作的操作系统等来完成部分或者全部的实际操作,从而实现上述实施例中任意一项实施例的功能。In addition, it should be clear that some or all of the actual operations can be completed not only by executing the program code read by the computer, but also by operating the computer operating system based on instructions based on the program code, thereby realizing the above embodiments. The function of any one embodiment.
此外,可以理解的是,将由存储介质读出的程序代码写到插入计算机内的扩展板中所设置的存储器中或者写到与计算机相连接的扩展单元中设置的存储器中,随后基于程序代码的指令使安装在扩展板或者扩展单元上的CPU等来执行部分和全部实际操作,从而实现上述实施例中任一实施例的功能。In addition, it can be understood that the program code read from the storage medium is written into a memory provided in an expansion board inserted into the computer or into a memory provided in an expansion unit connected to the computer, and then based on the program code The instructions cause the CPU and the like installed on the expansion board or the expansion unit to perform part and all of the actual operations, thereby realizing the functions of any one of the above embodiments.
需要说明的是,上述各流程和各系统结构图中不是所有的步骤和模块都是必须的,可以根据实际的需要忽略某些步骤或模块。各步骤的执行顺序不是固定的,可以根据需要进行调整。上述各实施例中描述的系统结构可以是物理结构,也可以是逻辑结构,即,有些模块可能由同一物理实体实现,或者,有些模块可能分由多个物理实体实现,或者,可以由多个独立设备中的某些部件共同实现。It should be noted that not all steps and modules in the above processes and system structure diagrams are necessary, and some steps or modules can be ignored according to actual needs. The execution order of each step is not fixed and can be adjusted as needed. The system structure described in the above embodiments may be a physical structure or a logical structure, that is, some modules may be implemented by the same physical entity, or some modules may be implemented by multiple physical entities, or may be implemented by multiple Some components in separate devices are implemented together.
以上各实施例中,硬件单元可以通过机械方式或电气方式实现。例如,一个硬件单元可以包括永久性专用的电路或逻辑(如专门的处理器,FPGA或ASIC)来完成相应操作。硬件单元还可以包括可编程逻辑或电路(如通用处理器或其它可编程处理器),可以由软件进行临时的设置以完成相应操作。具体的实现方式(机械方式、或专用的永久性电路、或者临时设置的电路)可以基于成本和时间上的考虑来确定。In the above embodiments, the hardware unit may be implemented mechanically or electrically. For example, a hardware unit may include permanently dedicated circuits or logic (such as a dedicated processor, FPGA or ASIC) to perform the corresponding operations. The hardware unit may also include programmable logic or circuits (such as general-purpose processors or other programmable processors), which may be temporarily set by software to complete the corresponding operations. The specific implementation manner (mechanical manner, or a dedicated permanent circuit, or a temporarily set circuit) can be determined based on cost and time considerations.
上文通过附图和优选实施例对本发明进行了详细展示和说明,然而本发明不限于这些已揭示的实施例,基与上述多个实施例本领域技术人员可以知晓,可以组合上述不同实施例中的代码审核手段得到本发明更多的实施例,这些实施例也在本发明的保护范围之内。The present invention has been shown and described in detail above with reference to the drawings and preferred embodiments. However, the present invention is not limited to these disclosed embodiments, and those skilled in the art can know based on the above-mentioned multiple embodiments, and can combine the different embodiments described above. The code review method in the present invention obtains more embodiments of the present invention, and these embodiments are also within the protection scope of the present invention.

Claims (17)

  1. 应用程序处理方法,其特征在于,包括:The application program processing method is characterized by including:
    获取经过编译的应用程序压缩后的第一安装包;Get the first compressed installation package of the compiled application;
    对所述第一安装包进行解压缩,获得至少一个应用程序文件;Decompressing the first installation package to obtain at least one application file;
    对所述至少一个应用程序文件进行校验和运算;Performing a checksum operation on the at least one application file;
    将校验和运算得到的校验和存储到一个校验文件中;Store the checksum obtained by the checksum operation in a check file;
    对所述校验文件和所述至少一个应用程序文件进行压缩打包,获得第二安装包;Compressing and packaging the verification file and the at least one application program file to obtain a second installation package;
    为所述第二安装包添加第一数字签名。Adding a first digital signature to the second installation package.
  2. 根据权利要求1所述的方法,其特征在于,所述对所述第一安装包进行解压缩,获得至少一个应用程序文件,包括:The method according to claim 1, wherein the decompressing the first installation package to obtain at least one application program file comprises:
    对所述第一安装包进行解压缩;Decompressing the first installation package;
    从对所述第一安装包进行解压缩获得的文件中确定噪声文件,将除所述噪声文件之外的其他从所述第一安装包解压缩出的文件确定为所述至少一个应用程序文件,其中,所述噪声文件为与所述应用程序的功能实现无关的文件,所述至少一个应用程序文件为与所述应用程序的功能实现相关的文件。Determine a noise file from a file obtained by decompressing the first installation package, and determine a file decompressed from the first installation package other than the noise file as the at least one application file Wherein, the noise file is a file unrelated to the function implementation of the application program, and the at least one application file is a file related to the function implementation of the application program.
  3. 根据权利要求1或2所述的方法,其特征在于,The method according to claim 1 or 2, wherein:
    在所述对所述校验文件和所述至少一个应用程序文件进行压缩打包之前,进一步包括:Before the compressing and packaging the verification file and the at least one application file, the method further includes:
    为所述校验文件添加第二数字签名;Adding a second digital signature to the verification file;
    所述对所述校验文件和所述至少一个应用程序文件进行压缩打包,包括:The compressing and packaging the verification file and the at least one application file includes:
    对添加了所述第二数字签名的所述校验文件和所述至少一个应用程序文件进行压缩打包,获得所述第二安装包。Compress and package the verification file and the at least one application file to which the second digital signature is added, to obtain the second installation package.
  4. 根据权利要求1至3中任一所述的方法,其特征在于,所述为所述第二安装包添加第一数字签名,包括:The method according to any one of claims 1 to 3, wherein the adding a first digital signature to the second installation package comprises:
    通过哈希算法对所述第二安装包进行哈希运算,获得所述第二安装包对应的第一身份标识;Performing a hash operation on the second installation package by using a hash algorithm to obtain a first identity corresponding to the second installation package;
    通过一个私钥对所述第一身份标识进行加密,获得加密身份标识;Encrypting the first identity by using a private key to obtain an encrypted identity;
    生成与所述私钥相对应且包括有所述加密身份标识的公钥基础设施PKI对象;Generating a public key infrastructure PKI object corresponding to the private key and including the encrypted identity;
    将所述PKI对象嵌入到所述第二安装包中。The PKI object is embedded in the second installation package.
  5. 应用程序部署方法,其特征在于,包括:The application deployment method is characterized by:
    S1:获取添加有第一数字签名的第二安装包;S1: Obtain a second installation package added with a first digital signature;
    S2:验证所述第一数字签名是否正确,如果是,执行S3,否则执行S7;S2: verify whether the first digital signature is correct, if yes, execute S3, otherwise execute S7;
    S3:对所述第二安装包进行解压缩,获得一个校验文件和至少一个应用程序文件;S3: Decompress the second installation package to obtain a verification file and at least one application program file;
    S4:对所述至少一个应用程序文件进行校验和运算;S4: performing a checksum operation on the at least one application file;
    S5:判断校验和运算得到的校验和与所述校验文件中存储的相对应的校验和是否全部相同,如果是,执行S6,否则执行S7;S5: Determine whether the checksum obtained by the checksum operation is the same as the corresponding checksum stored in the check file, if yes, execute S6, otherwise execute S7;
    S6:利用所述第二安装包在一个终端设备上部署应用程序,并结束当前流程;S6: deploy the application on a terminal device by using the second installation package, and end the current process;
    S7:确定所述第二安装包已经被篡改。S7: Determine that the second installation package has been tampered with.
  6. 根据权利要求5所述的方法,其特征在于,当所述校验文件添加有第二数字签名时,在所述S3与所述S4之间进一步包括:The method according to claim 5, characterized in that when the verification file is added with a second digital signature, further comprising between the S3 and the S4:
    验证所述第二数字签名是否正确,如果是,执行S4,否则执行S7。Verify whether the second digital signature is correct, if yes, execute S4, otherwise execute S7.
  7. 根据权利要求5或6所示的方法,其特征在于,所述验证所述第一数字签名是否正确,包括:The method according to claim 5 or 6, wherein the verifying whether the first digital signature is correct comprises:
    获取嵌入在所述第二安装包中的PKI对象;Obtaining a PKI object embedded in the second installation package;
    通过与所述PKI对象相对应的公钥对所述PKI对象包括的加密身份标识进行解密,获得第一身份标识;Decrypting the encrypted identity included in the PKI object by using a public key corresponding to the PKI object to obtain a first identity;
    通过哈希算法对所述第二安装包进行哈希运算,获得所述第二安装包对应的第二身份标识;Performing a hash operation on the second installation package by using a hash algorithm to obtain a second identity corresponding to the second installation package;
    判断所述第一身份标识与所述第二身份标识是否相同,如果是,确定所述第一数字签名正确,否则确定所述第一数字签名错误。Determine whether the first identity is the same as the second identity, and if so, determine that the first digital signature is correct; otherwise, determine that the first digital signature is incorrect.
  8. 应用程序处理装置,其特征在于,包括:An application program processing device, comprising:
    一个第一安装包获取模块(301),用于获取经过编译的应用程序压缩后的第一安装包;A first installation package obtaining module (301), configured to obtain a first installation package compressed by a compiled application program;
    一个第一安装包解压缩模块(302),用于对所述第一安装包获取模块(301)获取到的所述第一安装包进行解压缩,获得至少一个应用程序文件;A first installation package decompression module (302), configured to decompress the first installation package obtained by the first installation package acquisition module (301) to obtain at least one application program file;
    一个第一校验和运算模块(303),用于对所述第一安装包解压缩模块(302)获取到的所述至少一个应用程序文件进行校验和运算;A first checksum operation module (303), configured to perform a checksum operation on the at least one application file obtained by the first installation package decompression module (302);
    一个校验文件生成模块(304),用于将所述第一校验和运算模块(303)校验和运算得到的校验和存储到一个校验文件中;A check file generating module (304), configured to store a checksum obtained by a checksum operation of the first checksum computing module (303) into a check file;
    一个应用程序压缩模块(305),用于对所述校验文件生成模块(304)存储了校验和的所述校验文件和所述第一安装包解压缩模块(302)获取到的所述至少一个应用程序文件进行压缩打包,获得第二安装包;An application compression module (305), configured to store the checksum of the checksum generated by the checkfile generation module (304) and all the data obtained by the first installation package decompression module (302) Compressing and packaging at least one application file to obtain a second installation package;
    一个安装包签名模块(306),用于为所述应用程序压缩模块(305)获取到的所述第二安 装包添加第一数字签名。An installation package signature module (306) is configured to add a first digital signature to the second installation package obtained by the application compression module (305).
  9. 根据权利要求8所述的装置,其特征在于,所述第一安装包解压缩模块(302)包括:The apparatus according to claim 8, wherein the first installation package decompression module (302) comprises:
    一个解压缩单元(3021),用于对所述第一安装包进行解压缩;A decompression unit (3021), configured to decompress the first installation package;
    一个筛选单元(3022),用于从所述解压缩单元(3021)对所述第一安装包进行解压缩获得的文件中确定噪声文件,将除所述噪声文件之外的其他从所述第一安装包解压缩出的文件确定为所述至少一个应用程序文件,其中,所述噪声文件为与所述应用程序的功能实现无关的文件,所述至少一个应用程序文件为与所述应用程序的功能实现相关的文件。A screening unit (3022), configured to determine a noise file from a file obtained by decompressing the first installation package by the decompression unit (3021), and A file decompressed by an installation package is determined to be the at least one application program file, wherein the noise file is a file unrelated to the function implementation of the application program, and the at least one application program file is related to the application program. The functions are implemented in related files.
  10. 根据权利要求8或9所述的装置,其特征在于,进一步包括:一个校验文件签名模块(307);The device according to claim 8 or 9, further comprising: a verification file signature module (307);
    所述校验文件签名模块(307),用于为所述校验文件生成模块(304)获取到的所述校验文件添加第二数字签名;The verification file signature module (307) is configured to add a second digital signature to the verification file obtained by the verification file generation module (304);
    所述应用程序压缩模块(305),用于对经过所述校验文件签名模块(307)添加了所述第二数字签名的所述校验文件和所述第一安装包解压缩模块(302)获取到的所述至少一个应用程序文件进行压缩打包,获得所述第二安装包。The application compression module (305) is configured to add the second digital signature to the verification file and the first installation package decompression module (302) after the verification file signature module (307). ) The obtained at least one application file is compressed and packed to obtain the second installation package.
  11. 根据权利要求8至10中任一所述的装置,其特征在于,所述安装包签名模块(306)包括:The device according to any one of claims 8 to 10, wherein the installation package signature module (306) comprises:
    一个第一哈希运算单元(3061),用于通过哈希算法对所述第二安装包进行哈希运算,获得所述第二安装包对应的第一身份标识;A first hash operation unit (3061), configured to perform a hash operation on the second installation package by using a hash algorithm to obtain a first identity corresponding to the second installation package;
    一个标识加密单元(3062),用于通过一个私钥对所述第一哈希运算单元(3061)获取到的所述第一身份标识进行加密,获得加密身份标识;An identity encryption unit (3062), configured to encrypt the first identity obtained by the first hash operation unit (3061) with a private key to obtain an encrypted identity;
    一个PKI对象生成单元(3063),用于生成与所述私钥相对应且包括有所述标识加密单元(3062)获取到的所述加密身份标识的公钥基础设施PKI对象;A PKI object generating unit (3063) for generating a public key infrastructure PKI object corresponding to the private key and including the encrypted identity obtained by the identity encryption unit (3062);
    一个PKI对象嵌入单元(3064),用于将所述PKI对象生成单元(3063)生成的所述PKI对象嵌入到所述第二安装包中。A PKI object embedding unit (3064) is configured to embed the PKI object generated by the PKI object generating unit (3063) into the second installation package.
  12. 应用程序部署装置,其特征在于,包括:The application deployment device is characterized by including:
    一个第二安装包获取模块(401),用于获取添加有第一数字签名的第二安装包;A second installation package obtaining module (401), configured to obtain a second installation package added with a first digital signature;
    一个安装包签名验证模块(402),用于验证所述第二安装包获取模块(401)获取到的所述第二安装包中添加的所述第一数字签名是否正确,An installation package signature verification module (402), configured to verify whether the first digital signature added to the second installation package obtained by the second installation package acquisition module (401) is correct,
    一个第二安装包解压缩模块(403),用于在所述安装包签名验证模块(402)验证所述第一数字签名正确时,对所述第二安装包进行解压缩,获得一个校验文件和至少一个应用程序 文件;A second installation package decompression module (403), configured to decompress the second installation package to obtain a check when the installation package signature verification module (402) verifies that the first digital signature is correct. Files and at least one application file;
    一个第二校验和运算模块(404),用于对所述第二安装包解压缩模块(403)获取到的所述至少一个应用程序进行校验和运算;A second checksum operation module (404), configured to perform a checksum operation on the at least one application program obtained by the second installation package decompression module (403);
    一个校验和验证模块(405),用于判断所述第二校验和运算模块(404)校验和运算得到的校验和与所述第二安装包解压缩模块(403)获取到的所述校验文件中存储的相对应的校验和是否全部相同;A checksum verification module (405), configured to determine the checksum obtained by the checksum operation of the second checksum operation module (404) and the checksum obtained by the second installation package decompression module (403). Whether the corresponding checksums stored in the verification file are all the same;
    一个应用程序部署模块(406),用于在所述校验和验证模块(405)的判断结果为是时,利用所述第二安装包在一个终端设备上安装应用程序;An application deployment module (406), configured to use the second installation package to install an application on a terminal device when the judgment result of the checksum verification module (405) is yes;
    一个安装包状态确认模块(407),用于在所述安装包签名验证模块(402)验证所述第一数字签名错误时,或者所述校验和验证模块(405)的判断结果为否时,确定所述第二安装包已经被篡改。An installation package status confirmation module (407) is used when the installation package signature verification module (402) verifies that the first digital signature is incorrect, or when the judgment result of the checksum verification module (405) is no To determine that the second installation package has been tampered with.
  13. 根据权利要求12所述的装置,其特征在于,进一步包括:一个校验文件签名验证模块(408);The device according to claim 12, further comprising: a verification file signature verification module (408);
    所述校验文件签名验证模块(408),用于在所述第二安装包解压缩模块(403)解压缩出的所述校验文件添加有第二数字签名时,验证所述第二数字签名是否正确;The verification file signature verification module (408) is configured to verify the second digital signature when a second digital signature is added to the verification file decompressed by the second installation package decompression module (403). Whether the signature is correct;
    所述安装包状态确认模块(407),进一步用于在所述校验文件签名验证模块(408)验证所述第二数字签名错误时,确定所述第二安装包已经被篡改。The installation package status confirmation module (407) is further configured to determine that the second installation package has been tampered with when the check file signature verification module (408) verifies that the second digital signature is incorrect.
  14. 根据权利要求12或13所述的装置,其特征在于,所述安装包签名验证模块(402)包括:The device according to claim 12 or 13, wherein the installation package signature verification module (402) comprises:
    一个PKI对象获取单元(4021),用于获取嵌入在所述第二安装包中的PKI对象;A PKI object obtaining unit (4021), configured to obtain a PKI object embedded in the second installation package;
    一个标识解密单元(4022),用于通过与所述PKI对象获取单元(4021)获取到的所述PKI对象相对应的公钥对所述PKI对象包括的加密身份标识进行解密,获得第一身份标识;An identity decryption unit (4022), configured to decrypt the encrypted identity included in the PKI object by using a public key corresponding to the PKI object obtained by the PKI object obtaining unit (4021) to obtain a first identity Identification
    一个第二哈希运算单元(4023),用于通过哈希算法对所述第二安装包进行哈希运算,获得所述第二安装包对应的第二身份标识;A second hash operation unit (4023), configured to perform a hash operation on the second installation package by using a hash algorithm to obtain a second identity corresponding to the second installation package;
    一个标识比对单元(4024),用于判断所述标识解密单元(4022)获取到的所述第一身份标识与所述第二哈希运算单元(4023)获取到的所述第二身份标识是否相同,如果是,确定所述第一数字签名正确,否则确定所述第一数字签名错误。An identity comparison unit (4024), configured to determine the first identity obtained by the identity decryption unit (4022) and the second identity obtained by the second hash operation unit (4023) Whether they are the same, if yes, determine that the first digital signature is correct; otherwise, determine that the first digital signature is incorrect.
  15. 应用程序处理装置,其特征在于,包括:至少一个存储器(501)和至少一个处理器(502);An application program processing device, comprising: at least one memory (501) and at least one processor (502);
    所述至少一个存储器(501),用于存储机器可读程序;The at least one memory (501) is configured to store a machine-readable program;
    所述至少一个处理器(502),用于调用所述机器可读程序,执行如权利要求1至4任一项所述的方法。The at least one processor (502) is configured to call the machine-readable program to execute the method according to any one of claims 1 to 4.
  16. 应用程序部署装置,其特征在于,包括:至少一个存储器(601)和至少一个处理器(602);An application program deployment device, comprising: at least one memory (601) and at least one processor (602);
    所述至少一个存储器(601),用于存储机器可读程序;The at least one memory (601) is configured to store a machine-readable program;
    所述至少一个处理器(602),用于调用所述机器可读程序,执行如权利要求5至7任一项所述的方法。The at least one processor (602) is configured to call the machine-readable program to execute the method according to any one of claims 5 to 7.
  17. 计算机可读介质,其特征在于,所述计算机可读介质上存储有计算机指令,所述计算机指令在被处理器执行时,使所述处理器执行权利要求1至7中任一所述的方法。A computer-readable medium, characterized in that computer instructions are stored on the computer-readable medium, and when the computer instructions are executed by a processor, the processor causes the processor to execute the method according to any one of claims 1 to 7. .
PCT/CN2018/109072 2018-09-30 2018-09-30 Method and apparatus for processing and deploying application program, and computer-readable medium WO2020062233A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2018/109072 WO2020062233A1 (en) 2018-09-30 2018-09-30 Method and apparatus for processing and deploying application program, and computer-readable medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2018/109072 WO2020062233A1 (en) 2018-09-30 2018-09-30 Method and apparatus for processing and deploying application program, and computer-readable medium

Publications (1)

Publication Number Publication Date
WO2020062233A1 true WO2020062233A1 (en) 2020-04-02

Family

ID=69950237

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/109072 WO2020062233A1 (en) 2018-09-30 2018-09-30 Method and apparatus for processing and deploying application program, and computer-readable medium

Country Status (1)

Country Link
WO (1) WO2020062233A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114510293A (en) * 2022-02-17 2022-05-17 平安普惠企业管理有限公司 Application package reduction processing method and device, computer equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030226138A1 (en) * 1993-09-30 2003-12-04 Linda Luu Installation of application software through a network from a source computer system on to a target computer system
CN106156609A (en) * 2015-04-21 2016-11-23 宇龙计算机通信科技(深圳)有限公司 The certification of application program, installation method, device and terminal
CN106548065A (en) * 2016-10-27 2017-03-29 海信集团有限公司 Application program installs detection method and device
CN107766096A (en) * 2016-08-19 2018-03-06 阿里巴巴集团控股有限公司 The generation method of application program installation kit, the operation method of application program and device
CN107994993A (en) * 2017-11-21 2018-05-04 北京奇虎科技有限公司 Application program detection method and device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030226138A1 (en) * 1993-09-30 2003-12-04 Linda Luu Installation of application software through a network from a source computer system on to a target computer system
CN106156609A (en) * 2015-04-21 2016-11-23 宇龙计算机通信科技(深圳)有限公司 The certification of application program, installation method, device and terminal
CN107766096A (en) * 2016-08-19 2018-03-06 阿里巴巴集团控股有限公司 The generation method of application program installation kit, the operation method of application program and device
CN106548065A (en) * 2016-10-27 2017-03-29 海信集团有限公司 Application program installs detection method and device
CN107994993A (en) * 2017-11-21 2018-05-04 北京奇虎科技有限公司 Application program detection method and device

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114510293A (en) * 2022-02-17 2022-05-17 平安普惠企业管理有限公司 Application package reduction processing method and device, computer equipment and storage medium

Similar Documents

Publication Publication Date Title
US10025576B2 (en) Method for deploying BIOS integrity measurement via BIOS update package and system therefor
US9276752B2 (en) System and method for secure software update
CN112507328B (en) File signature method, computing device and storage medium
FI114416B (en) Method for securing the electronic device, the backup system and the electronic device
CN101436141B (en) Firmware upgrading and encapsulating method and device based on digital signing
US8150039B2 (en) Single security model in booting a computing device
JP4501349B2 (en) System module execution device
US20070235517A1 (en) Secure digital delivery seal for information handling system
CN109194625B (en) Client application protection method and device based on cloud server and storage medium
CN104426658B (en) The method and device of authentication is carried out to the application on mobile terminal
WO2016019790A1 (en) Verification method, client, server and system for installation package
EP3316160A1 (en) Authentication method and apparatus for reinforced software
CN104915591A (en) Data processing method and electronic equipment
CN111131246A (en) Information upgrading and backup method and system suitable for embedded equipment of power system
US7353386B2 (en) Method and device for authenticating digital data by means of an authentication extension module
KR20170089352A (en) Firmware integrity verification for performing the virtualization system
CN110830256A (en) File signature method and device, electronic equipment and readable storage medium
CN110830257A (en) File signature method and device, electronic equipment and readable storage medium
WO2020062233A1 (en) Method and apparatus for processing and deploying application program, and computer-readable medium
CN106372523B (en) Modem file security protection method and system
JP2005293109A (en) Software execution management device, software execution management method, and control program
CN115550060B (en) Trusted certificate verification method, device, equipment and medium based on block chain
CN110826034B (en) File signature method and device, electronic equipment and readable storage medium
CN116561734A (en) Verification method, verification device, computer and computer configuration system
WO2020231413A1 (en) Methodology for trustworthy software build

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18935729

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18935729

Country of ref document: EP

Kind code of ref document: A1