
Is Signature.hashcode Referring To The Right Hashcode?

Does the following code (sign.hashCode()) give me the hashCode of my signature or the hash of the object in the memory? try { PackageInfo packageInfo = getPackageManager().get

Solution 1:

While the other answers are technically correct, they are otherwise dangerously false:

Yes, Signature.hashCode() is overwritten and does indeed calculate some weak 32-bit hash value over the signature's bytes, which makes it deterministic.

But, you should not use this value as the basis for any kind of trust decision, which you usually want to do if you retrieve the signature in the first place. This is because it is extremely easy to produce a fake signature with the same value for hashCode(): Simply generating 2^32 random signing certificates gives you a good chance of finding a collision and is very feasible.

Instead, you should use a cryptographically secure hash function, such as SHA-256 and e.g. convert the resulting hash to Base64:

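import android.util.Base64;
import java.security.MessageDigest;
// Hash the full signature bytes with SHA-256 instead of relying on hashCode()
MessageDigest digest = MessageDigest.getInstance("SHA-256");
byte[] hashBytes = digest.digest(sign.toByteArray());
String hash = Base64.encodeToString(hashBytes, Base64.NO_WRAP);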
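
Why the 32-bit value cannot carry a trust decision, shown as an added example that is not part of either answer: in the AOSP source linked in Solution 2, hashCode() is Arrays.hashCode over the signature bytes, so this plain-JVM sketch compares that check with a SHA-256 pin. The class name, method names and the three-byte arrays are constructed for illustration, and java.util.Base64 stands in for android.util.Base64.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;

public class SignaturePinDemo {
    // Weak check: equivalent to comparing Signature.hashCode() values,
    // i.e. a 32-bit polynomial hash (multiplier 31) over the raw bytes.
    static boolean weakMatch(byte[] expected, byte[] presented) {
        return Arrays.hashCode(expected) == Arrays.hashCode(presented);
    }

    static byte[] sha256(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Strong check: compare the SHA-256 digest of the presented bytes
    // against a digest pinned at build time.
    static boolean strongMatch(byte[] pinnedDigest, byte[] presented)
            throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(pinnedDigest, sha256(presented));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for Signature.toByteArray(); not real certificates.
        // They differ in the last two bytes, yet 31*0 + 31 == 31*1 + 0,
        // so the polynomial hash is identical for both.
        byte[] genuine = {0x30, 0x00, 0x1f};
        byte[] other   = {0x30, 0x01, 0x00};

        byte[] pinnedDigest = sha256(genuine);
        String pin = Base64.getEncoder().encodeToString(pinnedDigest);

        System.out.println("hashCode(genuine) = " + Arrays.hashCode(genuine));
        System.out.println("hashCode(other)   = " + Arrays.hashCode(other));
        System.out.println("weak check accepts other:     " + weakMatch(genuine, other));
        System.out.println("SHA-256 pin (Base64):         " + pin);
        System.out.println("strong check accepts genuine: " + strongMatch(pinnedDigest, genuine));
        System.out.println("strong check accepts other:   " + strongMatch(pinnedDigest, other));
    }
}
```

On Android, feed each entry's sign.toByteArray() into the same digest and compare against the pinned value rather than against hashCode().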

Solution 2:

Signature.hashCode() is overwritten and in this case is calculated on the content of the signature byte array.

You can see the source code to solve your doubts: http://grepcode.com/file/repository.grepcode.com/java/ext/com.google.android/android/5.1.1_r1/android/content/pm/Signature.java#Signature.hashCode%28%29
