I need to get the package signature, and I currently get it using this code:
Signature[] sigs = c.getPackageManager() .getPackageInfo(c.getPackageName(), PackageManager.GET_SIGNATURES).signatures;However, Android Studio gives me this warning:
Reading app signatures from getPackageInfo: The app signatures could be exploited if not validated properly; see issue explanation for details.
Improper validation of app signatures could lead to issues where a malicious app submits itself to the Play Store with both its real certificate and a fake certificate and gains access to functionality or information it shouldn't have due to another application only checking for the fake certificate and ignoring the rest. Please make sure to validate all signatures returned by this method.
What does it mean to validate the signatures in this case? I'm going to check the signatures against a server to make sure they match - is that what they mean?
In a local test, all it outputs is a single negative integer, and not an array as the code would have it.