feat: implement signing fingerprint verification for auto-updates

- Add `signingFingerprint` column to the `installed_apps` table via Room migration 4 to 5
- Update `SystemPackageInfo` and `DeviceApp` domain models to include the signing fingerprint
- Implement SHA-256 signing certificate extraction in `AndroidPackageMonitor` for both legacy and modern Android versions
- Enhance `AutoUpdateWorker` to verify the APK's signing fingerprint against the installed version before proceeding with an update
- Update `AppsRepositoryImpl` to store and propagate signing fingerprints when linking or importing apps
- Refactor `ShizukuInstallerWrapper` and `AppsRepositoryImpl` for better code consistency and formatting

Author: rainxchzed

core/data/src/androidMain/kotlin/zed/rainxch/core/data/local/db/migrations/MIGRATION_4_5.kt

@@ -0,0 +1,11 @@
+package zed.rainxch.core.data.local.db.migrations
+
+import androidx.room.migration.Migration
+import androidx.sqlite.db.SupportSQLiteDatabase
+
+val MIGRATION_4_5 =
+    object : Migration(4, 5) {
+        override fun migrate(db: SupportSQLiteDatabase) {
+            db.execSQL("ALTER TABLE installed_apps ADD COLUMN signingFingerprint TEXT")
+        }
+    }

core/data/src/androidMain/kotlin/zed/rainxch/core/data/services/AndroidPackageMonitor.kt

@@ -3,12 +3,14 @@ package zed.rainxch.core.data.services
 import android.content.Context
 import android.content.pm.ApplicationInfo
 import android.content.pm.PackageManager
+import android.content.pm.PackageManager.GET_SIGNING_CERTIFICATES
 import android.os.Build
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.withContext
 import zed.rainxch.core.domain.model.DeviceApp
 import zed.rainxch.core.domain.model.SystemPackageInfo
 import zed.rainxch.core.domain.system.PackageMonitor
+import java.security.MessageDigest
 
 class AndroidPackageMonitor(
     context: Context,
@@ -20,12 +22,23 @@ class AndroidPackageMonitor(
     override suspend fun getInstalledPackageInfo(packageName: String): SystemPackageInfo? =
         withContext(Dispatchers.IO) {
             runCatching {
+                val flags =
+                    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
+                        GET_SIGNING_CERTIFICATES.toLong()
+                    } else {
+                        @Suppress("DEPRECATION")
+                        PackageManager.GET_SIGNATURES.toLong()
+                    }
+
                 val packageInfo =
                     if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
-                        packageManager.getPackageInfo(packageName, PackageManager.PackageInfoFlags.of(0L))
+                        packageManager.getPackageInfo(
+                            packageName,
+                            PackageManager.PackageInfoFlags.of(flags),
+                        )
                     } else {
                         @Suppress("DEPRECATION")
-                        packageManager.getPackageInfo(packageName, 0)
+                        packageManager.getPackageInfo(packageName, flags.toInt())
                     }
 
                 val versionCode =
@@ -36,11 +49,37 @@ class AndroidPackageMonitor(
                         packageInfo.versionCode.toLong()
                     }
 
+                val signingFingerprint: String? =
+                    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
+                        val sigInfo = packageInfo.signingInfo
+                        val certs =
+                            if (sigInfo?.hasMultipleSigners() == true) {
+                                sigInfo.apkContentsSigners
+                            } else {
+                                sigInfo?.signingCertificateHistory
+                            }
+                        certs?.firstOrNull()?.toByteArray()?.let { certBytes ->
+                            MessageDigest
+                                .getInstance("SHA-256")
+                                .digest(certBytes)
+                                .joinToString(":") { "%02X".format(it) }
+                        }
+                    } else {
+                        @Suppress("DEPRECATION")
+                        packageInfo.signatures?.firstOrNull()?.toByteArray()?.let { certBytes ->
+                            MessageDigest
+                                .getInstance("SHA-256")
+                                .digest(certBytes)
+                                .joinToString(":") { "%02X".format(it) }
+                        }
+                    }
+
                 SystemPackageInfo(
                     packageName = packageInfo.packageName,
                     versionName = packageInfo.versionName ?: "unknown",
                     versionCode = versionCode,
                     isInstalled = true,
+                    signingFingerprint = signingFingerprint,
                 )
             }.getOrNull()
         }
@@ -70,12 +109,10 @@ class AndroidPackageMonitor(
 
             packages
                 .filter { pkg ->
-                    // Exclude system apps (keep user-installed + updated system apps)
                     val isSystemApp = (pkg.applicationInfo?.flags ?: 0) and ApplicationInfo.FLAG_SYSTEM != 0
                     val isUpdatedSystem = (pkg.applicationInfo?.flags ?: 0) and ApplicationInfo.FLAG_UPDATED_SYSTEM_APP != 0
                     !isSystemApp || isUpdatedSystem
-                }
-                .map { pkg ->
+                }.map { pkg ->
                     val versionCode =
                         if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                             pkg.longVersionCode
@@ -89,8 +126,8 @@ class AndroidPackageMonitor(
                         appName = pkg.applicationInfo?.loadLabel(packageManager)?.toString() ?: pkg.packageName,
                         versionName = pkg.versionName,
                         versionCode = versionCode,
+                        signingFingerprint = null,
                     )
-                }
-                .sortedBy { it.appName.lowercase() }
+                }.sortedBy { it.appName.lowercase() }
         }
 }

core/data/src/androidMain/kotlin/zed/rainxch/core/data/services/AutoUpdateWorker.kt

@@ -137,7 +137,7 @@ class AutoUpdateWorker(
                     file.delete()
                     Logger.d { "AutoUpdateWorker: Deleted mismatched existing file for ${app.appName}" }
                 }
-            } catch (e: Exception) {
+            } catch (_: Exception) {
                 file.delete()
                 Logger.d { "AutoUpdateWorker: Deleted unextractable existing file for ${app.appName}" }
             }
@@ -156,21 +156,20 @@ class AutoUpdateWorker(
 
         val currentApp = installedAppsRepository.getAppByPackage(app.packageName)
 
-        // TOFU: Block auto-update if signing key changed
-        if (currentApp != null &&
-            currentApp.signingFingerprint != null &&
-            apkInfo.signingFingerprint != null &&
-            currentApp.signingFingerprint != apkInfo.signingFingerprint
-        ) {
-            Logger.e {
-                "AutoUpdateWorker: Signing key mismatch for ${app.appName}! " +
-                    "Expected: ${currentApp.signingFingerprint}, got: ${apkInfo.signingFingerprint}. " +
-                    "Skipping auto-update."
+        if (currentApp?.signingFingerprint != null) {
+            val expected = currentApp.signingFingerprint!!.trim().uppercase()
+            val actual = apkInfo.signingFingerprint?.trim()?.uppercase()
+            if (actual == null || expected != actual) {
+                Logger.e {
+                    "AutoUpdateWorker: Signing key mismatch for ${app.appName}! " +
+                        "Expected: ${currentApp.signingFingerprint}, got: ${apkInfo.signingFingerprint}. " +
+                        "Skipping auto-update."
+                }
+                throw IllegalStateException(
+                    "Signing fingerprint verification failed for ${app.appName}, blocking auto-update",
+                )
             }
-            throw IllegalStateException("Signing key changed for ${app.appName}, blocking auto-update")
-        }
 
-        if (currentApp != null) {
             installedAppsRepository.updateApp(
                 currentApp.copy(
                     isPendingInstall = true,
@@ -181,17 +180,17 @@ class AutoUpdateWorker(
                     latestVersionCode = apkInfo.versionCode,
                 ),
             )
-        }
 
-        Logger.d { "AutoUpdateWorker: Installing ${app.appName} via Shizuku" }
-        try {
-            installer.install(filePath, ext)
-        } catch (e: Exception) {
-            installedAppsRepository.updatePendingStatus(app.packageName, false)
-            throw e
-        }
+            Logger.d { "AutoUpdateWorker: Installing ${app.appName} via Shizuku" }
+            try {
+                installer.install(filePath, ext)
+            } catch (e: Exception) {
+                installedAppsRepository.updatePendingStatus(app.packageName, false)
+                throw e
+            }
 
-        Logger.d { "AutoUpdateWorker: Install command completed for ${app.appName}, waiting for system confirmation via broadcast" }
+            Logger.d { "AutoUpdateWorker: Install command completed for ${app.appName}, waiting for system confirmation via broadcast" }
+        }
     }
 
     private fun createForegroundInfo(

core/data/src/androidMain/kotlin/zed/rainxch/core/data/services/shizuku/ShizukuInstallerWrapper.kt

@@ -6,6 +6,7 @@ import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.launch
 import kotlinx.coroutines.runBlocking
 import kotlinx.coroutines.withContext
+import zed.rainxch.core.data.services.shizuku.model.ShizukuStatus
 import zed.rainxch.core.domain.model.GithubAsset
 import zed.rainxch.core.domain.model.InstallerType
 import zed.rainxch.core.domain.model.SystemArchitecture
@@ -26,9 +27,8 @@ import zed.rainxch.core.domain.system.InstallerInfoExtractor
 class ShizukuInstallerWrapper(
     private val androidInstaller: Installer,
     private val shizukuServiceManager: ShizukuServiceManager,
-    private val themesRepository: ThemesRepository
+    private val themesRepository: ThemesRepository,
 ) : Installer {
-
     companion object {
         private const val TAG = "ShizukuInstaller"
     }
@@ -53,50 +53,39 @@ class ShizukuInstallerWrapper(
         }
     }
 
-    // ==================== Delegated methods (always go to AndroidInstaller) ====================
-
-    override suspend fun isSupported(extOrMime: String): Boolean =
-        androidInstaller.isSupported(extOrMime)
+    override suspend fun isSupported(extOrMime: String): Boolean = androidInstaller.isSupported(extOrMime)
 
-    override fun isAssetInstallable(assetName: String): Boolean =
-        androidInstaller.isAssetInstallable(assetName)
+    override fun isAssetInstallable(assetName: String): Boolean = androidInstaller.isAssetInstallable(assetName)
 
-    override fun choosePrimaryAsset(assets: List<GithubAsset>): GithubAsset? =
-        androidInstaller.choosePrimaryAsset(assets)
+    override fun choosePrimaryAsset(assets: List<GithubAsset>): GithubAsset? = androidInstaller.choosePrimaryAsset(assets)
 
-    override fun detectSystemArchitecture(): SystemArchitecture =
-        androidInstaller.detectSystemArchitecture()
+    override fun detectSystemArchitecture(): SystemArchitecture = androidInstaller.detectSystemArchitecture()
 
-    override fun isObtainiumInstalled(): Boolean =
-        androidInstaller.isObtainiumInstalled()
+    override fun isObtainiumInstalled(): Boolean = androidInstaller.isObtainiumInstalled()
 
     override fun openInObtainium(
         repoOwner: String,
         repoName: String,
-        onOpenInstaller: () -> Unit
+        onOpenInstaller: () -> Unit,
     ) = androidInstaller.openInObtainium(repoOwner, repoName, onOpenInstaller)
 
-    override fun isAppManagerInstalled(): Boolean =
-        androidInstaller.isAppManagerInstalled()
+    override fun isAppManagerInstalled(): Boolean = androidInstaller.isAppManagerInstalled()
 
     override fun openInAppManager(
         filePath: String,
-        onOpenInstaller: () -> Unit
+        onOpenInstaller: () -> Unit,
     ) = androidInstaller.openInAppManager(filePath, onOpenInstaller)
 
-    override fun getApkInfoExtractor(): InstallerInfoExtractor =
-        androidInstaller.getApkInfoExtractor()
-
-    override fun openApp(packageName: String): Boolean =
-        androidInstaller.openApp(packageName)
+    override fun getApkInfoExtractor(): InstallerInfoExtractor = androidInstaller.getApkInfoExtractor()
 
-    override fun openWithExternalInstaller(filePath: String) =
-        androidInstaller.openWithExternalInstaller(filePath)
+    override fun openApp(packageName: String): Boolean = androidInstaller.openApp(packageName)
 
-    // ==================== Overridden methods (may use Shizuku) ====================
+    override fun openWithExternalInstaller(filePath: String) = androidInstaller.openWithExternalInstaller(filePath)
 
     override suspend fun ensurePermissionsOrThrow(extOrMime: String) {
-        Logger.d(TAG) { "ensurePermissionsOrThrow() — extOrMime=$extOrMime, cachedType=$cachedInstallerType, status=${shizukuServiceManager.status.value}" }
+        Logger.d(TAG) {
+            "ensurePermissionsOrThrow() — extOrMime=$extOrMime, cachedType=$cachedInstallerType, status=${shizukuServiceManager.status.value}"
+        }
         if (shouldUseShizuku()) {
             Logger.d(TAG) { "Shizuku active — skipping unknown sources permission check" }
             return
@@ -105,7 +94,10 @@ class ShizukuInstallerWrapper(
         androidInstaller.ensurePermissionsOrThrow(extOrMime)
     }
 
-    override suspend fun install(filePath: String, extOrMime: String) {
+    override suspend fun install(
+        filePath: String,
+        extOrMime: String,
+    ) {
         Logger.d(TAG) { "install() called — filePath=$filePath, extOrMime=$extOrMime" }
         Logger.d(TAG) { "cachedInstallerType=$cachedInstallerType, shizukuStatus=${shizukuServiceManager.status.value}" }
 
@@ -114,18 +106,19 @@ class ShizukuInstallerWrapper(
             try {
                 val service = shizukuServiceManager.getService()
                 if (service != null) {
-                    // Run the blocking AIDL call on IO dispatcher to avoid ANR
-                    val result = withContext(Dispatchers.IO) {
-                        val file = java.io.File(filePath)
-                        val pfd = android.os.ParcelFileDescriptor.open(
-                            file,
-                            android.os.ParcelFileDescriptor.MODE_READ_ONLY
-                        )
-                        pfd.use {
-                            Logger.d(TAG) { "Got Shizuku service, calling installPackage($filePath, size=${file.length()})..." }
-                            service.installPackage(it, file.length())
+                    val result =
+                        withContext(Dispatchers.IO) {
+                            val file = java.io.File(filePath)
+                            val pfd =
+                                android.os.ParcelFileDescriptor.open(
+                                    file,
+                                    android.os.ParcelFileDescriptor.MODE_READ_ONLY,
+                                )
+                            pfd.use {
+                                Logger.d(TAG) { "Got Shizuku service, calling installPackage($filePath, size=${file.length()})..." }
+                                service.installPackage(it, file.length())
+                            }
                         }
-                    }
                     Logger.d(TAG) { "Shizuku installPackage() returned: $result" }
                     if (result == 0) {
                         Logger.d(TAG) { "Shizuku install SUCCEEDED for: $filePath" }
@@ -142,7 +135,6 @@ class ShizukuInstallerWrapper(
             Logger.d(TAG) { "Not using Shizuku (enabled=${isShizukuEnabled()}, status=${shizukuServiceManager.status.value})" }
         }
 
-        // Fallback: ensure permissions then use standard installer
         Logger.d(TAG) { "Using standard AndroidInstaller for: $filePath" }
         androidInstaller.ensurePermissionsOrThrow(extOrMime)
         androidInstaller.install(filePath, extOrMime)
@@ -154,10 +146,8 @@ class ShizukuInstallerWrapper(
 
         if (isShizukuEnabled() && shizukuServiceManager.status.value == ShizukuStatus.READY) {
             Logger.d(TAG) { "Attempting Shizuku uninstall..." }
-            // Fire on background thread — callers don't await result for standard uninstall either
             Thread {
                 try {
-                    // Bind/get service on this background thread (getService is suspend)
                     val service = runBlocking { shizukuServiceManager.getService() }
                     if (service != null) {
                         Logger.d(TAG) { "Got service, calling uninstallPackage($packageName)..." }
@@ -185,13 +175,7 @@ class ShizukuInstallerWrapper(
         androidInstaller.uninstall(packageName)
     }
 
-    // ==================== Internal helpers ====================
-
-    private suspend fun shouldUseShizuku(): Boolean {
-        return isShizukuEnabled() && shizukuServiceManager.status.value == ShizukuStatus.READY
-    }
+    private suspend fun shouldUseShizuku(): Boolean = isShizukuEnabled() && shizukuServiceManager.status.value == ShizukuStatus.READY
 
-    private fun isShizukuEnabled(): Boolean {
-        return cachedInstallerType == InstallerType.SHIZUKU
-    }
+    private fun isShizukuEnabled(): Boolean = cachedInstallerType == InstallerType.SHIZUKU
 }

core/domain/src/commonMain/kotlin/zed/rainxch/core/domain/model/DeviceApp.kt

@@ -5,4 +5,5 @@ data class DeviceApp(
     val appName: String,
     val versionName: String?,
     val versionCode: Long,
+    val signingFingerprint: String?,
 )

core/domain/src/commonMain/kotlin/zed/rainxch/core/domain/model/SystemPackageInfo.kt

@@ -5,4 +5,5 @@ data class SystemPackageInfo(
     val versionName: String,
     val versionCode: Long,
     val isInstalled: Boolean,
+    val signingFingerprint: String?,
 )