Updated on 2025-05-29 GMT+08:00

Verifying Integrity of an App SDK Package

Function

Check the integrity of downloaded SDK packages, that is, check whether the packages have been tampered with or packets were lost during download.

Starting from version 100.12.5, a CMS digital signature file is used for integrity verification. Earlier versions still use SHA-256 values.

Verifying a Digital Signature CMS File

1. Obtain the download path of the Android/iOS/Windows/macOS/Electron UI SDK package from Downloading an App SDK.

2. Download the SDK package to your device.

3. Download the following root CA certificate and CRLs from the Huawei support website:

Root CA certificate: Huawei Software Integrity Protection Root CA.der

CRLs: HuaweiRootCA.crl, HuaweiCodeSigningCA.crl, HuaweiCodeSigningCA 2.crl, and HuaweiCodeSigningCA 3.crl

4. Convert the formats of the CA certificate and CRLs from DER to PEM.

For CRLs:

openssl crl -inform DER -in "HuaweiRootCA.crl" -out HuaweiRootCaCrl.pem
openssl crl -inform DER -in "HuaweiCodeSigningCA 3.crl" -out HuaweiCodeSigningCA3.pem
openssl crl -inform DER -in "HuaweiCodeSigningCA 2.crl" -out HuaweiCodeSigningCA2.pem
openssl crl -inform DER -in HuaweiCodeSigningCA.crl -out HuaweiCodeSigningCA.pem

For the CA certificate:

openssl x509 -inform DER -in "Huawei Software Integrity Protection Root CA.der" -out HuaweiRootCA.pem

5. Use Notepad to open the files obtained in step 4. Copy the content of HuaweiRootCaCrl.pem, HuaweiCodeSigningCA3.pem, HuaweiCodeSigningCA2.pem, and HuaweiCodeSigningCA.pem and paste it, in that order, at the end of HuaweiRootCA.pem.

6. Perform CMS verification.

openssl cms -verify -inform DER -crl_check_all -in hmwsdk-win-demo-win32.zip.cms -content hmwsdk-win-demo-win32.zip -CAfile HuaweiRootCA.pem -out cmsVerifiedData -binary -purpose any -certsout tmpCertChain.pem

If a message similar to the following is displayed, the verification is successful:

CMS Verification successful
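
Steps 4 to 6 as a single script, added here as an example (it is not Huawei's own tooling): it replaces the Notepad copy-and-paste of step 5 with appends in the same order and decides on the exit status of openssl instead of the printed message. The function names and the script's command-line form are assumptions of this example; the input file names are those listed in step 3.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes the root CA certificate
# and the four CRLs from step 3 are in the current directory.

# Steps 4 and 5: convert the DER inputs to PEM and collect them in one bundle,
# root CA first, then the CRLs in the order given in step 5.
build_trust_bundle() {
    bundle=$1
    # -out overwrites, so re-running never leaves stale or duplicated entries.
    openssl x509 -inform DER -in "Huawei Software Integrity Protection Root CA.der" \
        -out "$bundle" || return 1
    for crl in "HuaweiRootCA.crl" "HuaweiCodeSigningCA 3.crl" \
               "HuaweiCodeSigningCA 2.crl" "HuaweiCodeSigningCA.crl"; do
        # Without -out, openssl crl writes the PEM CRL to stdout.
        openssl crl -inform DER -in "$crl" >> "$bundle" || return 1
    done
}

# Step 6: verify <package>.cms against <package> with the page's options.
# Returns 0 only if openssl itself reports success, 1 on a failed
# verification, 2 if an input file is missing or empty.
verify_sdk_package() {
    pkg=$1
    bundle=$2
    if [ ! -s "$pkg" ] || [ ! -s "$pkg.cms" ] || [ ! -s "$bundle" ]; then
        echo "missing or empty input: $pkg, $pkg.cms or $bundle" >&2
        return 2
    fi
    if openssl cms -verify -inform DER -crl_check_all -in "$pkg.cms" \
        -content "$pkg" -CAfile "$bundle" -out cmsVerifiedData -binary \
        -purpose any -certsout tmpCertChain.pem; then
        return 0
    fi
    echo "CMS verification FAILED for $pkg: do not install this package" >&2
    rm -f cmsVerifiedData   # drop any output left behind by the failed run
    return 1
}

# Run as: sh verify_sdk.sh <package>   (expects <package>.cms next to it)
if [ "$#" -eq 1 ]; then
    build_trust_bundle HuaweiRootCA.pem && verify_sdk_package "$1" HuaweiRootCA.pem
    exit $?
fi
```

Because -crl_check_all is set, a missing CRL makes the verification fail, so a non-zero exit can also mean that one of the step 3 downloads is incomplete.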

Comparing SHA-256 Values

1. Obtain the download path of the Android/iOS/Windows/macOS/Electron UI SDK package from Downloading an App SDK.

2. Download the SDK package to your device.

3. Open the CLI and run the following command to generate the SHA-256 value of the downloaded SDK package. In the command, D:\hwmsdk-win-80.12.7.zip indicates the local path for storing the SDK package and the SDK package name. Replace it with the actual value.

certutil -hashfile D:\hwmsdk-win-80.12.7.zip SHA256

The following is an example of the command output:

SHA256 D:\hwmsdk-win-80.12.7.zip hash:
85a691c46a56572ea092945e9565f7927e6c1b4c612b35d01b1c8a9524f8c498 
CertUtil: -hashfile Command executed

Compare the generated SHA-256 value with that listed in the package download path table. If they are the same, no tampering or packet loss occurred during download.