I have built an Android application that gives users the ability to purchase items. The Google purchase dialog returns payment successful, but on activity result the application fails: the verify method in Security.java always returns false at "sig.verify(Base64.decode(signature))".
Any help on why this is happening and what I have to do? I have published the app to the Play Store and I do not use the android.test.* SKUs; I have my own SKUs.
Did you initialize it correctly?
Get public key:
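    import android.util.Base64;
    import java.security.KeyFactory;
    import java.security.PublicKey;
    import java.security.spec.X509EncodedKeySpec;
    // Decode the Base64 X.509 public key and build a PublicKey from it
    public PublicKey getAPKKey(String keyFactoryAlgorithm) throws Exception {
        byte[] decodedKey = Base64.decode("...your google play public key...", Base64.DEFAULT);
        KeyFactory keyFactory = KeyFactory.getInstance(keyFactoryAlgorithm);
        return keyFactory.generatePublic(new X509EncodedKeySpec(decodedKey));
    }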
You can find your public key in the Google Play Developer Console.
Then verify the signature:
    import android.os.Bundle;
    import java.security.Signature;

    // get purchase data
    Bundle ownedItems = ...; // query purchases
    String purchaseData = ownedItems.getStringArrayList("INAPP_PURCHASE_DATA_LIST").get(0); // just index 0 for demonstration
    String signature = ownedItems.getStringArrayList("INAPP_DATA_SIGNATURE_LIST").get(0); // just index 0 for demonstration

    PublicKey pkey = getAPKKey("RSA");
    Signature sig = Signature.getInstance("SHA1withRSA");
    sig.initVerify(pkey);
    // the signature covers the purchase data string exactly as returned, byte for byte
    sig.update(purchaseData.getBytes());
    if (sig.verify(Base64.decode(signature, Base64.DEFAULT))) {
        // ok
    } else {
        // not ok
    }