Android In-App Billing : Security.java says "Signature Verification Failed"

15
votes

I have implemented a test app with Android's In-App Billing. I have filled in my Public Key in the Security.java file. Everything works, but when I submit the payment, the app crashes. I receive an error in LogCat that says "Signature Verification Failed", which corresponds to this bit of code:

if (!sig.verify(Base64.decode(signature))) {
                Log.e(TAG, "Signature verification failed.");
                return false;
}

If I change that bit to return true instead of return false, then everything works properly - I can submit payment and safely return to the app - but I am assuming that something else is wrong, since I probably should change that to return true.

Any ideas about what could be causing this?

5
androidsecuritysignatureverificationin-app-billing

5 Answers

27
votes

That signature verification error can be caused by:

1.- A wrong public key. Maybe you've forgotten to copy some character. It happens :)

2.- The .apk must be signed. You can't use the debug.keystore, if you do your signature string will be empty.

And remember, for testing In-app billing:

  • Add Android Market public key to Security.java (String base64EncodedPublicKey = "your public key here")

  • Build in release mode and sign it (If you are using Eclipse, you can use the Export Wizard).

  • Upload the release version to Android Market, do not publish it, and create the product list.

  • Install the application onto your device ( adb -d install myapp.apk ) and make a test account primary on your device.

21
votes

In my case there was a well hidden problem.

When I first set up in-app billing I tried static responses and bought android.test.purchased item. When I switched to production items and tried to query the inventory, that fake product caused all my troubles.

So, in this case, the solution was to remove the fake product from my owned item.

Just add in the IABHelper.java file this snippet:

                Purchase p = new Purchase(itemType, purchaseData, signature);
                try {
                    consume(p);
                } catch (IabException e) {
                    e.printStackTrace();
                }

in the else statement of the method having this signature:

int queryPurchases(Inventory inv, String itemType) throws JSONException, RemoteException

Once cleaned up your own items, revert back to the original the helper java file. Of course, this is only for development phase.

2
votes

In my case, I pasted a wrong public key which has a same prefix and suffix. Just make 100% sure that it's correct.

0
votes

My Answer may be helpful to someone in future

Make sure that you have a correct base64EncodedPublicKey in your application.

-1
votes

As said before, I was using the wrong base64EncodedPublicKey.

You can find it in the Google Play Console, under your app tab, go to the Monetization Setup Tab and the you can copy it.