Embodiments of this application disclose a software integrity protection method and apparatus. A first device obtains a first software package, where the first software package includes a first signature made by a first party for a second software package by using a first private key; and the first device performs a signing operation on the first software package by using a second private key, to obtain a third software package including a second signature, where the first private key is controlled by the first party, and the second private key is controlled by a second party. The first device sends the third software package to a second device. The second device verifies the first signature and the second signature in the third software package respectively based on a first public key and a second public key that are prestored, to obtain a verification result.