On Fri, Mar 27, 2009 at 3:38 PM, ejx...@email.mot.com <ejx...@gmail.com> wrote:
> 1) I know jar signer support multiple signatures in one jar file. If an
> APK file has two valid signatures, does that mean this APK can access
> signature level permission provided by both signers?

In theory, something is done with multiple signatures, but nobody has ever used this so it probably doesn't work. This also has the side-effect (if it does work) of aliasing the two signatures to the same thing since they presumably come from the same owner, which is likely not what you want. So basically, please don't do this. :)

> 2) Another question is about sharedUserID. If three APKs try to use same
> sharedUserID, and the signing keys are:
>
> APK-1 signed by key A
> APK-2 signed by key B
> APK-3 signed by both A and B
>
> What would happen?

Something. Maybe something good, maybe something not so good. :}

> 3) I found out if I use two different hash algorithms in manifest file,
> javasigner -verify would fail because Manifest entry is changed when
> adding 2nd hash line. Is there a way to add two hash line to manifest
> first, and then generated two SF files and .RSA files?

Sorry I can't help with this one (not like I helped much with the others).

> Are these all crazy questions ;-)

At this point, a bit. :)

Generally I would strongly recommend not straying outside of the standard way of doing things on this. You'll be immediately in uncharted territory, with unknown consequences. The package manager is very conservative about what it does with these things, so ultimately you should only be able to break yourself, but you probably don't want to do that. ;)

--
Dianne Hackborn
Android framework engineer
hack...@android.com

Note: please don't send private questions to me, as I don't have time to provide private support. All such questions should be posted on public forums, where I and others can see and answer them.
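A structural check for the two situations asked about in this thread (more than one JAR signer in an APK, more than one digest algorithm in the manifest), as an added example that is not part of the original messages or Android's own code. It only inspects JAR-style signing files under `META-INF/` and verifies no signature; the function names and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# JAR-style signing: each signer adds META-INF/<NAME>.SF plus a signature
# block file META-INF/<NAME>.RSA, .DSA or .EC.
SIG_BLOCK = re.compile(r"^META-INF/([^/]+)\.(RSA|DSA|EC)$", re.IGNORECASE)
# Attribute names start a line; wrapped continuation lines start with a space.
DIGEST_ATTR = re.compile(r"^([A-Za-z0-9-]+)-Digest:", re.MULTILINE)


def audit_jar_signing(apk_bytes):
    """Report signer files and manifest digest algorithms (no verification)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        by_upper = {n.upper(): n for n in zf.namelist()}
        signers = []
        for upper_name in by_upper:
            m = SIG_BLOCK.match(upper_name)
            # Count a signer only when its matching .SF file is present too.
            if m and f"META-INF/{m.group(1)}.SF" in by_upper:
                signers.append(m.group(1))
        manifest = ""
        if "META-INF/MANIFEST.MF" in by_upper:
            raw = zf.read(by_upper["META-INF/MANIFEST.MF"])
            manifest = raw.decode("utf-8", "replace")
    algs = sorted(set(DIGEST_ATTR.findall(manifest)))
    return {"signers": sorted(signers), "digest_algorithms": algs,
            "multiple_signers": len(signers) > 1,
            "mixed_digests": len(algs) > 1}


def build_sample(signer_names, algs):
    """Constructed input: a zip with placeholder (invalid) signing files."""
    entry = "Name: classes.dex\r\n" + "".join(
        f"{a}-Digest: cGxhY2Vob2xkZXI=\r\n" for a in algs)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n\r\n" + entry)
        for name in signer_names:
            zf.writestr(f"META-INF/{name}.SF", "Signature-Version: 1.0\r\n")
            zf.writestr(f"META-INF/{name}.RSA", b"placeholder, not PKCS#7")
        zf.writestr("classes.dex", b"")
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_jar_signing(build_sample(["CERT", "KEYB"], ["SHA1", "SHA-256"])))
```

A result with `multiple_signers` or `mixed_digests` set marks a package that departs from the standard single-signer layout and is worth reviewing before release.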