On Fri, May 13, 2011 at 5:33 PM, Kostya Vasilyev <[email protected]> wrote:
> 13.05.2011 9:07, Nikolay Elenkov wrote:
>>
>> I see. In the sense that it identifies the publisher, it is indeed a
>> 'signature'.
>
> Hmm, are we talking about the same thing here?

You got me :)

>
> Isn't the key that the .apk is signed with (which is generated by the
> developer, and is specific to a particular package) different from the
> public key under the developer account (which is the same for all
> applications for a particular developer)?
>
> And aren't the LVL & in-app billing responses signed with the latter?

You are, of course, right. So getting the public key (signature) from
the PackageManager is only good for checking the package integrity.
Unless they use the script you mention below.

>
>> Is this guaranteed across versions? If so, using the PackageManager
>> to get it could be an alternative to embedding your public key in the APK
>> for LVL/in-app billing signature verification.
>
> The PackageManager GET_SIGNATURES call can be hooked to return the original
> signature even if the package has been hacked and re-signed. There is a
> script somewhere on the 'net that does this automatically.
>

I'd like to see that, too, so if you have a link handy, please share.

-- 
You received this message because you are subscribed to the Google
Groups "Android Developers" group.