Looking at the javadoc on Signature.verify(), it looks like it has fixed one bug and introduced another:
"Indicates whether the given signature can be verified using the public key or a certificate of the signer. This Signature instance is reset to the state of its last initialization for verifying and thus can be used to verify another signature of the same signer."

In 4.0 and below, the signature instance wasn't being reset correctly and was still valid and simply returned false if you tried to call verify() again. Now you have to update() it again before calling the verify() - otherwise you get a NullPointer. So I guess they have effectively fixed a previous bug and possibly caused a different bug. I'll see if I can get a text app coded and raise it as a bug - it should throw something like a SecurityException instead.

On Thursday, July 5, 2012 2:04:29 PM UTC+1, Nikolay Elenkov wrote:
>
> On Thu, Jul 5, 2012 at 9:55 PM, H <[email protected]> wrote:
> > Cheers Nikolay - thanks for the quick update, I'll try your suggestion and
> > see if that cures it.
> >
> > Do you know if this has been reported on b.android.com - I've been checking
> > it as normal but not noticed anything that sounds similar to this..?
>
> I don't know, haven't checked, but probably not. If you can come up with a
> simple test case that reproduces this reliably, do report it. (calling verify
> two/multiple times in a row with the same Signature instance?)
>
> >
> > I presume bouncycastle implementation might go completely in a later release
> > of Android..?
>
> Probably not, but don't take my word for it. OpenSSL is not without its flaws and
> re-implementing everything on top of it is a pain.
>
> >
> > [ But I haven't downloaded the Jelly Bean image yet as I need to upgrade adt
> > and that is always a major headache - I might just have to mail an updated
> > version to some users and ask them to check it works for me. ]
> >
>
> If you don't want to change your dev environment, simply create a new Eclipse
> installation, and use that for testing ADT 20, JB, etc.
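
As an added example (not code from either poster or from Android itself), here is the test case suggested in the quoted reply, calling verify() twice on the same Signature instance, next to a helper that re-initialises and re-feeds the data for every check. The class name, the SHA256withRSA algorithm, the generated key and the sample message are assumptions made for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;

public class VerifyTwice {
    // Defensive pattern: initVerify() and update() before every verify(), so the
    // result never depends on how a platform resets the instance after verify().
    static boolean verifyFresh(PublicKey key, byte[] data, byte[] sig)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Constructed test key and message; nothing here comes from the thread.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] data = "constructed test message".getBytes("UTF-8");

        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(data);
        byte[] sig = signer.sign();

        // Reproduction shape: one instance, verify() called twice in a row.
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(kp.getPublic());
        v.update(data);
        System.out.println("first verify: " + v.verify(sig));
        try {
            // No update() in between: this is the call the thread is about.
            System.out.println("second verify, no update(): " + v.verify(sig));
        } catch (RuntimeException | SignatureException e) {
            System.out.println("second verify threw: " + e);
        }

        // The helper gives the same answer however often it is called.
        System.out.println("verifyFresh #1: " + verifyFresh(kp.getPublic(), data, sig));
        System.out.println("verifyFresh #2: " + verifyFresh(kp.getPublic(), data, sig));
    }
}
```

Running the same class on each platform version under test shows whether the second call returns a value or throws, which is the evidence a bug report needs.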

