Actually, the package manager would be able to check using the API. The only thing that was at question was whether the byte sequence included anything beyond the certificate or not. We know the API doesn't. Actually, what I'd like to know is whether it includes the certificate, or just the public key from the certificate!
You've effectively answered the first question, at least for now. But since the API doesn't say -- you can't really depend on the bytes anyway. All you can really do with them is the comparison.

The issues around being able to keep secrets within an application are pretty deep. Let's just say it's never been made practical and robust.

On Apr 5, 11:20 am, ko5tik <[email protected]> wrote:
> On Apr 5, 6:09 pm, Bob Kerns <[email protected]> wrote:
>
> > Hashcode would not be secure. That is, you can construct an alternate
> > app+signature that would produce the same hash code. That may be good
> > enough for you, but I would discourage such a technique. However, you
> > could construct a secure SHA-1 hash of the value!
>
> The problem is, that every other application can also read this
> signature and produce hash out of it...
>
> > Unfortunately, the contract given for PackageManager does not even
> > guarantee that you'd get the same 979-character string consistently,
> > even for the same version of the same application. I'd be quite
> > surprised if you didn't. A more relevant question is if you get the
> > same value for two different versions of your app. If they include the
> > hash portion of the signature, and its encrypted counterpart, then the
> > answer is no.
>
> I checked - it was the same. Otherwise market app/installer would be
> unable to check whether you are upgrading existing application.
>
> > or user, yes, but application, no. Nothing in a .apk can be regarded
> > as secret.
>
> ... It would be cool feature request for android.
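
The hash-code versus cryptographic-digest point from the thread, as an added example that is not part of the original posts or of Android's code. It assumes the 32-bit hash in question behaves like Java's `Arrays.hashCode(byte[])`, uses SHA-256 where the post suggested SHA-1, and uses constructed byte arrays in place of real signing-certificate bytes; the class and method names are hypothetical.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class SignatureCompare {
    // Constructed stand-ins for signing-certificate bytes (not real certificates).
    static final byte[] EXPECTED = {0x30, (byte) 0x82, 0x01, 0x00, 0x1f};
    // Differs from EXPECTED only in its last two bytes.
    static final byte[] OTHER    = {0x30, (byte) 0x82, 0x01, 0x01, 0x00};

    // SHA-256 over the raw bytes; a collision-resistant replacement for hashCode().
    static byte[] sha256(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is a mandatory algorithm on every Java platform.
            throw new IllegalStateException(e);
        }
    }

    // Compare against a pinned digest. The digest is not a secret (any app can
    // compute it); it only answers "are these the bytes I expect?".
    static boolean matchesPinned(byte[] certBytes, byte[] pinnedDigest) {
        return MessageDigest.isEqual(sha256(certBytes), pinnedDigest);
    }

    public static void main(String[] args) {
        // Arrays.hashCode is the polynomial h = 31*h + b over 32 bits, so the
        // byte pairs (0x00, 0x1f) and (0x01, 0x00) contribute the same value.
        boolean sameHashCode = Arrays.hashCode(EXPECTED) == Arrays.hashCode(OTHER);
        boolean sameBytes = Arrays.equals(EXPECTED, OTHER);
        System.out.println("hashCode equal: " + sameHashCode + ", bytes equal: " + sameBytes);

        byte[] pinned = sha256(EXPECTED);
        System.out.println("EXPECTED matches pinned digest: " + matchesPinned(EXPECTED, pinned));
        System.out.println("OTHER matches pinned digest:    " + matchesPinned(OTHER, pinned));
    }
}
```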

