OK, converting to base64 (using your link), formatting it as a
certificate file, and using openssl to parse the result, we get to see
the actual content:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1269799100 (0x4baf98bc)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Android, CN=Android Debug
        Validity
            Not Before: Mar 28 17:58:20 2010 GMT
            Not After : Mar 28 17:58:20 2011 GMT
        Subject: C=US, O=Android, CN=Android Debug
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c5:71:d5:da:04:aa:ce:c8:83:13:4f:20:a2:7b:
                    9f:e7:3a:7f:ab:49:a3:14:43:88:5d:4d:dd:97:9f:
                    a6:10:84:bb:54:11:0d:59:78:57:cd:1c:80:42:9c:
                    cb:3d:8d:ac:ef:70:2e:5c:00:68:56:39:9d:dd:5b:
                    61:63:0b:59:c6:63:2d:c5:af:86:98:a5:fe:4d:d5:
                    79:5b:93:bc:41:81:4a:df:92:bb:81:86:7b:bf:69:
                    f9:f0:51:32:58:62:65:1d:ae:28:f9:48:3f:dd:ed:
                    97:8e:5d:44:97:da:36:5f:8c:f9:cb:eb:50:dd:67:
                    ab:11:4b:e0:85:87:34:7f:ad
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        af:92:d2:bf:20:aa:eb:e8:37:61:bb:73:d4:e3:cd:24:0b:2e:
        96:f2:3d:43:d4:cb:c3:3d:b5:d8:e1:09:0d:bd:5f:bb:43:ae:
        45:92:4d:bd:a6:f9:61:b2:f0:6b:00:30:4c:39:ed:68:c3:82:
        13:4a:50:71:01:a9:ea:a2:3f:48:0c:ac:75:63:aa:54:fb:50:
        7b:df:94:33:a2:f5:e0:15:a9:a2:3d:bb:6d:e1:a0:a7:c8:f2:
        f8:f6:a2:ee:52:2f:aa:ff:4c:73:76:7b:22:58:15:72:e5:5c:
        40:72:6f:2c:41:b2:1b:31:cd:30:9d:5b:ed:9b:4a:56:8c:df:
        26:65

I'm curious as to whether these are always the same, or generated for
us and unique to each SDK install, but I'm not going to look just now.

The other interesting thing to know would be whether the comparison
compares the entire value, or just the public key.

On Apr 10, 12:49 am, mendhak <[email protected]> wrote:
> Hi, thanks for responding.
>
> I had a look, and yes, the bytes were the same as the 979 character
> string (hex) - they contained the certificate itself.  I should post
> it here anyways, since it is the debug certificate in this case.
> Well, here it is:
>
> --------------------------
> 308201e53082014ea00302010202044baf98bc300d06092a864886f70d01010505003037310 
> b30090603550406130255533110300e060355040a1307416e64726f69643116301406035504 
> 03130d416e64726f6964204465627567301e170d3130303332383137353832305a170d31313 
> 03332383137353832305a3037310b30090603550406130255533110300e060355040a130741 
> 6e64726f6964311630140603550403130d416e64726f696420446562756730819f300d06092 
> a864886f70d010101050003818d0030818902818100c571d5da04aacec883134f20a27b9fe7 
> 3a7fab49a31443885d4ddd979fa61084bb54110d597857cd1c80429ccb3d8dacef702e5c006 
> 856399ddd5b61630b59c6632dc5af8698a5fe4dd5795b93bc41814adf92bb81867bbf69f9f0 
> 51325862651dae28f9483fdded978e5d4497da365f8cf9cbeb50dd67ab114be08587347fad0 
> 203010001300d06092a864886f70d010105050003818100af92d2bf20aaebe83761bb73d4e3 
> cd240b2e96f23d43d4cbc33db5d8e1090dbd5fbb43ae45924dbda6f961b2f06b00304c39ed6 
> 8c382134a507101a9eaa23f480cac7563aa54fb507bdf9433a2f5e015a9a23dbb6de1a0a7c8 
> f2f8f6a2ee522faaff4c73767b22581572e55c40726f2c41b21b31cd309d5bed9b4a568cdf2 
> 665
> --------------------------
>
> If you run it through a tool like this: http://home2.paulschou.net/tools/xlate/
>
> You'll see gibberish interspersed with words like Android and Debug.
> That definitely looks like the certificate to me, not that I'm a
> certificate expert.
>
> I'm still wondering how the maps API does it.  If it's something that
> they're keeping secret, fair enough I guess, would've been nice.  But
> still an interesting problem.
>
> On Apr 6, 12:10 am, Bob Kerns <[email protected]> wrote:
>
>
>
> > Actually, the package manager would be able to check using the API.
> > The only thing that was at question was whether the byte sequence
> > included anything beyond the certificate or not. We know the API
> > doesn't. Actually, what I'd like to know is whether it includes the
> > certificate, or just the public key from the certificate!
>
> > You've effectively answered the first question, at least for now. But
> > since the API doesn't say -- you can't really depend on the bytes
> > anyway. All you can really do with them is the comparison.
>
> > The issues around being able to keep secrets within an application are
> > pretty deep. Let's just say it's never been made practical and
> > robust.
>
> > On Apr 5, 11:20 am, ko5tik <[email protected]> wrote:
>
> > > On Apr 5, 6:09 pm, Bob Kerns <[email protected]> wrote:
>
> > > > Hashcode would not be secure. That is, you can construct an alternate
> > > > app+signature that would produce the same hash code. That may be good
> > > > enough for you, but I would discourage such a technique. However, you
> > > > could construct a secure SHA-1 hash of the value!
>
> > > The problem is,  that every other application can also read this
> > > signature
> > > and produce hash out of it...
>
> > > > Unfortunately, the contract given for PackageManager does not even
> > > > guarantee that you'd get the same 979-character string consistently,
> > > > even for the same version of the same application. I'd be quite
> > > > surprised if you didn't. A more relevant question is if you get the
> > > > same value for two different versions of your app. If they include the
> > > > hash portion of the signature, and its encrypted counterpart, then the
> > > > answer is no.
>
> > > I checked  - it was the same.  Otherwise market app/installer would be
> > > unable to
> > > check whether you are upgrading existing application.
>
> > > > or user, yes, but application, no. Nothing in a .apk can be regarded
> > > > as secret.
>
> > > ... It would be cool feature request  for android.
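
The open question in this thread, whether a comparison covers the entire certificate or just the public key, worked through as an added example (not code from any poster or from Android). It walks the DER of the debug certificate hex posted above and hashes both candidates; the function names are assumptions of this sketch.

```python
import hashlib

# Debug certificate hex as posted in the thread (two posted lines per literal).
CERT_HEX = (
    "308201e53082014ea00302010202044baf98bc300d06092a864886f70d01010505003037310b30090603550406130255533110300e060355040a1307416e64726f69643116301406035504"
    "03130d416e64726f6964204465627567301e170d3130303332383137353832305a170d3131303332383137353832305a3037310b30090603550406130255533110300e060355040a130741"
    "6e64726f6964311630140603550403130d416e64726f696420446562756730819f300d06092a864886f70d010101050003818d0030818902818100c571d5da04aacec883134f20a27b9fe7"
    "3a7fab49a31443885d4ddd979fa61084bb54110d597857cd1c80429ccb3d8dacef702e5c006856399ddd5b61630b59c6632dc5af8698a5fe4dd5795b93bc41814adf92bb81867bbf69f9f0"
    "51325862651dae28f9483fdded978e5d4497da365f8cf9cbeb50dd67ab114be08587347fad0203010001300d06092a864886f70d010105050003818100af92d2bf20aaebe83761bb73d4e3"
    "cd240b2e96f23d43d4cbc33db5d8e1090dbd5fbb43ae45924dbda6f961b2f06b00304c39ed68c382134a507101a9eaa23f480cac7563aa54fb507bdf9433a2f5e015a9a23dbb6de1a0a7c8"
    "f2f8f6a2ee522faaff4c73767b22581572e55c40726f2c41b21b31cd309d5bed9b4a568cdf2665"
)

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def children(buf, start, end):
    """Return (tag, elem_start, value_start, value_end) for each element in a range."""
    out = []
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        out.append((tag, start, vs, ve))
        start = ve
    return out

def fingerprints(cert_hex):
    """SHA-256 over the whole certificate and over SubjectPublicKeyInfo only."""
    der = bytes.fromhex(cert_hex)
    _, vs, ve = read_tlv(der, 0)                    # outer Certificate SEQUENCE
    tbs = children(der, vs, ve)[0]                  # tbsCertificate
    fields = children(der, tbs[2], tbs[3])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] version
    serial, spki = fields[0], fields[5]  # serial, sigAlg, issuer, validity, subject, SPKI
    return {
        "serial": int.from_bytes(der[serial[2]:serial[3]], "big"),
        "spki_len": spki[3] - spki[1],
        "cert_sha256": hashlib.sha256(der).hexdigest(),
        "spki_sha256": hashlib.sha256(der[spki[1]:spki[3]]).hexdigest(),
    }

if __name__ == "__main__":
    print(fingerprints(CERT_HEX))
```

Changing only the notAfter year in the hex changes cert_sha256 but leaves spki_sha256 unchanged, which is the practical difference between comparing the whole value and comparing just the key.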
