When looking through the PackageManagerService source I'm finding it difficult to see where signatures on packages are actually being cryptographically verified. I see memory compares being performed on signatures between two packages, but isn't it necessary to hash the package and then do a RSA_Verify on it to ensure that the package hasn't been modified by someone without the private key? Maybe it's there but I'm just not seeing it.
Thanks, Dirk
