The .apk's signature is retrieved and checked on install, so that it doesn't need to be verified again (which can take a long time). So you'll find the actual validation stuff along the install path, and it's just calling the standard Java APIs for doing this.

On Mon, Dec 8, 2008 at 3:07 PM, Dirk Sigurdson <[EMAIL PROTECTED]> wrote:
>
> When looking through the PackageManagerService source I'm finding it
> difficult to see where signatures on packages are actually being
> cryptographically verified. I see memory compares being performed on
> signatures between two packages, but isn't it necessary to hash the
> package and then do an RSA_Verify on it to ensure that the package
> hasn't been modified by someone without the private key? Maybe it's
> there but I'm just not seeing it.
>
> Thanks,
>
> Dirk
>

--
Dianne Hackborn
Android framework engineer
[EMAIL PROTECTED]

Note: please don't send private questions to me, as I don't have time to
provide private support. All such questions should be posted on public
forums, where I and others can see and answer them.
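
An added illustration, not part of the original messages and not the PackageManagerService code: one way the two steps discussed in this thread fit together, using `java.util.jar.JarFile` as an assumed choice of "standard Java API". The class and method names are hypothetical, and the two signed archive paths are supplied on the command line.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class ApkSignatureCheck {

    /** Expensive step: verify every entry, return the signer chain shared by all of them. */
    static Certificate[] collectCertificates(String path) throws IOException {
        Certificate[] signers = null;
        byte[] buf = new byte[8192];
        // verify=true: entry digests are checked against the manifest, and the
        // manifest against the signature block in META-INF, as entries are read.
        try (JarFile jar = new JarFile(path, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Certificates are only available once the entry has been read to the
                // end; a digest mismatch surfaces here as a SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain so the digest is computed */ }
                }
                Certificate[] certs = entry.getCertificates();
                if (certs == null || certs.length == 0)
                    throw new SecurityException("unsigned entry: " + entry.getName());
                if (signers == null) signers = certs;
                else if (!Arrays.equals(signers, certs))
                    throw new SecurityException("inconsistent signers: " + entry.getName());
            }
        }
        if (signers == null) throw new SecurityException("no signed entries in " + path);
        return signers;
    }

    /** Cheap step: compare certificates already collected for two packages. */
    static boolean sameSigner(Certificate[] a, Certificate[] b) {
        return Arrays.equals(a, b); // Certificate.equals compares the encoded forms
    }

    public static void main(String[] args) throws IOException {
        Certificate[] first = collectCertificates(args[0]);
        Certificate[] second = collectCertificates(args[1]);
        System.out.println(sameSigner(first, second) ? "same signer" : "different signer");
    }
}
```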
