That's the path I was following: PackageManagerService.installPackage (). There's a verifySignaturesLP method in there, but it doesn't look like it's doing an RSA verify.
On Dec 8, 4:05 pm, "Dianne Hackborn" <[EMAIL PROTECTED]> wrote: > The .apk's signature is retrieved and checked on install, so that it doesn't > need to be verified again (which can take a long time). So you'll find the > actual validation stuff along the install path, and it's just calling the > standard Java APIs for doing this. > > On Mon, Dec 8, 2008 at 3:07 PM, Dirk Sigurdson <[EMAIL PROTECTED]> wrote: > > > When looking through the PackageManagerService source I'm finding it > > difficult to see where signatures on packages are actually being > > cryptographically verified. I see memory compares being performed on > > signatures between two packages, but isn't it necessary to hash the > > package and then do a RSA_Verify on it to ensure that the package > > hasn't been modified by someone without the private key? Maybe it's > > there but I'm just not seeing it. > > > Thanks, > > > Dirk > > -- > Dianne Hackborn > Android framework engineer > [EMAIL PROTECTED] > > Note: please don't send private questions to me, as I don't have time to > provide private support. All such questions should be posted on public > forums, where I and others can see and answer them.
