That function is just comparing certificates after they have been retrieved. It is in PackageParser.collectCertificates() where the signature checking happens.
On Mon, Dec 8, 2008 at 4:27 PM, Dirk Sigurdson <[EMAIL PROTECTED]> wrote: > > That's the path I was following: PackageManagerService.installPackage > (). There's a verifySignaturesLP method in there, but it doesn't look > like it's doing an RSA verify. > > > > On Dec 8, 4:05 pm, "Dianne Hackborn" <[EMAIL PROTECTED]> wrote: > > The .apk's signature is retrieved and checked on install, so that it > doesn't > > need to be verified again (which can take a long time). So you'll find > the > > actual validation stuff along the install path, and it's just calling the > > standard Java APIs for doing this. > > > > On Mon, Dec 8, 2008 at 3:07 PM, Dirk Sigurdson <[EMAIL PROTECTED]> > wrote: > > > > > When looking through the PackageManagerService source I'm finding it > > > difficult to see where signatures on packages are actually being > > > cryptographically verified. I see memory compares being performed on > > > signatures between two packages, but isn't it necessary to hash the > > > package and then do a RSA_Verify on it to ensure that the package > > > hasn't been modified by someone without the private key? Maybe it's > > > there but I'm just not seeing it. > > > > > Thanks, > > > > > Dirk > > > > -- > > Dianne Hackborn > > Android framework engineer > > [EMAIL PROTECTED] > > > > Note: please don't send private questions to me, as I don't have time to > > provide private support. All such questions should be posted on public > > forums, where I and others can see and answer them. > -- Dianne Hackborn Android framework engineer [EMAIL PROTECTED] Note: please don't send private questions to me, as I don't have time to provide private support. All such questions should be posted on public forums, where I and others can see and answer them.
