Got it. I see where it's using the java.util.jar.JarFile class which does the verification automatically. Thanks.
On Dec 8, 4:46 pm, "Dianne Hackborn" <[EMAIL PROTECTED]> wrote:
> That function is just comparing certificates after they have been
> retrieved. It is in PackageParser.collectCertificates() where the signature
> checking happens.
>
> On Mon, Dec 8, 2008 at 4:27 PM, Dirk Sigurdson <[EMAIL PROTECTED]> wrote:
>
> > That's the path I was following: PackageManagerService.installPackage().
> > There's a verifySignaturesLP method in there, but it doesn't look
> > like it's doing an RSA verify.
> >
> > On Dec 8, 4:05 pm, "Dianne Hackborn" <[EMAIL PROTECTED]> wrote:
> > > The .apk's signature is retrieved and checked on install, so that it doesn't
> > > need to be verified again (which can take a long time). So you'll find the
> > > actual validation stuff along the install path, and it's just calling the
> > > standard Java APIs for doing this.
> > >
> > > On Mon, Dec 8, 2008 at 3:07 PM, Dirk Sigurdson <[EMAIL PROTECTED]> wrote:
> > >
> > > > When looking through the PackageManagerService source I'm finding it
> > > > difficult to see where signatures on packages are actually being
> > > > cryptographically verified. I see memory compares being performed on
> > > > signatures between two packages, but isn't it necessary to hash the
> > > > package and then do a RSA_Verify on it to ensure that the package
> > > > hasn't been modified by someone without the private key? Maybe it's
> > > > there but I'm just not seeing it.
> > > >
> > > > Thanks,
> > > >
> > > > Dirk
> > >
> > > --
> > > Dianne Hackborn
> > > Android framework engineer
> > > [EMAIL PROTECTED]
> > >
> > > Note: please don't send private questions to me, as I don't have time to
> > > provide private support. All such questions should be posted on public
> > > forums, where I and others can see and answer them.
>
> --
> Dianne Hackborn
> Android framework engineer
> [EMAIL PROTECTED]
>
> Note: please don't send private questions to me, as I don't have time to
> provide private support. All such questions should be posted on public
> forums, where I and others can see and answer them.
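
The java.util.jar.JarFile behaviour this thread refers to, as an added illustration that is not taken from the Android source or written by either poster: digests are checked while each entry is read, and signer certificates become available only after the entry has been read to the end. The names JarSignatureCheck and verifyAll are hypothetical, and the path to a signed .jar or .apk is assumed to be passed on the command line.

```java
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignatureCheck {  // hypothetical class name

    // Returns the signer certificates shared by all content entries, or throws.
    static Certificate[] verifyAll(String path) throws Exception {
        Certificate[] signers = null;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(path, true)) {  // true: verify signed entries
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                // Signature files under META-INF/ are not themselves signed.
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Digests are checked as the stream is consumed; a modified entry
                // raises SecurityException by the time end of stream is reached.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain the entry */ }
                }
                // Only populated after the entry has been read to the end.
                Certificate[] certs = entry.getCertificates();
                if (certs == null || certs.length == 0)
                    throw new SecurityException("unsigned entry: " + entry.getName());
                if (signers == null) signers = certs;
                else if (!Arrays.equals(signers, certs))  // simplification: exact match
                    throw new SecurityException("signer mismatch: " + entry.getName());
            }
        }
        if (signers == null) throw new SecurityException("no signed entries found");
        return signers;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to a signed .jar or .apk (supplied by the reader)
        for (Certificate c : verifyAll(args[0])) {
            if (c instanceof X509Certificate)
                System.out.println(((X509Certificate) c).getSubjectX500Principal());
        }
    }
}
```

Calling getCertificates() before the entry's stream has been fully read returns null, which is why the null check comes after the drain loop.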
