Dianne Hackborn wrote: > On Mon, Mar 16, 2009 at 10:29 AM, Guillaume Leterrier < > [email protected]> wrote: > > > - For permissions protected by signature or signatureOrSystem, what key is > > used for such protection verification? OEM/system key ? > > > I don't understand the question. This protection level just means "same as > signature, but also allow anyone installed in /system to be granted the > permission." >
To rephrase and extend my previous question, signatureOrSystem protection level: "A permission that the system is to grant only to packages in the Android system image or that are signed with the same certificates." Could someone really clarify what is called the "system image". Could someone list or clarify what encompasses the term system image for this protection? Is it only packages that are located under directory / system/ or more? The Framework core package is installed under /System/, and /frameworks/base/core/res/AndroidManifest.xml includes API that are either protected by signature or SignatureorSystem. So, for the framework protected APIs, a Signature and SignatureorSystem protection make no protection difference? Indeed, as far as I understood, all packages under /system are all currently signed by the same key? I guess the OEM must be the authority controlling this key and what gets installed under /system? The distinction Signature and SignatureorSystem would only become effective, if some package stored under /system/ are not signed by the same key as the framework package? In such case, these packages may be granted system permissions, but not to the framework API protected by the only "signature" scheme.
