I verified it with jarsigner, which returned a "jar verified" message, and
the Android package installer also succeeds after an "adb install
xxx.apk".


Dianne, could you perhaps clarify this:

After an .apk is signed, the META-INF .RSA and .SF files are created.

What does the .RSA contain?

The .SF file seems to list all the component files of the .apk with
their individual digests.

If I modify one of the files listed there and then recompute the SHA1
digest (base64 encoded), then typically the .apk would get signed; however,
the verification would fail.

Is that right?

On Tue, Nov 16, 2010 at 7:07 PM, Dianne Hackborn <[email protected]> wrote:

> What do you mean "it gets jar verified"?
>
> On Tue, Nov 16, 2010 at 6:31 AM, tera tellence <[email protected]> wrote:
>
>> Could you explain what you mean by "outside of it" here?
>>
>> Oh, btw, I tried hex-editing the .apk (this time not touching the header
>> areas) and each time it gets jar verified :( :(
>>
>>
>>
>> On Tue, Nov 16, 2010 at 9:32 AM, tera tellence <[email protected]> wrote:
>>
>>> Is there a way to show that, when an APK is modified without tampering
>>> with the signature, the verification fails (due to signature
>>> mismatch)?
>>>
>>>
>>>
>>> On Mon, Nov 15, 2010 at 11:45 PM, Yuliy Pisetsky <[email protected]> wrote:
>>>
>>>> A first guess is that you happened to modify a part of the headers
>>>> which pointed to the certificates so that it could not detect a valid
>>>> certificate or signature in the APK, and thus gave that error. In
>>>> general I wouldn't expect predictable results by randomly modifying
>>>> the APK, outside of it no longer being a valid signed APK.
>>>>
>>>> On Mon, Nov 15, 2010 at 4:22 PM, tera tellence <[email protected]> wrote:
>>>> > Dear All,
>>>> > I was trying to see when the Android package installer allows/rejects
>>>> > an .apk. My first attempt was to simply "hexedit" an .apk and see what
>>>> > happens during:
>>>> > adb install xxx.apk
>>>> > I get this error: INSTALL_PARSE_FAILED_NO_CERTIFICATES
>>>> > which surprises me. I thought it would fail at the verification of the
>>>> > JAR. So I would like somebody to throw light on the whole process:
>>>> > A JAR file of the .apk (the app) creates an archive file which is then
>>>> > signed with the private key of the creator of the JAR, and the
>>>> > signature of the JAR is verified with the public key.
>>>> > The certificate is a statement from the owner of the private key that
>>>> > the public key in the pair has a particular value, so the person using
>>>> > the public key can be assured the public key is authentic.
>>>> > How is changing a hex value in the apk (which I would assume counts as
>>>> > manipulating the apk, and therefore would not verify) giving such an
>>>> > error as the one above?
>>>> >
>>>> > Thanks in advance
>>>> >
>>>> > --
>>>> > You received this message because you are subscribed to the Google
>>>> Groups
>>>> > "Android Security Discussions" group.
>>>> > To post to this group, send email to
>>>> > [email protected].
>>>> > To unsubscribe from this group, send email to
>>>> > [email protected].
>>>> > For more options, visit this group at
>>>> > http://groups.google.com/group/android-security-discuss?hl=en.
>>>> >
>>>>
>>>>
>>>
>>
>
>
>
> --
> Dianne Hackborn
> Android framework engineer
> [email protected]
>
> Note: please don't send private questions to me, as I don't have time to
> provide private support, and so won't reply to such e-mails.  All such
> questions should be posted on public forums, where I and others can see and
> answer them.
>

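An added illustration of the digest chain this thread is asking about (editor-added example code, not written by any poster and not taken from the Android sources). In a JAR-signed APK, META-INF/MANIFEST.MF carries a SHA1 digest of every archive entry, the .SF file carries a digest of the whole manifest plus one digest per manifest section, and the .RSA file is a PKCS#7 signature block over the .SF that also carries the signer's certificate. The script below builds a constructed archive in that shape and checks the chain the way a verifier does, from the signature block down to the individual entries. The PKCS#7/RSA check over CERT.SF is assumed and not implemented; the CERT.RSA member is a placeholder, the sample entries are constructed, and the result labels (NO_CERTIFICATES, MANIFEST_MISMATCH, ENTRY_MISMATCH, UNSIGNED_ENTRY, OK) are the example's own simplified model of an installer's decisions, not Android's error codes.

```python
"""Digest chain of a JAR-signed (v1) APK, on a constructed in-memory archive.
Editor-added example, not code from the thread or from Android.  MANIFEST.MF holds
one SHA1 digest per entry, CERT.SF a digest of the manifest and of each section,
CERT.RSA the PKCS#7 signature over CERT.SF.  That last, RSA step is NOT performed
here: CERT.RSA is a placeholder that only means "a signature block exists".
"""
import base64
import hashlib
import io
import zipfile

MANIFEST, SF, RSA = "META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA"

def _b64sha1(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def _section(name: str, digest: str) -> str:
    return f"Name: {name}\r\nSHA1-Digest: {digest}\r\n\r\n"

def parse_sections(data: bytes) -> dict:
    """{name: (raw section bytes, SHA1-Digest)} for every 'Name:' section."""
    out = {}
    for raw in data.split(b"\r\n\r\n"):
        if raw.startswith(b"Name: "):
            raw += b"\r\n\r\n"  # a section digest covers the section incl. its blank line
            fields = dict(l.decode().split(": ", 1) for l in raw.strip().split(b"\r\n"))
            out[fields["Name"]] = (raw, fields["SHA1-Digest"])
    return out

def build_manifest(entries: dict) -> bytes:
    head = "Manifest-Version: 1.0\r\nCreated-By: constructed-example\r\n\r\n"
    return (head + "".join(_section(n, _b64sha1(d)) for n, d in sorted(entries.items()))).encode()

def build_sf(manifest: bytes) -> bytes:
    head = f"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: {_b64sha1(manifest)}\r\n\r\n"
    body = "".join(_section(n, _b64sha1(raw)) for n, (raw, _) in parse_sections(manifest).items())
    return (head + body).encode()

def make_apk(entries: dict, include_rsa: bool = True) -> bytes:
    manifest = build_manifest(entries)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, manifest)
        zf.writestr(SF, build_sf(manifest))
        if include_rsa:
            zf.writestr(RSA, b"PLACEHOLDER-PKCS7-BLOCK")  # constructed, not a real signature
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def replace_entry(apk: bytes, name: str, data: bytes) -> bytes:
    """Rewrite one member of the archive; every other member is copied unchanged."""
    src, buf = zipfile.ZipFile(io.BytesIO(apk)), io.BytesIO()
    with zipfile.ZipFile(buf, "w") as dst:
        for n in src.namelist():
            dst.writestr(n, data if n == name else src.read(n))
    return buf.getvalue()

def verify(apk: bytes) -> str:
    """Simplified model of an installer's order of checks (labels are ours):
    locate the signature block first, then walk the digest chain downwards."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(apk))
    except zipfile.BadZipFile:
        return "NO_CERTIFICATES"          # archive unreadable: no signature block to find
    names = set(zf.namelist())
    if not {MANIFEST, SF} <= names or not any(n.endswith(".RSA") for n in names):
        return "NO_CERTIFICATES"
    manifest, sf = zf.read(MANIFEST), zf.read(SF)
    sf_main = dict(l.decode().split(": ", 1) for l in sf.split(b"\r\n\r\n")[0].split(b"\r\n"))
    if sf_main.get("SHA1-Digest-Manifest") != _b64sha1(manifest):
        return "MANIFEST_MISMATCH"        # CERT.SF no longer matches MANIFEST.MF
    mf_sections = parse_sections(manifest)
    for name, (_, digest) in parse_sections(sf).items():
        if name not in mf_sections or _b64sha1(mf_sections[name][0]) != digest:
            return "MANIFEST_MISMATCH"
    for name in names - {MANIFEST, SF, RSA}:
        if name not in mf_sections:
            return "UNSIGNED_ENTRY"       # a file that no digest covers
        if _b64sha1(zf.read(name)) != mf_sections[name][1]:
            return "ENTRY_MISMATCH"       # the thread's case: content changed under its digest
    return "OK"

# Constructed stand-ins for an APK's contents.
ENTRIES = {"AndroidManifest.xml": b"<manifest package='example'/>",
           "classes.dex": b"dex\n035\x00ORIGINAL-CODE"}
PATCHED_DEX = b"dex\n035\x00PATCHED-CODE"

def demo() -> dict:
    good = make_apk(ENTRIES)
    patched = replace_entry(good, "classes.dex", PATCHED_DEX)
    # The step the thread describes: recompute the digest in MANIFEST.MF but leave CERT.SF alone.
    redigested = replace_entry(patched, MANIFEST, build_manifest({**ENTRIES, "classes.dex": PATCHED_DEX}))
    # A blind hex edit in the trailer: clobber the end-of-central-directory signature.
    clobbered = good[:-22] + b"\xff\xff\xff\xff" + good[-18:]
    return {"original": verify(good),
            "patched_dex": verify(patched),
            "patched_dex_redigested": verify(redigested),
            "missing_rsa": verify(make_apk(ENTRIES, include_rsa=False)),
            "clobbered_eocd": verify(clobbered)}
```

Running demo() shows the progression the thread circles around: changing classes.dex alone fails at the entry digest; recomputing that digest in MANIFEST.MF moves the failure up to the .SF, whose SHA1-Digest-Manifest no longer matches; regenerating the .SF as well would move it up once more, to the PKCS#7 signature in the .RSA, which only the holder of the private key can recompute. The clobbered archive shows the other half of the puzzle: when the zip structure itself is damaged the verifier cannot locate a signature block at all, so the report is about missing certificates rather than a digest mismatch.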