The .RSA contains the signature in the PKCS#7 format. It also includes the public key and some other stuff. Refer to (line 288ff)
http://android.git.kernel.org/?p=platform/build.git;a=blob;f=tools/signapk/SignApk.java;hb=HEAD
for more details.

Yves

On 16.11.2010 22:48, tera tellence wrote:
> I verified it with jarsigner which returned a "jar verified" message
> and the Android package installer also succeeds after an "adb install
> xxx.apk".
>
> Perhaps Dianne, could you clarify this:
>
> After an .apk is signed, the META-INF with .RSA and .SF are created.
>
> What does the .RSA contain??
>
> The .SF file seems to consist of all the component files of the .apk
> with their individual digests.
>
> If I modify one of the files given here and then recompute the SHA1
> digest (base 64 encoded) then typically the apk would get signed however,
> the verification would fail.
>
> Is that right?
>
> On Tue, Nov 16, 2010 at 7:07 PM, Dianne Hackborn wrote:
> > What do you mean "it gets jar verified"?
> >
> > On Tue, Nov 16, 2010 at 6:31 AM, tera tellence wrote:
> > > Could you explain what you mean "outside of it" here??
> > >
> > > Oh btw I tried hexediting the .apk (this time not touching the
> > > header areas) and each time it gets jar verified :( :(
> > >
> > > On Tue, Nov 16, 2010 at 9:32 AM, tera tellence wrote:
> > > > Is there a way to show that when an APK is modified without
> > > > tampering with the signature so that the verification fails
> > > > (due to signature mismatch)??
> > > >
> > > > On Mon, Nov 15, 2010 at 11:45 PM, Yuliy Pisetsky wrote:
> > > > > A first guess is that you happened to modify a part of the headers
> > > > > which pointed to the certificates so that it could not detect a valid
> > > > > certificate or signature in the APK, and thus gave that error. In
> > > > > general I wouldn't expect predictable results by randomly modifying
> > > > > the APK, outside of it no longer being a valid signed APK.
> > > > >
> > > > > On Mon, Nov 15, 2010 at 4:22 PM, tera tellence wrote:
> > > > > > Dear All,
> > > > > >
> > > > > > I was trying to see when the android package installer
> > > > > > allows/rejects .apk.
> > > > > >
> > > > > > My first attempt was to simply "hexedit" on a .apk and see what
> > > > > > happens during:
> > > > > >
> > > > > > adb install xxx.apk
> > > > > >
> > > > > > I get this error: INSTALL_PARSE_FAILED_NO_CERTIFICATES
> > > > > >
> > > > > > which surprises me. I thought it would fail at the verification
> > > > > > of JAR..
> > > > > >
> > > > > > So I would like somebody to throw light on the whole process:
> > > > > >
> > > > > > A JAR file of the .apk (the App) creates an archive file which is
> > > > > > then signed with the private key of the creator of JAR and the
> > > > > > signature of the JAR is verified with the public key.
> > > > > >
> > > > > > The certificate is a statement from the owner of the private key
> > > > > > that the public key in the pair has a particular value so the
> > > > > > person using the public key can be assured the public key is
> > > > > > authentic.
> > > > > >
> > > > > > How is changing a hex value on the apk (I would assume as
> > > > > > manipulating the apk, and therefore would not be verified well)
> > > > > > giving such an error as above?
> > > > > >
> > > > > > Thanks in advance
> > > > > >
> > > > > > --
> > > > > > You received this message because you are subscribed to the
> > > > > > Google Groups "Android Security Discussions" group.
> > > > > > To post to this group, send email to [email protected].
> > > > > > To unsubscribe from this group, send email to [email protected].
> > > > > > For more options, visit this group at
> > > > > > http://groups.google.com/group/android-security-discuss?hl=en.
> >
> > --
> > Dianne Hackborn
> > Android framework engineer
> >
> > Note: please don't send private questions to me, as I don't have
> > time to provide private support, and so won't reply to such
> > e-mails. All such questions should be posted on public forums,
> > where I and others can see and answer them.
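Added example, not part of the original thread and not taken from SignApk.java: a minimal check of the per-entry `SHA1-Digest` values in `META-INF/MANIFEST.MF`, run against a constructed in-memory archive, showing that changing an entry's content without updating the digests is detected. The function names and sample files are hypothetical; the check covers only the manifest digests and does not validate the .SF file or the PKCS#7 signature in the .RSA file.

```python
import base64, hashlib, io, zipfile

def parse_manifest(data: bytes) -> dict:
    """Return {entry name: base64 SHA1-Digest} from a JAR manifest."""
    text = data.decode("utf-8").replace("\r\n", "\n")
    text = text.replace("\n ", "")  # unfold continuation lines (72-byte wrap)
    digests = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in attrs and "SHA1-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA1-Digest"]
    return digests

def check_entries(apk_bytes: bytes) -> dict:
    """Compare each entry's content digest with MANIFEST.MF (no .SF/.RSA check)."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        expected = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
        for name in zf.namelist():
            if name.startswith("META-INF/"):
                continue
            actual = base64.b64encode(hashlib.sha1(zf.read(name)).digest()).decode()
            if name not in expected:
                results[name] = "not in manifest"
            elif expected[name] != actual:
                results[name] = "digest mismatch"
            else:
                results[name] = "ok"
        for name in expected.keys() - set(zf.namelist()):
            results[name] = "missing from archive"
    return results

def build_sample(files: dict, manifest_from: dict = None) -> bytes:
    """Constructed sample: zip `files` with a manifest digesting `manifest_from`."""
    src = files if manifest_from is None else manifest_from
    mf = "Manifest-Version: 1.0\r\n\r\n"
    for name, content in src.items():
        d = base64.b64encode(hashlib.sha1(content).digest()).decode()
        mf += f"Name: {name}\r\nSHA1-Digest: {d}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", mf)
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed inputs: same manifest, one entry's content changed afterwards.
ORIGINAL = {"classes.dex": b"dex-bytes-v1", "res/raw/a.txt": b"hello"}
TAMPERED = dict(ORIGINAL, **{"classes.dex": b"dex-bytes-v2"})
```

`check_entries(build_sample(TAMPERED, manifest_from=ORIGINAL))` reports `digest mismatch` for `classes.dex` only; the digests are computed over each entry's uncompressed content, not over the raw bytes of the ZIP container.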
