META-INF Files - Digests, Signature and Certificate - android

http://www.herongyang.com/Android/Project-META-INF-Files-Digest-Signature-and-Certificate.html

This section describes META-INF files in an .apk package file: MANIFEST.MF - manifest file, CERT.SF - signature file and CERT.RSA - the real signature file with certificate.

In the previous tutorial, we learned that the debug package of an Android application is automatically signed by a debug key in the "ant debug" build process.Now I am interested to how signatures are stored in package file.

1. Copy the .apk file to a .zip file:

C:\herong\HelloAndroid>copy bin\HelloAndroid-debug.apk package.zip        1 file(s) copied.

2. Unzip "package.zip" to \herong\package folder.

3. Open the manifest file, META-INF\MANIFEST.MF, in the package folder in a text editor. You will see a list of all files in the package with their SHA1 digests (Base64 encoded strings):

Manifest-Version: 1.0Created-By: 1.0 (Android)Name: res/layout/main.xmlSHA1-Digest: NXEzfMpms988J98yXEUXqh9u9ug=Name: AndroidManifest.xmlSHA1-Digest: 0f22NLU8EbmlkrUUO0GjGIIl4zU=Name: res/drawable-mdpi/ic_launcher.pngSHA1-Digest: 7Ft/Rirt+l/JRX2KjDREScdbCZk=Name: res/drawable-hdpi/ic_launcher.pngSHA1-Digest: Vj/qhxk8ic8FE0/kT6E3vgRJ4mE=Name: resources.arscSHA1-Digest: 5kllfCdPWbdy9w3CYz9lXYfN1Do=Name: classes.dexSHA1-Digest: ostS2N/xSK7OaaQ4m2rCAq8iD0k=Name: res/drawable-ldpi/ic_launcher.pngSHA1-Digest: i7vxaosoiS+9HzKB7ZgIsXMYRLY=

4. Open the signature file, META-INF\CERT.SF, in the package folder in a text editor. You will see a list of all files in the package again with their SHA1 digests again.But this time, each digest is the digest of the 3-line entry of that file in the Manifest file.

Signature-Version: 1.0Created-By: 1.0 (Android)SHA1-Digest-Manifest: UOE6fu4Pq1ddGXiJC5iAOkOtDVI=Name: res/layout/main.xmlSHA1-Digest: +IKkn6R+Vr90Oy+4cVnVwXvkqXw=Name: AndroidManifest.xmlSHA1-Digest: 8GD9vp78dBfzFq7uRbunWZs2XjU=Name: res/drawable-mdpi/ic_launcher.pngSHA1-Digest: zSBo0hBNc4K46aIFvlD4ZmQBHcg=Name: res/drawable-hdpi/ic_launcher.pngSHA1-Digest: YuN8HjuH/csIGA1V8jxQw62DV0A=Name: resources.arscSHA1-Digest: lU1eIHhOCyd3E+nBCgPiv27Vb+M=Name: classes.dexSHA1-Digest: k/Tdh4GY0wZKoL/g28iE7z3uGLI=Name: res/layout/main_original.xmlSHA1-Digest: dD4LMOZORFmtPpAZwc0R48/FAik=Name: res/drawable-ldpi/ic_launcher.pngSHA1-Digest: edY5GhthxxpZN3rJpWsoorrticI=

5. The real signature of the package is actually stored in the META-INF\CERT.RSA file in the package folder. The CERT.RSA also contains the certificate of the public key for you to verify the signature.

6. You can use the "keytool" command to view the certificate:

C:\herong\HelloAndroid>\Progra~1\Java\jdk1.7.0_03\bin\keytool \   -printcert -file package\META-INF\CERT.RSAOwner: CN=Android Debug, O=Android, C=USIssuer: CN=Android Debug, O=Android, C=USSerial number: 4427b9dbValid from: Sun Apr 01 14:43:33 EDT 2012 until: \   Tue Mar 25 14:43:33 EDT 2042Certificate fingerprints:         MD5:  47:F7:5B:83:5E:F0:19:08:15:7D:1B:80:67:96:9A:03         SHA1: CA:59:3A:44:F5:08:D7:43:96:E2:EE:2C:10:91:0F:86:3C:...         SHA256: BE:29:82:5E:4A:F6:81:D4:AA:E7:2E:D8:AB:66:B4:E2:7...94:81:08:62:D9:AE:38:66:F9:66:1F         Signature algorithm name: SHA256withRSA         Version: 3Extensions:#1: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: B4 41 2F 4A 00 AF 4B E1   2A A8 C6 E8 DA 55 13 FB  .A/J..K.*...0010: 02 64 48 87                                        .dH.]]

As I expected, this certificate is a self-signed certificate, which can not be verified by any root certificate authorities.I guess for debugging purpose, this is good enough.

META-INF Files - Digests, Signature and Certificate

更多相关文章

随机推荐