/libcore/luni/src/main/java/java/util/jar/JarVerifier.java
Here are the steps for verifying a package against its signature in META-INF on Android.
- Find the files ending with '.RSA', '.DSA' or '.EC' (certificate file), then find the '.SF' file (signature file) that has the same basename.
(On Android, these are 'CERT.RSA' and 'CERT.SF'.)
- Verify the signature file using the certificate file. => The signature file is verified.
- Read the '-Digest' values from the CERT.SF file. => The valid hash values for the files are read.
- Then, when the package (APK) is parsed, all file entries except those in the 'META-INF' directory are scanned and compared with the corresponding hash value in CERT.SF.
The interesting point is that, on Android, verification is driven by the file entries in the APK.
That is, removing some entries from the APK doesn't cause any problem in terms of signature verification. :)
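
The entry-driven behaviour described above, as an added Python example (not code from JarVerifier.java): a simplified model in which `DIGESTS` stands in for the already-verified '-Digest' table, and the file names and contents are constructed samples. The `missing_entries` completeness check is an assumption of this example, not something the page describes; it reports signed names that are absent from the archive.

```python
import base64
import hashlib
import io
import zipfile


def b64sha1(data):
    """Base64-encoded SHA-1, the encoding used for '-Digest' values."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_apk(files):
    """Build an in-memory ZIP standing in for an APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def verify_entry_driven(apk_bytes, digests):
    """Model of the flow above: iterate over the entries present in the
    archive, skip META-INF, and compare each one with its recorded digest.
    Names that are in `digests` but not in the archive are never visited."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/"):
                continue
            if digests.get(name) != b64sha1(z.read(name)):
                return False  # modified entry, or entry with no digest
    return True


def missing_entries(apk_bytes, digests):
    """Added completeness check: signed names absent from the archive."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        present = set(z.namelist())
    return sorted(set(digests) - present)


# Constructed sample data; DIGESTS plays the role of the verified digest table.
FILES = {"classes.dex": b"dex bytes", "res/layout/main.xml": b"<layout/>",
         "assets/config.json": b'{"strict": true}'}
DIGESTS = {name: b64sha1(data) for name, data in FILES.items()}
FULL = build_apk(FILES)
STRIPPED = build_apk({n: d for n, d in FILES.items() if n != "assets/config.json"})
TAMPERED = build_apk({**FILES, "classes.dex": b"modified"})
```

`verify_entry_driven` accepts both `FULL` and `STRIPPED` and rejects only `TAMPERED`, while `missing_entries(STRIPPED, DIGESTS)` names the removed file.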