Android system security - 5.2-apk V1 signature introduction
2022-07-24 08:59:00 【Crypto168】
An apk is essentially a zip package. If you open an apk with a decompression tool you will find a META-INF directory containing three files: MANIFEST.MF, CERT.SF and CERT.RSA. These three files are generated when the apk is signed and are obviously related to the signature.
1. File content analysis
1.1 MANIFEST.MF
Manifest-Version: 1.0
Created-By: 1.8.0_92 (Oracle Corporation)

Name: res/drawable-hdpi-v4/abc_list_longpressed_holo.9.png
SHA1-Digest: KQunCQh0E4bP0utgN0cHdQr9OwA=

Name: res/drawable-xxhdpi-v4/abc_ic_star_half_black_16dp.png
SHA1-Digest: EikVyBT5I7pmbJO2k8qF0V5hUc0=
This file lists every file in the apk together with its digest. The digest string is base64-encoded: running shasum res/drawable-hdpi-v4/abc_list_longpressed_holo.9.png prints the SHA-1 value as a hex string, and converting that hex string to base64 gives KQunCQh0E4bP0utgN0cHdQr9OwA=. The conversion can be done with an online tool such as tomeko.net.
1.2 CERT.SF
Signature-Version: 1.0
SHA1-Digest-Manifest: odZIAbrTVCfKGy6HEd5+gdBHw0I=
Created-By: 1.8.0_92 (Oracle Corporation)

Name: res/drawable-hdpi-v4/abc_list_longpressed_holo.9.png
SHA1-Digest: xcQ0bHWRc+R9tuxQ3wgY1a2eY0k=

Name: res/drawable-xxhdpi-v4/abc_ic_star_half_black_16dp.png
SHA1-Digest: pj+V2r2pJOgJwGGNpeqxnykl0Nc=

......
The content of the SF file looks much like the MF file: it also covers every file in the apk. The differences are:
- In its main attributes, the SF file records a digest of the whole MF file (SHA1-Digest-Manifest)
- The remaining entries of the SF file record digests of the corresponding MF entries, that is, each entry of the MF file is digested again.
Note that the entries of the .MF file are separated by blank lines. When computing the digest of each .MF entry you must include the trailing line break, because the blank line also contributes a line break (see the apksigner source for details). If we save the abc_list_longpressed_holo.9.png entry to a new file, compute its SHA-1 value, take the hex-encoded result and convert it to base64, we get xcQ0bHWRc+R9tuxQ3wgY1a2eY0k=.
1.3 CERT.RSA
The content of cert.rsa is binary. It stores the signer's certificate information together with the signature over the cert.sf file. The detailed contents of the certificate were explained in Android System Security — 5.0-APK Signing Mechanism Principles and are not repeated here.
2. Signature process

The specific process can be followed in the apksigner source:
public static void main(String[] args) {
    ......
    // Generate the MANIFEST.MF file: walk every file in the apk and compute a
    // digest of all of them except the .SF/.RSA/.DSA files under META-INF.
    JarEntry je;
    Manifest manifest = addDigestsToManifest(inputJar);

    // MANIFEST.MF
    je = new JarEntry(JarFile.MANIFEST_NAME);
    je.setTime(timestamp);
    outputJar.putNextEntry(je);
    manifest.write(outputJar);

    // Generate the CERT.SF file
    je = new JarEntry(CERT_SF_NAME);
    je.setTime(timestamp);
    outputJar.putNextEntry(je);
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    // Compute the digest of the MF file and the digest of each MF entry
    writeSignatureFile(manifest, baos);
    // The SF file content; the signature digest is computed over these bytes
    byte[] signedData = baos.toByteArray();
    outputJar.write(signedData);

    // Generate CERT.RSA
    // Sign the SF file content (signedData) and write the signature into the
    // RSA file together with the certificate information
    je = new JarEntry(CERT_RSA_NAME);
    je.setTime(timestamp);
    outputJar.putNextEntry(je);
    writeSignatureBlock(new CMSProcessableByteArray(signedData),
            publicKey, privateKey, outputJar);
    outputJar.close();
    ......
}

3. Installation and verification process
The entry point for installing an apk is the installPackageLI method in frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java. (Note: the source referenced here is the Android 10 version.)
private void installPackagesLI(List<InstallRequest> requests) {
    try {
        Trace.traceBegin(TRACE_TAG_PACKAGE_MANAGER, "installPackagesLI");
        for (InstallRequest request : requests) {
            // TODO(b/109941548): remove this once we've pulled everything from it and into
            // scan, reconcile or commit.
            final PrepareResult prepareResult;
            try {
                Trace.traceBegin(TRACE_TAG_PACKAGE_MANAGER, "preparePackage");
                // apk parsing and signature verification happen inside preparePackageLI;
                // a verification failure surfaces here as a PrepareFailure
                prepareResult = preparePackageLI(request.args, request.installResult);
            } catch (PrepareFailure prepareFailure) {
                request.installResult.setError(prepareFailure.error,
                        prepareFailure.getMessage());
                request.installResult.origPackage = prepareFailure.conflictingPackage;
                request.installResult.origPermission = prepareFailure.conflictingPermission;
                return;
            } finally {
                Trace.traceEnd(TRACE_TAG_PACKAGE_MANAGER);
            }
            ......
        }
        ......
    }
    ......
}

The detailed process of checking the hashes of the files in the apk against the .mf, .sf and .rsa files can be followed in the code by readers who are interested.
4. JAR V1 Disadvantages of signature mechanism
- Signature verification is slow
During verification, a digest has to be computed for every file in the apk. For an apk with many resources, or on a device with poor performance, signature verification takes a long time, which makes installation slow;
- The integrity guarantee is insufficient
The META-INF directory is used to store the signature, so the directory itself is naturally not covered by signature verification. Files can be added to this directory at will; for example, some fast batch (multi-channel) packaging schemes choose to add a channel file to this directory.
Therefore, starting with Android 7.0, V2 signatures were introduced.
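As an added worked example (not code from this article, and not apksigner or signapk source), the Python below builds MANIFEST.MF and CERT.SF for a constructed in-memory file set the way sections 1.1, 1.2 and 2 describe (each SF entry digest covers the MF entry including its trailing blank line), re-verifies them in the order the install path of section 3 does, and then shows the section 4 weakness: patching classes.dex is caught, but an extra file dropped into META-INF still verifies. The file names, file contents and the Created-By value are assumptions; CERT.RSA is left out because producing it needs a signing key.

```python
"""Worked example of the APK V1 (JAR) digest chain.

Added example, not code from the original article and not apksigner/signapk
source. Assumptions: CRLF line endings, no 72-byte manifest line wrapping
(the sample names are short), and CERT.RSA (the CMS signature over CERT.SF)
is omitted because it needs a private key.
"""
import base64
import hashlib

CRLF = "\r\n"

# Constructed sample apk contents (path -> bytes); not a real apk.
SAMPLE_FILES = {
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 16,
    "res/drawable-hdpi-v4/abc_list_longpressed_holo.9.png":
        b"\x89PNG\r\n\x1a\n" + b"\x01" * 8,
}


def b64_sha1(data: bytes) -> str:
    """SHA-1 digest as base64 text, the encoding used in .MF/.SF files."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def is_signature_file(name: str) -> bool:
    """META-INF entries written by the signer itself are never digested."""
    return name == "META-INF/MANIFEST.MF" or (
        name.startswith("META-INF/")
        and name.upper().endswith((".SF", ".RSA", ".DSA", ".EC")))


def entry_block(name: str, digest: str) -> str:
    """One section: Name/SHA1-Digest lines plus the blank line that ends it."""
    return f"Name: {name}{CRLF}SHA1-Digest: {digest}{CRLF}{CRLF}"


def split_sections(manifest: str) -> list:
    """Sections are blank-line separated; each is returned with its blank line."""
    return [p + CRLF + CRLF for p in manifest.split(CRLF + CRLF) if p]


def section_fields(section: str) -> dict:
    """'Key: value' lines of one section as a dict."""
    return dict(line.split(": ", 1) for line in section.strip(CRLF).split(CRLF))


def build_manifest(files: dict) -> str:
    """MANIFEST.MF: a digest of every non-signature file, in sorted order."""
    main = f"Manifest-Version: 1.0{CRLF}Created-By: 1.0 (example){CRLF}{CRLF}"
    return main + "".join(entry_block(n, b64_sha1(files[n]))
                          for n in sorted(files) if not is_signature_file(n))


def build_signature_file(manifest: str) -> str:
    """CERT.SF: digest of the whole MF in the main attributes, then a digest of
    each MF section (trailing blank line included, as the article points out)."""
    main = (f"Signature-Version: 1.0{CRLF}"
            f"SHA1-Digest-Manifest: {b64_sha1(manifest.encode())}{CRLF}"
            f"Created-By: 1.0 (example){CRLF}{CRLF}")
    return main + "".join(entry_block(section_fields(s)["Name"], b64_sha1(s.encode()))
                          for s in split_sections(manifest)[1:])


def entry_sections(manifest: str) -> dict:
    """name -> raw section text for every entry section (main section skipped)."""
    return {section_fields(s)["Name"]: s for s in split_sections(manifest)[1:]}


def verify_v1(files: dict, manifest: str, sf: str) -> bool:
    """V1 check order: SF main digest against the whole MF, SF entry digests
    against MF sections, MF digests against file bytes, and every file outside
    META-INF must be listed. Unlisted files inside META-INF are ignored, which
    is the integrity gap described in section 4."""
    sf_main = section_fields(split_sections(sf)[0])
    if sf_main.get("SHA1-Digest-Manifest") != b64_sha1(manifest.encode()):
        return False
    mf_sections = entry_sections(manifest)
    for name, section in entry_sections(sf).items():
        if name not in mf_sections:
            return False
        if section_fields(section)["SHA1-Digest"] != b64_sha1(mf_sections[name].encode()):
            return False
    for name, section in mf_sections.items():
        if name not in files or section_fields(section)["SHA1-Digest"] != b64_sha1(files[name]):
            return False
    return all(name in mf_sections or name.startswith("META-INF/") for name in files)


def demo() -> tuple:
    """Results for: untouched apk, patched classes.dex, extra META-INF file."""
    mf = build_manifest(SAMPLE_FILES)
    sf = build_signature_file(mf)
    signed = {**SAMPLE_FILES, "META-INF/MANIFEST.MF": mf.encode(), "META-INF/CERT.SF": sf.encode()}
    tampered = {**signed, "classes.dex": b"patched"}
    with_channel = {**signed, "META-INF/channel.txt": b"channel=constructed"}
    return verify_v1(signed, mf, sf), verify_v1(tampered, mf, sf), verify_v1(with_channel, mf, sf)


if __name__ == "__main__":
    print(demo())  # -> (True, False, True)
```

The third result is the point of section 4: because verification only walks the entries named in the manifest and ignores anything else under META-INF, a file added there is invisible to the V1 check, which is exactly why the V2 scheme moved to signing the whole zip rather than a list of entries.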
Note: this is a summary distilled from the relevant documents; if there is any infringement, please contact me immediately and I will delete this article.