Android Tutorials - Herong's Tutorial Examples - v3.03, by Herong Yang
META-INF Files - Digests, Signature and Certificate
This section describes META-INF files in an .apk package file: MANIFEST.MF - manifest file, CERT.SF - signature file and CERT.RSA - the real signature file with certificate.
In the previous tutorial, we learned that the debug package of an Android application is automatically signed by a debug key in the "ant debug" build process. Now I am interested to how signatures are stored in package file.
1. Copy the .apk file to a .zip file:
C:\herong\HelloAndroid>copy bin\HelloAndroid-debug.apk package.zip 1 file(s) copied.
2. Unzip "package.zip" to \herong\package folder.
3. Open the manifest file, META-INF\MANIFEST.MF, in the package folder in a text editor. You will see a list of all files in the package with their SHA1 digests (Base64 encoded strings):
Manifest-Version: 1.0 Created-By: 1.0 (Android) Name: res/layout/main.xml SHA1-Digest: NXEzfMpms988J98yXEUXqh9u9ug= Name: AndroidManifest.xml SHA1-Digest: 0f22NLU8EbmlkrUUO0GjGIIl4zU= Name: res/drawable-mdpi/ic_launcher.png SHA1-Digest: 7Ft/Rirt+l/JRX2KjDREScdbCZk= Name: res/drawable-hdpi/ic_launcher.png SHA1-Digest: Vj/qhxk8ic8FE0/kT6E3vgRJ4mE= Name: resources.arsc SHA1-Digest: 5kllfCdPWbdy9w3CYz9lXYfN1Do= Name: classes.dex SHA1-Digest: ostS2N/xSK7OaaQ4m2rCAq8iD0k= Name: res/drawable-ldpi/ic_launcher.png SHA1-Digest: i7vxaosoiS+9HzKB7ZgIsXMYRLY=
4. Open the signature file, META-INF\CERT.SF, in the package folder in a text editor. You will see a list of all files in the package again with their SHA1 digests again. But this time, each digest is the digest of the 3-line entry of that file in the Manifest file.
Signature-Version: 1.0 Created-By: 1.0 (Android) SHA1-Digest-Manifest: UOE6fu4Pq1ddGXiJC5iAOkOtDVI= Name: res/layout/main.xml SHA1-Digest: +IKkn6R+Vr90Oy+4cVnVwXvkqXw= Name: AndroidManifest.xml SHA1-Digest: 8GD9vp78dBfzFq7uRbunWZs2XjU= Name: res/drawable-mdpi/ic_launcher.png SHA1-Digest: zSBo0hBNc4K46aIFvlD4ZmQBHcg= Name: res/drawable-hdpi/ic_launcher.png SHA1-Digest: YuN8HjuH/csIGA1V8jxQw62DV0A= Name: resources.arsc SHA1-Digest: lU1eIHhOCyd3E+nBCgPiv27Vb+M= Name: classes.dex SHA1-Digest: k/Tdh4GY0wZKoL/g28iE7z3uGLI= Name: res/layout/main_original.xml SHA1-Digest: dD4LMOZORFmtPpAZwc0R48/FAik= Name: res/drawable-ldpi/ic_launcher.png SHA1-Digest: edY5GhthxxpZN3rJpWsoorrticI=
5. The real signature of the package is actually stored in the META-INF\CERT.RSA file in the package folder. The CERT.RSA also contains the certificate of the public key for you to verify the signature.
6. You can use the "keytool" command to view the certificate:
C:\herong\HelloAndroid>\Progra~1\Java\jdk1.7.0_03\bin\keytool \ -printcert -file package\META-INF\CERT.RSA Owner: CN=Android Debug, O=Android, C=US Issuer: CN=Android Debug, O=Android, C=US Serial number: 4427b9db Valid from: Sun Mar 01 14:43:33 EDT 2012 until: \ Tue Mar 25 14:43:33 EDT 2042 Certificate fingerprints: MD5: 47:F7:5B:83:5E:F0:19:08:15:7D:1B:80:67:96:9A:03 SHA1: CA:59:3A:44:F5:08:D7:43:96:E2:EE:2C:10:91:0F:86:3C:... SHA256: BE:29:82:5E:4A:F6:81:D4:AA:E7:2E:D8:AB:66:B4:E2:7... 94:81:08:62:D9:AE:38:66:F9:66:1F Signature algorithm name: SHA256withRSA Version: 3 Extensions: #1: ObjectId: 126.96.36.199 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: B4 41 2F 4A 00 AF 4B E1 2A A8 C6 E8 DA 55 13 FB .A/J..K.*... 0010: 02 64 48 87 .dH. ] ]
As I expected, this certificate is a self-signed certificate, which can not be verified by any root certificate authorities. I guess for debugging purpose, this is good enough.
Table of Contents