expoter

Reputation: 1640

Why is the CERT.SF file needed to verify an APK in Android?

As we all know, MANIFEST.MF contains a base64-encoded SHA1 digest for every file in the APK, CERT.SF contains the SHA1 digest of the MANIFEST.MF file and of each item in it, and CERT.RSA contains the signature over CERT.SF and a certificate.

Here is the question: Why not just sign MANIFEST.MF and save the signature in CERT.RSA directly?

Upvotes: 3

Views: 6170

Answers (1)

user3560691

Reputation: 31

The apk protection chain is .(RSA|DSA|EC) -> .SF -> MANIFEST.MF -> contents of each integrity-protected JAR entry.

As per the official Android page [website][1]:

.SF file contains a whole-file digest of the META-INF/MANIFEST.MF and digests of each section of META-INF/MANIFEST.MF. The whole-file digest of the MANIFEST.MF is verified. If that fails, the digest of each MANIFEST.MF section is verified instead.

Thus, CERT.SF is added to provide a fallback mechanism for signature verification.

Upvotes: 3
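To make the chain in the answer concrete, here is an added Python sketch (not from the original post and not Android's own verifier) that builds a MANIFEST.MF and a CERT.SF over constructed sample entries and then checks the .SF -> MANIFEST.MF link the way the quoted doc describes: the whole-file digest first, the per-section digests as the fallback. The CERT.RSA signature over the .SF is not modeled, and the section parsing is a simplification of the real jarsigner format.

```python
import base64
import hashlib

# Constructed sample APK entries (not a real APK): path -> content bytes.
ENTRIES = {"classes.dex": b"dex\n035\x00fake", "res/layout/main.xml": b"<LinearLayout/>"}

def sha1_b64(data: bytes) -> str:
    """SHA1 digest, base64 encoded, as used by the SHA1-Digest attributes."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def sections(text: bytes) -> dict:
    """Split a manifest-style file into {name: (section_bytes, attrs)}; the main section is ''."""
    out = {}
    for block in text.split(b"\r\n\r\n"):
        if block:
            block += b"\r\n\r\n"  # a section digest covers the section including its blank-line terminator
            attrs = dict(line.split(b": ", 1) for line in block.strip().split(b"\r\n"))
            out[attrs.get(b"Name", b"").decode()] = (block, attrs)
    return out

def build_manifest(entries: dict) -> bytes:
    """MANIFEST.MF: one section per entry carrying the digest of that entry's content."""
    mf = b"Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n"
    for name, data in entries.items():
        mf += b"Name: " + name.encode() + b"\r\nSHA1-Digest: " + sha1_b64(data).encode() + b"\r\n\r\n"
    return mf

def build_sf(mf: bytes) -> bytes:
    """CERT.SF: whole-file digest of MANIFEST.MF plus a digest of each of its named sections."""
    sf = b"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: " + sha1_b64(mf).encode() + b"\r\n\r\n"
    for name, (block, _) in sections(mf).items():
        if name:
            sf += b"Name: " + name.encode() + b"\r\nSHA1-Digest: " + sha1_b64(block).encode() + b"\r\n\r\n"
    return sf

def verify_sf(sf: bytes, mf: bytes) -> str:
    """The .SF -> MANIFEST.MF link: whole-file digest first, per-section digests as the fallback."""
    sf_sections = sections(sf)
    if sf_sections[""][1][b"SHA1-Digest-Manifest"].decode() == sha1_b64(mf):
        return "whole-file"
    mf_sections = sections(mf)
    for name, (_, attrs) in sf_sections.items():
        if name and (name not in mf_sections
                     or attrs[b"SHA1-Digest"].decode() != sha1_b64(mf_sections[name][0])):
            return "failed"
    return "per-section"

def verify_manifest(mf: bytes, entries: dict) -> list:
    """The MANIFEST.MF -> entry link: return names whose content digest no longer matches."""
    return [name for name, (_, attrs) in sections(mf).items()
            if name and attrs[b"SHA1-Digest"].decode() != sha1_b64(entries.get(name, b""))]
```

A manifest that was rewritten with an extra main-section attribute fails the whole-file check but still passes per section, while a changed entry digest in the manifest fails both; that is the fallback the answer refers to.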
