Reputation: 1640
Why CERT.SF file is need to verify an apk in android?
As we all know, MANIFEST.MF contains sha1-digest encoded in base64 for all the files in apk, CERT.SF contains sha1-digest of file MANIFEST.MF and all items in it, and CERT.RSA contains signature for file CERT.SF and a certification.
Here is the question: Why not just sign MANIFEST.MF and save the signature in CERT.RSA directly?
Upvotes: 3
Views: 6170
Answers (1)
Reputation: 31
The apk protection chain is .(RSA|DSA|EC) -> .SF -> MANIFEST.MF -> contents of each integrity-protected JAR entry.
As per official android page [website][1]
.SF file contains a whole-file digest of the META-INF/MANIFEST.MF and digests of each section of META-INF/MANIFEST.MF. The whole-file digest of the MANIFEST.MF is verified. If that fails, the digest of each MANIFEST.MF section is verified instead.
Thus, CERT.SF is added to provide fallback mechanism for signature verification.
Upvotes: 3
Related Questions
- How can I close/hide the Android soft keyboard programmatically?
- How to stop EditText from gaining focus when an activity starts in Android?
- Proper use cases for Android UserManager.isUserAGoat()?
- Install an apk file from command prompt?
- How do you install an APK file in the Android emulator?
- How to avoid reverse engineering of an APK file
- Is there a way to get the source code from an APK file?
- Why is the Android emulator so slow? How can we speed up the Android emulator?
- Is there a unique Android device ID?
- "Debug certificate expired" error in Eclipse Android plugins