Reputation: 71
Where does Android get the public key to validate an APK signature?
I see in internet sources that the APK contains the signature, but I see nothing about the public key needed to validate the signature. Does the Play Store download the public key (or certificate) along with the APK? Does Android have to ask the Play Store for the public key when needed? Am I missing something and the APK itself contains both the signature and the public key (which seems like a security problem)?
I realize that the Play Store will have the public key, either because it generated the key pair or because the developer uploaded the public key.
Note that I am not asking about the licensing key or upload key.
Upvotes: 1
Views: 1648
Answers (1)
Reputation: 42575
You don't need a separate public key because it is included in the signing certificate and the signing certificate is included in the signature.
Therefore you just need the APK files for verifying it's signature. Of course a verified signature does not get you any information about it's authenticity as nearly all APK signatures are created by self-signed certificates.
Upvotes: 1
Related Questions
- How does Android's app/signature verification work?
- how does the android apk signing work private key public key
- How to find out which signature verison an APK file has?
- Android - access the public key of its own in app runtime? Which the key-pair was used to sign the apk
- Self-checking an APK's signature
- Android APK Digital Signature
- How does Android devices get developers' public keys?
- Verify Android app signature with public key?
- How to authenticate signed android .apk?
- How does an .apk files get signed