1

My question is somewhat a follow up of this one: Can I specify digest algorithm apksigner uses?

I'm signign an APK with apksigner and following reccomandations on above post, I raised the minSDK to 18+. As expected the resulting MANIFEST.MF and ANDROID.SF digest report SHA-256 digest hashes for the files in the packages instead of SHA-1 digest hashes.

Android-minSDK18.SF excerpt Android-minSDK18.SF excerpt

Android-minSDK16.SF excerpt Android-minSDK16.SF excerpt

However printing the .RSA certificate with keytool -printcert -file "ANDROID - minSDK18.RSA" or keytool -printcert -file "ANDROID - minSDK16.RSA" gives the same result specifing a SHA1withRSA Signature algorythm. enter image description here

That is probably because SHA1withRSA is the Signature algorythm embedded in the certificate: enter image description here

My question is to know if the signature algorythm of the certifiicate used to sign an APK has an impact related to the SHA-1 collision problems even when the APK is signed with SHA-256 algorythm.

gbaccetta
  • 4,449
  • 2
  • 20
  • 30

1 Answers1

1

No, the signature algorithm inside the app signing certificate -- the algorithm used by certificate Issuer to sign the certificate -- has no impact on the security of your Android app. The reason is that Android does not verify this cryptographic signature inside the app signing certificate.

For more background, all that matters to Android in an app signing certificate is that:

  1. it parses,
  2. it declares that its public key can be used for digital signatures,
  3. (only when updating an already installed app) it is identical to the app signing certificate of the currently installed version of the app.
Alex Klyubin
  • 5,554
  • 2
  • 29
  • 24
  • Thank you for your answer. That is what I was thinking but I really wanted someone more expert than me achieving the same conclusion. – gbaccetta Sep 19 '17 at 17:37