
Why are there multiple signatures in this value? Are these values the public key of the package?

Can I uniquely identify a package using this signature instead of reading the files under META-INF, or calculating an MD5 on the whole APK file?

bhh
  • I am wondering what the underlying problem might be, i.e. what you are trying to achieve and for what reason. – sstn Apr 06 '11 at 10:49

1 Answer

According to @hackbod, these are all the public keys the APK was signed with:

Despite its name, the contents of PackageInfo.signatures is the public keys your app is signed with. This absolutely, positively does not change between builds. This is the pure identity of the developer of the app.

Reference: https://groups.google.com/d/msg/android-developers/fPtdt6zDzns/MDqie6k7qo0J

Rupert Rawnsley
  • Is this spoofable? Can somebody decompile and repackage my app, such that the repackaged app produces the same value? – Arash Motamedi Jan 25 '15 at 04:32
  • @Arash No. It's an asymmetric cypher, so they would have to possess the private key you used to sign it, which you should never share. In theory and with enough computer power, they could find this key, but it's impractical. – Rupert Rawnsley Jan 30 '15 at 11:12
  • @RupertRawnsley At which location of the APK will we find this signature? – Sorry IwontTell Oct 18 '20 at 17:08
  • @SorryIwontTell In the APK file itself [this answer](https://stackoverflow.com/a/11331951/671393) might be informative, but in the Android SDK you can [find it here](https://developer.android.com/reference/android/content/pm/PackageInfo#signatures). Both of these things are of course deprecated because Android. – Rupert Rawnsley Oct 19 '20 at 12:37
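The practical consequence of the answer and the comments above is that each entry in `PackageInfo.signatures` (or, since API 28, `PackageInfo.signingInfo`) is a DER-encoded X.509 certificate, so the stable identifier to pin is a hash of that certificate, not an MD5 of the APK (which changes every build). The following is an added example, not code from the question or answer: it reads the signing certificates through the current API where available and the deprecated `GET_SIGNATURES` path on older releases, computes their SHA-256 fingerprints, and checks them against a pinned value. The `PINNED_SHA256_HEX` constant is a placeholder you would replace with the fingerprint of your own certificate (the same value `apksigner verify --print-certs` or `keytool -printcert` reports).

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.content.pm.SigningInfo;
import android.os.Build;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;

/**
 * Fingerprints the X.509 certificates a package is signed with and compares
 * them against a pinned value. Each Signature object wraps a DER-encoded
 * certificate, so SHA-256 over Signature.toByteArray() is the certificate
 * fingerprint, which stays constant across builds signed with the same key.
 */
public final class SigningCertCheck {

    /** Placeholder (assumption): the SHA-256 hex fingerprint of the certificate you expect. */
    private static final String PINNED_SHA256_HEX = "REPLACE_WITH_YOUR_CERT_FINGERPRINT";

    private SigningCertCheck() {}

    /** Returns the signing certificates of packageName, preferring the non-deprecated API. */
    public static Signature[] signingCertificates(Context ctx, String packageName)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo info = pm.getPackageInfo(packageName, PackageManager.GET_SIGNING_CERTIFICATES);
            SigningInfo si = info.signingInfo;
            // With several signers every certificate is current; with one signer the
            // history also lists certificates the app rotated away from (newest last).
            return si.hasMultipleSigners()
                    ? si.getApkContentsSigners()
                    : si.getSigningCertificateHistory();
        }
        @SuppressWarnings("deprecation")
        PackageInfo info = pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
        return info.signatures;
    }

    /** Lower-case hex SHA-256 fingerprint of one DER certificate. */
    public static String sha256Hex(Signature sig) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(sig.toByteArray());
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is a mandatory algorithm on every Java/Android platform.
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** Fingerprints of every certificate returned for the package. */
    public static List<String> fingerprints(Context ctx, String packageName)
            throws PackageManager.NameNotFoundException {
        List<String> out = new ArrayList<>();
        for (Signature s : signingCertificates(ctx, packageName)) out.add(sha256Hex(s));
        return out;
    }

    /** True when the package was signed with the pinned certificate. */
    public static boolean isSignedByPinnedCert(Context ctx, String packageName)
            throws PackageManager.NameNotFoundException {
        String pinned = PINNED_SHA256_HEX.toLowerCase();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            // The platform can do the comparison itself against a SHA-256 digest.
            return ctx.getPackageManager().hasSigningCertificate(
                    packageName, hexToBytes(pinned), PackageManager.CERT_INPUT_SHA256);
        }
        return fingerprints(ctx, packageName).contains(pinned);
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Calling `SigningCertCheck.isSignedByPinnedCert(context, "com.example.other")` from inside an app is how one component can verify that another installed package was signed by the expected developer before trusting it, which is exactly the "pure identity of the developer" use the quoted post describes; a repackaged APK signed with a different key yields a different fingerprint, so the check fails for it.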