I am researching Android security and have identified a current application that makes use of the deprecated getPackageInfo(<apk>, GET_SIGNATURES). To fully understand how this application is using this deprecated function I wish to create a proof-of-concept APK that results in multiple signatures being returned.
So far I have created a basic APK in Android Studio, created a CA certificate and a leaf certificate signed by my CA certificate. I then package both of these into a PKCS12 file and then convert that to a Java Keystore. I then use the tool apksigner to sign my APK with this Java Keystore and install the signed app. I then verify that both certs are associated with the installed APK by pulling it off the phone and using keytool -printcert -jarfile poc.apk. This shows both certificates (CA and leaf) listed.
However, when running getPackageInfo(<apk>, GET_SIGNATURES) on my proof-of-concept APK, only one result is returned. Why is this? What am I missing to get multiple signatures returned?
I have looked at the Android documentation for when the deprecated GET_SIGNATURES is passed to getPackageInfo, but it is not very clear what the expected result should be. I am basing my expectation that a signature for each cert in the chain is returned on this presentation: https://www.blackhat.com/docs/us-14/materials/us-14-Forristal-Android-FakeID-Vulnerability-Walkthrough.pdf.
This Stack Overflow post states that the user had an app installed on his phone from Verizon that had multiple signatures: Why is the PackageInfo.signatures field an array, and when would there be anything other than one value here?. Likewise, the AOSP code has code to account for multiple signatures in multiple places.
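An added inspection helper (not code from the question or from Android's own tooling) that decodes each entry the platform reports for an installed package into an X.509 certificate and returns its subject, issuer and SHA-256 fingerprint, using GET_SIGNING_CERTIFICATES on API 28+ and the deprecated GET_SIGNATURES flag below that; SignerDump, describeSigners and fingerprint are names chosen here.

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.content.pm.SigningInfo;
import android.os.Build;
import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper: lists the signer certificates the platform records for a package. */
public final class SignerDump {

    /** One line per signer entry: subject, issuer and SHA-256 of the DER-encoded certificate. */
    @SuppressWarnings("deprecation")
    public static List<String> describeSigners(PackageManager pm, String packageName) throws Exception {
        Signature[] signers;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            // Non-deprecated path: SigningInfo also says whether more than one key signed the APK.
            PackageInfo pi = pm.getPackageInfo(packageName, PackageManager.GET_SIGNING_CERTIFICATES);
            SigningInfo si = pi.signingInfo;
            signers = si.hasMultipleSigners()
                    ? si.getApkContentsSigners()          // one entry per signing key
                    : si.getSigningCertificateHistory();  // current cert plus any rotated-out ones
        } else {
            // Deprecated path from the question: the platform stores the signer (leaf) certificate
            // of each signing key, not every certificate of the chain found in CERT.RSA.
            PackageInfo pi = pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
            signers = pi.signatures;
        }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<String> out = new ArrayList<>();
        for (Signature s : signers) {
            byte[] der = s.toByteArray();  // DER encoding of the certificate as Android stored it
            X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
            out.add(String.format("subject=%s issuer=%s sha256=%s",
                    cert.getSubjectX500Principal().getName(),
                    cert.getIssuerX500Principal().getName(),
                    fingerprint(der)));
        }
        return out;
    }

    private static String fingerprint(byte[] der) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Comparing this output with keytool -printcert -jarfile on the same APK shows the difference between the chain embedded in the signature block and the per-signer entries the platform actually keeps.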