http://www.herongyang.com/Android/Project-META-INF-Files-Digest-Signature-and-Certificate.html
This section describes META-INF files in an .apk package file: MANIFEST.MF - manifest file, CERT.SF - signature file and CERT.RSA - the real signature file with certificate.
In the previous tutorial, we learned that the debug package of an Android application is automatically signed by a debug key in the "ant debug" build process.Now I am interested to how signatures are stored in package file.
1. Copy the .apk file to a .zip file:
C:\herong\HelloAndroid>copy bin\HelloAndroid-debug.apk package.zip
1 file(s) copied.
2. Unzip "package.zip" to \herong\package folder.
3. Open the manifest file, META-INF\MANIFEST.MF, in the package folder in a text editor. You will see a list of all files in the package with their SHA1 digests (Base64 encoded strings):
Manifest-Version: 1.0
Created-By: 1.0 (Android)
Name: res/layout/main.xml
SHA1-Digest: NXEzfMpms988J98yXEUXqh9u9ug=
Name: AndroidManifest.xml
SHA1-Digest: 0f22NLU8EbmlkrUUO0GjGIIl4zU=
Name: res/drawable-mdpi/ic_launcher.png
SHA1-Digest: 7Ft/Rirt+l/JRX2KjDREScdbCZk=
Name: res/drawable-hdpi/ic_launcher.png
SHA1-Digest: Vj/qhxk8ic8FE0/kT6E3vgRJ4mE=
Name: resources.arsc
SHA1-Digest: 5kllfCdPWbdy9w3CYz9lXYfN1Do=
Name: classes.dex
SHA1-Digest: ostS2N/xSK7OaaQ4m2rCAq8iD0k=
Name: res/drawable-ldpi/ic_launcher.png
SHA1-Digest: i7vxaosoiS+9HzKB7ZgIsXMYRLY=
4. Open the signature file, META-INF\CERT.SF, in the package folder in a text editor. You will see a list of all files in the package again with their SHA1 digests again.But this time, each digest is the digest of the 3-line entry of that file in the Manifest file.
Signature-Version: 1.0
Created-By: 1.0 (Android)
SHA1-Digest-Manifest: UOE6fu4Pq1ddGXiJC5iAOkOtDVI=
Name: res/layout/main.xml
SHA1-Digest: +IKkn6R+Vr90Oy+4cVnVwXvkqXw=
Name: AndroidManifest.xml
SHA1-Digest: 8GD9vp78dBfzFq7uRbunWZs2XjU=
Name: res/drawable-mdpi/ic_launcher.png
SHA1-Digest: zSBo0hBNc4K46aIFvlD4ZmQBHcg=
Name: res/drawable-hdpi/ic_launcher.png
SHA1-Digest: YuN8HjuH/csIGA1V8jxQw62DV0A=
Name: resources.arsc
SHA1-Digest: lU1eIHhOCyd3E+nBCgPiv27Vb+M=
Name: classes.dex
SHA1-Digest: k/Tdh4GY0wZKoL/g28iE7z3uGLI=
Name: res/layout/main_original.xml
SHA1-Digest: dD4LMOZORFmtPpAZwc0R48/FAik=
Name: res/drawable-ldpi/ic_launcher.png
SHA1-Digest: edY5GhthxxpZN3rJpWsoorrticI=
5. The real signature of the package is actually stored in the META-INF\CERT.RSA file in the package folder. The CERT.RSA also contains the certificate of the public key for you to verify the signature.
6. You can use the "keytool" command to view the certificate:
C:\herong\HelloAndroid>\Progra~1\Java\jdk1.7.0_03\bin\keytool \
-printcert -file package\META-INF\CERT.RSA
Owner: CN=Android Debug, O=Android, C=US
Issuer: CN=Android Debug, O=Android, C=US
Serial number: 4427b9db
Valid from: Sun Apr 01 14:43:33 EDT 2012 until: \
Tue Mar 25 14:43:33 EDT 2042
Certificate fingerprints:
MD5: 47:F7:5B:83:5E:F0:19:08:15:7D:1B:80:67:96:9A:03
SHA1: CA:59:3A:44:F5:08:D7:43:96:E2:EE:2C:10:91:0F:86:3C:...
SHA256: BE:29:82:5E:4A:F6:81:D4:AA:E7:2E:D8:AB:66:B4:E2:7...
94:81:08:62:D9:AE:38:66:F9:66:1F
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B4 41 2F 4A 00 AF 4B E1 2A A8 C6 E8 DA 55 13 FB .A/J..K.*...
0010: 02 64 48 87 .dH.
]
]
As I expected, this certificate is a self-signed certificate, which can not be verified by any root certificate authorities.I guess for debugging purpose, this is good enough.