I’m participating in nuggets Creators Camp # 4, click here to learn more and learn together!
Introduction to the
Most developers still know apK v2, apK V3 and APK V4 very little, and most of the articles on the Internet are vague, so we reorganize them according to the official website.
Apk signature from APK V1 to APK V2 changes greatly, is subversive, and APK V3 is only an upgrade of APK V2, APK V4 is a supplement.
This article mainly refer to the Android versions changes: developer. The Android. Google. Cn/about/versi…
APK v1
File manifest.mf, cert. SF, and cert. RSA in meta-INF directory.
MANIFEST.MF
In the manifest.mf is the apK name for each file and the digest SHA1 (or SHA256), or only the name if it is a directory
CERT.SF
Cert. SF is a summary of manifest.mf, including three parts:
- Sha1-digest-manifest-main-attributes: Do SHA1 (or SHA256) to the block in the manifest. MF header and then Base64 encoding
- Sha1-digest-manifest: SHA1 (or SHA256) is applied to the entire manifest. MF file and then Base64 encoding is applied
- Sha1-digest: The manifest.MF entries are SHA1 (or SHA256) and then Base64 encoded
CERT.RSA
Cert. RSA is to sign cert. SF with the private key, and then save the signature and the digital certificate containing the public key information in cert. RSA
These three levels of validation are used to ensure that every file in apK is not changed.
APK v2
The official explanation: source. The android. Google. Cn/security/ap…
APK signature scheme V2 was introduced in Android 7.0 (Nougat). To make APK installable on Android 6.0 (Marshmallow) and later devices, you should sign the APK using the JAR signature feature, and then sign it using the V2 scheme.
The disadvantage of APK V1 is that the files in the meta-INF directory are not in the verification scope, so the previous multi-channel packaging was implemented by adding files to this directory.
APK signature scheme V2 is a full file signature scheme that can help speed up validation and enhance integrity assurance by discovering all changes made to the protected part of APK.
When signing with APK signature scheme V2, an APK signature block is inserted into the APK file before and immediately adjacent to the “ZIP Central Directory” section. In APK signature Block, v2 signatures and signer identity information are stored in APK signature scheme block V2.
In common terms, the signature information is no longer stored as a file, but is converted into binary data directly written in the APK file, thus avoiding the meta-INF directory of APK V1.
In Android 7.0 and later, APK can be verified against APK signature scheme V2 + or JAR signature (v1 scheme). Lower versions of the platform ignore v2 signatures and only validate v1 signatures.
APK v3
The official explanation: source. The android. Google. Cn/security/ap…
The APK signature scheme V3 was introduced in Android 9.
Android 9 supports APK key rotation, which enables applications to change their signing keys during APK updates. To achieve rotation, APK must indicate the level of trust between the old and new signing keys. To support key rotation, we updated the APK signature scheme from V2 to V3 to allow the use of old and new keys. V3 adds information about supported SDK versions and proof-of-rotation structures to the APK signature block.
To put it simply, APK V3 is for the APK key rotation function of Andorid9. It is to add two data blocks on the basis of V2 to store some information required by APK key rotation, so it can be regarded as an upgrade of V2. The specific structure can be seen in the official website.
APK key rotation function can refer to: developer. The android, Google. Cn/about/versi…
APK signature scheme with key rotation
Android 9 has added support for APK Signature Scheme V3. The architecture provides the option to add a rotating evidence record for each signing certificate in its signature block. With this feature, an application can sign an application with a new signing certificate by linking the APK file’s past signing certificate to the certificate now used to sign the application.
Developer. The android. Google. Cn/about/versi…
Note: Devices running Android 8.1 (API level 27) or lower do not support changing the signing certificate. If the application has minSdkVersion 27 or lower, the application can be signed with the old signing certificate in addition to the new signature.
Details about how to use apksigner rotary key reference: developer. The android, Google. Cn/studio/comm…
In Android 9 and later, APK can be verified against THE APK signature scheme V3, V2, or V1. Older platforms would ignore the V3 signature and try to validate the V2 signature, and then try to validate the V1 signature.
APK v4
The official explanation: source. The android. Google. Cn/security/ap…
The APK signature scheme V4 was introduced in Android 11.
Android 11 supports streaming compatible signature schemes through APK signature scheme V4. The V4 signature is based on a Merkle hash tree computed from all the bytes of APK. It follows exactly the structure of the FS-Verity hash tree (zero fill for the salt, for example, and zero fill for the last partition). Android 11 stores the signature in a separate.apk.idsig file. V4 signatures require v2 or V3 signatures as supplements.
APK v4 is also for new features, this new feature is the ADB incremental APK installation, you can refer to Android11 function and an overview of the API: developer. The android, Google. Cn/about/versi…
ADB incremental APK installation
Installing a large (2GB +) APK on a device can take a long time, even if the application is only slightly changed. An ADB (Android Debug Bridge) incremental APK installation speeds up the process by installing enough APK to start the application while streaming the rest of the data in the background. Adb Install automatically uses this feature if the device supports it and you have the latest SDK platform tools installed. If no, the system automatically uses the default installation method.
Developer. The android. Google. Cn/about/versi…
Run the following ADB command to use this feature. If the device does not support incremental installation, the command will fail with a detailed explanation.
adb install –incremental
Before running the ADB incremental APK installation, you must first sign the APK and create an APK signature scheme V4 file. The V4 signature file must be placed next to APK for this function to work properly.
Developer. The android. Google. Cn/about/versi…
Because need streaming, so need to file block, signature in order to check for each piece using way Merkle hash tree (www.kernel.org/doc/html/la… That’s what V4 does. Therefore, APK V4 and APK V2 or APK V3 can be considered parallel, so APK V4 signature also needs to be supplemented by v2 or V3 signature.
When you run adb install –incremental, adb requires that the.apk.idsig file exist next to the.apk file (so the apK V4 signature file.apk.idsig is not packaged into the APK file)
By default, it also attempts an incremental install using the.idsig file; If this file is missing or invalid, the command falls back to regular installation.
conclusion
In summary, it can be seen that APK V4 is oriented to ADB development and debugging, and APK V3 can be ignored if there is no requirement of signature change. Therefore, most of China still stays at APK V2 at present.