An overview of the
Android currently supports the following four application signature schemes:
- v1: JAR-based signature
- v2: introduced in Android 7
- v3: introduced in Android 9
- v4: introduced in Android 11
To maximize compatibility, sign applications with all schemes in the order v1, v2, v3. Applications signed with v2+ install faster on Android 7.0 and later than those signed with v1 only. Older Android versions ignore v2+ signatures, which is why the application also needs a v1 signature.
Message digest/digital certificate
Message digest: run a one-way hash function over the message data to produce a fixed-length hash value; that value is the message digest. Digital certificate: binds a public key to an identity so that the public key can be trusted.
Digital Signature = Message digest + Asymmetric encryption (Digital certificate)
Now that we know what it is, let’s look at the pros and cons of each version.
The disadvantage of v1
- Validation requires decompressing the APK, because the digests recorded in the MF file are computed over the original, uncompressed entry contents. Decompressing every entry to recompute those digests is time-consuming.
- The integrity check of the APK package is not strong enough. The digests only cover the contents of the original entries, so data in the APK that is not part of an entry's contents (for example ZIP metadata added after signing) is never checked, and changes there pass verification undetected.
What does v2 do
In simple terms, v2 adds a new block (the APK Signing Block) to the original APK layout. It stores the signatures, digests, signature algorithms, certificate chains, and some additional attributes, and has a specific format, shown in the figure below.
[Figure: layout of the v2 APK Signing Block; the image is not included in this page]
Because the v2 digests cover the whole protected part of the APK (ZIP entries, central directory and end-of-central-directory record), v2 detects every change made to that part, while also speeding up validation and strengthening the integrity guarantee.
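The v1 gap described above, and the reason the v2 digest closes it, as an added Python sketch (not code from the original post). It constructs a toy "APK" (a plain ZIP with fake entries), mimics the per-entry MANIFEST.MF digests of v1, and uses a single SHA-256 over the whole file as a simplified stand-in for the v2 digest (real v2 hashes the three ZIP sections in 1 MiB chunks and excludes the signing block itself). The channel tag written into the ZIP comment is a constructed value.

```python
import base64
import hashlib
import io
import zipfile


def build_sample_apk() -> bytes:
    """Constructed toy 'APK': a ZIP with two fake entries (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00constructed dex payload")
        zf.writestr("res/values/strings.xml", b"<resources/>")
    return buf.getvalue()


def v1_manifest(apk: bytes) -> dict:
    """Mimic MANIFEST.MF: a base64 SHA-256 digest of each *uncompressed* entry.
    Like the real scheme, this has to inflate every entry to hash it."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {name: base64.b64encode(hashlib.sha256(zf.read(name)).digest()).decode()
                for name in zf.namelist()}


def v1_check(apk: bytes, manifest: dict) -> bool:
    """v1-style verification: every entry listed in the manifest must still hash
    to the recorded digest. ZIP metadata (central directory, EOCD, comment) is
    never part of the computation, so changes there are invisible here."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return all(
            base64.b64encode(hashlib.sha256(zf.read(name)).digest()).decode() == digest
            for name, digest in manifest.items()
        )


def v2_digest(apk: bytes) -> str:
    """Simplified v2 digest: hash entries + central directory + EOCD together."""
    return hashlib.sha256(apk).hexdigest()


def add_zip_comment(apk: bytes, comment: bytes) -> bytes:
    """Append a tag to the EOCD comment field, the classic v1-era channel trick."""
    buf = io.BytesIO(apk)
    with zipfile.ZipFile(buf, "a") as zf:
        zf.comment = comment  # rewritten into the EOCD record on close
    return buf.getvalue()


def demo() -> dict:
    original = build_sample_apk()
    manifest = v1_manifest(original)
    reference = v2_digest(original)
    tampered = add_zip_comment(original, b"channel=constructed_store_id")
    return {
        "v1_accepts_original": v1_check(original, manifest),   # True
        "v1_accepts_tampered": v1_check(tampered, manifest),   # True: comment is out of scope
        "v2_accepts_tampered": v2_digest(tampered) == reference,  # False: EOCD changed
    }
```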
The emergence of the v3
Why do we have v3 when v2 is so good? Let’s see.
Signing scheme v3 adds support for key rotation: the signing key can be changed when the application is updated, with the new certificate linked back to the old one. For details, see "Android P v3 signature features" in the reference links.
Until the v4
With v3 already this capable, what does v4 bring that is special?
v4 does not change much compared with v2/v3 in terms of what is protected; its main purpose is incremental installation, which saves time when installing large apps.
It is worth noting that a v4 signature must be accompanied by a v2 or v3 signature.
Reference links:
- Google: APK signature scheme v4
- Android P v3 signature features
- Meituan: introduction to multi-channel packaging (v2 scheme)
- Knight: the APK packaging process