This is not a question about how to sign an .apk file. I want to know what does signing actually means and how it is implemented.
Inside the .apk file there is META-INF folder and inside that there are two files.
First one is CERT.SF contains SHA1 hashes for various components and looks like this:
Name: res/layout/main.xml
SHA1-Digest: Cox/T8fN1X9Hv4VqjH9YKqc/MsM=
Name: AndroidManifest.xml
SHA1-Digest: wZ418H9Aix1LNch3ci7c+cHyuZc=
Name: resources.arsc
SHA1-Digest: P+uoRrpFyVW6P3Wf+4vuR2ZSuXY=
Name: classes.dex
SHA1-Digest: cN3zXtGii9zuTOkBqDTLymeMZQI=
There is also a file called CERT.RSA. I assume it is the public key to verify the signature.
My question is, where is the signature for the whole .apk file is stored? And what is actually signed? It could be either
- .apk file used as a single binary object and this is signed
- or CERT.SF is signed which contains individual hashes for different components
It would be also much better if you can point me to the documentation of the detailed signing and verification process.