What are the purposes of files in META-INF folder of an APK file?

What are the purposes of MANIFEST.MF, CERT.SF and CERT.RSA file in the META-INF folder in an android APK.

Inmost answered 3/9, 2016 at 4:58 Comment(0)

An Android APK file is actually a jar file (Java archive); it is just a plain zip file, with or without compression. Jar files are used by all types of Java applications and have a specific structure: the META-INF folder contains the manifest information and other metadata about the Java package carried by the jar file.

The purposes of these files are as follows:

  1. MANIFEST.MF: It contains various information used by the Java run-time environment when loading the jar file, such as which main class is to be run from the jar file, the version of the package, the build number, the creator of the package, security policies/permissions of Java applets and Java Web Start packages, the list of file names in the jar along with their SHA1 digests, etc.
  2. CERT.SF: This contains the list of all files along with their SHA-1 digest.
  3. CERT.RSA: This contains the signed contents of the CERT.SF file along with the certificate chain of the public key used for signing the contents.

As an example, refer to a sample apk file here. If you download and expand this file to your desktop using a file decompression program like 7zip, you can see a sample of these files.

In the extracted directory, go to the sub-directory META-INF and view the contents of the MANIFEST.MF and *.SF files. Here are the first few lines of these files:

File MANIFEST.MF:

Manifest-Version: 1.0
Created-By: 1.7.0_60 (Oracle Corporation)

Name: res/drawable-xxhdpi-v4/common_plus_signin_btn_text_dark_pressed.9.png
SHA1-Digest: Db3E0/I85K9Aik2yJ4X1dDP3Wq0=

Name: res/drawable-xhdpi-v4/opt_more_item_close_press.9.png
SHA1-Digest: Xxm9cr4gDbEEnnYvxRWfzcIXBEM=

Name: res/anim/accessibility_guide_translate_out.xml
SHA1-Digest: dp8PyrXMy2IBxgTz19x7DATpqz8=

The file MCTN.SF contains the digests of the file listings in MANIFEST.MF along with an empty line:

Signature-Version: 1.0
SHA1-Digest-Manifest-Main-Attributes: Sen4TNWb3NQLczkzN1idKh81Rjc=
Created-By: 1.7.0_60 (Oracle Corporation)
SHA1-Digest-Manifest: NAWTDC05HK+hfNtQ91J4AoL9F7s=

Name: res/drawable-xxhdpi-v4/common_plus_signin_btn_text_dark_pressed.9.png
SHA1-Digest: pvIZkdVTEuilCdx8UkrlY6ufPlw=

Name: res/anim/accessibility_guide_translate_out.xml
SHA1-Digest: XeX9Q2w41PRm3KiZ5p07x3CY6hc=

The file MCTN.RSA contains the signature in base64 encoding generated over file MCTN.SF.

See this reference for details on how to verify the signatures of APK packages - http://theether.net/kb/100207

Filemon answered 3/9, 2016 at 5:58 Comment(4)
You mentioned that CERT.SF contains hash of the digests. Isn't digest itself a hash value? - Inmost
Edited to clarify your question. - Filemon
Yeah, didn't know about that. - Inmost
I think you are confusing AndroidManifest.xml and MANIFEST.MF; the only job of MANIFEST.MF is to list the relative paths of files and their hashes. The other stuff is the job of AndroidManifest (as I understand it). - Lafontaine
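As an added example (not code from the answer above), the following Python builds the MANIFEST.MF and CERT.SF layers described in the answer for a constructed in-memory APK and then re-checks both layers of digests, which is what a verifier does before it gets to the CERT.RSA signature. The entry names and contents are constructed; the layout (CRLF line endings, per-section digests that include the trailing blank line, 72-byte continuation lines) is the standard JAR-signing one.

```python
import base64, hashlib, io, zipfile
CRLF = "\r\n"  # jarsigner writes MANIFEST.MF and CERT.SF with CRLF line endings

def b64sha1(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def attr(section: str, key: str):  # one attribute value; rejoins 72-byte continuation lines
    lines = section.replace(CRLF + " ", "").split(CRLF)
    return next((l[len(key) + 2:] for l in lines if l.startswith(key + ": ")), None)

def sections(text: str):  # (main section, {Name: section}), each keeping its blank line
    parts = [p + CRLF + CRLF for p in text.split(CRLF + CRLF) if p]
    return parts[0], {attr(p, "Name"): p for p in parts[1:]}

def build_manifest(entries: dict) -> str:  # MANIFEST.MF: SHA1 of every entry's bytes
    main = f"Manifest-Version: 1.0{CRLF}Created-By: constructed example{CRLF}{CRLF}"
    return main + "".join(f"Name: {n}{CRLF}SHA1-Digest: {b64sha1(d)}{CRLF}{CRLF}"
                          for n, d in entries.items())

def build_sf(manifest: str) -> str:  # CERT.SF: SHA1 of the manifest and of each section
    _, named = sections(manifest)
    head = f"Signature-Version: 1.0{CRLF}SHA1-Digest-Manifest: {b64sha1(manifest.encode())}{CRLF}{CRLF}"
    return head + "".join(f"Name: {n}{CRLF}SHA1-Digest: {b64sha1(s.encode())}{CRLF}{CRLF}"
                          for n, s in named.items())

def make_apk(entries: dict, tampered: dict = None) -> bytes:
    # Constructed fixture: entries + MANIFEST.MF + CERT.SF (no CERT.RSA); `tampered`
    # bytes replace the named entries after the digests were taken.
    manifest = build_manifest(entries)
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        for n, d in entries.items():
            zf.writestr(n, (tampered or {}).get(n, d))
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/CERT.SF", build_sf(manifest))
    return buf.getvalue()

def verify(apk: bytes) -> list:
    # Names whose bytes don't match MANIFEST.MF, manifest sections whose digest doesn't
    # match CERT.SF, or a stale SHA1-Digest-Manifest. CERT.RSA over CERT.SF is not checked.
    bad = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode()
        _, mf_named = sections(manifest)
        sf_main, sf_named = sections(zf.read("META-INF/CERT.SF").decode())
        if attr(sf_main, "SHA1-Digest-Manifest") != b64sha1(manifest.encode()):
            bad.append("SHA1-Digest-Manifest")
        for name, sec in mf_named.items():
            if attr(sec, "SHA1-Digest") != b64sha1(zf.read(name)):
                bad.append(name)
            if attr(sf_named.get(name, ""), "SHA1-Digest") != b64sha1(sec.encode()):
                bad.append("CERT.SF:" + name)
    return bad
```

Note that the per-entry digest in CERT.SF covers the entry's section text in MANIFEST.MF (including its blank line), not the file bytes, which is why the two files show different digests for the same name.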
