为什么PackageInfo.signatures字段是一个数组,什么时候这里除了一个值之外还有什么? [英] Why is the PackageInfo.signatures field an array, and when would there be anything other than one value here?
问题描述
我正在相互检查软件包签名,以确定它们是否不兼容(针对不同的密钥库进行编译).我注意到 PackageInfo.signatures 几乎总是一个包含单个条目的集合,这对我来说很有意义.我使用调试或生产密钥库构建应用程序,并确定程序包的签名(这是我目前对apk签名过程的简单理解).我知道如果我不专门询问此信息(通过传递 PackageManager.GET_SIGNATURES 标志),则该属性为null,但是我不太了解这种情况是否会超过一个.
I'm checking package signatures against each other to determine if they are incompatible (compiled against different keystores). I noticed that PackageInfo.signatures is almost always a collection containing a single entry, which makes sense to me. I build my app with either a debug or production keystore, and that determines the signature of the package (that is my simplistic understanding of the apk signing process at this point). I know that this will be null if I don't specifically ask for this information (by passing the PackageManager.GET_SIGNATURES flag), but I don't quite understand the case in which there would be more than one.
我写了一些调试代码,并在我的个人Android手机上运行了它.在我的手机上安装的300多个软件包中,除了似乎来自我的服务提供商(com.verizon.*名称空间)的一些软件包之外,其他所有东西都只有一个签名.
I wrote some debug code and ran it on my personal Android phone. Of the 300+ packages installed on my phone, everything had exactly one signature except for a few packages that seemed to be from my service provider (com.verizon.* namespaces).
我认为用例(程序包管理)可以认为应用程序包具有单个签名是可以接受的,但是我想确保自己没有遗漏可能引起边缘错误的东西.
I feel like it's acceptable for my use case (package management) to consider that app packages will have a single signature, but I want to make sure that I'm not missing something that could introduce an edge case bug.
推荐答案
出于您的目的,假定Android应用程序具有单个签名似乎是完全可以接受的.Android APK 可以使用多个签名进行编译,但是既不推荐也不对其进行广泛测试.(为什么Verizon这么做?谁知道.)
For your purposes, it seems completely acceptable to assume that an Android application has a single signature. An Android APK can be compiled with multiple signatures, but it is neither recommended nor extensively tested. (Why is Verizon doing it? Who knows.)
我发现此归档文件来自黛安·哈克伯恩(Dianne Hackborn),是Android开发中的常客:
I found this archive from Dianne Hackborn, the go-to lady on Android development:
Q :我知道jar签名者在一个jar文件中支持多个签名.如果一个APK文件具有两个有效签名,这是否意味着该APK可以访问两个签名者提供的签名级别权限?
Q: I know jar signer support multiple signatures in one jar file. If an APK file has two valid signatures, does that mean this APK can access signature level permission provided by both signers?
A :从理论上讲,有多个签名可以完成某些工作,但是从来没有人签名过用了这个,所以它可能不起作用.这也有副作用(如果有的话确实有效),因为两个签名对相同的事物具有别名大概来自同一所有者,这可能不是您想要的.
A: In theory, something is done with multiple signatures, but nobody has ever used this so it probably doesn't work. This also has the side-effect (if it does work) of aliasing the two signatures to the same thing since they presumably come from the same owner, which is likely not what you want.
黛安(Dianne)的
另一位(请注意使用它"而不是它们"和证书"代替证书"):
Another bit from Dianne (note the use of "it", not "they", and "certificate" instead of "certificates"):
问:PackageInfo.signatures:返回什么?
Q: PackageInfo.signatures: What does it return?
A :这是用于签署.apk的证书.
A: It is the certificate that was used to sign the .apk.
但是.值得注意的是,我在Android源Git中找到了对多个签名的测试参考:测试程序包签名的测试(错误4596332).此外, Android BackupManagerService 代码(和
However. It is noteworthy that I found a test reference to multiple signatures in the Android source Git: Test for Checking Package Signatures (Bug 4596332). Additionally, Android BackupManagerService code (and other Android source code) ensures that it checks for multiple signatures.
因此,这是我的结论:除非担心在特定软件包的安全性和编译很重要的情况下进行编码,否则您不必担心多个签名.(但是,如果有必要,在容纳多个签名时似乎也不会有太大问题.)
So, here is my conclusion: You needn't worry about multiple signatures, unless you are coding in such a situation where the security and compilation of the specific packages was important. (However, it also seems that you wouldn't have much of a problem accomodating multiple signatures if necessary.)
希望至少令人满意.
这篇关于为什么PackageInfo.signatures字段是一个数组,什么时候这里除了一个值之外还有什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
