I would assume that the signature is valid; if not, the package would
not be installed.

So a hacked Android version could break this assumption. But then the
API to access the public key or even the package file could be hacked
as well....

Friedger



On Mar 25, 12:11 pm, Lutz Schönemann
<lutz.schoenem...@sit.fraunhofer.de> wrote:
> Well, there is a PackageParser class inside the core which reads the
> certificates. But there seems to be no interface to get them via the
> standard API. Do I have to let my app parse the package itself?
>
> On 23.03.2009 at 18:09, Lutz Schönemann wrote:
>
>
>
> > Hi,
>
> > I'm looking for a way to get the certificates from a package that are
> > used to sign it. Using the PackageInfo class it is possible to get the
> > signatures. But what can I do with signatures if I don't get the
> > public keys to verify these?
>
> > The next question I have: where does the PackageInstaller verify the
> > signed APK file? The PackageParser class loads the APK file into a
> > JarFile object, but does this automatically verify the signature?
>
> > Thanks for help
> > Lutz
>
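
An added example, not part of the original thread: each `android.content.pm.Signature` returned in `PackageInfo.signatures` wraps the DER-encoded X.509 signer certificate, so the certificate and its public key can be recovered through the standard API without parsing the APK. The class name `SignerCertificates`, its method names, and the pinned-fingerprint check are hypothetical and chosen for illustration.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;

import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public final class SignerCertificates {
    private SignerCertificates() {}

    /** Returns the signer certificates the platform recorded for an installed package. */
    public static List<X509Certificate> of(Context context, String packageName)
            throws Exception {
        PackageInfo info = context.getPackageManager()
                .getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
        List<X509Certificate> certs = new ArrayList<>();
        if (info.signatures == null) {
            return certs;
        }
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        for (Signature signature : info.signatures) {
            // toByteArray() yields the DER-encoded certificate, not a raw signature value.
            byte[] der = signature.toByteArray();
            certs.add((X509Certificate) factory.generateCertificate(
                    new ByteArrayInputStream(der)));
        }
        return certs;
    }

    /** Lowercase hex SHA-256 over the encoded certificate. */
    public static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** True if any signer certificate matches the expected (pinned) fingerprint. */
    public static boolean isSignedBy(Context context, String packageName,
                                     String expectedSha256Hex) throws Exception {
        for (X509Certificate cert : of(context, packageName)) {
            // cert.getPublicKey() gives the signer's public key if it is needed directly.
            if (sha256Fingerprint(cert).equalsIgnoreCase(expectedSha256Hex)) {
                return true;
            }
        }
        return false;
    }
}
```

The values come from the platform's package manager, so the check is only as trustworthy as the Android build it runs on, which is the caveat raised in the reply above.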
