Android currently fails to install APKs when they are signed using SHA256withRSA (as the jarsigner sigalg) or with SHA-256 used (as the jarsigner digestalg) for the individual manifest entries. (However, if the certificate itself is signed using SHA256withRSA that appears to work OK.)
I just posted a bug about it here: http://code.google.com/p/android/issues/detail?id=38321

On Friday, 5 October 2012 17:14:18 UTC-4, Jeffrey Walton wrote:
>
> On Thu, Oct 4, 2012 at 2:23 PM, Jakob Bohm <[email protected]> wrote:
> > In the official guide at
> > http://developer.android.com/tools/publishing/app-signing.html it is
> > strongly recommended that developers use self-signed certificates valid
> > until the year 2034, but using cryptographic algorithms that are not even
> > secure for use in the year 2012, specifically that page strongly recommends
> > (almost insists) that signing should be done with a combination of MD5
> > (completely broken!), SHA-1 (mostly broken, deprecated) and 2048 bit RSA
> > (the minimum key length for use in 2012, way too weak for 2033).
> >
> > This raises two obvious questions:
> >
> > 1. Why hasn't that page been updated to reflect the "current" state of the
> > art?
> >
> > 2. What are the maximum key and algorithm strengths supported by the apk
> > verification code in different Android versions (For instance an apk that is
> > supposed to be compatible with Android 2.1 devices is limited to whatever
> > strength Android 2.1 can verify, but another apk that has a minimum system
> > requirement of Android 3.0 anyway is only limited by whatever Android 3.0
> > and later can verify)?
> There's a bug report for that: "Keytool and Default Keysize for
> Signing Apps," https://code.google.com/p/android/issues/detail?id=35327.
>
> A while back I tested a 3072 modulus on an HTC EVO 4G running Android
> 4.0 or 4.1 (all OK). I did not test on older versions.
>
> Jeff
>
--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To view this discussion on the web visit https://groups.google.com/d/msg/android-security-discuss/-/BlydlFwsuD8J.
For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
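An added example, not part of the thread: a small Python audit that reports which digest and signature algorithms a JAR-signed (v1) APK actually carries, so the combinations this post reports as failing to install (SHA-256 entry digests, a SHA256withRSA signature block) and the MD5 the quoted message criticises can be caught before an APK ships. The sample APK it builds is constructed (no real signature), and the OID byte-scan of the .RSA block is a heuristic rather than a full ASN.1 parse.

```python
import io
import re
import zipfile
# DER-encoded algorithm OIDs as found in the PKCS#7 block (META-INF/*.RSA);
# scanning for these byte strings is a heuristic, not a full ASN.1 parse.
OID_BYTES = {
    "MD5": bytes.fromhex("06082a864886f70d0205"),
    "SHA-1": bytes.fromhex("06052b0e03021a"),
    "SHA-256": bytes.fromhex("0609608648016503040201"),
    "sha1WithRSAEncryption": bytes.fromhex("06092a864886f70d010105"),
    "sha256WithRSAEncryption": bytes.fromhex("06092a864886f70d01010b"),
}
DIGEST_ATTR = re.compile(r"^((?:MD5|SHA1|SHA-256|SHA-384|SHA-512)-Digest)", re.M)  # as written by jarsigner

def audit_apk(apk):
    """Return the digest/signature algorithms a JAR-signed APK uses (apk: path or file object)."""
    report = {"manifest": set(), "sf": set(), "sigblock": set()}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if not upper.startswith("META-INF/"):
                continue
            data = zf.read(name)
            if upper.endswith((".MF", ".SF")):
                key = "manifest" if upper.endswith("MANIFEST.MF") else "sf"
                report[key].update(DIGEST_ATTR.findall(data.decode("utf-8", "replace")))
            elif upper.endswith((".RSA", ".DSA", ".EC")):
                report["sigblock"].update(n for n, oid in OID_BYTES.items() if oid in data)
    return report

def compatibility_warnings(report):
    """Flag the choices the thread reports as failing on older Android, plus MD5."""
    warnings = []
    if "SHA-256-Digest" in report["manifest"] | report["sf"]:
        warnings.append("SHA-256 entry digests (jarsigner -digestalg SHA-256): rejected by older Android")
    if "sha256WithRSAEncryption" in report["sigblock"]:
        warnings.append("SHA256withRSA signature (jarsigner -sigalg): rejected by older Android")
    if "MD5-Digest" in report["manifest"] | report["sf"] or "MD5" in report["sigblock"]:
        warnings.append("MD5 in use: cryptographically broken")
    return warnings

def build_sample_apk():
    """Constructed sample, not a real signature: SHA-256 manifest digests, SHA-1 .SF digests, fake .RSA with the sha256WithRSA OID."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\nName: classes.dex\r\nSHA-256-Digest: AAAA\r\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\r\nSHA1-Digest-Manifest: BBBB\r\n\r\nName: classes.dex\r\nSHA1-Digest: CCCC\r\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82" + OID_BYTES["sha256WithRSAEncryption"] + OID_BYTES["SHA-1"])
    return io.BytesIO(buf.getvalue())
```

Run `audit_apk("app.apk")` on a real file to see the sets for each part of the signature; `compatibility_warnings` then lists what would need changing for the target Android versions.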
