Gitiles
Code Review Sign In
review.blissroms.org / platform_frameworks_base / 2f2ced93e3176d71dbd23e7f71a3d78b6dc09830
commit2f2ced93e3176d71dbd23e7f71a3d78b6dc09830[log] [tgz]
authorVictor Hsieh <victorhsieh@google.com>Fri Apr 20 15:45:37 2018 -0700
committerVictor Hsieh <victorhsieh@google.com>Fri Apr 20 15:45:37 2018 -0700
tree328d722e6c3a790875cdd829ac0f293e606ccbd5
parent4cdf6e58ed13aa14cac6c126b3ca6c94217c6f93 [diff]
Verify best signature algorithms of all signers

The previous implementation does not verify signature algorithms of all
signers.  It's possible that the attacker can take an old apk (with
digest and signature of old algorithm) and add their own signer block
with new/P digest and signature.  In this case, the old implementation
only verifies the attacker's signature, thus the attacker can change apk
content easily.

The solution here is to verify digests of all best signature algorithms
by all signers.

It is expected to increase verification time, if the apk does have
multiple signers with different type of digests.

Test: apks still install
Bug: 78359754
Change-Id: I607edf219c25a2a7adfa27a21a94e9bfefbb6cec
1 file changed
tree: 328d722e6c3a790875cdd829ac0f293e606ccbd5
  1. apct-tests/
  2. api/
  3. cmds/
  4. config/
  5. core/
  6. data/
  7. docs/
  8. drm/
  9. graphics/
  10. keystore/
  11. libs/
  12. location/
  13. lowpan/
  14. media/
  15. native/
  16. nfc-extras/
  17. obex/
  18. opengl/
  19. packages/
  20. proto/
  21. rs/
  22. samples/
  23. sax/
  24. services/
  25. telecomm/
  26. telephony/
  27. test-base/
  28. test-legacy/
  29. test-mock/
  30. test-runner/
  31. tests/
  32. tools/
  33. vr/
  34. wifi/
  35. Android.bp
  36. Android.mk
  37. CleanSpec.mk
  38. MODULE_LICENSE_APACHE2
  39. NOTICE
  40. pathmap.mk
  41. PREUPLOAD.cfg