"Turn" Pro Android Learning Note (83): Understanding Package (2): Packet signing process

Directory (?) [-]

1. analogy example
2. Digital signatures

　　

The articles reproduced can only be used for non-commercial nature, and can not be accompanied by virtual currency, points, registration and other additional conditions. Reprint must indicate the source: http://blog.csdn.net/flowingflying/

Installing Apps on Windows and other operating systems doesn't require authorization, why is Android needed? The package installed on the device has a unique package name, and if you try to install an app that already has a package name, it will not be allowed unless you remove the previous package. In order to allow package upgrades, you must make sure that you are the same app publisher, which requires a digital signature.

analogy example

Wine collectors found that each wine has a unique color, if the same color, must come from the same wine manufacturers, can not be imitated. Color can be used as the symbol of wine manufacturers. The only difference between this example and the application signature is that the color does not write the name and address of the manufacturer, and the information about the wine manufacturers is not disclosed, but also the input of the relevant information when we study the signature process.

We go abroad to turn on the radio, hear different singers sing, we know each of them differently, but do not know their names, this is the singer through the Voice of self-signature. If a friend tells you about a singer you hear, this is similar to a third-party signature. Singers can simulate other people to confuse, but the digital signature is guaranteed by the algorithm not to be used.

When we talk about someone signing a jar file, which belongs to the self-signed jar file, these jar files have a unique "color" that distinguishes it from other jar files, but no additional source developers or companies are authenticated. In the previous study of the signature, it belongs to self-signed, their own name and company, if willing, can be written to the CIA, is not properly recognized by the authorities. If the "Red color" from company A is given by a third-party authority, when we see the "Red color", we know the source company A, which is the third-party-issued jar file.

Digital signatures

The digital signature adopts the public/private key encryption, which is an asymmetric encryption algorithm, which is encrypted by the private key and can only be decrypted by the public key. Although the public key is known, it is impossible to forge data that can be decrypted by the public key because the private key is not known.

A signature is also known as a public Key infrastructure (INFRASTRUCTURE,PKI) certificate that is issued with a KPI certificate jar,dll or applied. Each package name can have only one PKI certificate, and a PKI certificate can be checked to support multiple packages. Through the previous learning Keytool and Jarsinger commands, the private key is protected by a password (keypass). I think there is a loophole, the public key algorithm is assumed to be very safe, if the password to protect the private key, you can take this certificate to sign. This becomes a question of how to protect this password, and whether the pervasive NSA can decipher this protection password.

RELATED Links: My Android development related articles

"Turn" Pro Android Learning Note (83): Understanding Package (2): Packet signing process