Which RSA certificate is used in signed APK in Eclipse?
Under Eclipse during debugging (and in the absence of another key), you will sign with the default Android debug key.
Eclipse creates it if it's not present. The key is added to debug.keystore, with a store and key password of android. See Signing in Debug Mode at Android's Signing Your Application.
You can sign with a few tools, including keytool or jarsigner. But I believe you need to use another tool to examine the certificate in the APK.
You can use OpenSSL to dump the relevant bits since it's PKCS #7, but you need to manually extract the relevant files from the APK.
For signing, I use jarsigner when working from the command line. For example, on Windows with the Debug key:
jarsigner -verbose -keystore C:\Users\<user>\.android\debug.keystore
-storepass android -keypass android -digestalg SHA1
-sigalg SHA1withRSA <package name>.apk androiddebugkey
Eclipse performs similar steps for you under the IDE.
You can't use jarsigner to dump the information. For example, the following will print the distinguished name, but it will not print the subjectPublicKeyInfo block:
$ jarsigner -verbose -certs -verify Test.apk
Similarly, you can't use keytool because it does not print the subjectPublicKeyInfo block either:
$ keytool -printcert -file META-INF/CERT.RSA
To determine the certificate in the APK, you need to look at a couple of files. The files of interest are in the META-INF directory of the APK. The signatures are in an .SF file along with a .RSA file (or .DSA file) for each signer. The signer's .RSA file (or .DSA file) is just PKCS #7 format.
I say "the signatures are in..." because individual elements of the APK are signed, and not the entire APK. So classes.dex gets signed, AndroidManifest.xml gets signed, each icon in res/ gets signed, etc.
Note: while jarsigner supports multiple signatures, Android only supports one signer (if I recall correctly).
Here's an example with an APK called CrackMe.apk using OpenSSL.
$ mkdir APK-test
$ mv CrackMe.apk APK-test
$ cd APK-test
Next unpack the APK. It's just a ZIP file with additional metadata in META-INF/.
$ unzip -a CrackMe.apk
$ ls
AndroidManifest.xml META-INF res
CrackMe.apk classes.dex resources.arsc
Next, take a look in the META-INF directory.
$ cd META-INF/
$ ls
CERT.RSA CERT.SF MANIFEST.MF
The signatures are in CERT.SF, and the signer is in CERT.RSA.
Finally, use OpenSSL to parse CERT.RSA.
$ openssl pkcs7 -in CERT.RSA -inform DER -print_certs | openssl x509 -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1346030704 (0x503acc70)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=NY, L=New York, O=Unknown, OU=Unknown, CN=Example, LLC
Validity
Not Before: Aug 27 01:25:04 2012 GMT
Not After : Dec 5 01:25:04 2035 GMT
Subject: C=US, ST=NY, L=New York, O=Unknown, OU=Unknown, CN=Example, LLC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (3072 bit)
Modulus:
00:8d:a8:9a:34:84:d5:72:4f:e8:e7:69:78:e4:17:
13:93:e8:c5:23:a0:93:a7:f8:6c:58:3d:f0:ed:30:
...
c1:2d:5e:9f:a4:79:56:19:7d:26:4d:27:6a:3e:26:
c0:fd:6a:ed:24:e9:62:80:73:8d
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
80:c0:ac:a5:65:13:f3:2d:dd:d5:71:82:7c:2e:72:63:72:cf:
76:49:4b:09:3c:12:e7:d6:9b:3d:53:8b:d4:e0:9c:ff:f2:d6:
...
80:4d:9b:15:3f:82:1a:72:b2:4b:fd:05:2b:e7:36:f0:43:98:
80:b7:8f:6c:fd:64
You can also use -pubkey when utilizing x509 to extract the public key in PEM format:
$ openssl pkcs7 -in CERT.RSA -inform DER -print_certs | openssl x509 -noout -pubkey
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
If interested in the Android APK validation code, see collectCertificates from PackageParser.java.
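As an added illustration (not part of the answer above, and not Android's own code), the following Python script does the unzip-and-find step programmatically: it locates every META-INF/*.RSA or *.DSA entry, walks the PKCS #7 SignedData structure with a small DER decoder, and returns each embedded certificate's DER together with its SHA-256 fingerprint. The sample APK it builds is constructed for the demo, with a placeholder SEQUENCE standing in for a real X.509 certificate.

```python
import hashlib, io, zipfile                                      # stdlib only

def der_tlv(buf, pos=0):
    """Decode one DER element at pos -> (tag, value, raw_element, next_pos)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], buf[start:pos + length], pos + length

def der_children(value):
    """Yield (tag, value, raw) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, raw, pos = der_tlv(value, pos)
        yield tag, val, raw

def pkcs7_certificates(der):
    """Return the raw DER certificates inside a PKCS#7 SignedData ContentInfo."""
    _, content_info, _, _ = der_tlv(der)                    # ContentInfo ::= SEQUENCE { OID, [0] SignedData }
    _, sd, _, _ = der_tlv(next(v for t, v, _ in der_children(content_info) if t == 0xA0))
    for tag, val, _ in der_children(sd):
        if tag == 0xA0:                                     # certificates [0] IMPLICIT SET OF Certificate
            return [raw for t, _, raw in der_children(val) if t == 0x30]
    return []                                               # SignedData carried no certificates

def apk_signer_certs(apk_bytes):
    """Map each META-INF/*.RSA|*.DSA entry to [(sha256 fingerprint, cert DER), ...]."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA")):
                found[name] = [(hashlib.sha256(c).hexdigest(), c)
                               for c in pkcs7_certificates(z.read(name))]
    return found

def der_encode(tag, content):               # short-form lengths only; enough for the sample
    return bytes([tag, len(content)]) + content

def build_sample_apk(fake_cert=bytes.fromhex("3003020107")):
    """Constructed sample: ZIP whose CERT.RSA is a minimal SignedData wrapping fake_cert,
    a placeholder SEQUENCE standing in for a real X.509 certificate."""
    body = (der_encode(0x02, b"\x01") + der_encode(0x31, b"")          # version, digestAlgorithms
            + der_encode(0x30, bytes.fromhex("06092a864886f70d010701"))  # encapContentInfo (id-data)
            + der_encode(0xA0, fake_cert) + der_encode(0x31, b""))       # certificates [0], signerInfos
    content_info = der_encode(0x30, bytes.fromhex("06092a864886f70d010702")  # id-signedData
                              + der_encode(0xA0, der_encode(0x30, body)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", content_info)
    return buf.getvalue()
```

On a real APK, write one of the returned DER blobs to a file and run `openssl x509 -inform DER -in signer.der -text -noout` to get the same dump as above.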