1page.title=APK Signature Scheme v2 2@jd:body 3 4<!-- 5 Copyright 2016 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18--> 19<div id="qv-wrapper"> 20 <div id="qv"> 21 <h2>In this document</h2> 22 <ol id="auto-toc"> 23 </ol> 24 </div> 25</div> 26 27<p> 28APK Signature Scheme v2 is a whole-file signature scheme that increases 29verification speed and <a 30href="#integrity-protected-contents">strengthens integrity guarantees</a> by 31detecting any changes to the protected parts of the APK. 32</p> 33 34<p> 35Signing using APK Signature Scheme v2 inserts an <a 36href="#apk-signing-block">APK Signing Block</a> into the APK file immediately 37before the ZIP Central Directory section. Inside the APK Signing Block, v2 38signatures and signer identity information are stored in an <a 39href="#apk-signature-scheme-v2-block">APK Signature Scheme v2 Block</a>. 40</p> 41 42<p> 43 <img src="../images/apk-before-after-signing.png" alt="APK before and after signing" id="figure1" /> 44</p> 45<p class="img-caption"><strong>Figure 1.</strong> APK before and after signing</p> 46 47<p> 48APK Signature Scheme v2 was introduced in Android 7.0 (Nougat). To make 49a APK installable on Android 6.0 (Marshmallow) and older devices, the 50APK should be signed using <a href="index.html#v1">JAR signing</a> before being 51signed with the v2 scheme. 52</p> 53 54 55<h2 id="apk-signing-block">APK Signing Block</h2> 56<p> 57To maintain backward-compatibility with the current APK format, v2 and newer APK 58signatures are stored inside an APK Signing Block, a new container introduced to 59support APK Signature Scheme v2. In an APK file, the APK Signing Block is located 60immediately before the ZIP Central Directory, which is located at the end of the file. 61</p> 62 63<p> 64The block contains ID-value pairs wrapped in a way that makes it easier to 65locate the block in the APK. The v2 signature of the APK is stored as an ID-value 66pair with ID 0x7109871a. 67</p> 68 69<h3 id="apk-signing-block-format">Format</h3> 70<p> 71The format of the APK Signing Block is as follows (all numeric fields are 72little-endian): 73</p> 74 75<ul> 76 <li><code>size of block</code> in bytes (excluding this field) (uint64)</li> 77 <li>Sequence of uint64-length-prefixed ID-value pairs: 78 <ul> 79 <li><code>ID</code> (uint32)</li> 80 <li><code>value</code> (variable-length: length of the pair - 4 bytes)</li> 81 </ul> 82 </li> 83 <li><code>size of block</code> in bytes—same as the very first field (uint64)</li> 84 <li><code>magic</code> “APK Sig Block 42” (16 bytes)</li> 85</ul> 86 87<p> 88APK is parsed by first finding the start of the ZIP Central Directory (by 89finding the ZIP End of Central Directory record at the end of the file, then 90reading the start offset of the Central Directory from the record). The 91<code>magic</code> value provides a quick way to establish that what precedes 92Central Directory is likely the APK Signing Block. The <code>size of 93block</code> value then efficiently points to the start of the block in the 94file. 95</p> 96 97<p> 98ID-value pairs with unknown IDs should be ignored when interpreting the 99block. 100</p> 101 102 103<h2 id="apk-signature-scheme-v2-block">APK Signature Scheme v2 Block</h2> 104<p> 105APK is signed by one or more signers/identities, each represented by a signing 106key. This information is stored as an APK Signature Scheme v2 Block. For each 107signer, the following information is stored: 108</p> 109 110<ul> 111 <li>(signature algorithm, digest, signature) tuples. The digest is stored to 112decouple signature verification from integrity checking of the APK’s contents.</li> 113 <li>X.509 certificate chain representing the signer’s identity.</li> 114 <li>Additional attributes as key-value pairs.</li> 115</ul> 116 117<p> 118For each signer, the APK is verified using a supported signature from the 119provided list. Signatures with unknown signature algorithms are ignored. It is 120up to each implementation to choose which signature to use when multiple 121supported signatures are encountered. This enables the introduction of stronger 122signing methods in the future in a backward-compatible way. The suggested 123approach is to verify the strongest signature. 124</p> 125 126<h3 id="apk-signature-scheme-v2-block-format">Format</h3> 127<p> 128APK Signature Scheme v2 Block is stored inside the APK Signing Block under ID 129<code>0x7109871a</code>. 130</p> 131 132<p> 133The format of the APK Signature Scheme v2 Block is as follows (all numeric 134values are little-endian, all length-prefixed fields use uint32 for length): 135</p> 136<ul> 137 <li>length-prefixed sequence of length-prefixed <code>signer</code>: 138 <ul> 139 <li>length-prefixed <code>signed data</code>: 140 <ul> 141 <li>length-prefixed sequence of length-prefixed <code>digests</code>: 142 <ul> 143 <li><code>signature algorithm ID</code> (uint32)</li> 144 <li>(length-prefixed) <code>digest</code>—see 145 <a href="#integrity-protected-contents">Integrity-protected Contents</a></li> 146 </ul> 147 </li> 148 <li>length-prefixed sequence of X.509 <code>certificates</code>: 149 <ul> 150 <li>length-prefixed X.509 <code>certificate</code> (ASN.1 DER form)</li> 151 </ul> 152 </li> 153 <li>length-prefixed sequence of length-prefixed <code>additional attributes</code>: 154 <ul> 155 <li><code>ID</code> (uint32)</li> 156 <li><code>value</code> (variable-length: length of the additional 157 attribute - 4 bytes)</li> 158 </ul> 159 </li> 160 </ul> 161 </li> 162 <li>length-prefixed sequence of length-prefixed <code>signatures</code>: 163 <ul> 164 <li><code>signature algorithm ID</code> (uint32)</li> 165 <li>length-prefixed <code>signature</code> over <code>signed data</code></li> 166 </ul> 167 </li> 168 <li>length-prefixed <code>public key</code> (SubjectPublicKeyInfo, ASN.1 DER form)</li> 169 </ul> 170 </li> 171</ul> 172 173<h4 id="signature-algorithm-ids">Signature Algorithm IDs</h4> 174<ul> 175 <li>0x0101—RSASSA-PSS with SHA2-256 digest, SHA2-256 MGF1, 32 bytes of salt, 176 trailer: 0xbc</li> 177 <li>0x0102—RSASSA-PSS with SHA2-512 digest, SHA2-512 MGF1, 64 bytes of salt, 178 trailer: 0xbc</li> 179 <li>0x0103—RSASSA-PKCS1-v1_5 with SHA2-256 digest. This is for build systems 180 which require deterministic signatures.</li> 181 <li>0x0104—RSASSA-PKCS1-v1_5 with SHA2-512 digest. This is for build systems 182 which require deterministic signatures.</li> 183 <li>0x0201—ECDSA with SHA2-256 digest</li> 184 <li>0x0202—ECDSA with SHA2-512 digest</li> 185 <li>0x0301—DSA with SHA2-256 digest</li> 186</ul> 187 188<p> 189All of the above signature algorithms are supported by the Android platform. 190Signing tools may support a subset of the algorithms. 191</p> 192 193<p> 194<strong>Supported keys sizes and EC curves:</strong> 195</p> 196 197<ul> 198 <li>RSA: 1024, 2048, 4096, 8192, 16384</li> 199 <li>EC: NIST P-256, P-384, P-521</li> 200 <li>DSA: 1024, 2048, 3072</li> 201</ul> 202 203<h2 id="integrity-protected-contents">Integrity-protected contents</h2> 204 205<p> 206For the purposes of protecting APK contents, an APK consists of four sections: 207</p> 208 209<ol> 210 <li>Contents of ZIP entries (from offset 0 until the start of APK Signing Block)</li> 211 <li>APK Signing Block</li> 212 <li>ZIP Central Directory</li> 213 <li>ZIP End of Central Directory</li> 214</ol> 215 216<p> 217 <img src="../images/apk-sections.png" alt="APK sections after signing" id="figure2" /> 218</p> 219<p class="img-caption"><strong>Figure 2.</strong> APK sections after signing</p> 220 221<p> 222APK Signature Scheme v2 protects the integrity of sections 1, 3, 4, and the 223<code>signed data</code> blocks of the APK Signature Scheme v2 Block contained 224inside section 2. 225</p> 226 227<p> 228The integrity of sections 1, 3, and 4 is protected by one or more digests of 229their contents stored in <code>signed data</code> blocks which are, in 230turn, protected by one or more signatures. 231</p> 232 233<p> 234The digest over sections 1, 3, and 4 is computed as follows, similar to a 235two-level <a href="https://en.wikipedia.org/wiki/Merkle_tree">Merkle tree</a>. 236Each section is split into consecutive 1 MB (2<sup>20</sup> bytes) chunks. The last chunk 237in each section may be shorter. The digest of each chunk is computed over the 238concatenation of byte <code>0xa5</code>, the chunk’s length in bytes 239(little-endian uint32), and the chunk’s contents. The top-level digest is 240computed over the concatenation of byte <code>0x5a</code>, the number of chunks 241(little-endian uint32), and the concatenation of digests of the chunks in the 242order the chunks appear in the APK. The digest is computed in chunked fashion to 243enable to speed up the computation by parallelizing it. 244</p> 245 246<p> 247 <img src="../images/apk-integrity-protection.png" alt="APK digest" id="figure3" /> 248</p> 249<p class="img-caption"><strong>Figure 3.</strong> APK digest</p> 250 251<p> 252Protection of section 4 (ZIP End of Central Directory) is complicated by the 253section containing the offset of ZIP Central Directory. The offset changes when 254the size of the APK Signing Block changes, for instance, when a new signature is 255added. Thus, when computing digest over the ZIP End of Central Directory, the 256field containing the offset of ZIP Central Directory must be treated as 257containing the offset of the APK Signing Block. 258</p> 259 260<h2 id="rollback-protections">Rollback Protections</h2> 261<p> 262An attacker could attempt to have a v2-signed APK verified as a v1-signed APK on 263Android platforms that support verifying v2-signed APK. To mitigate this attack, 264v2-signed APKs that are also v1-signed must contain an X-Android-APK-Signed 265attribute in the main section of their META-INF/*.SF files. The value of the 266attribute is a comma-separated set of APK signature scheme IDs (the ID of this 267scheme is 2). When verifying the v1 signature, APK verifier is required to 268reject APKs which do not have a signature for the APK signature scheme the 269verifier prefers from this set (e.g., v2 scheme). This protection relies on the 270fact that contents META-INF/*.SF files are protected by v1 signatures. See the 271section on 272<a href="#v1-verification">JAR signed APK verification</a>. 273</p> 274 275<p> 276An attacker could attempt to strip stronger signatures from the APK Signature 277Scheme v2 Block. To mitigate this attack, the list of signature algorithm IDs 278with which the APK was being signed is stored in the <code>signed data</code> 279block which is protected by each signature. 280</p> 281 282<h2 id="verification">Verification</h2> 283 284In Android 7.0, APKs can be verified according to the APK Signature Scheme v2 285(v2 scheme) or JAR signing (v1 scheme). Older platforms ignore v2 signatures 286and only verify v1 signatures. 287</p> 288 289<p> 290 <img src="../images/apk-validation-process.png" alt="APK signature verification process" id="figure4" /> 291</p> 292<p class="img-caption"><strong>Figure 4.</strong> APK signature verification 293process (new steps in red)</p> 294 295<h3 id="v2-verification">APK Signature Scheme v2 verification</h3> 296<ol> 297 <li>Locate the APK Signing Block and verify that: 298 <ol> 299 <li>Two size fields of APK Signing Block contain the same value.</li> 300 <li>ZIP Central Directory is immediately followed by ZIP End of Central 301 Directory record.</li> 302 <li>ZIP End of Central Directory is not followed by more data.</li> 303 </ol> 304 </li> 305 <li>Locate the first APK Signature Scheme v2 Block inside the APK Signing Block. 306 If the v2 Block if present, proceed to step 3. Otherwise, fall back to 307 verifying the APK 308 <a href="#v1-verification">using v1 scheme</a>.</li> 309 <li>For each <code>signer</code> in the APK Signature Scheme v2 Block: 310 <ol> 311 <li>Choose the strongest supported <code>signature algorithm ID</code> from 312 <code>signatures</code>. The strength ordering is up to each 313 implementation/platform version.</li> 314 <li>Verify the corresponding <code>signature</code> from 315 <code>signatures</code> against <code>signed data</code> using <code>public 316 key</code>. (It is now safe to parse <code>signed data</code>.)</li> 317 <li>Verify that the ordered list of signature algorithm IDs in 318 <code>digests</code> and <code>signatures</code> is identical. (This is to 319 prevent signature stripping/addition.)</li> 320 <li><a href="#integrity-protected-contents">Compute the digest of APK 321 contents</a> using the same digest algorithm as the digest algorithm used by the 322 signature algorithm.</li> 323 <li>Verify that the computed digest is identical to the corresponding 324 <code>digest</code> from <code>digests</code>.</li> 325 <li>Verify that SubjectPublicKeyInfo of the first <code>certificate</code> of 326 <code>certificates</code> is identical to <code>public key</code>.</li> 327 </ol> 328 </li> 329 <li>Verification succeeds if at least one <code>signer</code> was found and 330 step 3 succeeded for each found <code>signer</code>.</li> 331</ol> 332 333<p class="note"><strong>Note</strong>: APK must not be verified using 334the v1 scheme if a failure occurs in step 3 or 4. 335</p> 336 337<h3 id="v1-verification">JAR-signed APK verification (v1 scheme)</h3> 338<p> 339The JAR-signed APK is a 340<a href="https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html#Signed_JAR_File">standard 341signed JAR</a>, which must contain exactly the entries listed in 342META-INF/MANIFEST.MF and where all entries must be signed by the same set of 343signers. Its integrity is verified as follows: 344</p> 345 346<ol> 347 <li>Each signer is represented by a META-INF/<signer>.SF and 348 META-INF/<signer>.(RSA|DSA|EC) JAR entry.</li> 349 <li><signer>.(RSA|DSA|EC) is a 350 <a href="https://tools.ietf.org/html/rfc5652">PKCS #7 CMS ContentInfo 351 with SignedData structure</a> whose signature is verified over the 352 <signer>.SF file.</li> 353 <li><signer>.SF file contains a whole-file digest of the META-INF/MANIFEST.MF 354 and digests of each section of META-INF/MANIFEST.MF. The whole-file digest of 355 the MANIFEST.MF is verified. If that fails, the digest of each MANIFEST.MF 356 section is verified instead.</li> 357 <li>META-INF/MANIFEST.MF contains, for each integrity-protected JAR entry, a 358 correspondingly named section containing the digest of the entry’s uncompressed 359 contents. All these digests are verified.</li> 360 <li>APK verification fails if the APK contains JAR entries which are not listed 361 in the MANIFEST.MF and are not part of JAR signature.</li> 362</ol> 363 364<p> 365The protection chain is thus <signer>.(RSA|DSA|EC) -> <signer>.SF -> MANIFEST.MF 366-> contents of each integrity-protected JAR entry. 367</p> 368 369
