1 page.title=APK Signature Scheme v2 2 @jd:body 3 4 <!-- 5 Copyright 2016 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18 --> 19 <div id="qv-wrapper"> 20 <div id="qv"> 21 <h2>In this document</h2> 22 <ol id="auto-toc"> 23 </ol> 24 </div> 25 </div> 26 27 <p> 28 APK Signature Scheme v2 is a whole-file signature scheme that increases 29 verification speed and <a 30 href="#integrity-protected-contents">strengthens integrity guarantees</a> by 31 detecting any changes to the protected parts of the APK. 32 </p> 33 34 <p> 35 Signing using APK Signature Scheme v2 inserts an <a 36 href="#apk-signing-block">APK Signing Block</a> into the APK file immediately 37 before the ZIP Central Directory section. Inside the APK Signing Block, v2 38 signatures and signer identity information are stored in an <a 39 href="#apk-signature-scheme-v2-block">APK Signature Scheme v2 Block</a>. 40 </p> 41 42 <p> 43 <img src="../images/apk-before-after-signing.png" alt="APK before and after signing" id="figure1" /> 44 </p> 45 <p class="img-caption"><strong>Figure 1.</strong> APK before and after signing</p> 46 47 <p> 48 APK Signature Scheme v2 was introduced in Android 7.0 (Nougat). To make 49 a APK installable on Android 6.0 (Marshmallow) and older devices, the 50 APK should be signed using <a href="index.html#v1">JAR signing</a> before being 51 signed with the v2 scheme. 52 </p> 53 54 55 <h2 id="apk-signing-block">APK Signing Block</h2> 56 <p> 57 To maintain backward-compatibility with the current APK format, v2 and newer APK 58 signatures are stored inside an APK Signing Block, a new container introduced to 59 support APK Signature Scheme v2. In an APK file, the APK Signing Block is located 60 immediately before the ZIP Central Directory, which is located at the end of the file. 61 </p> 62 63 <p> 64 The block contains ID-value pairs wrapped in a way that makes it easier to 65 locate the block in the APK. The v2 signature of the APK is stored as an ID-value 66 pair with ID 0x7109871a. 67 </p> 68 69 <h3 id="apk-signing-block-format">Format</h3> 70 <p> 71 The format of the APK Signing Block is as follows (all numeric fields are 72 little-endian): 73 </p> 74 75 <ul> 76 <li><code>size of block</code> in bytes (excluding this field) (uint64)</li> 77 <li>Sequence of uint64-length-prefixed ID-value pairs: 78 <ul> 79 <li><code>ID</code> (uint32)</li> 80 <li><code>value</code> (variable-length: length of the pair - 4 bytes)</li> 81 </ul> 82 </li> 83 <li><code>size of block</code> in bytessame as the very first field (uint64)</li> 84 <li><code>magic</code> APK Sig Block 42 (16 bytes)</li> 85 </ul> 86 87 <p> 88 APK is parsed by first finding the start of the ZIP Central Directory (by 89 finding the ZIP End of Central Directory record at the end of the file, then 90 reading the start offset of the Central Directory from the record). The 91 <code>magic</code> value provides a quick way to establish that what precedes 92 Central Directory is likely the APK Signing Block. The <code>size of 93 block</code> value then efficiently points to the start of the block in the 94 file. 95 </p> 96 97 <p> 98 ID-value pairs with unknown IDs should be ignored when interpreting the 99 block. 100 </p> 101 102 103 <h2 id="apk-signature-scheme-v2-block">APK Signature Scheme v2 Block</h2> 104 <p> 105 APK is signed by one or more signers/identities, each represented by a signing 106 key. This information is stored as an APK Signature Scheme v2 Block. For each 107 signer, the following information is stored: 108 </p> 109 110 <ul> 111 <li>(signature algorithm, digest, signature) tuples. The digest is stored to 112 decouple signature verification from integrity checking of the APKs contents.</li> 113 <li>X.509 certificate chain representing the signers identity.</li> 114 <li>Additional attributes as key-value pairs.</li> 115 </ul> 116 117 <p> 118 For each signer, the APK is verified using a supported signature from the 119 provided list. Signatures with unknown signature algorithms are ignored. It is 120 up to each implementation to choose which signature to use when multiple 121 supported signatures are encountered. This enables the introduction of stronger 122 signing methods in the future in a backward-compatible way. The suggested 123 approach is to verify the strongest signature. 124 </p> 125 126 <h3 id="apk-signature-scheme-v2-block-format">Format</h3> 127 <p> 128 APK Signature Scheme v2 Block is stored inside the APK Signing Block under ID 129 <code>0x7109871a</code>. 130 </p> 131 132 <p> 133 The format of the APK Signature Scheme v2 Block is as follows (all numeric 134 values are little-endian, all length-prefixed fields use uint32 for length): 135 </p> 136 <ul> 137 <li>length-prefixed sequence of length-prefixed <code>signer</code>: 138 <ul> 139 <li>length-prefixed <code>signed data</code>: 140 <ul> 141 <li>length-prefixed sequence of length-prefixed <code>digests</code>: 142 <ul> 143 <li><code>signature algorithm ID</code> (uint32)</li> 144 <li>(length-prefixed) <code>digest</code>see 145 <a href="#integrity-protected-contents">Integrity-protected Contents</a></li> 146 </ul> 147 </li> 148 <li>length-prefixed sequence of X.509 <code>certificates</code>: 149 <ul> 150 <li>length-prefixed X.509 <code>certificate</code> (ASN.1 DER form)</li> 151 </ul> 152 </li> 153 <li>length-prefixed sequence of length-prefixed <code>additional attributes</code>: 154 <ul> 155 <li><code>ID</code> (uint32)</li> 156 <li><code>value</code> (variable-length: length of the additional 157 attribute - 4 bytes)</li> 158 </ul> 159 </li> 160 </ul> 161 </li> 162 <li>length-prefixed sequence of length-prefixed <code>signatures</code>: 163 <ul> 164 <li><code>signature algorithm ID</code> (uint32)</li> 165 <li>length-prefixed <code>signature</code> over <code>signed data</code></li> 166 </ul> 167 </li> 168 <li>length-prefixed <code>public key</code> (SubjectPublicKeyInfo, ASN.1 DER form)</li> 169 </ul> 170 </li> 171 </ul> 172 173 <h4 id="signature-algorithm-ids">Signature Algorithm IDs</h4> 174 <ul> 175 <li>0x0101RSASSA-PSS with SHA2-256 digest, SHA2-256 MGF1, 32 bytes of salt, 176 trailer: 0xbc</li> 177 <li>0x0102RSASSA-PSS with SHA2-512 digest, SHA2-512 MGF1, 64 bytes of salt, 178 trailer: 0xbc</li> 179 <li>0x0103RSASSA-PKCS1-v1_5 with SHA2-256 digest. This is for build systems 180 which require deterministic signatures.</li> 181 <li>0x0104RSASSA-PKCS1-v1_5 with SHA2-512 digest. This is for build systems 182 which require deterministic signatures.</li> 183 <li>0x0201ECDSA with SHA2-256 digest</li> 184 <li>0x0202ECDSA with SHA2-512 digest</li> 185 <li>0x0301DSA with SHA2-256 digest</li> 186 </ul> 187 188 <p> 189 All of the above signature algorithms are supported by the Android platform. 190 Signing tools may support a subset of the algorithms. 191 </p> 192 193 <p> 194 <strong>Supported keys sizes and EC curves:</strong> 195 </p> 196 197 <ul> 198 <li>RSA: 1024, 2048, 4096, 8192, 16384</li> 199 <li>EC: NIST P-256, P-384, P-521</li> 200 <li>DSA: 1024, 2048, 3072</li> 201 </ul> 202 203 <h2 id="integrity-protected-contents">Integrity-protected contents</h2> 204 205 <p> 206 For the purposes of protecting APK contents, an APK consists of four sections: 207 </p> 208 209 <ol> 210 <li>Contents of ZIP entries (from offset 0 until the start of APK Signing Block)</li> 211 <li>APK Signing Block</li> 212 <li>ZIP Central Directory</li> 213 <li>ZIP End of Central Directory</li> 214 </ol> 215 216 <p> 217 <img src="../images/apk-sections.png" alt="APK sections after signing" id="figure2" /> 218 </p> 219 <p class="img-caption"><strong>Figure 2.</strong> APK sections after signing</p> 220 221 <p> 222 APK Signature Scheme v2 protects the integrity of sections 1, 3, 4, and the 223 <code>signed data</code> blocks of the APK Signature Scheme v2 Block contained 224 inside section 2. 225 </p> 226 227 <p> 228 The integrity of sections 1, 3, and 4 is protected by one or more digests of 229 their contents stored in <code>signed data</code> blocks which are, in 230 turn, protected by one or more signatures. 231 </p> 232 233 <p> 234 The digest over sections 1, 3, and 4 is computed as follows, similar to a 235 two-level <a href="https://en.wikipedia.org/wiki/Merkle_tree">Merkle tree</a>. 236 Each section is split into consecutive 1 MB (2<sup>20</sup> bytes) chunks. The last chunk 237 in each section may be shorter. The digest of each chunk is computed over the 238 concatenation of byte <code>0xa5</code>, the chunks length in bytes 239 (little-endian uint32), and the chunks contents. The top-level digest is 240 computed over the concatenation of byte <code>0x5a</code>, the number of chunks 241 (little-endian uint32), and the concatenation of digests of the chunks in the 242 order the chunks appear in the APK. The digest is computed in chunked fashion to 243 enable to speed up the computation by parallelizing it. 244 </p> 245 246 <p> 247 <img src="../images/apk-integrity-protection.png" alt="APK digest" id="figure3" /> 248 </p> 249 <p class="img-caption"><strong>Figure 3.</strong> APK digest</p> 250 251 <p> 252 Protection of section 4 (ZIP End of Central Directory) is complicated by the 253 section containing the offset of ZIP Central Directory. The offset changes when 254 the size of the APK Signing Block changes, for instance, when a new signature is 255 added. Thus, when computing digest over the ZIP End of Central Directory, the 256 field containing the offset of ZIP Central Directory must be treated as 257 containing the offset of the APK Signing Block. 258 </p> 259 260 <h2 id="rollback-protections">Rollback Protections</h2> 261 <p> 262 An attacker could attempt to have a v2-signed APK verified as a v1-signed APK on 263 Android platforms that support verifying v2-signed APK. To mitigate this attack, 264 v2-signed APKs that are also v1-signed must contain an X-Android-APK-Signed 265 attribute in the main section of their META-INF/*.SF files. The value of the 266 attribute is a comma-separated set of APK signature scheme IDs (the ID of this 267 scheme is 2). When verifying the v1 signature, APK verifier is required to 268 reject APKs which do not have a signature for the APK signature scheme the 269 verifier prefers from this set (e.g., v2 scheme). This protection relies on the 270 fact that contents META-INF/*.SF files are protected by v1 signatures. See the 271 section on 272 <a href="#v1-verification">JAR signed APK verification</a>. 273 </p> 274 275 <p> 276 An attacker could attempt to strip stronger signatures from the APK Signature 277 Scheme v2 Block. To mitigate this attack, the list of signature algorithm IDs 278 with which the APK was being signed is stored in the <code>signed data</code> 279 block which is protected by each signature. 280 </p> 281 282 <h2 id="verification">Verification</h2> 283 284 In Android 7.0, APKs can be verified according to the APK Signature Scheme v2 285 (v2 scheme) or JAR signing (v1 scheme). Older platforms ignore v2 signatures 286 and only verify v1 signatures. 287 </p> 288 289 <p> 290 <img src="../images/apk-validation-process.png" alt="APK signature verification process" id="figure4" /> 291 </p> 292 <p class="img-caption"><strong>Figure 4.</strong> APK signature verification 293 process (new steps in red)</p> 294 295 <h3 id="v2-verification">APK Signature Scheme v2 verification</h3> 296 <ol> 297 <li>Locate the APK Signing Block and verify that: 298 <ol> 299 <li>Two size fields of APK Signing Block contain the same value.</li> 300 <li>ZIP Central Directory is immediately followed by ZIP End of Central 301 Directory record.</li> 302 <li>ZIP End of Central Directory is not followed by more data.</li> 303 </ol> 304 </li> 305 <li>Locate the first APK Signature Scheme v2 Block inside the APK Signing Block. 306 If the v2 Block if present, proceed to step 3. Otherwise, fall back to 307 verifying the APK 308 <a href="#v1-verification">using v1 scheme</a>.</li> 309 <li>For each <code>signer</code> in the APK Signature Scheme v2 Block: 310 <ol> 311 <li>Choose the strongest supported <code>signature algorithm ID</code> from 312 <code>signatures</code>. The strength ordering is up to each 313 implementation/platform version.</li> 314 <li>Verify the corresponding <code>signature</code> from 315 <code>signatures</code> against <code>signed data</code> using <code>public 316 key</code>. (It is now safe to parse <code>signed data</code>.)</li> 317 <li>Verify that the ordered list of signature algorithm IDs in 318 <code>digests</code> and <code>signatures</code> is identical. (This is to 319 prevent signature stripping/addition.)</li> 320 <li><a href="#integrity-protected-contents">Compute the digest of APK 321 contents</a> using the same digest algorithm as the digest algorithm used by the 322 signature algorithm.</li> 323 <li>Verify that the computed digest is identical to the corresponding 324 <code>digest</code> from <code>digests</code>.</li> 325 <li>Verify that SubjectPublicKeyInfo of the first <code>certificate</code> of 326 <code>certificates</code> is identical to <code>public key</code>.</li> 327 </ol> 328 </li> 329 <li>Verification succeeds if at least one <code>signer</code> was found and 330 step 3 succeeded for each found <code>signer</code>.</li> 331 </ol> 332 333 <p class="note"><strong>Note</strong>: APK must not be verified using 334 the v1 scheme if a failure occurs in step 3 or 4. 335 </p> 336 337 <h3 id="v1-verification">JAR-signed APK verification (v1 scheme)</h3> 338 <p> 339 The JAR-signed APK is a 340 <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html#Signed_JAR_File">standard 341 signed JAR</a>, which must contain exactly the entries listed in 342 META-INF/MANIFEST.MF and where all entries must be signed by the same set of 343 signers. Its integrity is verified as follows: 344 </p> 345 346 <ol> 347 <li>Each signer is represented by a META-INF/<signer>.SF and 348 META-INF/<signer>.(RSA|DSA|EC) JAR entry.</li> 349 <li><signer>.(RSA|DSA|EC) is a 350 <a href="https://tools.ietf.org/html/rfc5652">PKCS #7 CMS ContentInfo 351 with SignedData structure</a> whose signature is verified over the 352 <signer>.SF file.</li> 353 <li><signer>.SF file contains a whole-file digest of the META-INF/MANIFEST.MF 354 and digests of each section of META-INF/MANIFEST.MF. The whole-file digest of 355 the MANIFEST.MF is verified. If that fails, the digest of each MANIFEST.MF 356 section is verified instead.</li> 357 <li>META-INF/MANIFEST.MF contains, for each integrity-protected JAR entry, a 358 correspondingly named section containing the digest of the entrys uncompressed 359 contents. All these digests are verified.</li> 360 <li>APK verification fails if the APK contains JAR entries which are not listed 361 in the MANIFEST.MF and are not part of JAR signature.</li> 362 </ol> 363 364 <p> 365 The protection chain is thus <signer>.(RSA|DSA|EC) -> <signer>.SF -> MANIFEST.MF 366 -> contents of each integrity-protected JAR entry. 367 </p> 368 369
