Generate CERT.RSA for an APK without jarsigner / apksigner or any java tool

Question

I'm currently trying to package APK on the fly using this process :

• When the enduser asks for the download, I add a file in the APK
• I sign the APK (it's the same key that is used all along)
• I deliver the APK

The issue is that signing the APK with common tools (apksigner, jarsigner) can be time consuming for big APK (500M +)

My goal is to update the META-INF data and only generate the new CERT.RSA file (which is an encoding of CERT.SF if I'm not mistaken)

I have successfully found how to generate MANIFEST.MF and CERT.SF in the META-INF directory. I just can't find the algorithm, or any openssl command to generate the CERT.RSA from the CERT.SF.

Any clue ?

Answer 1

First off, make sure that your minSdkVersion < 24. If you have 24 or above, then these files are not necessary and you can sign only with APK Signature v2 scheme using apksig, which is going to be an order of magnitude faster to sign.

Now, assuming that you do need v1 signing and want to generate it manually, I would recommend that you look at the OpenJDK implementation of JarSigner. See in particular the Block class: https://github.com/openjdk-mirror/jdk7u-jdk/blob/master/src/share/classes/sun/security/tools/JarSigner.java#L2221-L2344

This is the content of the *.RSA file. As you can see, it's the signature of a combination of a few things. If you're only using an RSA key, you can probably simplify this code quite a bit and adapt it for your tool.