What are the purposes of files in META-INF folder of an APK file?

Live Seven · Sep 3, 2016 · Viewed 15.1k times

What are the purposes of the MANIFEST.MF, CERT.SF and CERT.RSA files in the META-INF folder of an Android APK?

Answer

Sandeep S. Sandhu · Sep 3, 2016

An Android APK file is actually a JAR file (Java archive): it is just a plain zip file, with or without compression. JAR files are used by all types of Java applications, and they have a specific structure: the META-INF folder contains the manifest information and other metadata about the Java package carried by the JAR file.

The purposes of these files are as follows:

  1. MANIFEST.MF: It contains various information used by the Java run-time environment when loading the JAR file, such as the main class to be run from the JAR file, the version of the package, the build number, the creator of the package, the security policies/permissions of Java applets and Java Web Start packages, the list of file names in the JAR along with their SHA1 digests, etc.
  2. CERT.SF: This contains the list of all files along with their SHA-1 digests.
  3. CERT.RSA: This contains the signed contents of the CERT.SF file along with the certificate chain of the public key used for signing the contents.

As an example, refer to a sample APK file here. If you download and expand this file using a file decompression program like 7zip to your desktop, you can see a sample of these files.

In the extracted directory, go to the sub-directory META-INF and view the contents of the MANIFEST.MF and *.SF files. Here are the first few lines of these files:

File MANIFEST.MF:

Manifest-Version: 1.0
Created-By: 1.7.0_60 (Oracle Corporation)

Name: res/drawable-xxhdpi-v4/common_plus_signin_btn_text_dark_pressed.9.png
SHA1-Digest: Db3E0/I85K9Aik2yJ4X1dDP3Wq0=

Name: res/drawable-xhdpi-v4/opt_more_item_close_press.9.png
SHA1-Digest: Xxm9cr4gDbEEnnYvxRWfzcIXBEM=

Name: res/anim/accessibility_guide_translate_out.xml
SHA1-Digest: dp8PyrXMy2IBxgTz19x7DATpqz8=

The file MCTN.SF contains the digests of the file listings in MANIFEST.MF along with an empty line:

Signature-Version: 1.0
SHA1-Digest-Manifest-Main-Attributes: Sen4TNWb3NQLczkzN1idKh81Rjc=
Created-By: 1.7.0_60 (Oracle Corporation)
SHA1-Digest-Manifest: NAWTDC05HK+hfNtQ91J4AoL9F7s=

Name: res/drawable-xxhdpi-v4/common_plus_signin_btn_text_dark_pressed.9.png
SHA1-Digest: pvIZkdVTEuilCdx8UkrlY6ufPlw=

Name: res/anim/accessibility_guide_translate_out.xml
SHA1-Digest: XeX9Q2w41PRm3KiZ5p07x3CY6hc=

The file MCTN.RSA contains the signature in base64 encoding generated over file MCTN.SF.

See this reference for details on how to verify the signatures of APK packages - http://theether.net/kb/100207
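To make the digest chain described in the answer concrete, here is an added example (not code from the answer or from Android's own tooling): it builds a constructed, unsigned APK-like zip with a v1-style MANIFEST.MF and CERT.SF, then checks every zip member against MANIFEST.MF and every MANIFEST.MF section against CERT.SF, which is the integrity part an installer does before checking the CERT.RSA signature. File names, contents and the `stored` tampering hook are constructed for the example; verifying the PKCS#7 signature in CERT.RSA needs an ASN.1 library and is left out.

```python
import base64, hashlib, io, zipfile

def b64_sha1(data: bytes) -> str:
    """JAR digest attributes are base64(SHA-1(bytes)), as in the listings above."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def manifest_sections(text: str) -> list:
    """Split into (raw_bytes, attrs) per blank-line-separated section; raw_bytes keeps the
    trailing blank line (that is what CERT.SF digests). A leading space marks a continuation line."""
    out = []
    for block in filter(None, text.split("\r\n\r\n")):
        lines = block.replace("\r\n ", "").split("\r\n")  # re-join 72-byte-wrapped lines
        out.append(((block + "\r\n\r\n").encode(), dict(l.split(": ", 1) for l in lines if l)))
    return out

def build_sample_apk(files: dict, stored: dict = None) -> bytes:
    """Constructed unsigned sample (no CERT.RSA): manifests are computed over `files`; the zip
    stores `stored` when given, to simulate a member changed or added after signing."""
    mf = "Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n"
    for name, data in files.items():
        mf += f"Name: {name}\r\nSHA1-Digest: {b64_sha1(data)}\r\n\r\n"
    sf = f"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: {b64_sha1(mf.encode())}\r\n\r\n"
    for raw, attrs in manifest_sections(mf)[1:]:  # skip the main section
        sf += f"Name: {attrs['Name']}\r\nSHA1-Digest: {b64_sha1(raw)}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in {**(stored or files), "META-INF/MANIFEST.MF": mf, "META-INF/CERT.SF": sf}.items():
            z.writestr(name, data)
    return buf.getvalue()

def verify_v1_digests(apk: bytes) -> list:
    """Walk the chain zip member -> MANIFEST.MF -> CERT.SF; return the problems found."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = set(z.namelist())
        mf_bytes = z.read("META-INF/MANIFEST.MF")
        mf = manifest_sections(mf_bytes.decode())
        sf = manifest_sections(z.read("META-INF/CERT.SF").decode())
        if sf[0][1].get("SHA1-Digest-Manifest") != b64_sha1(mf_bytes):
            problems.append("SHA1-Digest-Manifest does not match MANIFEST.MF")
        mf_raw = {a["Name"]: raw for raw, a in mf[1:]}
        for _, a in sf[1:]:  # each CERT.SF entry digests one MANIFEST.MF section
            if b64_sha1(mf_raw.get(a["Name"], b"")) != a["SHA1-Digest"]:
                problems.append(f"CERT.SF digest mismatch for {a['Name']}")
        for _, a in mf[1:]:  # each MANIFEST.MF entry digests one zip member
            if a["Name"] not in names or b64_sha1(z.read(a["Name"])) != a["SHA1-Digest"]:
                problems.append(f"MANIFEST.MF digest mismatch for {a['Name']}")
        for n in names - set(mf_raw) - {"META-INF/MANIFEST.MF", "META-INF/CERT.SF"}:
            problems.append(f"{n} is not covered by MANIFEST.MF")  # added after signing
    return problems
```

A member that is modified, or one that is dropped into the archive without a MANIFEST.MF entry, shows up as a problem even though CERT.SF is untouched, which is why the signature in CERT.RSA only has to cover CERT.SF.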