# pkgsigverify

## Valid cases

APKs in this directory are used by `PkgInstallSignatureVerificationTest`.
See that class for additional information about their use.

In general, they are differently signed forms of the tinyapp APK, named
according to the following scheme:

`${version}-with-${signing-algorithm}-${OID-params}-${keysize}-${extra_info}`

Some fields may be absent. When present, they have the following meaning:

- version: denotes which APK Signature Scheme (v1, v2, and/or v3) was used
- signing-algorithm: indicates how the signature was generated
- OID-params: PKI object identifiers indicating how to use the provided key
  to generate the signature. See, e.g., RFC 3279 and RFC 4055.
- keysize: the size of the key used for signing
- extra_info: additional notes to distinguish packages. Currently this denotes
  which test certificates were used to generate a proof-of-rotation object,
  if one exists, included in the signing block of the APK, as well as the
  capabilities of those certificates according to APK Signature Scheme v3.
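The naming scheme can be decoded mechanically when auditing which scheme, algorithm and key size a fixture exercises. The parser below is an added example, not part of the test suite or of apksig. It assumes hyphen-separated fields, a dotted-decimal OID and an all-digit key size; `parse_fixture_name` and the sample file names are constructed for illustration.

```python
import re

# Assumed grammar (the README gives none):
#   <version>-with-<algorithm>[-<OID>][-<keysize>][-<extra_info>][.apk]
NAME_RE = re.compile(r"^(?P<version>.+?)-with-(?P<rest>.+?)(?:\.apk)?$")
OID_RE = re.compile(r"^\d+(?:\.\d+)+$")  # dotted-decimal object identifier


def parse_fixture_name(filename):
    """Split a fixture file name into the README's five fields."""
    m = NAME_RE.match(filename)
    if m is None:
        raise ValueError(f"no '-with-' separator in {filename!r}")
    schemes = re.findall(r"v\d", m.group("version"))
    if not schemes:
        raise ValueError(f"no signature scheme version in {filename!r}")
    tokens = m.group("rest").split("-")
    # The algorithm runs up to the first OID or all-digit token, because
    # algorithm names themselves contain hyphens (e.g. rsa-pkcs1-sha256).
    idx = next((i for i, t in enumerate(tokens)
                if OID_RE.match(t) or t.isdecimal()), len(tokens))
    if idx == 0:
        raise ValueError(f"missing signing algorithm in {filename!r}")
    algorithm = "-".join(tokens[:idx])
    oid = keysize = None
    if idx < len(tokens) and OID_RE.match(tokens[idx]):
        oid, idx = tokens[idx], idx + 1
    if idx < len(tokens) and tokens[idx].isdecimal():
        keysize, idx = int(tokens[idx]), idx + 1
    # Whatever remains is free-form extra_info (may itself contain hyphens).
    extra = "-".join(tokens[idx:]) or None
    return {"schemes": schemes, "algorithm": algorithm, "oid": oid,
            "keysize": keysize, "extra_info": extra}


# Constructed sample names, not taken from the directory listing.
SAMPLES = [
    "v3-with-rsa-pkcs1-sha256-1.2.840.113549.1.1.1-2048-por_a_b-full-caps.apk",
    "v1-v2-with-rsa-pss-sha256-4096",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, "->", parse_fixture_name(name))
```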

These APKs were generated using the `apksigner` command-line tool,
which lives at `tools/apksig/src/apksigner/java/com/android/apksigner/` in the
Android source tree. Please refer to the usage instructions there for how to
sign APKs using different keystores, providers, etc. The generation commands
for some of the APKs are in `generate-apks.sh`.

## Invalid cases

Some of the APKs in this directory were generated by modifying the apksig library (see the
README in `tools/apksig/`) to create invalid or unsupported outcomes (e.g. ag/11575267).