MuntashirAkon
Add support for v4 signature scheme
Android 11 introduced v4 signature scheme where <apk-file>.apk.idsig file is needed for the additional verification of the APK file (how this signature is stored isn't documented but it can be guessed that this will be stored in the /data/app along side the apk file(s)). It also requires v2 or v3 signature (depending on the min SDK version) as the fall back options. Due to this new addition, the users who are interested in installing an APK that has v4 signature scheme has to zip the apk files along with the idsig file and rename the zip file to APKS.
It also appears that APKS format needs a major upgrade. So, I'm thinking of releasing a version 3 of the APKS format specification which will be discussed in a separate issue before the final release.
As of today, v4 scheme is only available via hidden API. Looking at the way it is implemented, Google's probably thinking of implementing delta updates for APKs.
@MuntashirAkon can you now confirm that the signature files for the APKs signed with v4 are indeed stored in /data/app alongside the apk file(s)? Or is the <apk-file>.apk.idsig file only being used during incremental installation and can't be located anywhere afterwards?
can you now confirm that the signature files for the APKs signed with v4 are indeed stored in /data/app alongside the apk file(s)? Or is the
<apk-file>.apk.idsigfile only being used during incremental installation and can't be located anywhere afterwards?
Signatures are currently delivered as byte arrays during installation, the .idsig extension is used by ADB only. So, yes, they aren't used after the verification. They don't have to be incremental though, but it requires the com.android.permission.USE_INSTALLER_V2. According to the comment there, this v2 installer will be publicly available once it is stable. However, incremental installation support will be disabled for third-party apps.