Shulou(Shulou.com)06/01 Report--
Incremental installation is a streaming installation scheme: the application can be started as soon as the core files of the installation package have been transferred. Streaming installation means that the core data needed to start the application is transferred first and the remaining data is streamed in the background.
For an APK, the core data includes the executable files and important resource files. Before the data transfer begins, ADB selects the core files of the installation package and gives them transfer priority. Once the mobile device has received the core data blocks needed to launch the application, the application can be launched from the virtual file system.
In Android 11, Google implemented the incremental file system in the kernel to support incremental installation (see https://source.android.com/devices/architecture/kernel/incfs for details).
This allows Android to stream an APK over ADB. At the same time, Android 11 adds a new V4 signature scheme to accommodate incremental installation.
This scheme does not change the previous signature schemes but creates a new signature: a Merkle hash tree is calculated over all the bytes of the APK, and the root hash and salt value of the Merkle tree are used as signature data to verify the integrity of the package. The new signature data is saved in the .idsig file, and a corresponding V4 signature file must be created for the APK before incremental installation.
This article briefly introduces the basic principle of incremental installation and the V4 signature scheme based on the Merkle tree.
/ tr. by Phil Newell) Chen Zhenming / Pan Yuchen / Wendi Eucalyptus
1-incremental installation
The figure above shows the basic framework for incremental installation [1].
ADB selects the files that need to be transferred first and sends the data as an incremental file stream. During the transfer it creates a transfer log and provides it to the developer.
The incremental file system kernel module on the mobile device is used to create the incremental service in the operating system. The incremental service receives an incremental installation request from ADB, notifies the incremental file system kernel module and the package manager (Package Manager) to initiate the incremental installation, and tracks the application installation process.
After receiving the incremental installation request, the incremental file system kernel module receives the APK core data from ADB and places it in the incremental file system.
The incremental file system is a virtual file system running on top of the device file system. After receiving the core data files of the APK, it allocates space for the whole package and creates the virtual file of the APK for incremental installation.
After the core data is installed, the application icon and the directory where the application is located can be displayed on the device. After the user starts the application, ADB continues to transfer the remaining APK data in the background.
The figure above shows the APK core files that ADB transfers first. ADB transmits APK data to the mobile device incrementally, and the data transferred in advance allows the APK to start early. ADB tracks the data being transferred and creates log files that are made available to application developers.
2-Merkle tree
Signing and verification in the Android V4 signature scheme are based on the Merkle tree.
The Merkle tree is designed to solve the problem that a single Lamport key cannot sign multiple messages and that the public key becomes too long when there is a large amount of information [2].
The Merkle tree essentially combines a series of Lamport public keys and uses a hash function to calculate a single public key, which is the root hash of the Merkle tree.
The following describes how the Merkle tree is used to generate and verify a signature.
For the Merkle tree in the following figure:
● Block 1 to Block 4 each have their own key pair $(X_i, Y_i)$.
● A leaf node of the Merkle tree is the hash value calculated over the public key of the corresponding data block: $h_i = H(Y_i)$.
● The value of a non-leaf node is obtained by concatenating the values of its child nodes and calculating a hash.
Take the calculation of node $a_{1,0}$ as an example: $a_{1,0} = H(a_{0,0} \,\|\, a_{0,1})$.
Continuing in the same way, the hash value of the root node can be calculated and the Merkle tree is established. The root node value can then be used as the public key to verify signatures.
The signature of a given data block includes a key that encrypts the data block and a verification path for that key, where the verification path consists of the sibling of every node on the path from the leaf node to the root node.
Verifying a Merkle tree signature requires first verifying the one-time signature of the data block and then verifying the correctness of the public key.
Take data block 1 as an example. First verify whether the key pair $(X_0, Y_0)$ matches.
If so, the correctness of $Y_0$ is verified using the verification path of $a_{0,0}$ and the root hash.
The verification path of node $a_{0,0}$ includes $a_{0,1}$ and $a_{1,1}$.
From $a_{0,0}$ and $a_{0,1}$ the node $a_{1,0}$ can be calculated, and from $a_{1,0}$ and $a_{1,1}$ the root node $a_{2,0}$ can be calculated, which is then compared with the public key of the Merkle tree. If the two agree, the signature is accepted.
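The public-key half of this check can be run on the four-leaf tree above. The following is an added example, not code from the original article; it covers only the verification-path step (the one-time signature check is left out), and SHA-256 and the placeholder key bytes are assumptions.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_levels(public_keys):
    """levels[i][j] is node a[i,j]; level 0 holds the leaves h_j = H(Y_j)."""
    if len(public_keys) < 2 or len(public_keys) & (len(public_keys) - 1):
        raise ValueError("this sketch needs a power-of-two number of leaves")
    levels = [[H(y) for y in public_keys]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[k] + prev[k + 1]) for k in range(0, len(prev), 2)])
    return levels

def auth_path(levels, index):
    """Sibling of every node on the path from leaf `index` up to the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path

def verify_public_key(public_key, index, path, root):
    """Recompute the root from Y_index and its verification path."""
    node = H(public_key)
    for sibling in path:
        # The node's position decides on which side the sibling is concatenated.
        node = H(node + sibling) if index % 2 == 0 else H(sibling + node)
        index //= 2
    return node == root

# Constructed sample: placeholders standing in for one-time public keys Y_0..Y_3.
KEYS = [b"Y0-demo", b"Y1-demo", b"Y2-demo", b"Y3-demo"]
LEVELS = build_levels(KEYS)
ROOT = LEVELS[2][0]               # a[2,0], the public key of the tree
PATH0 = auth_path(LEVELS, 0)      # [a[0,1], a[1,1]]

if __name__ == "__main__":
    print(verify_public_key(KEYS[0], 0, PATH0, ROOT))        # genuine Y_0
    print(verify_public_key(b"Y0-forged", 0, PATH0, ROOT))   # substituted key
```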
3-V4 signature
The V4 signature calculates the Merkle tree based on APK bytes for file verification.
The V4 signature is stored in the .idsig file with the following data structure, including the root hash used to verify the signature.
    struct V4Signature {
        int32 version;                    // only version 2 is supported as of now
        sized_bytes<int32> hashing_info;
        sized_bytes<int32> signing_info;
        sized_bytes<int32> merkle_tree;   // you can choose whether to save the complete merkle tree
    };
The structure of sized_bytes is as follows:
    template <class SizeT>
    struct sized_bytes {
        SizeT size;        // length of the payload in bytes
        byte bytes[size];  // the payload itself
    };
hashing_info holds information about the hash tree: hash algorithm (SHA256), block size (4KB), salt value, root hash. hashing_info is defined as follows:
    public static class HashingInfo {
        public final int hashAlgorithm;    // hash algorithm identifier
        public final byte log2BlockSize;   // block size as a power of two
        public final byte[] salt;
        public final byte[] rawRootHash;   // root hash of the Merkle tree
        // ...
    }
signing_info holds the parameters used to verify the signature: data digest, signature data, public key, certificate, and so on. signing_info is defined as follows:
    public static class SigningInfo {
        public final byte[] apkDigest;
        public final byte[] certificate;
        public final byte[] additionalData;
        public final byte[] publicKey;
        public final int signatureAlgorithmId;
        public final byte[] signature;
    }
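A parser for the layout above, with the bounds checks a reader of untrusted .idsig data needs, is given here as an added example that is not from the original article or from Android's own code. It assumes little-endian int32 values and that hashing_info serialises its fields in the order of the HashingInfo class, with salt and rawRootHash as sized_bytes; the sample bytes are constructed.

```python
import struct

# Assumptions: little-endian int32 fields; hashing_info field order follows the
# HashingInfo class, with salt and rawRootHash stored as sized_bytes<int32>.
class IdsigError(ValueError):
    pass

def read_sized(buf: bytes, off: int):
    """Read one sized_bytes<int32> field; reject sizes that run past the buffer."""
    if off + 4 > len(buf):
        raise IdsigError("truncated size field")
    (size,) = struct.unpack_from("<i", buf, off)
    off += 4
    if size < 0 or size > len(buf) - off:
        raise IdsigError("size field exceeds remaining data")
    return buf[off:off + size], off + size

def parse_hashing_info(blob: bytes) -> dict:
    if len(blob) < 5:
        raise IdsigError("truncated hashing_info")
    hash_algorithm, log2_block_size = struct.unpack_from("<ib", blob, 0)
    if not 0 <= log2_block_size < 32:
        raise IdsigError("implausible log2BlockSize")
    salt, off = read_sized(blob, 5)
    raw_root_hash, off = read_sized(blob, off)
    return {"hashAlgorithm": hash_algorithm, "blockSize": 1 << log2_block_size,
            "salt": salt, "rawRootHash": raw_root_hash}

def parse_v4_signature(buf: bytes) -> dict:
    if len(buf) < 4:
        raise IdsigError("truncated header")
    (version,) = struct.unpack_from("<i", buf, 0)
    if version != 2:
        raise IdsigError("unsupported version %d" % version)
    hashing_info, off = read_sized(buf, 4)
    signing_info, off = read_sized(buf, off)
    # The Merkle tree is optional: parse it only if bytes remain.
    merkle_tree = read_sized(buf, off)[0] if off < len(buf) else None
    return {"version": version, "hashing_info": parse_hashing_info(hashing_info),
            "signing_info": signing_info, "merkle_tree": merkle_tree}

def sized(data: bytes) -> bytes:
    return struct.pack("<i", len(data)) + data

# Constructed sample, not taken from a real APK: algorithm id 1, 2^12-byte blocks,
# empty salt, all-zero root hash, placeholder signing_info, no stored tree.
SAMPLE_HASHING = struct.pack("<ib", 1, 12) + sized(b"") + sized(bytes(32))
SAMPLE = struct.pack("<i", 2) + sized(SAMPLE_HASHING) + sized(b"signing-info-placeholder")
```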
Here's how a V4 signature is generated.
First, generate the Merkle tree in a bottom-up manner, as shown in the following figure:
The source data of the APK is first divided into 4KB blocks. If the last part of the source file is shorter than 4KB, it is zero-padded to 4KB.
SHA256 is then calculated over each of these 4KB blocks to get a 32B hash value; these hash values constitute the first layer of the Merkle tree.
The second layer of the Merkle tree is built by combining the first layer: every 128 hash values of the first layer are packed in turn into a 4KB data block, zero-padded if they do not fill 4KB. SHA256 is then calculated over these 4KB blocks to get the second layer of the Merkle tree.
The following layers are calculated in the same way until the root hash of the Merkle tree is obtained. The generated hash tree is saved in the .idsig file in the V4Signature structure.
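The layer-by-layer construction described above can be written out as follows. This is an added example, not the article's or apksigner's code: it follows the steps exactly as stated here (4KB blocks, zero padding, SHA256, 128 digests per block) and does not apply the salt, so its output is not claimed to match the root hash in a real .idsig file; the input bytes are constructed.

```python
import hashlib

BLOCK_SIZE = 4096   # 4KB blocks, as in the text
DIGEST_SIZE = 32    # SHA-256 output; 128 digests fill one block

def hash_layer(data: bytes) -> bytes:
    """Hash each 4KB block (last one zero-padded) and concatenate the digests."""
    out = bytearray()
    for off in range(0, len(data), BLOCK_SIZE):
        block = data[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
        out += hashlib.sha256(block).digest()
    return bytes(out)

def merkle_layers(apk: bytes) -> list:
    """Return every layer bottom-up; the last layer is the 32-byte root hash."""
    if not apk:
        raise ValueError("empty input has no blocks to hash")
    layers = [hash_layer(apk)]
    while len(layers[-1]) > DIGEST_SIZE:
        layers.append(hash_layer(layers[-1]))
    return layers

def root_hash(apk: bytes) -> bytes:
    return merkle_layers(apk)[-1]

def tampered(data: bytes, offset: int) -> bytes:
    """Copy of data with one bit flipped at the given offset."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)

# Constructed input standing in for APK bytes: 129 full blocks plus 100 bytes.
SAMPLE = bytes(i % 251 for i in range(129 * BLOCK_SIZE + 100))

if __name__ == "__main__":
    print([len(layer) for layer in merkle_layers(SAMPLE)])   # bytes per layer
    print(root_hash(SAMPLE).hex())
    print(root_hash(tampered(SAMPLE, 5000)) != root_hash(SAMPLE))
    print(root_hash(SAMPLE + b"\x00" * 10) == root_hash(SAMPLE))
```

As computed here, zero bytes appended inside the final block leave the root unchanged, so the file length has to be bound by something other than the tree.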
The hashing_info structure is built from the root hash, and the V4 signature is generated based on hashing_info and the APK digests.
When ADB requests an incremental installation, PMS gets the native signature from the .idsig file and wraps it in a V4Signature object. During verification, the signature data and public key are obtained from V4Signature, and the verification process is similar to that of the previous generation signature scheme.