Android SHA256 signature algorithm with certificate having a SHA1 algorithm


My question is somewhat a follow up of this one: Can I specify digest algorithm apksigner uses?

I'm signing an APK with apksigner and, following the recommendations in the above post, I raised the minSDK to 18+. As expected, the resulting MANIFEST.MF and ANDROID.SF report SHA-256 digest hashes for the files in the package instead of SHA-1 digest hashes.

[Image: Android-minSDK18.SF excerpt]

[Image: Android-minSDK16.SF excerpt]

However, printing the .RSA certificate with keytool -printcert -file "ANDROID - minSDK18.RSA" or keytool -printcert -file "ANDROID - minSDK16.RSA" gives the same result, specifying a SHA1withRSA signature algorithm. [Image: keytool -printcert output]

That is probably because SHA1withRSA is the signature algorithm embedded in the certificate: [Image: certificate details]

My question is whether the signature algorithm of the certificate used to sign an APK has an impact related to the SHA-1 collision problems, even when the APK is signed with the SHA-256 algorithm.

Answer by Alex Klyubin (accepted answer)

No, the signature algorithm inside the app signing certificate -- the algorithm used by the certificate issuer to sign the certificate -- has no impact on the security of your Android app. The reason is that Android does not verify this cryptographic signature inside the app signing certificate.

For more background, all that matters to Android in an app signing certificate is that:

  1. it parses,
  2. it declares that its public key can be used for digital signatures,
  3. (only when updating an already installed app) it is identical to the app signing certificate of the currently installed version of the app.
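The following is an added example, not code from the question, the answer, or the Android tooling. It makes the distinction in the answer concrete: the digest algorithm over the APK entries lives in the .SF file (what changed when minSdkVersion was raised), while the SHA1withRSA that keytool prints is the signatureAlgorithm field of the X.509 certificate itself, which Android does not verify. The DER bytes below are a constructed, minimal structure with the outer shape of an X.509 Certificate (tbsCertificate, signatureAlgorithm, signatureValue) and placeholder contents; they are not a real certificate. The .SF text is likewise constructed. The parser expects a bare DER certificate (for example one exported with keytool -exportcert), not the PKCS#7 .RSA block from META-INF, which wraps the certificate inside a SignedData structure.

```python
import re

# Signature algorithm OIDs that appear in Certificate.signatureAlgorithm (RFC 3279/4055).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.113549.1.1.12": "SHA384withRSA",
    "1.2.840.113549.1.1.13": "SHA512withRSA",
    "1.2.840.10045.4.3.2": "SHA256withECDSA",
}


def der_tlv(tag, body):
    """Encode one DER tag-length-value (short-form length only; enough for the sample)."""
    if len(body) >= 128:
        raise ValueError("short-form DER length only")
    return bytes([tag, len(body)]) + body


def der_read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def certificate_signature_algorithm(der):
    """Return the dotted OID of Certificate.signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    This field says how the *issuer* signed the certificate; it says nothing about
    how the APK entries were digested.
    """
    tag, cert_body, _ = der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, pos = der_read_tlv(cert_body, 0)        # skip tbsCertificate
    tag, alg_id, _ = der_read_tlv(cert_body, pos)  # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_body, _ = der_read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid_body)


def sf_digest_algorithms(sf_text):
    """Return the digest algorithm names used in a JAR/APK .SF file, e.g. {'SHA-256'}."""
    pattern = r"^(SHA-?\d+)-Digest(?:-Manifest(?:-Main-Attributes)?)?:"
    return set(re.findall(pattern, sf_text, flags=re.MULTILINE))


# Constructed sample: OID 1.2.840.113549.1.1.5 (sha1WithRSAEncryption), placeholder tbs/signature.
SHA1_WITH_RSA_OID_DER = bytes.fromhex("2A864886F70D010105")
SAMPLE_CERT_DER = der_tlv(
    0x30,
    der_tlv(0x30, der_tlv(0x02, b"\x01"))                                    # placeholder tbsCertificate
    + der_tlv(0x30, der_tlv(0x06, SHA1_WITH_RSA_OID_DER) + der_tlv(0x05, b""))  # signatureAlgorithm
    + der_tlv(0x03, b"\x00" + bytes(8)),                                     # placeholder signatureValue
)

# Constructed .SF excerpt in the shape produced for minSdkVersion >= 18 (SHA-256 digests).
SAMPLE_SF = """\
Signature-Version: 1.0
Created-By: 1.0 (Android)
SHA-256-Digest-Manifest: PLACEHOLDER_BASE64=
X-Android-APK-Signed: 2

Name: classes.dex
SHA-256-Digest: PLACEHOLDER_BASE64=
"""


def describe(der, sf_text):
    """Report the two independent facts side by side."""
    oid = certificate_signature_algorithm(der)
    return {
        "certificate_signature_algorithm": SIG_ALG_OIDS.get(oid, oid),
        "apk_entry_digests": sorted(sf_digest_algorithms(sf_text)),
    }


if __name__ == "__main__":
    print(describe(SAMPLE_CERT_DER, SAMPLE_SF))
```

Running it reports SHA1withRSA for the certificate and SHA-256 for the entry digests at the same time, which is exactly the combination seen in the question: the two values come from different structures, and re-signing with a higher minSdkVersion only changes the second one. To run it against a real certificate, export it from the keystore as DER and pass the file contents to certificate_signature_algorithm.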