In a signed apk, there would be a META-INF/MANIFEST.MF file. And in this file, we can find the digests like these:
    Name: res/layout/main.xml
    SHA1-Digest: NJ1YLN3mBEKTPibVXbFO8eRCAr8=

    Name: AndroidManifest.xml
    SHA1-Digest: BlnC6ZBDtQYWeJNiespsQve82wY=

    Name: res/drawable-mdpi/ic_launcher.png
    SHA1-Digest: 4ss2KZ3FzkmfE6HAAsVu0aJKx1U=

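I've found a way to generate a digest in Java like this:

    import java.io.FileInputStream;
    import java.security.MessageDigest;
    import java.util.Base64;

    public class ApkDigest {
        public static void main(String[] args) throws Exception {
            MessageDigest md = MessageDigest.getInstance("sha-1");
            // Feed the file into the digest one byte at a time
            try (FileInputStream in = new FileInputStream("./ic_launcher.png")) {
                int bytes = 0;
                while ((bytes = in.read()) != -1) {
                    md.update((byte) bytes);
                }
            }
            byte[] thedigest = md.digest();
            // MANIFEST.MF stores digests Base64-encoded; java.util.Base64
            // stands in for the non-standard Base64Encoder helper
            System.out.println(Base64.getEncoder().encodeToString(thedigest));
        }
    }
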
For testing, I've used this simple code to generate some digests, which are mostly the same as the digests in META-INF/MANIFEST.MF in the APK, but there are still a small number of exceptions. Like this PNG file:
In the APK the digest for this PNG file is 4ss2KZ3FzkmfE6HAAsVu0aJKx1U=, which is very different from sjmKOs4BYDXg7COdeTc8tIfPBR0= generated by my code above.
But how to explain that almost 20 digests generated by my code are the same as the digests in the APK, and only this PNG's digest is different?
Could you please tell me how SDK or ADT generates SHA1-Digest for Resources of Android application packages, or the differences from my code?
Many thanks!
The aapt Android tool that creates the APK files does some processing to its inputs. In addition to converting XML resources to binary form, it also optimizes PNG files. You are most likely taking the hash of the original PNG file, while the PNG file in the APK has been somehow processed (compressed, etc.), and its hash (digest) is different. If you unzip an exported APK and take the hash of the PNG inside the package, you should get the same hash value.
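
The check the answer describes, as an added example that is not part of the original question or answer: it reads META-INF/MANIFEST.MF from the APK itself and recomputes the SHA-1 of every packaged entry, so the digests are compared against the bytes aapt actually shipped rather than the source files. The class name `ApkManifestCheck` and the command-line argument are assumptions of this example.

```java
import java.io.InputStream;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.jar.Attributes;
import java.util.jar.Manifest;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

// Hypothetical helper class, not part of the Android SDK.
public class ApkManifestCheck {
    // SHA-1 over the uncompressed bytes of a stream, Base64-encoded as in MANIFEST.MF
    static String sha1Base64(InputStream in) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            md.update(buf, 0, n);
        }
        return Base64.getEncoder().encodeToString(md.digest());
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java ApkManifestCheck <path-to-apk>");
            return;
        }
        try (ZipFile apk = new ZipFile(args[0])) {
            ZipEntry mf = apk.getEntry("META-INF/MANIFEST.MF");
            if (mf == null) {
                System.err.println("META-INF/MANIFEST.MF not found in " + args[0]);
                return;
            }
            Manifest manifest;
            try (InputStream in = apk.getInputStream(mf)) {
                manifest = new Manifest(in); // also handles wrapped (continued) lines
            }
            for (Map.Entry<String, Attributes> e : manifest.getEntries().entrySet()) {
                String expected = e.getValue().getValue("SHA1-Digest");
                ZipEntry entry = apk.getEntry(e.getKey());
                if (expected == null || entry == null) {
                    System.out.println("SKIP     " + e.getKey());
                    continue;
                }
                try (InputStream in = apk.getInputStream(entry)) {
                    String state = expected.equals(sha1Base64(in)) ? "OK       " : "MISMATCH ";
                    System.out.println(state + e.getKey());
                }
            }
        }
    }
}
```

A `MISMATCH` line means the packaged bytes differ from what the manifest records; a `SKIP` line means the manifest entry has no `SHA1-Digest` attribute or names a file that is not in the archive.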