[Solved] What are the purposes of files in META-INF folder of an APK file?

What are the purposes of MANIFEST.MF, CERT.SF and CERT.RSA file in the META-INF folder in an android APK.

Solution #1:

An android APK file is actually a jar file (java archive), it is just a plain zip file with or without compression. Jar files are used by all types of java applications, they have a specific structure – the META-INF folder contains the manifest information and other metadata about the java package carried by the jar file.

The purposes of these files are as follows:

  1. MANIFEST.MF: It contains various information used by the java run-time environment when loading the jar file, such as which is the main class to be run from the jar file, version of package, build number, creator of the package, security policies/permissions of java applets and java webstart packages, the list of file names in the jar along with their SHA1 digests, etc.
  2. CERT.SF: This contains the list of all files along with their SHA-1 digest.
  3. CERT.RSA: This contains the signed contents of the CERT.SF file along with the certificate chain of the public key used for signing the contents.

As an example, Refer to a sample apk file here.
If you download and expand this file using a file decompression program like 7zip to your desktop, you can see a sample of these files.

In the extracted directory, go to sub-directory META-INF and view the contents of the files manifest.mf and *.sf files. Here are the first few lines of these files:


Manifest-Version: 1.0
Created-By: 1.7.0_60 (Oracle Corporation)

Name: res/drawable-xxhdpi-v4/common_plus_signin_btn_text_dark_pressed.9.png
SHA1-Digest: Db3E0/I85K9Aik2yJ4X1dDP3Wq0=

Name: res/drawable-xhdpi-v4/opt_more_item_close_press.9.png
SHA1-Digest: Xxm9cr4gDbEEnnYvxRWfzcIXBEM=

Name: res/anim/accessibility_guide_translate_out.xml
SHA1-Digest: dp8PyrXMy2IBxgTz19x7DATpqz8=

The file MCTN.SF contains the digests of the file listings in MANIFEST.MF along with an empty line:

Signature-Version: 1.0
SHA1-Digest-Manifest-Main-Attributes: Sen4TNWb3NQLczkzN1idKh81Rjc=
Created-By: 1.7.0_60 (Oracle Corporation)
SHA1-Digest-Manifest: NAWTDC05HK+hfNtQ91J4AoL9F7s=

Name: res/drawable-xxhdpi-v4/common_plus_signin_btn_text_dark_pressed.9.png
SHA1-Digest: pvIZkdVTEuilCdx8UkrlY6ufPlw=

Name: res/anim/accessibility_guide_translate_out.xml
SHA1-Digest: XeX9Q2w41PRm3KiZ5p07x3CY6hc=

The file MCTN.RSA contains the signature in base64 encoding generated over file MCTN.SF.

See this reference for details on how to verify the signatures of APK packages – http://theether.net/kb/100207

Respondent: Sandeep S. Sandhu

The answers/resolutions are collected from stackoverflow, are licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0 .

Leave a Reply

Your email address will not be published.