13 files changed, 95 insertions, 59 deletions
diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java index 41ba1dc43926..4b579e7db9f8 100644 --- a/core/java/android/content/pm/PackageParser.java +++ b/core/java/android/content/pm/PackageParser.java @@ -1445,7 +1445,7 @@ public class PackageParser { verified.getPublicKeys(), verified.getPastSigningCertificates()); } else { - if (!Signature.areExactMatch(pkg.mSigningDetails.signatures, + if (!Signature.areExactArraysMatch(pkg.mSigningDetails.signatures, verified.getSignatures())) { throw new PackageParserException( INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES, @@ -6468,7 +6468,7 @@ public class PackageParser { } } } else { - return Signature.areEffectiveMatch(oldDetails.signatures, signatures); + return Signature.areEffectiveArraysMatch(oldDetails.signatures, signatures); } return false; } @@ -6616,7 +6616,7 @@ public class PackageParser { /** Returns true if the signatures in this and other match exactly. */ public boolean signaturesMatchExactly(SigningDetails other) { - return Signature.areExactMatch(this.signatures, other.signatures); + return Signature.areExactArraysMatch(this.signatures, other.signatures); } @Override @@ -6668,7 +6668,7 @@ public class PackageParser { SigningDetails that = (SigningDetails) o; if (signatureSchemeVersion != that.signatureSchemeVersion) return false; - if (!Signature.areExactMatch(signatures, that.signatures)) return false; + if (!Signature.areExactArraysMatch(signatures, that.signatures)) return false; if (publicKeys != null) { if (!publicKeys.equals((that.publicKeys))) { return false; @@ -6677,7 +6677,8 @@ public class PackageParser { return false; } - // can't use Signature.areExactMatch() because order matters with the past signing certs + // can't use Signature.areExactArraysMatch() because order matters with the past + // signing certs if (!Arrays.equals(pastSigningCertificates, that.pastSigningCertificates)) { return false; } 
diff --git a/core/java/android/content/pm/Signature.java b/core/java/android/content/pm/Signature.java index b04988050429..a69eee7991fa 100644 --- a/core/java/android/content/pm/Signature.java +++ b/core/java/android/content/pm/Signature.java @@ -307,11 +307,27 @@ public class Signature implements Parcelable { } /** + * Test if given {@link SigningDetails} are exactly equal. + * @hide + */ + public static boolean areExactMatch(SigningDetails ad, SigningDetails bd) { + return areExactArraysMatch(ad.getSignatures(), bd.getSignatures()); + } + + /** + * Test if given {@link SigningDetails} and {@link Signature} set are exactly equal. + * @hide + */ + public static boolean areExactMatch(SigningDetails ad, Signature[] b) { + return areExactArraysMatch(ad.getSignatures(), b); + } + + + /** * Test if given {@link Signature} sets are exactly equal. - * * @hide */ - public static boolean areExactMatch(Signature[] a, Signature[] b) { + static boolean areExactArraysMatch(Signature[] a, Signature[] b) { return (ArrayUtils.size(a) == ArrayUtils.size(b)) && ArrayUtils.containsAll(a, b) && ArrayUtils.containsAll(b, a); } @@ -329,7 +345,12 @@ public class Signature implements Parcelable { * substantially, usually a signal of something fishy going on. * @hide */ - public static boolean areEffectiveMatch(Signature[] a, Signature[] b) + public static boolean areEffectiveMatch(SigningDetails a, SigningDetails b) + throws CertificateException { + return areEffectiveArraysMatch(a.getSignatures(), b.getSignatures()); + } + + static boolean areEffectiveArraysMatch(Signature[] a, Signature[] b) throws CertificateException { final CertificateFactory cf = CertificateFactory.getInstance("X.509"); @@ -342,7 +363,7 @@ public class Signature implements Parcelable { bPrime[i] = bounce(cf, b[i]); } - return areExactMatch(aPrime, bPrime); + return areExactArraysMatch(aPrime, bPrime); } /** 
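Review bot: The new `areExactMatch(SigningDetails, SigningDetails)` and `areExactMatch(SigningDetails, Signature[])` overloads call `ad.getSignatures()` and `bd.getSignatures()` with no null check, so a null `SigningDetails` now throws a NullPointerException, whereas the array form went through `ArrayUtils.size`, which appears to tolerate null arrays. The same pattern is in `areEffectiveMatch(SigningDetails, SigningDetails)` in the next hunk and in `compareSignatures(SigningDetails, SigningDetails)` in PackageManagerServiceUtils.java. ComputerEngine.java in this commit still tests `p2SigningDetails == null` before calling, so null details look like a state callers expect. Either state the contract in the signature, as `signaturesMatchExactly(@NonNull SigningDetails other)` in SigningDetails.java already does, or fail closed with `if (ad == null || bd == null) return false;`.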
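Review bot: The Javadoc block above `areEffectiveMatch` now documents the SigningDetails overload, and `areEffectiveArraysMatch`, which does the actual comparison, is left without any comment. The overload only forwards `getSignatures()`, so scheme version and public keys play no part in the result, unlike `SigningDetails.equals` in this commit; the first hunk's "Test if given {@link SigningDetails} are exactly equal" has the same imprecision. I would add `/** Array form of {@link #areEffectiveMatch(SigningDetails, SigningDetails)}; compares the arrays as sets after bounce(). */` above `areEffectiveArraysMatch` and say in the overloads' Javadoc that only the current signer set is compared. The Javadoc block starts outside the hunk.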
diff --git a/core/java/android/content/pm/SigningDetails.java b/core/java/android/content/pm/SigningDetails.java index af2649f3e4df..8c2197470a8b 100644 --- a/core/java/android/content/pm/SigningDetails.java +++ b/core/java/android/content/pm/SigningDetails.java @@ -656,7 +656,7 @@ public final class SigningDetails implements Parcelable { } } } else { - return Signature.areEffectiveMatch(oldDetails.mSignatures, mSignatures); + return Signature.areEffectiveMatch(oldDetails, this); } return false; } @@ -800,7 +800,7 @@ public final class SigningDetails implements Parcelable { /** Returns true if the signatures in this and other match exactly. */ public boolean signaturesMatchExactly(@NonNull SigningDetails other) { - return Signature.areExactMatch(mSignatures, other.mSignatures); + return Signature.areExactMatch(this, other); } @Override @@ -853,7 +853,7 @@ public final class SigningDetails implements Parcelable { final SigningDetails that = (SigningDetails) o; if (mSignatureSchemeVersion != that.mSignatureSchemeVersion) return false; - if (!Signature.areExactMatch(mSignatures, that.mSignatures)) return false; + if (!Signature.areExactMatch(this, that)) return false; if (mPublicKeys != null) { if (!mPublicKeys.equals((that.mPublicKeys))) { return false; diff --git a/core/java/android/content/pm/parsing/FrameworkParsingPackageUtils.java b/core/java/android/content/pm/parsing/FrameworkParsingPackageUtils.java index 3e1c5bb3d7ec..153dd9a93490 100644 --- a/core/java/android/content/pm/parsing/FrameworkParsingPackageUtils.java +++ b/core/java/android/content/pm/parsing/FrameworkParsingPackageUtils.java 
@@ -253,8 +253,8 @@ public class FrameworkParsingPackageUtils { if (existingSigningDetails == SigningDetails.UNKNOWN) { return verified; } else { - if (!Signature.areExactMatch(existingSigningDetails.getSignatures(), - verified.getResult().getSignatures())) { + if (!Signature.areExactMatch(existingSigningDetails, + verified.getResult())) { return input.error(INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES, baseCodePath + " has mismatched certificates"); } diff --git a/core/java/android/util/apk/ApkSignatureVerifier.java b/core/java/android/util/apk/ApkSignatureVerifier.java index d2a18dd84313..a6724da02bf2 100644 --- a/core/java/android/util/apk/ApkSignatureVerifier.java +++ b/core/java/android/util/apk/ApkSignatureVerifier.java @@ -48,6 +48,7 @@ import java.security.NoSuchAlgorithmException; import java.security.cert.Certificate; import java.security.cert.CertificateEncodingException; import java.util.ArrayList; +import java.util.Arrays; import java.util.Iterator; import java.util.List; import java.util.Map; @@ -428,7 +429,7 @@ public class ApkSignatureVerifier { // make sure all entries use the same signing certs final Signature[] entrySigs = convertToSignatures(entryCerts); - if (!Signature.areExactMatch(lastSigs, entrySigs)) { + if (!Arrays.equals(lastSigs, entrySigs)) { return input.error( INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES, "Package " + apkPath + " has mismatched certificates at entry " diff --git a/core/tests/coretests/src/android/content/pm/SignatureTest.java b/core/tests/coretests/src/android/content/pm/SignatureTest.java index fb0a4358d362..4dd7b40f4f24 100644 --- a/core/tests/coretests/src/android/content/pm/SignatureTest.java +++ b/core/tests/coretests/src/android/content/pm/SignatureTest.java 
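Review bot: `Arrays.equals(lastSigs, entrySigs)` in ApkSignatureVerifier is order-sensitive, while the `Signature.areExactMatch` call it replaces compared the two arrays as sets (equal size plus `containsAll` in both directions, as the Signature.java section of this commit shows). An archive whose entries list the same certificates in a different order would therefore now be rejected with INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES. That is the fail-closed direction, but nothing on the line says it is deliberate. If it is, a comment such as `// Order-sensitive on purpose: every entry must carry the same certs in the same order.` above the check would keep a later cleanup from switching it back. The enclosing method starts and ends outside the hunk.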
@@ -33,28 +33,44 @@ public class SignatureTest extends TestCase { /** Cert B with valid syntax */ private static final Signature B = new Signature("308204a830820390a003020102020900a1573d0f45bea193300d06092a864886f70d0101050500308194310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e20566965773110300e060355040a1307416e64726f69643110300e060355040b1307416e64726f69643110300e06035504031307416e64726f69643122302006092a864886f70d0109011613616e64726f696440616e64726f69642e636f6d301e170d3131303931393138343232355a170d3339303230343138343232355a308194310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e20566965773110300e060355040a1307416e64726f69643110300e060355040b1307416e64726f69643110300e06035504031307416e64726f69643122302006092a864886f70d0109011613616e64726f696440616e64726f69642e636f6d30820120300d06092a864886f70d01010105000382010d00308201080282010100de1b51336afc909d8bcca5920fcdc8940578ec5c253898930e985481cfdea75ba6fc54b1f7bb492a03d98db471ab4200103a8314e60ee25fef6c8b83bc1b2b45b084874cffef148fa2001bb25c672b6beba50b7ac026b546da762ea223829a22b80ef286131f059d2c9b4ca71d54e515a8a3fd6bf5f12a2493dfc2619b337b032a7cf8bbd34b833f2b93aeab3d325549a93272093943bb59dfc0197ae4861ff514e019b73f5cf10023ad1a032adb4b9bbaeb4debecb4941d6a02381f1165e1ac884c1fca9525c5854dce2ad8ec839b8ce78442c16367efc07778a337d3ca2cdf9792ac722b95d67c345f1c00976ec372f02bfcbef0262cc512a6845e71cfea0d020103a381fc3081f9301d0603551d0e0416041478a0fc4517fb70ff52210df33c8d32290a44b2bb3081c90603551d230481c13081be801478a0fc4517fb70ff52210df33c8d32290a44b2bba1819aa48197308194310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e20566965773110300e060355040a1307416e64726f69643110300e060355040b1307416e64726f69643110300e06035504031307416e64726f69643122302006092a864886f70d0109011613616e64726f696440616e64726f69642e636f6d820900a1573d0f45bea193300c0603551d13040530030101ff300d06092a86
4886f70d01010505000382010100977302dfbf668d7c61841c9c78d2563bcda1b199e95e6275a799939981416909722713531157f3cdcfea94eea7bb79ca3ca972bd8058a36ad1919291df42d7190678d4ea47a4b9552c9dfb260e6d0d9129b44615cd641c1080580e8a990dd768c6ab500c3b964e185874e4105109d94c5bd8c405deb3cf0f7960a563bfab58169a956372167a7e2674a04c4f80015d8f7869a7a4139aecbbdca2abc294144ee01e4109f0e47a518363cf6e9bf41f7560e94bdd4a5d085234796b05c7a1389adfd489feec2a107955129d7991daa49afb3d327dc0dc4fe959789372b093a89c8dbfa41554f771c18015a6cb242a17e04d19d55d3b4664eae12caf2a11cd2b836e"); + private boolean areExactMatch(Signature[] a, Signature[] b) throws Exception { + SigningDetails ad1 = new SigningDetails(a, + SigningDetails.SignatureSchemeVersion.SIGNING_BLOCK_V3); + SigningDetails bd1 = new SigningDetails(b, + SigningDetails.SignatureSchemeVersion.SIGNING_BLOCK_V3); + return Signature.areExactMatch(ad1, bd1); + } + public void testExactlyEqual() throws Exception { - assertTrue(Signature.areExactMatch(asArray(A), asArray(A))); - assertTrue(Signature.areExactMatch(asArray(M), asArray(M))); + assertTrue(areExactMatch(asArray(A), asArray(A))); + assertTrue(areExactMatch(asArray(M), asArray(M))); - assertFalse(Signature.areExactMatch(asArray(A), asArray(B))); - assertFalse(Signature.areExactMatch(asArray(A), asArray(M))); - assertFalse(Signature.areExactMatch(asArray(M), asArray(A))); + assertFalse(areExactMatch(asArray(A), asArray(B))); + assertFalse(areExactMatch(asArray(A), asArray(M))); + assertFalse(areExactMatch(asArray(M), asArray(A))); + + assertTrue(areExactMatch(asArray(A, M), asArray(M, A))); + } - assertTrue(Signature.areExactMatch(asArray(A, M), asArray(M, A))); + private boolean areEffectiveMatch(Signature[] a, Signature[] b) throws Exception { + SigningDetails ad1 = new SigningDetails(a, + SigningDetails.SignatureSchemeVersion.SIGNING_BLOCK_V3); + SigningDetails bd1 = new SigningDetails(b, + SigningDetails.SignatureSchemeVersion.SIGNING_BLOCK_V3); + return Signature.areEffectiveMatch(ad1, bd1); } 
public void testEffectiveMatch() throws Exception { - assertTrue(Signature.areEffectiveMatch(asArray(A), asArray(A))); - assertTrue(Signature.areEffectiveMatch(asArray(M), asArray(M))); + assertTrue(areEffectiveMatch(asArray(A), asArray(A))); + assertTrue(areEffectiveMatch(asArray(M), asArray(M))); - assertFalse(Signature.areEffectiveMatch(asArray(A), asArray(B))); - assertTrue(Signature.areEffectiveMatch(asArray(A), asArray(M))); - assertTrue(Signature.areEffectiveMatch(asArray(M), asArray(A))); + assertFalse(areEffectiveMatch(asArray(A), asArray(B))); + assertTrue(areEffectiveMatch(asArray(A), asArray(M))); + assertTrue(areEffectiveMatch(asArray(M), asArray(A))); - assertTrue(Signature.areEffectiveMatch(asArray(A, M), asArray(M, A))); - assertTrue(Signature.areEffectiveMatch(asArray(A, B), asArray(M, B))); - assertFalse(Signature.areEffectiveMatch(asArray(A, M), asArray(A, B))); + assertTrue(areEffectiveMatch(asArray(A, M), asArray(M, A))); + assertTrue(areEffectiveMatch(asArray(A, B), asArray(M, B))); + assertFalse(areEffectiveMatch(asArray(A, M), asArray(A, B))); } public void testHashCode_doesNotIncludeFlags() throws Exception { diff --git a/services/core/java/com/android/server/pm/ComputerEngine.java b/services/core/java/com/android/server/pm/ComputerEngine.java index 69a6c1357350..ffa2af1e2f81 100644 --- a/services/core/java/com/android/server/pm/ComputerEngine.java +++ b/services/core/java/com/android/server/pm/ComputerEngine.java 
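Review bot: The rewritten tests never call the new `Signature.areExactMatch(SigningDetails, Signature[])` overload, which SELinuxMMAC.java relies on in this commit; both helpers only reach the two-SigningDetails forms. A line such as `assertTrue(Signature.areExactMatch(new SigningDetails(asArray(A, M), SigningDetails.SignatureSchemeVersion.SIGNING_BLOCK_V3), asArray(M, A)));` in `testExactlyEqual` would cover it, together with a matching `assertFalse` for `asArray(A)` against `asArray(B)`. The `areExactMatch` and `areEffectiveMatch` helpers also repeat the same two-line `SigningDetails` construction, which could move into one small private helper that wraps an array.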
@@ -58,6 +58,7 @@ import static com.android.server.pm.PackageManagerService.DEBUG_PREFERRED; import static com.android.server.pm.PackageManagerService.EMPTY_INT_ARRAY; import static com.android.server.pm.PackageManagerService.HIDE_EPHEMERAL_APIS; import static com.android.server.pm.PackageManagerService.TAG; +import static com.android.server.pm.PackageManagerServiceUtils.compareSignatureArrays; import static com.android.server.pm.PackageManagerServiceUtils.compareSignatures; import static com.android.server.pm.PackageManagerServiceUtils.isSystemOrRootOrShell; import static com.android.server.pm.resolution.ComponentResolver.RESOLVE_PRIORITY_SORTER; @@ -4215,8 +4216,7 @@ public class ComputerEngine implements Computer { if (p2SigningDetails == null) { return PackageManager.SIGNATURE_SECOND_NOT_SIGNED; } - int result = compareSignatures(p1SigningDetails.getSignatures(), - p2SigningDetails.getSignatures()); + int result = compareSignatures(p1SigningDetails, p2SigningDetails); if (result == PackageManager.SIGNATURE_MATCH) { return result; } @@ -4231,7 +4231,7 @@ public class ComputerEngine implements Computer { Signature[] p2Signatures = p2SigningDetails.hasPastSigningCertificates() ? new Signature[]{p2SigningDetails.getPastSigningCertificates()[0]} : p2SigningDetails.getSignatures(); - result = compareSignatures(p1Signatures, p2Signatures); + result = compareSignatureArrays(p1Signatures, p2Signatures); } return result; } diff --git a/services/core/java/com/android/server/pm/InstallPackageHelper.java b/services/core/java/com/android/server/pm/InstallPackageHelper.java index d668146b04d4..468b3a705bf1 100644 --- a/services/core/java/com/android/server/pm/InstallPackageHelper.java +++ b/services/core/java/com/android/server/pm/InstallPackageHelper.java 
@@ -4728,8 +4728,7 @@ final class InstallPackageHelper { synchronized (mPm.mLock) { platformPkgSetting = mPm.mSettings.getPackageLPr("android"); } - if (!comparePackageSignatures(platformPkgSetting, - pkg.getSigningDetails().getSignatures())) { + if (!comparePackageSignatures(platformPkgSetting, pkg.getSigningDetails())) { throw PackageManagerException.ofInternalError("Overlay " + pkg.getPackageName() + " must target Q or later, " @@ -4751,8 +4750,7 @@ final class InstallPackageHelper { targetPkgSetting = mPm.mSettings.getPackageLPr(pkg.getOverlayTarget()); } if (targetPkgSetting != null) { - if (!comparePackageSignatures(targetPkgSetting, - pkg.getSigningDetails().getSignatures())) { + if (!comparePackageSignatures(targetPkgSetting, pkg.getSigningDetails())) { // check reference signature if (mPm.mOverlayConfigSignaturePackage == null) { throw PackageManagerException.ofInternalError("Overlay " @@ -4767,8 +4765,7 @@ final class InstallPackageHelper { refPkgSetting = mPm.mSettings.getPackageLPr( mPm.mOverlayConfigSignaturePackage); } - if (!comparePackageSignatures(refPkgSetting, - pkg.getSigningDetails().getSignatures())) { + if (!comparePackageSignatures(refPkgSetting, pkg.getSigningDetails())) { throw PackageManagerException.ofInternalError("Overlay " + pkg.getPackageName() + " signed with a different " + "certificate than both the reference package and " @@ -4799,8 +4796,7 @@ final class InstallPackageHelper { synchronized (mPm.mLock) { platformPkgSetting = mPm.mSettings.getPackageLPr("android"); } - if (!comparePackageSignatures(platformPkgSetting, - pkg.getSigningDetails().getSignatures())) { + if (!comparePackageSignatures(platformPkgSetting, pkg.getSigningDetails())) { throw PackageManagerException.ofInternalError("Apps that share a user with a " + "privileged app must themselves be marked as privileged. " + pkg.getPackageName() + " shares privileged user " 
@@ -4839,10 +4835,8 @@ final class InstallPackageHelper { // to allowlist their privileged permissions just like other // priv-apps. PackageSetting platformPkgSetting = mPm.mSettings.getPackageLPr("android"); - if ((compareSignatures( - platformPkgSetting.getSigningDetails().getSignatures(), - pkg.getSigningDetails().getSignatures()) - != PackageManager.SIGNATURE_MATCH)) { + if ((compareSignatures(platformPkgSetting.getSigningDetails(), + pkg.getSigningDetails()) != PackageManager.SIGNATURE_MATCH)) { scanFlags |= SCAN_AS_PRIVILEGED; } } diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java index e3ff6f6bd64a..d3b41485f3cf 100644 --- a/services/core/java/com/android/server/pm/PackageManagerService.java +++ b/services/core/java/com/android/server/pm/PackageManagerService.java @@ -5926,15 +5926,15 @@ public class PackageManagerService implements PackageSender, TestUtilityService } } - Signature[] callerSignature; + SigningDetails callerSigningDetails; final int appId = UserHandle.getAppId(callingUid); Pair<PackageStateInternal, SharedUserApi> either = snapshot.getPackageOrSharedUser(appId); if (either != null) { if (either.first != null) { - callerSignature = either.first.getSigningDetails().getSignatures(); + callerSigningDetails = either.first.getSigningDetails(); } else { - callerSignature = either.second.getSigningDetails().getSignatures(); + callerSigningDetails = either.second.getSigningDetails(); } } else { throw new SecurityException("Unknown calling UID: " + callingUid); 
@@ -5943,8 +5943,8 @@ public class PackageManagerService implements PackageSender, TestUtilityService // Verify: can't set installerPackageName to a package that is // not signed with the same cert as the caller. if (installerPackageState != null) { - if (compareSignatures(callerSignature, - installerPackageState.getSigningDetails().getSignatures()) + if (compareSignatures(callerSigningDetails, + installerPackageState.getSigningDetails()) != PackageManager.SIGNATURE_MATCH) { throw new SecurityException( "Caller does not have same cert as new installer package " @@ -5960,8 +5960,8 @@ public class PackageManagerService implements PackageSender, TestUtilityService ? null : snapshot.getPackageStateInternal(targetInstallerPackageName); if (targetInstallerPkgSetting != null) { - if (compareSignatures(callerSignature, - targetInstallerPkgSetting.getSigningDetails().getSignatures()) + if (compareSignatures(callerSigningDetails, + targetInstallerPkgSetting.getSigningDetails()) != PackageManager.SIGNATURE_MATCH) { throw new SecurityException( "Caller does not have same cert as old installer package " diff --git a/services/core/java/com/android/server/pm/PackageManagerServiceUtils.java b/services/core/java/com/android/server/pm/PackageManagerServiceUtils.java index 2028231ab36b..1679987211a8 100644 --- a/services/core/java/com/android/server/pm/PackageManagerServiceUtils.java +++ b/services/core/java/com/android/server/pm/PackageManagerServiceUtils.java 
@@ -403,7 +403,11 @@ public class PackageManagerServiceUtils { * <br /> * {@link PackageManager#SIGNATURE_NO_MATCH}: if the two signature sets differ. */ - public static int compareSignatures(Signature[] s1, Signature[] s2) { + public static int compareSignatures(SigningDetails sd1, SigningDetails sd2) { + return compareSignatureArrays(sd1.getSignatures(), sd2.getSignatures()); + } + + static int compareSignatureArrays(Signature[] s1, Signature[] s2) { if (s1 == null) { return s2 == null ? PackageManager.SIGNATURE_NEITHER_SIGNED @@ -445,10 +449,10 @@ public class PackageManagerServiceUtils { * set or if the signing details of the package are unknown. */ public static boolean comparePackageSignatures(PackageSetting pkgSetting, - Signature[] signatures) { + SigningDetails otherSigningDetails) { final SigningDetails signingDetails = pkgSetting.getSigningDetails(); return signingDetails == SigningDetails.UNKNOWN - || compareSignatures(signingDetails.getSignatures(), signatures) + || compareSignatures(signingDetails, otherSigningDetails) == PackageManager.SIGNATURE_MATCH; } diff --git a/services/core/java/com/android/server/pm/SELinuxMMAC.java b/services/core/java/com/android/server/pm/SELinuxMMAC.java index a8cdef4ec64c..cf5aa7b1eb02 100644 --- a/services/core/java/com/android/server/pm/SELinuxMMAC.java +++ b/services/core/java/com/android/server/pm/SELinuxMMAC.java @@ -605,7 +605,7 @@ final class Policy { // Check for exact signature matches across all certs. Signature[] certs = mCerts.toArray(new Signature[0]); if (pkg.getSigningDetails() != SigningDetails.UNKNOWN - && !Signature.areExactMatch(certs, pkg.getSigningDetails().getSignatures())) { + && !Signature.areExactMatch(pkg.getSigningDetails(), certs)) { // certs aren't exact match, but the package may have rotated from the known system cert if (certs.length > 1 || !pkg.getSigningDetails().hasCertificate(certs[0])) { 
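Review bot: The Javadoc whose tail is visible above `compareSignatures` still speaks of "the two signature sets", but it now sits on the SigningDetails overload, while `compareSignatureArrays`, which holds the null handling and produces the documented result codes, has no comment at all. Since `compareSignatureArrays` is also imported statically into ComputerEngine.java, it deserves its own line, e.g. `/** Array form of {@link #compareSignatures(SigningDetails, SigningDetails)}; a null array is treated as not signed. */`. The public Javadoc should then say that it compares the signatures of the two signing details. The Javadoc block starts outside the hunk, so its opening lines may need the same wording change.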
diff --git a/services/core/java/com/android/server/pm/ScanPackageUtils.java b/services/core/java/com/android/server/pm/ScanPackageUtils.java index f4dca3fe064b..0cac790fd910 100644 --- a/services/core/java/com/android/server/pm/ScanPackageUtils.java +++ b/services/core/java/com/android/server/pm/ScanPackageUtils.java @@ -911,8 +911,8 @@ final class ScanPackageUtils { parsedPackage.setSignedWithPlatformKey( (PLATFORM_PACKAGE_NAME.equals(parsedPackage.getPackageName()) || (platformPkg != null && compareSignatures( - platformPkg.getSigningDetails().getSignatures(), - parsedPackage.getSigningDetails().getSignatures() + platformPkg.getSigningDetails(), + parsedPackage.getSigningDetails() ) == PackageManager.SIGNATURE_MATCH)) ); diff --git a/services/core/java/com/android/server/pm/pkg/parsing/ParsingPackageUtils.java b/services/core/java/com/android/server/pm/pkg/parsing/ParsingPackageUtils.java index 81c2f0760705..812e22833aba 100644 --- a/services/core/java/com/android/server/pm/pkg/parsing/ParsingPackageUtils.java +++ b/services/core/java/com/android/server/pm/pkg/parsing/ParsingPackageUtils.java @@ -3267,8 +3267,7 @@ public class ParsingPackageUtils { if (existingSigningDetails == SigningDetails.UNKNOWN) { return verified; } else { - if (!Signature.areExactMatch(existingSigningDetails.getSignatures(), - verified.getResult().getSignatures())) { + if (!Signature.areExactMatch(existingSigningDetails, verified.getResult())) { return input.error(INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES, baseCodePath + " has mismatched certificates"); } |