Info about fake-signature module

[ale5000-git]

@mar-v-in

Hi, I have some questions: 1) What happens to packages that are neither in signature_want_fake or signature_never_fake? 2) If it is signed with a different signature does also the real_signature inside signature.xml need to be replaced? 3) What does all the new meta-data inside AndroidManifest.xml mean?

[mar-v-in]

1. Packages not in signature_want_fake or signature_never_fake would follow the suggested value from the operating system (see https://github.com/microg/GmsCore/blob/master/fake-signature/src/main/aidl/com/huawei/signature/diff/ISignatureService.aidl#L13). The operating system suggests to not fake signature for certain internal packages or packages that it otherwise assumes should not receive a fake signature.
2. The real_signature right now is only relevant for the huawei differentiated signature system. This system does only work for apps signed using a key that requested access before, so for now it will always match. If someone else was to get permission from huawei to use that api for their fork, they'd need to adjust the real_signature field. The reason why we can't just request the real signature from the operating system is that in this function we are actually handling the signature to be returned from the operating system.
3. The meta-data other-signature together with the AAA meta-data is another signature spoofing system found on some devices sold in Malaysia. The AAA meta-data entries is an explicit list of apps that shall receive the spoofed signature. The value of those AAA* is sha256(<package name>)-sha256(<signing certificate>).

[ale5000-git]

Thanks :)

Is it possible to document the package names in the AAA* list and have some more info about these devices?