
Meaning of PACKAGE_SIGNATURE in MSAL

In the README of MSAL, a configuration file is discussed, containing what is referred to by "YOUR_BASE64_URL_ENCODED_PACKAGE_SIGNATURE".

They also advise the user to store this as a "raw" resource.

This is the template given:

{
  "client_id" : "<YOUR_CLIENT_ID>",
  "redirect_uri" : "msauth://<YOUR_PACKAGE_NAME>/<YOUR_BASE64_URL_ENCODED_PACKAGE_SIGNATURE>",
  "broker_redirect_uri_registered": true
}

Won't the contents of this file affect the signature? How is it possible to have a static asset containing the signature?

I'm led to believe that this is not, as I thought, a cryptographic signature of the APK. I couldn't figure out what it is.

Gilad Naaman asked Jan 22 '26 21:01


1 Answer

I think it makes sense, it shouldn't be static. You want Microsoft to be able to prove that it is authenticating against your real app and not a modified or different application. This is the signed application for release with apk.

You need to sign your app in order to be able to put it on the play store or to have it validate: https://developer.android.com/studio/publish/app-signing

Per the Microsoft documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-android#integrate-with-microsoft-authentication-library

It tells you how to generate the hash. In the portal, when you set up the authentication on app reg, it will give you a command like

keytool -exportcert -alias SIGNATURE_ALIAS -keystore PATH_TO_KEYSTORE | openssl sha1 -binary | openssl base64

to generate the signature. It just gets the signature of the Android keystore keys.

alphaz18 answered Jan 27 '26 00:01
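The keytool pipeline quoted in the answer hashes the exported signing certificate only, so the value does not depend on the APK's contents, the config file included. The sketch below is an added example, not code from the post or from MSAL: it reproduces the hash step and checks a config's redirect_uri against a given certificate. The package name, the certificate bytes and the percent-encoding of the hash are assumptions.

```python
import base64
import hashlib
import json
from urllib.parse import quote, unquote, urlsplit

# Constructed stand-ins for the DER bytes that `keytool -exportcert` writes;
# real input would be the exported signing certificate, not these strings.
RELEASE_CERT = b"constructed-release-certificate-der"
DEBUG_CERT = b"constructed-debug-certificate-der"


def signature_hash(cert_der: bytes) -> str:
    """Base64 of the SHA-1 digest of the certificate bytes (the
    `openssl sha1 -binary | openssl base64` half of the pipeline)."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def redirect_uri(package: str, cert_der: bytes) -> str:
    # Assumption: percent-encode the hash so '+', '/' and '=' are URI-safe.
    return f"msauth://{package}/{quote(signature_hash(cert_der), safe='')}"


def check_config(config_text: str, package: str, cert_der: bytes) -> list:
    """Return the mismatches between a config's redirect_uri and the
    certificate the build is signed with; an empty list means it matches."""
    parts = urlsplit(json.loads(config_text)["redirect_uri"])
    problems = []
    if parts.scheme != "msauth":
        problems.append(f"unexpected scheme {parts.scheme!r}")
    if parts.netloc != package:
        problems.append(f"package {parts.netloc!r} is not {package!r}")
    if unquote(parts.path[1:]) != signature_hash(cert_der):
        problems.append("hash was not derived from this certificate")
    return problems


if __name__ == "__main__":
    pkg = "com.example.app"  # hypothetical package name
    config = json.dumps({"client_id": "<YOUR_CLIENT_ID>",
                         "redirect_uri": redirect_uri(pkg, RELEASE_CERT)})
    print(config)
    print(check_config(config, pkg, RELEASE_CERT))  # config vs. release key
    print(check_config(config, pkg, DEBUG_CERT))    # config vs. another key
```

Run as a build step, a check like this catches a release build that ships a redirect_uri generated from the debug keystore.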


