Why is the PackageInfo.signatures field an array, and when would there be anything other than one value here?

Question

I'm checking package signatures against each other to determine if they are incompatible (compiled against different keystores). I noticed that PackageInfo.signatures is almost always a collection containing a single entry, which makes sense to me. I build my app with either a debug or production keystore, and that determines the signature of the package (that is my simplistic understanding of the apk signing process at this point). I know that this will be null if I don't specifically ask for this information (by passing the PackageManager.GET_SIGNATURES flag), but I don't quite understand the case in which there would be more than one.

I wrote some debug code and ran it on my personal Android phone. Of the 300+ packages installed on my phone, everything had exactly one signature except for a few packages that seemed to be from my service provider (com.verizon.* namespaces).

I feel like it's acceptable for my use case (package management) to consider that app packages will have a single signature, but I want to make sure that I'm not missing something that could introduce an edge case bug.

Answer 1

For your purposes, it seems completely acceptable to assume that an Android application has a single signature. An Android APK can be compiled with multiple signatures, but it is neither recommended nor extensively tested. (Why is Verizon doing it? Who knows.)

I found this archive from Dianne Hackborn, the go-to lady on Android development:

Q: I know jar signer support multiple signatures in one jar file. If an APK file has two valid signatures, does that mean this APK can access signature level permission provided by both signers?

A: In theory, something is done with multiple signatures, but nobody has ever used this so it probably doesn't work. This also has the side-effect (if it does work) of aliasing the two signatures to the same thing since they presumably come from the same owner, which is likely not what you want.

Another bit from Dianne (note the use of "it", not "they", and "certificate" instead of "certificates"):

Q: PackageInfo.signatures: What does it return?

A: It is the certificate that was used to sign the .apk.

However. It is noteworthy that I found a test reference to multiple signatures in the Android source Git: Test for Checking Package Signatures (Bug 4596332). Additionally, Android BackupManagerService code (and other Android source code) ensures that it checks for multiple signatures.

So, here is my conclusion: You needn't worry about multiple signatures, unless you are coding in such a situation where the security and compilation of the specific packages was important. (However, it also seems that you wouldn't have much of a problem accomodating multiple signatures if necessary.)

Hope that is at least somewhat satisfactory.