The Android system requires that all installed applications be digitally signed with a certificate whose private key is held by the application's developer. How specifically does the public key be distributed to client Android devices? Is the public key contained in apk when developers release the app? If so, where is the key stored?
Or does Android market,e.g. Google play, hold a list of developer id coupled with corresponding public key and push the right key to client devices when an app is downloaded?
Is there any docs convey this information?
Thanks a lot for any inputs.
The public key is distributed within the apk file. If you unarchive an apk file you can find there a special folder called META-INF where all information about the signature is contained. Basically, you need to explore files with extensions *.RSA and *.DSA, which contain signature of the package along with public key.
You can read these two article (one, two) to understand the process