Suppose the following situation:
I have 2 apps: A1 & A2.
A1 defines a signature level permission, let's say "com.example.myapp.PERMISSION".
A2 claims the permission defined by A1.
I have 2 signing keys: K1 & K2.
A1 is signed with both K1 & K2. A2 is signed with only K1.
If A1 exposes a service that is protected by the "com.example.myapp.PERMISSION" permission, can A2 access that service? Do all signatures have to be present for both apps, or will it work as long as there is a match between any two?
Android treats all the signatures as a Set - two applications must have the same Set of signatures to be considered equivalent. So in your example A2 would not be granted the permission, since its signature set does not equal A1's.
Here is the code from the Android source:
    import android.content.pm.PackageManager;
    import android.content.pm.Signature;
    import android.util.ArraySet;

    // PackageManagerService: compares the complete signer set of two packages.
    static int compareSignatures(Signature[] s1, Signature[] s2) {
        ArraySet<Signature> set1 = new ArraySet<Signature>();
        for (Signature sig : s1) {
            set1.add(sig);
        }
        ArraySet<Signature> set2 = new ArraySet<Signature>();
        for (Signature sig : s2) {
            set2.add(sig);
        }
        // Make sure s2 contains all signatures in s1.
        // ArraySet.equals() is set equality: same elements, order ignored.
        if (set1.equals(set2)) {
            return PackageManager.SIGNATURE_MATCH;
        }
        return PackageManager.SIGNATURE_NO_MATCH;
    }
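As an added illustration (not part of the question or the answer above, and not Android's own code), here is a small Python model of that check run against the A1/A2 setup from the question, plus two variants: the same signers in a different order, and a requester signed with the platform key. The result-code values are the ones `PackageManager` defines; the handling of an unsigned side and the alternative match against the platform package's signers follow the surrounding framework method rather than the snippet quoted above, so treat them as a modelling assumption. The certificates are constructed stand-in byte strings, not real DER data.

```python
"""Constructed model of Android's signature-permission check (example code,
not the framework's own source). Certificates are stand-in byte strings."""

# Result codes with the values PackageManager uses.
SIGNATURE_MATCH = 0
SIGNATURE_NEITHER_SIGNED = 1
SIGNATURE_FIRST_NOT_SIGNED = -1
SIGNATURE_SECOND_NOT_SIGNED = -2
SIGNATURE_NO_MATCH = -3


def compare_signatures(s1, s2):
    """Set comparison as in the quoted compareSignatures().

    s1 and s2 are the signer certificate arrays (Signature[]) of two packages,
    modelled here as lists of bytes; None models an unsigned package.
    Order and duplicates are irrelevant: only set equality counts, so a
    strict subset of signers is NOT a match.
    """
    if s1 is None:
        return SIGNATURE_NEITHER_SIGNED if s2 is None else SIGNATURE_FIRST_NOT_SIGNED
    if s2 is None:
        return SIGNATURE_SECOND_NOT_SIGNED
    # Make sure s2 contains all signatures in s1, and nothing else.
    return SIGNATURE_MATCH if set(s1) == set(s2) else SIGNATURE_NO_MATCH


def can_grant_signature_permission(defining_sigs, requesting_sigs, platform_sigs):
    """Grant decision for a signature-level permission (modelling assumption
    about the framework's grant rule): the requester's signer set must equal
    that of the package declaring the permission, or that of the platform
    (framework-res) package."""
    return (compare_signatures(defining_sigs, requesting_sigs) == SIGNATURE_MATCH
            or compare_signatures(platform_sigs, requesting_sigs) == SIGNATURE_MATCH)


# Constructed stand-ins for DER-encoded signing certificates.
K1 = b"CERT:K1"
K2 = b"CERT:K2"
PLATFORM = b"CERT:platform"


def scenario():
    """The question's setup: A1 signed with K1+K2 declares the permission;
    A2 is signed with K1 only. A3 and A4 are added variants."""
    a1 = [K1, K2]
    a2 = [K1]          # strict subset of A1's signers
    a3 = [K2, K1]      # same signers as A1, different order
    a4 = [PLATFORM]    # requester signed with the platform key
    return {
        "A2 (subset)": can_grant_signature_permission(a1, a2, [PLATFORM]),
        "A3 (same set, reordered)": can_grant_signature_permission(a1, a3, [PLATFORM]),
        "A4 (platform key)": can_grant_signature_permission(a1, a4, [PLATFORM]),
        "A1 vs unsigned": compare_signatures(a1, None),
    }


if __name__ == "__main__":
    for label, result in scenario().items():
        print(f"{label}: {result}")
```

The practical takeaway for the question's setup is the first two entries: A2's single signer is a subset of A1's, so it gets `SIGNATURE_NO_MATCH` and no grant, while a package carrying exactly K1 and K2 matches regardless of the order the certificates appear in.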