Difference between signature versions - V1 (Jar Signature) and V2 (Full APK Signature) while generating a signed APK in Android Studio?

Question

Please select at least one of the signature versions to use in Android Studio 2.3

Now while generating a signed APK in Android Studio, it\'s showing

Answer 1

I think this represents a good answer.

APK Signature Scheme v2 verification

1. Locate the APK Signing Block and verify that:
   1. Two size fields of APK Signing Block contain the same value.
   2. ZIP Central Directory is immediately followed by ZIP End of Central Directory record.
   3. ZIP End of Central Directory is not followed by more data.
2. Locate the first APK Signature Scheme v2 Block inside the APK Signing Block. If the v2 Block if present, proceed to step 3. Otherwise, fall back to verifying the APK using v1 scheme.
3. For each signer in the APK Signature Scheme v2 Block:
   1. Choose the strongest supported signature algorithm ID from signatures. The strength ordering is up to each implementation/platform version.
   2. Verify the corresponding signature from signatures against signed data using public key. (It is now safe to parse signed data.)
   3. Verify that the ordered list of signature algorithm IDs in digests and signatures is identical. (This is to prevent signature stripping/addition.)
   4. Compute the digest of APK contents using the same digest algorithm as the digest algorithm used by the signature algorithm.
   5. Verify that the computed digest is identical to the corresponding digest from digests.
   6. Verify that SubjectPublicKeyInfo of the first certificate of certificates is identical to public key.
4. Verification succeeds if at least one signer was found and step 3 succeeded for each found signer.

Note: APK must not be verified using the v1 scheme if a failure occurs in step 3 or 4.

JAR-signed APK verification (v1 scheme)

The JAR-signed APK is a standard signed JAR, which must contain exactly the entries listed in META-INF/MANIFEST.MF and where all entries must be signed by the same set of signers. Its integrity is verified as follows:

1. Each signer is represented by a META-INF/.SF and META-INF/.(RSA|DSA|EC) JAR entry.
2. .(RSA|DSA|EC) is a PKCS #7 CMS ContentInfo with SignedData structure whose signature is verified over the .SF file.
3. .SF file contains a whole-file digest of the META-INF/MANIFEST.MF and digests of each section of META-INF/MANIFEST.MF. The whole-file digest of the MANIFEST.MF is verified. If that fails, the digest of each MANIFEST.MF section is verified instead.
4. META-INF/MANIFEST.MF contains, for each integrity-protected JAR entry, a correspondingly named section containing the digest of the entry’s uncompressed contents. All these digests are verified.
5. APK verification fails if the APK contains JAR entries which are not listed in the MANIFEST.MF and are not part of JAR signature. The protection chain is thus .(RSA|DSA|EC) → .SF → MANIFEST.MF → contents of each integrity-protected JAR entry.