Why there are multiple signatures in this value? Are these values the public key of the package?
Can I uniquely identify a package using this signature instead of reading the files under META-INF, or calculating an MD5 on the whole APK file?
According to @hackbod, this is all the public keys the APK was signed with
Despite its name, the contents of PackageInfo.signatures is the public keys your app is signed with. This absolutely, positively does not change between builds. This is the pure identify of the developer of the app.
Reference: https://groups.google.com/d/msg/android-developers/fPtdt6zDzns/MDqie6k7qo0J
来源:https://stackoverflow.com/questions/5564953/what-does-packageinfo-signatures-return