Originally Posted by howetechnical
The signature changes, as specified, to what's in the auto sign, which you are correct in thinking is pulled from the testkey files. The Java application does all of this for you. I haven't analyzed the .jar file, so I couldn't say what it's doing in detail, but it does work (if it didn't, I would have opened the .jar up...no pun intended).
Hey - thanks for all the answers, they really helped. I'm still curious about this last point though. Couldn't this lead to a security flaw if we can now essentially re-sign a program (or fake sign a new one??) to do something malicious using another dev's key? Wouldn't this essentially fake the requested permissions the program wants the user to agree to?