[SOLVED] To what do the Android 'adb shell dumpsys package' hashes refer to?

To what do the Android 'adb shell dumpsys package' hashes refer to?

When I use the dumpsys debugging tool like

adb shell dumpsys package com.example.testapp.first

I get the result for the single package like this (Nexus 6P, 7.1.1):

Packages:
  Package [com.example.testapp.first] (2036fd1):
    userId=10225
    pkg=Package{42e7a36 com.example.testapp.first}
    codePath=/data/app/com.example.testapp.first-1
    resourcePath=/data/app/com.example.testapp.first-1
    legacyNativeLibraryDir=/data/app/com.example.testapp.first-1/lib
    primaryCpuAbi=null
    secondaryCpuAbi=null
    versionCode=1 minSdk=21 targetSdk=24
    versionName=1.0
    splits=[base]
    apkSigningVersion=1
    applicationInfo=ApplicationInfo{29cb2a4 com.example.testapp.first}
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ]
    privateFlags=[ RESIZEABLE_ACTIVITIES ]
    dataDir=/data/user/0/com.example.testapp.first
    supportsScreens=[small, medium, large, xlarge, resizeable, anyDensity]
    timeStamp=2016-11-03 01:12:08
    firstInstallTime=2016-11-03 01:12:09
    lastUpdateTime=2016-11-03 01:12:09
    signatures=PackageSignatures{9fe380d [53ea108d]}
    installPermissionsFixed=true installStatus=1
    pkgFlags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ]
    User 0: ceDataInode=474317 installed=true hidden=false suspended=false stopped=true notLaunched=true enabled=0
      runtime permissions:

In this log you can find several hashes (or at least the first x hex of the hashes) like:

Package [com.example.testapp.first] (2036fd1):
pkg=Package{42e7a36 com.example.testapp.first}
applicationInfo=ApplicationInfo{29cb2a4 com.example.testapp.first}
signatures=PackageSignatures{9fe380d [53ea108d]}

but I cannot find any reference as to how they are generated. The same app installed on 2 different devices do not match a single hash. I think my original question is: can I produce a checksum/hash with the apk that must match a hash presented in the dumpsys log? It seems that they do not match a md5sum or sha1sum of the apk.

Solution

All hashes are being generated with Integer.toHexString(System.identityHashCode(object)). But the objects whose hashes you are trying to match contain multiple fields (like various timestamps for example) which are not controlled by the apk content alone. So you can't create an apk which would produce the desired hash values when installed.