I have signed an APK file with the apksigner tool, with the flag v1-signing-enabled set to false:
java -jar apksigner.jar sign --v1-signing-enabled false --key dsa-1024.pk8 --cert dsa-1024.x509.pem --in original.apk --out signed-original1.apk -v
It signs the APK successfully.
But when I verify it, it fails:
java -jar apksigner.jar verify --in signed-original1.apk -v
DOES NOT VERIFY ERROR: Missing META-INF/MANIFEST.MF
Is the v1 signature (JAR signing) mandatory?
Thanks
v1 signatures do not protect some parts of the APK, such as ZIP metadata. The APK verifier needs to process lots of untrusted (not yet verified) data structures and then discard data not covered by the signatures. This offers a sizeable attack surface. Moreover, the APK verifier must uncompress all compressed entries, consuming more time and memory. To address these issues, Android 7.0 introduced APK Signature Scheme v2.
Source: Look at Documentation Here
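To see which scheme an APK actually carries, the following added example (not part of the original post or of apksigner) checks for the v1 manifest entry and for a v2 entry in the APK Signing Block that sits just before the ZIP Central Directory. It reports presence only and verifies nothing cryptographically; the function names and the sample APK are constructed for illustration, and the EOCD lookup assumes no ZIP comment contains the EOCD signature.

```python
import io
import struct
import zipfile

APK_SIG_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A  # ID of the APK Signature Scheme v2 block

def signature_schemes(apk: bytes) -> dict:
    """Report which schemes are present. Presence only, no cryptographic check."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        v1 = "META-INF/MANIFEST.MF" in zf.namelist()
    eocd = apk.rfind(b"PK\x05\x06")  # End of Central Directory record
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    v2 = False
    # The APK Signing Block, if any, ends immediately before the Central Directory.
    if cd_offset >= 32 and apk[cd_offset - 16:cd_offset] == APK_SIG_MAGIC:
        size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
        pos, end = cd_offset - size, cd_offset - 24  # start and end of ID-value pairs
        while 0 <= pos and pos + 12 <= end:
            pair_len, pair_id = struct.unpack_from("<QI", apk, pos)
            if pair_len < 4:
                break  # malformed pair
            v2 = v2 or pair_id == V2_BLOCK_ID
            pos += 8 + pair_len
    return {"v1": v1, "v2": v2}

def sample_apk(v1: bool, v2: bool) -> bytes:
    """Constructed sample: a tiny ZIP, optionally with a dummy v2 block spliced in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"constructed")
        if v1:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    data = bytearray(buf.getvalue())
    if v2:
        eocd = data.rfind(b"PK\x05\x06")
        cd = struct.unpack_from("<I", data, eocd + 16)[0]
        pair = struct.pack("<QI", 12, V2_BLOCK_ID) + b"\0" * 8  # dummy value, not a signature
        size = len(pair) + 24  # pairs + trailing size field + magic
        block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_MAGIC
        data[cd:cd] = block  # insert before the Central Directory, then fix its offset
        struct.pack_into("<I", data, eocd + len(block) + 16, cd + len(block))
    return bytes(data)

if __name__ == "__main__":
    print(signature_schemes(sample_apk(v1=False, v2=True)))
```
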