DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
	Claims 1-16 are pending.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-2, 5, 10-11, 14-16 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Goldman (PGPUB 2014/0040873).

Regarding Claim 10:
Goldman teaches an apparatus for signing an application installation package (paragraph 32-33, publisher creates application installer with signature and migration signature), comprising: 
a processor (paragraph 59, fig. 3A, computer platform 310 configured as application development and distribution platform; paragraph 60, computer platform 310 includes processor); and 
(paragraph 62, processor executes instructions from storage); 
wherein the processor is configured to: 
acquire the application installation package (paragraph 84, obtaining new version of application involves obtaining installation file corresponding to published application), wherein the application installation package includes an installation file, first signature information and a first public key (paragraph 84, installation file signed with package signature that covers the entire installation file and protects identity of application publisher; paragraph 52, example signed application installation package, including package signature and digital certificate; paragraph 53, certificate 230 includes public signing key used for decryption), wherein the first signature information is signature information of the application installation package (paragraph 84, installation file signed with package signature that covers the entire installation file), and the first public key is used for verifying the first signature information (paragraph 30, signing an application with a certificate refers to signing with a private key (e.g. encrypting hash of installation file with private key), where signature is associated with digital certificate including corresponding public key (for decryption) and confirming; paragraph 54, public key 232 corresponds to private key used to sign application); 
sign the first public key using a first private key to obtain second signature information (paragraph 30, (as above) signing with a certificate refers to signing with a private key, where signature is associated with digital certificate including corresponding public key (for decryption) and confirming; paragraph 55, application 210 additionally includes migration signature 250 associated with digital certificate 260, including public signing key 262; migration signature covers package signature 220 but is created using different certificate, i.e. migration public key certificate 260, comprising public key 262; paragraph 52, package signature 220 includes digital certificate 230; therefore, migration signature covers public signing key 232 corresponding to certificate 230; paragraph 85-86, process applies migration signature by assembling new version of application into installation package, signing package to create package signature 230 covering installation file; after package signature 230 is applied, migration signature applied covering package signature (including certificate 230)); and 
add the second signature information and a second public key to the application installation package to implement a signature of the application installation package (paragraph 52-55, fig. 2A, signed application installation package including application, package signature 220, certificate 230, migration signature 250 (over package signature 220 including certificate 230), and migration certificate 260; certificates include corresponding public keys within), wherein the second public key is used for verifying the second signature information (paragraph 30, signing an application with a certificate refers to signing with a private key (e.g. encrypting hash of installation file with private key), where signature is associated with digital certificate including corresponding public key (for decryption) and confirming; paragraph 47, to successfully validate the update, the migration signature matches or corresponds to the original signature associated with the published application; to match the original signature, the migration signature is associated with the same certificate as the original signature or associated with a certificate that has the same identity (e.g., identical information fields and the same certificate chain to the root certificate); for the signatures to match, the signatures have the same public keys (or public signing keys), shared keys and/or publisher identifiers; the public keys can be included in certificates, which can be sent with signed installation packages). 

Regarding Claim 11:
Goldman in view of Bygrave teaches the apparatus of claim 10.  In addition, Goldman teaches wherein the processor is configured to: 
(paragraph 55, application 210 additionally includes migration signature 250 associated with digital certificate 260, including public signing key 262; migration signature covers package signature 220 but is created using different public key; paragraph 52, package signature 220 includes digital certificate 230; therefore, migration signature covers public signing key 232 corresponding to certificate 230; paragraph 4, digital certificate includes information regarding identity of the certificate; certificate certifies publisher of digitally signed application; this can be seen as an application identification; therefore, the migration signature covers the first public key and the application identification); and 
determine signature information obtained after the signing as the second signature information (paragraph 52-55, fig. 2A, signed application installation package including application, package signature 220, certificate 230, migration signature 250 (over package signature 220 including certificate 230), and migration certificate 260; certificates include corresponding public keys within).

Regarding Claim 14:
Goldman teaches an apparatus for verifying an application installation package (paragraph 32-33, publisher creates application installer with signature and migration signature; paragraph 59, platform 315 configured as target installation computer), comprising: 
a processor (paragraph 60, hardware on computer platform 315 includes processor); and 
a memory for storing instructions executable by the processor (paragraph 62, processor executes instructions from storage); 
wherein the processor is configured to: 
download the application installation package from an application download platform (paragraph 89, process 400 then distributes 430 the new version for use on a target system; this can involve sending the dual-signature installation file from a developer system (e.g., platform 310) to an installer's computer (e.g., platform 315), where the application can be installed (e.g., decrypted and uncompressed) from the installation file), wherein the application installation package includes an installation file, first signature information, a first public key, second signature information, and a second public key (paragraph 84, installation file signed with package signature that covers the entire installation file and protects identity of application publisher; paragraph 52, example signed application installation package, including package signature and digital certificate; paragraph 53, certificate 230 includes public signing key used for decryption; paragraph 52-55, fig. 2A, signed application installation package including application, package signature 220, certificate 230, migration signature 250 (over package signature 220 including certificate 230), and migration certificate 260; certificates include corresponding public keys within); 
wherein the first signature information is signature information of the application installation package (paragraph 84, installation file signed with package signature that covers the entire installation file), the first public key is used for verifying the first signature information (paragraph 30, signing an application with a certificate refers to signing with a private key (e.g. encrypting hash of installation file with private key), where signature is associated with digital certificate including corresponding public key (for decryption) and confirming; paragraph 54, public key 232 corresponds to private key used to sign application), the second signature information is obtained via signing the first public key using a first private key by the application download platform (paragraph 30, (as above) signing with a certificate refers to signing with a private key, where signature is associated with digital certificate including corresponding public key (for decryption) and confirming; paragraph 55, application 210 additionally includes migration signature 250 associated with digital certificate 260, including public signing key 262; migration signature covers package signature 220 but is created using different certificate, i.e. migration public key certificate 260, comprising public key 262; paragraph 52, package signature 220 includes digital certificate 230; therefore, migration signature covers public signing key 232 corresponding to certificate 230; paragraph 85-86, process applies migration signature by assembling new version of application into installation package, signing package to create package signature 230 covering installation file; after package signature 230 is applied, migration signature applied covering package signature (including certificate 230)), and the second public key is used for verifying the second signature information (paragraph 30, signing an application with a certificate refers to signing with a private key (e.g. encrypting hash of installation file with private key), where signature is associated with digital certificate including corresponding public key (for decryption) and confirming; paragraph 47, to successfully validate the update, the migration signature matches or corresponds to the original signature associated with the published application; to match the original signature, the migration signature is associated with the same certificate as the original signature or associated with a certificate that has the same identity (e.g., identical information fields and the same certificate chain to the root certificate); for the signatures to match, the signatures have the same public keys (or public signing keys), shared keys and/or publisher identifiers; the public keys can be included in certificates, which can be sent with signed installation packages); and 
verify the application installation package based on the first signature information, the first public key, the second signature information, and the second public key (paragraph 84, obtained installation file can be signed with a package signature (e.g., package signature 230) that covers the entire installation file and protects the file from tampering and protects the identity of the application publisher (e.g., the developer); paragraph 93-94, process 500 then determines 520 whether the received installation file includes a migration signature; this involves determining whether the received file includes a digital signature that (1) covers the package signature and (2) matches the original signature associated with the software application already installed on the end-user system, in order to confirm that the received installation file includes a valid update to the installed software application; determining whether a migration signature matches the original signature can involve for example comparing public signing keys associated with the signatures; paragraph 105-107, process can receive an installation file having a package signature and a migration signature; the package signature can, for example, be associated with a CA-issued certificate, and it may cover the entire installation file; the migration signature can be applied after the package signature, and it can be created using a different certificate; the process computes publisher identifiers for the package signature and the migration signature; this can involve, for examples, processing (e.g., hashing) one or more portions of the certificates associated with the signatures (e.g., certificate owner names); process then determines if the publisher identifiers match the publisher identifiers of any installed applications; if there are matches, the process determines whether there is single match or more than one match; if only a single match is found, then the process can update the corresponding application having that identifier; paragraph 96, public key information combined with certificate owner names to form publisher identifier).

Regarding Claim 15:
Goldman teaches a non-transitory computer-readable storage medium having instructions stored thereon that, when executed by a processor (paragraph 59, fig. 3A, computer platform 310 configured as application development and distribution platform; paragraph 60, computer platform 310 includes processor; paragraph 62, processor executes instructions from storage), cause the processor to implement the method of claim 1 (as per claim 1).

Regarding Claim 16:
Goldman teaches a non-transitory computer-readable storage medium having stored thereon instructions that, when executed by a processor (paragraph 59, fig. 3A, computer platform 310 configured as application development and distribution platform; paragraph 60, computer platform 310 includes processor; paragraph 62, processor executes instructions from storage), cause the processor to implement the method of claim 5 (as per claim 5).

Regarding Claims 1, 2, 5:
	These are method claims corresponding to the apparatus of claims 10, 11, and 14 respectively, and are therefore rejected for corresponding reasons.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Goldman, and further in view of Bygrave et al (PGPUB 2019/0052456) and Farkas et al (PGPUB 2013/0159718).

Regarding Claim 6:
Goldman teaches the method of claim 5. 
Goldman does not explicitly teach the method, further comprising: 
verifying the second signature information based on the second public key; and
when verifying the second signature information fails, determining that the application installation package has been tampered with.
However, Bygrave teaches the concept of a method, comprising:
(paragraph 355, the signed first cryptographic certificate [CBLOB] K2ID priv is verified at the first security context 5; the first processor 17 in the first security context 5 is configured to verify the signed first cryptographic certificate [CBLOB] K2ID priv; the signed first cryptographic certificate [CBLOB] K2ID priv is verified using the public half of the identity key of the second security context, K2ID pub; the first processor 17 is configured to perform a signature verification algorithm that, given the signed message [CBLOB] K2ID priv and the public key K2ID pub either accepts or rejects the message's claim to authenticity; EXAMINER’S NOTE: in the event that a data package had been tampered with and re-signed with a different KBLOB pub, this method would determine this by failing public key signature verification); and
when verifying the second signature information fails, determining that a data package has been tampered with (paragraph 355, as above; EXAMINER’S NOTE: in the event that a data package had been tampered with and re-signed with a different KBLOB pub, this method would determine this by failing public key signature verification); and
Goldman teaches wherein the data package is an application installation package (paragraph 84, obtaining new version of application involves obtaining installation file corresponding to published application).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the verifying a public key signature teachings of Bygrave with the application installation package teachings of Goldman, in order to add an additional layer of public/private key signature verification to an authentication system, relying on well-known and proven cryptographic techniques to create a verifiable link between a public and private key using PKI, thereby reducing the likelihood that a malicious agent would be able to intercept and tamper with key data without being detected.

when verifying the first signature information fails, determining that the application installation package has been tampered with; and 
when verifying the first signature information is successful, determining that the application installation package has not been tampered with.
However, Farkas teaches the concept of when verifying second signature information is successful, verifying first signature information based on a first public key (paragraph 53-55, Fig. 4, operations performed during validation process; paragraph 53-55, Fig. 4, signature public key 210a is then used to decrypt digital signature 105a; framework also generates cryptographic digest 203 of assembly contents 104d; the result of decrypting digital signature 105a is compared to cryptographic digest 203; if they are equal, it is known that digital signature 105a was created using signature private key 210b thereby validating copy 204b of assembly 104); 
when verifying the first signature information fails, determining that an application package has been tampered with (paragraph 53-55, Fig. 4, verification of signature; paragraph 8, framework 111 will verify the identity of the strong named assembly (e.g. as a means to verify that the assembly has not been tampered with); this verification is done by extracting the identity public key from the identity of the assembly, using the identity public key to decrypt the digital signature of the digest, generating a cryptographic digest of the contents of the assembly, and comparing the decrypted digest to the generated digest; if the digests match, then it is known that the digital signature of the digest was generated using the identity private key, and the assembly will be loaded; therefore, failure indicates that assembly has been tampered with); and 
(paragraph 8, 53-55, Fig. 4, as above, successful signature verification verifies that assembly has not been tampered with); and
Goldman teaches wherein the application package is an application installation package (paragraph 84, obtaining new version of application involves obtaining installation file corresponding to published application).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the signature verification teachings of Farkas with the application installation package teachings of Goldman in view of Bygrave, in order to apply techniques of public/private key signature verification which are well known in the art, thereby securely determining the integrity of a received application/installer package using methods which are known to be cryptographically secure, such as multiple signature verification.

Claims 3, 7, 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Goldman, and further in view of Barrera et al (“Baton: Certificate Agility for Android’s Decentralized Signing Infrastructure”).

Regarding Claim 7:
Goldman teaches the method of claim 5.
Goldman does not explicitly teach the method, further comprising: 
downloading, from the application download platform, at least one sub installation package of a plurality of sub installation packages included in the application installation package; 
wherein for each sub installation package of the at least one sub installation packages, the sub installation package includes at least one installation file, signature information of the at least one installation file, the first public key, signature information of the sub installation package, and the 
However, Barrera teaches the concept of a method, comprising:
downloading, from the application download platform, at least one sub installation package of a plurality of sub installation packages included in the application installation package (page 4 section 3, MANIFEST.MF file contains list of every file name in archive, i.e. sub-installation packages comprising individual installation files; Android applications are packaged and distributed; updates downloaded; therefore, installation packages and corresponding sub-installation packages downloaded from distribution platform); 
wherein for each sub installation package of the at least one sub installation packages, the sub installation package includes at least one installation file, signature information of the at least one installation file, the first public key, signature information of the sub installation package, and the second public key, wherein the signature information of the sub installation package is obtained via signing the sub installation package using the first private key by the application download platform (page 4 section 3, MANIFEST.MF file contains list of every file name in archive, i.e. sub-installation packages comprising individual installation files; CERT.SF contains SHA1 hash of each entry in MANIFEST.MF; SHA1 hash can be seen as “signature information” of each installation file; CERT.RSA includes signature of CERT.SF file incorporating SHA1 hashes of each installation file and X.509 certificate of developer used for signing; page 5-6 section 4.2, delegation token includes set of previously active and currently active certificates, signed by holder of KeyA; APK update signed by currently valid certificate; page 5 section 4, delegation token embedded in package update; page 6 section 4.2, each delegation token includes encoding of each certificate in the previous certificate set as well as their fingerprints to allow for signature validation; full certificate is embedded).


Regarding Claim 12:
Goldman teaches the apparatus of claim 10.
Goldman does not explicitly teach wherein the processor is configured to: 
when the application installation package includes a plurality of sub installation packages and each sub installation package includes at least one installation file and signature information of each installation file, sign, for each sub installation package of the plurality of sub installation packages, the sub installation package using the first private key, and add signature information of the sub installation package and the second public key to the corresponding sub installation package, wherein the second public key is used for verifying the signature information of the sub installation package.
However, Barrera teaches the concept wherein a processer is configured to:
when an application installation package includes a plurality of sub installation packages and each sub installation package includes at least one installation file and signature information of each installation file, sign, for each sub installation package of the plurality of sub installation packages, the sub installation package using a first private key (page 4 section 3, MANIFEST.MF file contains list of every file name in archive, i.e. sub-installation packages comprising individual installation files; CERT.SF contains SHA1 hash of each entry in MANIFEST.MF; SHA1 hash can be seen as “signature information” of each installation file; CERT.RSA includes signature of CERT.SF file incorporating SHA1 hashes of each installation file and X.509 certificate of developer used for signing), and add signature information of the sub installation package and a second public key to the corresponding sub installation package (page 5-6 section 4.2, delegation token includes set of previously active and currently active certificates, signed by holder of KeyA; APK update signed by currently valid certificate; page 5 section 4, delegation token embedded in package update), wherein the second public key is used for verifying the signature information of the sub installation package (page 6 section 4.2, each delegation token includes encoding of each certificate in the previous certificate set as well as their fingerprints to allow for signature validation; full certificate is embedded).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the multiple-file installation package teachings of Barrera with the application installation package teachings of Goldman, in order to allow an application developer to choose a suitable organization method for arranging an application installation, and provide a means of securely verifying the security and integrity of each separate file of the installation package, thereby ensuring the security and integrity of the installation package as a whole.

Regarding Claim 3:
This is the method corresponding to the apparatus of claim 12, and is therefore rejected for corresponding reasons.

Claim 8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Goldman and Barrera, and further in view of Farkas.

Regarding Claim 8:
Goldman in view of Barrera teaches the method of claim 7.

verifying, for each sub installation package of the at least one sub installation package, the signature information of the sub installation package based on the second public key; 
when verifying the signature information of the sub installation package fails, determining that the sub installation package has been tampered with; 
when verifying the signature information of the sub installation package is successful, verifying the signature information of the at least one installation file based on the first public key; 
when verifying the signature information of the at least one installation file fails, determining that the sub installation package has been tampered with; and 
when verifying the signature information of the at least one installation file is successful, determining that the sub installation package has not been tampered with.
However, Farkas teaches the concept of verifying, for each package of at least one package, signature information of the package based on a second public key (paragraph 53-55, Fig. 4, operations performed during validation process; to verify identity of copy 204b, framework uses identity public key 110a to decrypt digital signature 105c; if result is same as signature public key 210a, it is known that digital signature 105c was generated with identity private key); 
when verifying the signature information of the package fails, determining that the package has been tampered with (paragraph 8, framework 111 will verify the identity of the strong named assembly (e.g. as a means to verify that the assembly has not been tampered with) using signature verification; therefore, if signature verification fails, it indicates that assembly has been tampered with); 
when verifying the signature information of the package is successful, verifying the signature information of the at least one file based on the first public key (paragraph 53-55, Fig. 4, signature public key 210a is then used to decrypt digital signature 105a; framework also generates cryptographic digest 203 of assembly contents 104d; the result of decrypting digital signature 105a is compared to cryptographic digest 203; if they are equal, it is known that digital signature 105a was created using signature private key 210b thereby validating copy 204b of assembly 104); 
when verifying the signature information of the at least one file fails, determining that the package has been tampered with (paragraph 53-55, Fig. 4, verification of signature; paragraph 8, framework 111 will verify the identity of the strong named assembly (e.g. as a means to verify that the assembly has not been tampered with); this verification is done by extracting the identity public key from the identity of the assembly, using the identity public key to decrypt the digital signature of the digest, generating a cryptographic digest of the contents of the assembly, and comparing the decrypted digest to the generated digest; if the digests match, then it is known that the digital signature of the digest was generated using the identity private key, and the assembly will be loaded; therefore, failure indicates that assembly has been tampered with); and 
when verifying the signature information of the at least one file is successful, determining that the package has not been tampered with (paragraph 8, 53-55, Fig. 4, as above, successful signature verification verifies that assembly has not been tampered with); and
Barrera teaches wherein the package is a sub installation package (page 4 section 3, MANIFEST.MF file contains list of every file name in archive, i.e. sub-installation packages comprising individual installation files; Android applications are packaged and distributed); and
the file is an installation file (page 4 section 3, MANIFEST.MF file contains list of every file name in archive, i.e. sub-installation packages comprising individual installation files; Android applications are packaged and distributed as compressed zip archives).
The rationale to combine Goldman and Barrera is the same as provided for claim 7 due to the overlapping subject matter between claims 7 and 8.
.

Claims 4, 9, 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Goldman, and further in view of Litva et al (PGPUB 2015/0040224).

Regarding Claim 9:
Goldman teaches the method of claim 5.
Goldman does not explicitly teach wherein the method further comprises: 
when the application installation package includes a list of permissions, third signature information, and a third public key, verifying the third signature information based on the third public key; 
wherein the third signature information is obtained via signing the list of permissions using a second private key by the application download platform, wherein the third public key is used for verifying the third signature information; and 
determining whether the list of permissions has been tampered with based on the result of verifying the third signature information.
However, Litva teaches the concept wherein a method further comprises: 
when an application installation package includes a list of permissions, third signature information, and a third public key (paragraph 63, new unprotected asset from developer; created by application developer or development system is unsigned enhanced permission container manifest which lists permissions granted to application; asset protection tool generates or uses private key to generate signed enhanced permission container manifest; application secure store includes code signature, enhanced container manifest, and root of trust keys; result is signed and protected asset), verifying the third signature information based on the third public key (paragraph 68, agent 613 accesses the application secure store 610 to retrieve the signed enhanced permission container manifest 611 therefrom; the agent 613 validates the application's signed enhanced permission container manifest through integrity verification using the signed enhanced permission container manifest 611; signed enhanced permission container manifest containing permissions and root of trust keys are separate from application code signatures and can therefore be seen as “third signature information” and “third public key”); 
wherein the third signature information is obtained via signing the list of permissions using a second private key by the application download platform, wherein the third public key is used for verifying the third signature information (paragraph 63, new unprotected asset from developer; created by application developer or development system is unsigned enhanced permission container manifest which lists permissions granted to application; asset protection tool generates or uses private key to generate signed enhanced permission container manifest; application secure store includes code signature, enhanced container manifest, and root of trust keys; result is signed and protected asset); and 
determining whether the list of permissions has been tampered with based on the result of verifying the third signature information (paragraph 57, this "integrity monitoring" is done to detect any unauthorized modification (e.g., tampering) such as the modification, replacement, removal, or additions of components or sub-components that are critical to supporting the security objectives for the system).


Regarding Claim 13:
Goldman teaches the apparatus of any of claim 10.
Goldman does not explicitly teach wherein the processor is further configured to: 
when the application installation package includes a list of permissions for the application, sign the list of permissions using a second private key to obtain third signature information; and 
add the third signature information and a third public key to the application installation package, wherein the third public key is used for verifying the third signature information.
However, Litva teaches wherein a processor is configured to: 
when an application installation package includes a list of permissions for an application, sign the list of permissions using a second private key to obtain third signature information (paragraph 63, new unprotected asset from developer; created by application developer or development system is unsigned enhanced permission container manifest which lists permissions granted to application; asset protection tool generates or uses private key to generate signed enhanced permission container manifest; application secure store includes code signature, enhanced container manifest, and root of trust keys; result is signed and protected asset); and 
add the third signature information and a third public key to the application installation package (paragraph 63, application secure store includes code signature, enhanced container manifest, and root of trust keys; result is signed and protected asset), wherein the third public key is used for verifying the third signature information (paragraph 68, agent 613 accesses the application secure store 610 to retrieve the signed enhanced permission container manifest 611 therefrom; the agent 613 validates the application's signed enhanced permission container manifest through integrity verification using the signed enhanced permission container manifest 611; signed enhanced permission container manifest containing permissions and root of trust keys are separate from application code signatures and can therefore be seen as “third signature information” and “third public key”).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the permission signature teachings of Litva with the application installation package teachings of Goldman, in order to create an application installer which protects the security and integrity of intended application permissions, thereby preventing an attacker from using an application installer to intercept and elevate permissions of an application installation in an attempt to steal data or attack the underlying platform.

Regarding Claim 4:
This is the method corresponding to the apparatus of claim 13, and is therefore rejected for corresponding reasons.

Response to Arguments
Applicant's arguments filed 12/21/2021 have been fully considered but they are not persuasive.

Regarding the rejection of claims under 35 USC 103:
	Applicant’s arguments: As shown in FIG. 2A and FIG. 2B of the present application, an example signed application installation package 200 includes a package signature (SIG) 220 (corresponding to "first signature information" of claim 1) associated with a digital certificate (CERT) 230 and a migration signature (SIG-M) 250 (corresponding to "second signature information" of claim 1) associated with a digital certificate (CERT-M) 260; the certificate 230 can include within it a public signing key (PK) 232 (corresponding to "a first public key" of claim 1) used for decryption; the certificate 260 can include within it a public signing key (PK) 262 (corresponding to "a second public key" of claim 1); the migration signature 250 covers the package signature 220 but can be different from the package signature 220 (e.g., it can be created using a different certificate) (See paragraphs [0052]-[0055] of the description, FIG. 2A and FIG. 2B of Goldman.) 
However, the disclosed contents in paragraphs [0030], [0052], and [0055] and [0085]- [0086] of Goldman, as the Examiner listed on pages 3-4 of the Office Action, cannot be considered as corresponding to "signing the first public key using a first private key to obtain second signature information" of claim 1. Goldman even does not disclose that the migration signature 250 is generated based on the public signing key (PK) 232, not to mention, signing the public signing key 232 using a private key of the application distributor's computer 310 to obtain the migration signature 250. In fact, paragraph [0030] of Goldman recites "... signing an application with a certificate can refer, for example, to signing an application with a private key... ", as can be seen, Goldman at most discloses signing an application using a private key, rather than signing the public signing key 232 using a private key. Therefore, Goldman does not disclose "signing the first public key using a first private key to obtain second signature information," as recited in claim 1.

Examiner’s response: The Examiner disagrees.  Goldman discloses that “signing an application with a certificate” can refer to signing the application itself and the package signature (i.e. package 

Applicant’s arguments: Further, Goldman discloses in paragraph [0058]: "The migration signature 250 can serve to confirm that the application package 200 is a valid update to the version 205 of the application if the migration signature 250 matches the original signature 270. This match can be detected, for example, when the public key 262 of the migration signature 250 is the same as the public key 282 of the original signature 270." 
As can be seen, the public key 262 is not used for verifying the migration signature 250, and it should be configured to be the same as the public key 282 of the original signature 270 of a published version of application. It may be learned that the public key 262 is not "customized" to the migration signature 250, but should be the same as the public key 282 public key 282 of the original signature 270 of a published version of application. Therefore, Goldman fails to disclose "the second public key is used for verifying the second signature information," as recited in claim 1. 
As compared with Goldman, the claimed subject matter uses a different solution to solve different technical problems and achieves different technical effects. As mentioned previously, the claimed subject matter intends to improve security and accuracy of an application installation package that may be downloaded by users, and thus verifies whether a first public key has been replaced by 
Therefore, Goldman at least fails to disclose or suggest the claimed feature of "signing the first public key using a first private key to obtain second signature information" and "the second public key is used for verifying the second signature information," as recited in claim 1 and similarly recited in claim 10. Accordingly, Applicant respectfully submits that Goldman fails to disclose or suggest at least the aforementioned features recited in independent claims 1 and 10.

Examiner’s response: Applicant asserts that Goldman fails to teach that the second public key is used for verifying the second signature information, and then immediately recites the method in which Goldman uses the second public key to verify the second signature information.  As per paragraph 47 of Goldman, to validate an update, a signature match is confirmed, meaning it is determined if the migration signature matches the original signature associated with the application, including determining whether the signatures have the same public keys.  Therefore, the second public key is used to verify the signature.  While this is not the conventional means of verifying signatures, involving decrypting the signature with the public key and verifying the hash, it can certainly be seen as “the second public key is used for verifying the second signature information”.
Furthermore, while applicant argues “different technical effects”, Examiner notes that the teachings of Goldman result in similar technical effects, i.e. “avoiding an application installation package being tampered with and improving security and accuracy of the application installation package”, as signature mismatch indicates an invalid/corrupted/tampered application package.


Applicant’s arguments: The verification steps of Goldman mainly relate to verifying whether "a migration signature" matches "the original signature associated with the software application already installed on the end-user system," which are significantly different from those of claim 5.  
Therefore, in addition to the above-mentioned distinguishing features, Goldman fails to disclose "verifying the application installation package based on the first signature information, the first public key, the second signature information, and the second public key to determine whether the application installation package has been tampered with," as recited in claim 5. 
Therefore, Goldman at least fails to disclose or suggest the claimed feature of "the second signature information is obtained via signing the first public key using a first private key by the application download platform", "the second public key is used for verifying the second signature information" and "verifying the application installation package based on the first signature information, the first public key, the second signature information, and the second public key to determine whether the application installation package has been tampered with," as recited in claim 5 and similarly recited in claim 14. Accordingly, Applicant respectfully submits that Goldman fails to disclose or suggest at least the aforementioned features recited in independent claims 5 and 14.

Examiner’s response: Applicant claims that Goldman fails to teach “verifying the application installation package based on the first signature information, the first public key, the second signature information, and the second public key”.  However, Goldman teaches that the migration signature covers the first signature information and the first public key (as shown above).  Goldman further 
Therefore, Goldman teaches "the second signature information is obtained via signing the first public key using a first private key by the application download platform", "the second public key is used for verifying the second signature information" and "verifying the application installation package based on the first signature information, the first public key, the second signature information, and the second public key to determine whether the application installation package has been tampered with," as in claims 5 and 14.
	Applicant further argues that the dependent claims are allowable due to depending on an allowable independent claim.  However, as shown above, the independent claims are not allowable.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FORREST L CAREY whose telephone number is (571)270-7814. The examiner can normally be reached 9:00AM-5:30PM M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/FORREST L CAREY/Examiner, Art Unit 2491                                


/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491