
Publish apksigner output & remove not needed files in META-INF #2503

Open

emanuelb opened this issue Sep 23, 2021 · 1 comment

Comments

@emanuelb

In order to verify a direct APK download from GitHub, Google Play, or mirror/download websites, the output from apksigner is needed.
See for example the verification section of the Aegis app:
https://github.com/beemdevelopment/Aegis#verification

Running apksigner (command: apksigner verify --print-certs --verbose 320100.apk) on the apk downloaded from GitHub:
https://github.com/MixinNetwork/android-app/releases/download/v0.32.1/320100.apk
sha256sum: 46342aab01445b09d19cb1b3dd6c5f13a757d050d5112c519a19a55ae37e4652

Result:

Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: true
Number of signers: 1
Signer #1 certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: 02fb466874975338337ec00ab80b95b623c057814356b2ea3fa3f57578f81ab6
Signer #1 certificate SHA-1 digest: 8da0fc40e504fc2c533c527292c63af226d46e67
Signer #1 certificate MD5 digest: 073c2a74a5c5d6ba2fe43351fb6d95ad
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 4096
Signer #1 public key SHA-256 digest: 8063aa2ebcc8c31931a37b79d5f7e0b668a1a546edb3bb51bb3d9b9160fed973
Signer #1 public key SHA-1 digest: 3127e65d3e1daac7f89db579f604360a0245a444
Signer #1 public key MD5 digest: a92d6cd0c8bff7d7d8b4670c994eccbe
Source Stamp Signer certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Source Stamp Signer certificate SHA-256 digest: 3257d599a49d2c961a471ca9843f59d341a405884583fc087df4237b733bbd6d
Source Stamp Signer certificate SHA-1 digest: b1af3a0bf998aeede1a8716a539e5a59da1d86d6
Source Stamp Signer certificate MD5 digest: 577b8a9fbc7e308321aec6411169d2fb
Source Stamp Signer key algorithm: RSA
Source Stamp Signer key size (bits): 4096
Source Stamp Signer public key SHA-256 digest: 4c53c1d28f2ecceadcb1351603f0b702615b3454b6e30070de759359f241b802
Source Stamp Signer public key SHA-1 digest: 188b067a9ee881bde55dabe0f8f7ecb320b1a091
Source Stamp Signer public key MD5 digest: 965afac83f033aa037a54482eb6922d5
WARNING: META-INF/services/io.jsonwebtoken.CompressionCodec not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/services/io.jsonwebtoken.io.Deserializer not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/services/io.jsonwebtoken.io.Serializer not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/services/kotlinx.coroutines.CoroutineExceptionHandler not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/services/kotlinx.coroutines.internal.MainDispatcherFactory not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/services/sun.net.spi.nameservice.NameServiceDescriptor not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.

All the files in the WARNING lines should be removed or moved to another directory. It's not very problematic because the apk is also signed with v2, but when v1 verification is used (which has been deprecated since 2016) the files in the WARNING lines are not authenticated ("Unauthorized modifications to this JAR entry will not be detected.").

They probably should be removed, which can be done for example by adding exclude lines to packagingOptions in the build.gradle file.

See the related question on Stack Overflow for info on removing such files:
https://stackoverflow.com/questions/66897483/how-can-i-exclude-all-files-in-meta-inf-except-for-the-three-signature-files
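The verification step the issue asks for can be scripted around apksigner's report: pin the signer certificate SHA-256 digest, require a v2 or v3 scheme result (not just v1 JAR signing), and surface the "not protected by signature" entries. The script below is an added example, not code from the issue or from the Mixin project; the helper names (check_apk_report, unprotected_entries, write_sample_report) are this example's own, and the sample report it writes is a constructed copy of the apksigner output quoted above so it runs without an APK or the Android SDK.

```shell
#!/bin/sh
# Added example: gate an APK on an `apksigner verify --print-certs --verbose` report.
# With a real APK (apksigner ships in Android SDK build-tools):
#   apksigner verify --print-certs --verbose 320100.apk > report.txt
#   check_apk_report report.txt "$PINNED_CERT_SHA256" && echo install-ok

# Pinned value: the Signer #1 certificate SHA-256 digest quoted in the issue.
PINNED_CERT_SHA256="02fb466874975338337ec00ab80b95b623c057814356b2ea3fa3f57578f81ab6"

# Return 0 only if the report says the APK verifies, a modern scheme (v2 or v3)
# verified, there is exactly one signer, and its certificate digest matches the pin.
# The "Source Stamp Signer" lines use a different prefix and are deliberately ignored.
check_apk_report() {
    report="$1"; pinned="$2"
    grep -qx 'Verifies' "$report" || { echo "FAIL: apksigner did not report Verifies"; return 1; }
    grep -q 'Verified using v2 scheme (APK Signature Scheme v2): true' "$report" \
      || grep -q 'Verified using v3 scheme (APK Signature Scheme v3): true' "$report" \
      || { echo "FAIL: only v1 (JAR) signing verified; META-INF entries are unprotected"; return 1; }
    signers=$(sed -n 's/^Number of signers: //p' "$report")
    [ "$signers" = "1" ] || { echo "FAIL: expected 1 signer, got ${signers:-none}"; return 1; }
    got=$(sed -n 's/^Signer #1 certificate SHA-256 digest: //p' "$report")
    [ "$got" = "$pinned" ] || { echo "FAIL: signer cert $got does not match pin $pinned"; return 1; }
    echo "OK: signer certificate matches pinned fingerprint"
    return 0
}

# Print the entries apksigner flags as unprotected by the v1 signature, one per line.
unprotected_entries() {
    sed -n 's/^WARNING: \(.*\) not protected by signature.*/\1/p' "$1"
}

# Constructed sample: an abridged copy of the report quoted in the issue (two of the
# six WARNING lines omitted for brevity), written to the path given as $1.
write_sample_report() {
    cat > "$1" <<'EOF'
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: true
Number of signers: 1
Signer #1 certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: 02fb466874975338337ec00ab80b95b623c057814356b2ea3fa3f57578f81ab6
Source Stamp Signer certificate SHA-256 digest: 3257d599a49d2c961a471ca9843f59d341a405884583fc087df4237b733bbd6d
WARNING: META-INF/services/io.jsonwebtoken.CompressionCodec not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/services/kotlinx.coroutines.CoroutineExceptionHandler not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/services/kotlinx.coroutines.internal.MainDispatcherFactory not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/services/sun.net.spi.nameservice.NameServiceDescriptor not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
EOF
}
```

The pin is compared against the Signer #N line only; the Source Stamp signer is a separate key and a report that matched on that line by accident would be a false positive. Pair the report check with `sha256sum` of the downloaded file against the digest the project publishes, as the issue does.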

@crossle
Member

crossle commented Oct 18, 2021

kotlinx.coroutines.CoroutineExceptionHandler & kotlinx.coroutines.internal.MainDispatcherFactory need some validation as to whether we can remove them.
