signatures made by older AGP versions cannot be copied #88

Open
obfusk opened this issue Feb 16, 2023 · 0 comments · May be fixed by #109
obfusk commented Feb 16, 2023

Signatures made by older versions of AGP cannot be copied by apksigcopier because the signing method differs too much from that used by apksigner (and signflinger in newer versions).

It is unlikely that support for these signatures will be added.

ZIP entry ordering differences

The v1 (JAR) signature files are always added at the end of the ZIP file by apksigner and apksigcopier; these older versions add them in a different position and sometimes the order of the ZIP entries in the central directory doesn't match the order of the entries in the file.

v1 (JAR) signature file differences

Some versions (e.g. 4.0.2) use create_version=2.4 (resulting in an Unsupported create_version error from apksigcopier) for the v1 signature files and leave an empty (i.e. w/o any entries, just the main headers) MANIFEST.MF in the unsigned APK.

The empty MANIFEST.MF is also present in the signed APK when using v2 signing only, whereas apksigner and apksigcopier always remove this file during signing/copying.

Affected versions

Versions <= 4.1.2 produce unsupported signatures; versions >= 4.2.2 seem to be unaffected.

Workaround: sign with apksigner

If upgrading to a newer version of AGP is not an option, you can build an unsigned APK and sign it with apksigner; only use of a signingConfig in build.gradle with one of these older versions produces unsupported signatures.

Workaround: use apksigner instead of signingConfig in build.gradle

Another workaround is to use apksigner instead of signingConfig in build.gradle; this allows keeping the exact same workflow, requiring only some small modifications to build.gradle.


Related: #80
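
An added example, not part of the original issue and not apksigcopier's own code: a Python check for the layout properties described above (position of the v1 signature files, central directory order versus order in the file, and `create_version` of the signature files). The signature-file name pattern, the function names and the in-memory sample ZIPs are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Assumed pattern for v1 (JAR) signature file names; not taken from the issue.
SIG_RE = re.compile(r"META-INF/([0-9A-Za-z_-]+\.(SF|RSA|DSA|EC)|MANIFEST\.MF)")

def inspect_apk(fileobj):
    """Report the ZIP layout properties the issue describes for one APK."""
    with zipfile.ZipFile(fileobj) as zf:
        infos = zf.infolist()  # entries in central directory order
    offsets = [i.header_offset for i in infos]
    by_offset = sorted(infos, key=lambda i: i.header_offset)  # order in the file
    is_sig = [bool(SIG_RE.fullmatch(i.filename)) for i in by_offset]
    n_sig = sum(is_sig)
    return {
        # False when the central directory lists entries in a different order
        "cd_order_matches_file_order": offsets == sorted(offsets),
        # True when the signature files are the last entries in the file
        "sig_files_at_end": all(is_sig[len(is_sig) - n_sig:]),
        # 20 means 2.0, 24 means 2.4 (the value the issue reports for 4.0.2)
        "sig_create_versions": sorted(
            {i.create_version for i in infos if SIG_RE.fullmatch(i.filename)}),
    }

def build_sample(old_agp_like):
    """Build a constructed in-memory ZIP (not a real APK) for the demo."""
    sigs = ["META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA"]
    rest = ["AndroidManifest.xml", "classes.dex"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in (sigs + rest if old_agp_like else rest + sigs):
            zi = zipfile.ZipInfo(name)
            if old_agp_like and name in sigs:
                zi.create_version = 24  # create_version=2.4
            zf.writestr(zi, b"placeholder")
        if old_agp_like:
            zf.filelist.reverse()  # central directory order != file order
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for old in (False, True):
        print("old AGP-like layout" if old else "signature files last",
              inspect_apk(build_sample(old)))
```

`inspect_apk` also accepts a file path, since `zipfile.ZipFile` does.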

obfusk added the enhancement and wontfix labels Feb 16, 2023
obfusk self-assigned this Feb 16, 2023
obfusk pinned this issue Feb 22, 2023
obfusk linked a pull request Dec 24, 2024 that will close this issue