Bubblewrap asks for two passwords but only one supported by PKCS12 keystores

[finnurbreki]

I was creating my first TWA and couldn't get it to build because it kept complaining about the password being wrong. I tried multiple times, making absolutely sure I entered the two passwords correctly (one for the keystore and one for the key) but it kept telling me my password (the one I had created) was incorrect when trying to build.

cli ERROR Command failed: /usr/local/company/home/ldap/.bubblewrap/android_sdk/build-tools/30.0.3/apksigner sign --ks /usr/local/company/home/ldap/dev/bubblewrap/android.keystore --ks-key-alias android --ks-pass pass:[redacted] --key-pass pass:[redacted] --out ./app-release-signed.apk ./app-release-unsigned-aligned.apk
Failed to load signer "signer #1"
java.io.IOException: Failed to obtain key with alias "android" from /usr/local/company/home/ldap/dev/bubblewrap/android.keystore. Wrong password?
    at com.android.apksigner.SignerParams.loadPrivateKeyAndCertsFromKeyStore(SignerParams.java:320)
    at com.android.apksigner.SignerParams.loadPrivateKeyAndCerts(SignerParams.java:181)
    at com.android.apksigner.ApkSignerTool.getSignerConfig(ApkSignerTool.java:395)
    at com.android.apksigner.ApkSignerTool.sign(ApkSignerTool.java:316)
    at com.android.apksigner.ApkSignerTool.main(ApkSignerTool.java:88)
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:465)
    at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)
    at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
    at com.android.apksigner.SignerParams.getKeyStoreKey(SignerParams.java:375)
    at com.android.apksigner.SignerParams.loadPrivateKeyAndCertsFromKeyStore(SignerParams.java:288)
    ... 4 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
    at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
    at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
    at java.base/com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:408)
    at java.base/com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:440)
    at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
    at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:406)
    at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:295)
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:400)
    ... 8 more

Turns out there was a warning in there that I didn't even notice:

Warning: Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -keypass value.

In other words, Bubblewrap asks for two password but kind of silently uses only one behind the scenes.

This was on:

Operating System: Debian GNU/Linux rodete
Kernel: Linux 5.15.15-1rodete2-amd64
Architecture: x86-64