Adding Bouncy Castle has increased the APK ~1MB in size. We had to include this as Ed25519 signature verification is not supported in standard Java/Android until Java 15 (or API 33). We should investigate whether we can drop this in some way. Here are some options I've thought of:
1. It looks like the majority of the size increase comes from some `.properties` files used by Bouncy Castle for Picnic which we're not currently using. We might be able to exclude these from the APK.
2. We could look at forking Bouncy Castle and only including the bits we need (currently just Ed25519 signature verification).
3. We could make Ed25519 signature verification an Android 13+ feature and use the `java.security` implementation (which ironically will probably be Bouncy Castle under the hood).

1 and 2 are pretty risky as messing around with a trusted crypto library feels like a bad path to go down.
3 isn't something we've done a lot of, but I think the use case that initially wanted `extract-signed` might be using Android 13 devices. If we do limit the XPath function to newer OSes, definitely think we should change the signature to always take an algorithm so that the "default" isn't a special case in the future.
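
A sketch of option 3 on a Java 15+ runtime, added here as an example and not the project's code: probe for Ed25519 at run time instead of bundling a provider, and verify with an explicitly named algorithm. The class and method names, and the assumption that the public key arrives as 32 raw bytes, are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;

public class Ed25519PlatformVerify {
    // X.509 SubjectPublicKeyInfo header for Ed25519 (OID 1.3.101.112); raw 32-byte key follows.
    private static final byte[] SPKI_PREFIX =
        {0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00};

    /** True when an installed provider offers the algorithm (Java 15+ for Ed25519). */
    static boolean isSupported(String algorithm) {
        try {
            Signature.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** Algorithm is always explicit, so no "default" is special-cased (hypothetical helper). */
    static boolean verify(String algorithm, byte[] rawKey, byte[] message, byte[] signature)
            throws GeneralSecurityException {
        if (rawKey.length != 32 || signature.length != 64) return false; // Ed25519 sizes
        byte[] spki = Arrays.copyOf(SPKI_PREFIX, SPKI_PREFIX.length + rawKey.length);
        System.arraycopy(rawKey, 0, spki, SPKI_PREFIX.length, rawKey.length);
        PublicKey key = KeyFactory.getInstance(algorithm).generatePublic(new X509EncodedKeySpec(spki));
        Signature verifier = Signature.getInstance(algorithm);
        verifier.initVerify(key);
        verifier.update(message);
        return verifier.verify(signature);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String alg = "Ed25519";
        if (!isSupported(alg)) { System.out.println(alg + " unavailable; feature disabled"); return; }
        // Constructed sample: throwaway key pair and message generated at run time.
        KeyPair pair = KeyPairGenerator.getInstance(alg).generateKeyPair();
        byte[] message = "constructed sample payload".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance(alg);
        signer.initSign(pair.getPrivate());
        signer.update(message);
        byte[] sig = signer.sign();
        byte[] enc = pair.getPublic().getEncoded(); // 12-byte header + 32-byte key
        byte[] raw = Arrays.copyOfRange(enc, SPKI_PREFIX.length, enc.length);
        System.out.println("valid signature:  " + verify(alg, raw, message, sig));
        message[0] ^= 1; // tamper with the payload
        System.out.println("tampered message: " + verify(alg, raw, message, sig));
    }
}
```

The run-time probe keeps the feature gate tied to what the device's providers actually offer rather than to an OS version number alone.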
@lognaturel and I discussed this and decided that attempting to exclude parts of Bouncy Castle is the way to go. We should look into it, but I'm pretty sure ProGuard will already be excluding classes we don't use, so it might be best to just exclude the .properties files (referenced in 1).