build-apks using keystore(2048bit keysize SHA256withDSA sigalg) is not supported? #140

Closed
sdsd08013 opened this issue Jan 22, 2020 · 3 comments

Comments

@sdsd08013

Describe the bug
I tried to generate apks from aab and failed.

I'm not sure but I think it's caused by lack of minSdkVersion attribute part of splitApkManifest.
https://github.com/google/bundletool/blob/master/src/main/java/com/android/tools/build/bundletool/splitters/ModuleSplitter.java#L129
https://github.com/google/bundletool/blob/master/src/main/java/com/android/tools/build/bundletool/model/ModuleSplit.java#L266
https://android.googlesource.com/platform/tools/apksig/+/refs/heads/master/src/main/java/com/android/apksig/internal/apk/v1/V1SchemeSigner.java#124

Bundletool version(s) affected
Version: 0.12.0

Stacktrace

[BT:0.12.0] Error: Failed to write APK file '/var/folders/z0/r46_v2n94ts8j__q3txlqtkr0000gn/T/2973773764400014628/splits/base-xxhdpi.apk'.
java.io.UncheckedIOException: Failed to write APK file '/var/folders/z0/r46_v2n94ts8j__q3txlqtkr0000gn/T/2973773764400014628/splits/base-xxhdpi.apk'.
	at com.android.tools.build.bundletool.io.ConcurrencyUtils.waitFor(ConcurrencyUtils.java:55)
	at com.android.tools.build.bundletool.io.ConcurrencyUtils.waitForAll(ConcurrencyUtils.java:42)
	at java.util.function.Function.lambda$andThen$1(Function.java:88)
	at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:570)
	at com.android.tools.build.bundletool.io.ApkSerializerManager.serializeApks(ApkSerializerManager.java:181)
	at com.android.tools.build.bundletool.io.ApkSerializerManager.populateApkSetBuilder(ApkSerializerManager.java:101)
	at com.android.tools.build.bundletool.commands.BuildApksManager.executeWithZip(BuildApksManager.java:233)
	at com.android.tools.build.bundletool.commands.BuildApksManager.execute(BuildApksManager.java:117)
	at com.android.tools.build.bundletool.commands.BuildApksCommand.execute(BuildApksCommand.java:532)
	at com.android.tools.build.bundletool.BundleToolMain.main(BundleToolMain.java:74)
	at com.android.tools.build.bundletool.BundleToolMain.main(BundleToolMain.java:46)
Caused by: java.io.IOException: Failed to generate v1 signature
	at com.android.tools.build.apkzlib.sign.SigningExtension.onOutputZipReadyForUpdate(SigningExtension.java:287)
	at com.android.tools.build.apkzlib.sign.SigningExtension.access$200(SigningExtension.java:57)
	at com.android.tools.build.apkzlib.sign.SigningExtension$1.lambda$beforeUpdate$2(SigningExtension.java:156)
	at com.android.tools.build.apkzlib.zip.ZFile.notify(ZFile.java:2269)
	at com.android.tools.build.apkzlib.zip.ZFile.update(ZFile.java:1002)
	at com.android.tools.build.apkzlib.zip.ZFile.close(ZFile.java:1335)
	at com.android.tools.build.bundletool.io.ApkSerializerHelper.writeToZipFile(ApkSerializerHelper.java:196)
	at com.android.tools.build.bundletool.io.ApkSerializerHelper.writeToZipFile(ApkSerializerHelper.java:139)
	at com.android.tools.build.bundletool.io.SplitApkSerializer.writeToDisk(SplitApkSerializer.java:75)
	at com.android.tools.build.bundletool.io.SplitApkSerializer.writeSplitToDisk(SplitApkSerializer.java:53)
	at com.android.tools.build.bundletool.io.ApkSetBuilderFactory$ApkSetArchiveBuilder.addSplitApk(ApkSetBuilderFactory.java:105)
	at com.android.tools.build.bundletool.io.ApkSerializerManager$ApkSerializer.serialize(ApkSerializerManager.java:377)
	at com.android.tools.build.bundletool.io.ApkSerializerManager.lambda$null$3(ApkSerializerManager.java:185)
	at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:117)
	at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:38)
	at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:77)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.InvalidKeyException: Failed to sign using signer "CERT"
	at com.android.apksig.internal.apk.v1.V1SchemeSigner.signManifest(V1SchemeSigner.java:295)
	at com.android.apksig.internal.apk.v1.V1SchemeSigner.sign(V1SchemeSigner.java:256)
	at com.android.apksig.DefaultApkSignerEngine.outputJarEntries(DefaultApkSignerEngine.java:424)
	at com.android.tools.build.apkzlib.sign.SigningExtension.onOutputZipReadyForUpdate(SigningExtension.java:285)
	... 18 more
Caused by: java.security.InvalidKeyException: Failed to sign using SHA1withDSA
	at com.android.apksig.internal.apk.v1.V1SchemeSigner.generateSignatureBlock(V1SchemeSigner.java:519)
	at com.android.apksig.internal.apk.v1.V1SchemeSigner.signManifest(V1SchemeSigner.java:293)
	... 21 more
Caused by: java.security.InvalidKeyException: The security strength of SHA-1 digest algorithm is not sufficient for this key size
	at sun.security.provider.DSA.checkKey(DSA.java:111)
	at sun.security.provider.DSA.engineInitSign(DSA.java:143)
	at java.security.Signature$Delegate.init(Signature.java:1155)
	at java.security.Signature$Delegate.chooseProvider(Signature.java:1115)
	at java.security.Signature$Delegate.engineInitSign(Signature.java:1179)
	at java.security.Signature.initSign(Signature.java:530)
	at com.android.apksig.internal.apk.v1.V1SchemeSigner.generateSignatureBlock(V1SchemeSigner.java:515)

To Reproduce

  1. Create baz.keystore.
  • keyalg DSA
  • keysize 2048
  2. Execute the command line below.
bundletool build-apks \
             --bundle=foo.aab \
             --output=bar.apks \
             --ks=baz.keystore \
             --ks-pass=pass:foo \
             --ks-key-alias=bar \
             --key-pass=pass:foo \
             --connected-device

Known workaround
use SHA256withDSA keystore (keysize 1024bit length)
use SHA256withRSA keystore

Environment:
OS: macOS Mojave 10.14.3
connected-device: Pixel3 API28

@plecesne
Contributor

This is a restriction of the JDK which doesn't allow using SHA-1 with 2048 bit keys: https://github.com/JetBrains/jdk8u_jdk/blob/master/src/share/classes/sun/security/provider/DSA.java#L111-L112

Using SHA-1 is unfortunately required due to the minSdkVersion your app uses because otherwise some devices your app targets wouldn't be able to install the app.

You thus have the options to either use a 1024 bit key, up the minSdkVersion to 21(?), or use an RSA key (not sure in which Android version support for SHA-256 was added nor if JDK has any such restriction as well, you'll have to test).

Hope that helps.

@sdsd08013
Author

Thanks for replying.

Is this specification (bundletool does not support signing an apk using a SHA256withDSA 2048-bit keystore) documented anywhere or commonly known? (I didn't know about this...)

@plecesne
Contributor

Bundletool supports it. It's a limitation of the JDK you are using. https://www.java.com/en/configure_crypto.html may be helpful to change the requirements of your JDK.

We could possibly do the signing with a different cryptographic provider, but I'm not sure we would do developers a favour by doing so.
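
The JDK restriction discussed in this thread can be reproduced outside bundletool. The following is an added example, not code from the issue, bundletool or apksig; the class name `DsaDigestCheck` and the helper `tryInitSign` are hypothetical, and it assumes the JDK's default signature provider performs the key-size check linked above.

```java
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.interfaces.DSAPrivateKey;

// Added illustration; class and method names are hypothetical.
public class DsaDigestCheck {

    // Tries to initialise a signer for sigAlg with the given key pair.
    // Returns null when the provider accepts the key, otherwise the
    // message of the InvalidKeyException it raised.
    static String tryInitSign(String sigAlg, KeyPair kp) throws Exception {
        Signature sig = Signature.getInstance(sigAlg);
        try {
            sig.initSign(kp.getPrivate());
            return null;
        } catch (InvalidKeyException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // The two key sizes from the thread: 1024 (workaround) and 2048 (failing).
        for (int keySize : new int[] {1024, 2048}) {
            KeyPairGenerator gen = KeyPairGenerator.getInstance("DSA");
            gen.initialize(keySize);
            KeyPair kp = gen.generateKeyPair();

            // The check compares the bit length of the DSA subprime q
            // with the output length of the digest (160 bits for SHA-1).
            int qBits = ((DSAPrivateKey) kp.getPrivate())
                    .getParams().getQ().bitLength();

            for (String alg : new String[] {"SHA1withDSA", "SHA256withDSA"}) {
                String err = tryInitSign(alg, kp);
                System.out.printf("DSA-%d (q=%d bits) %s: %s%n",
                        keySize, qBits, alg,
                        err == null ? "accepted" : "rejected: " + err);
            }
        }
    }
}
```

Running it on the JDK used for the build shows which digest and key-size pairs that JDK will sign with, before bundletool or apksig are involved.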
