Apksigner verify warnings

[tobiasKaminsky]

» apksigner verify android2-gplay-release.apk 
WARNING: META-INF/DEPENDENCIES not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/README.txt not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/services/com.fasterxml.jackson.core.JsonFactory not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/services/org.apache.commons.logging.LogFactory not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.

Althought these are only text files we should investigate how to avoid this.

[mario]

Easy. Exclude as follows:

packagingOptions {
    exclude 'META-INF/LICENSE.txt'
    exclude 'META-INF/LICENSE'
}

[tobiasKaminsky]

This is a way, but don't we need these files?
This is in DEPENDENCIES

// ------------------------------------------------------------------
// Transitive dependencies of this project determined from the
// maven pom organized by organization.
// ------------------------------------------------------------------
Jackrabbit WebDAV Library
From: 'an unknown organization'

• Codec commons-codec:commons-codec:jar:1.2
  From: 'Apache Software Foundation' (http://jakarta.apache.org/)
• HttpClient (http://jakarta.apache.org/httpcomponents/httpclient-3.x/) commons-httpclient:commons-httpclient:jar:3.1
  License: Apache License (http://www.apache.org/licenses/LICENSE-2.0)
  From: 'QOS.ch' (http://www.qos.ch)
• JCL 1.1.1 implemented over SLF4J (http://www.slf4j.org) org.slf4j:jcl-over-slf4j:jar:1.7.4
  License: MIT License (http://www.opensource.org/licenses/mit-license.php)
• SLF4J API Module (http://www.slf4j.org) org.slf4j:slf4j-api:jar:1.6.6
  License: MIT License (http://www.opensource.org/licenses/mit-license.php)

I am also unsure about the purpose of META-INF/services/com.fasterxml.jackson.core.JsonFactory.
Content is only: com.fasterxml.jackson.core.JsonFactory

[mario]

I don't think we need any of these, to be honest. For DEPENDENCIES and README.TXT I'm sure. And those two other files are just random files.

[tobiasKaminsky]

👍
Then let's try with simple exclude them.

[tobiasKaminsky]

Adding these options works for all files but the services files:

packagingOptions {
        exclude 'META-INF/LICENSE.txt'
        exclude 'META-INF/LICENSE'
        exclude 'META-INF/DEPENDENCIES'
        exclude 'META-INF/README.txt'
        exclude 'META-INF/services/com.fasterxml.jackson.core.JsonFactory'
        exclude 'META-INF/services/org.apache.commons.logging.LogFactory'
    }

apksigner verify gplay/release/android2-gplay-release.apk
WARNING: META-INF/services/com.fasterxml.jackson.core.JsonFactory not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/services/org.apache.commons.logging.LogFactory not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.

[lilian131]

hi @tobiasKaminsky where can I put these line of code ?
packagingOptions { exclude 'META-INF/LICENSE.txt' exclude 'META-INF/LICENSE' exclude 'META-INF/DEPENDENCIES' exclude 'META-INF/README.txt' exclude 'META-INF/services/com.fasterxml.jackson.core.JsonFactory' exclude 'META-INF/services/org.apache.commons.logging.LogFactory' }

[AndyScherzinger]

You need to create a file named proguard-rules.pro

[tobiasKaminsky]

It still shows warnings, but all in meta-inf directory, so I consider this as no problem.