Signatures made by older versions of AGP cannot be copied by apksigcopier because the signing method differs too much from that used by apksigner (and signflinger in newer versions).
It is unlikely that support for these signatures will be added.
ZIP entry ordering differences
The v1 (JAR) signature files are always added at the end of the ZIP file by apksigner and apksigcopier; these older versions add them in a different position and sometimes the order of the ZIP entries in the central directory doesn't match the order of the entries in the file.
v1 (JAR) signature file differences
Some versions (e.g. 4.0.2) use create_version=2.4 for the v1 signature files and leave an empty (i.e. w/o any entries, just the main headers) MANIFEST.MF in the unsigned APK.
The empty MANIFEST.MF is also present in the signed APK when using v2 signing only, whereas apksigner and apksigcopier always remove this file during signing/copying.
Affected versions
Versions <= 4.1.2 produce unsupported signatures, versions >= 4.2.2 seem to be unaffected.
Workaround: sign with apksigner
If upgrading to a newer version of AGP is not an option, you can build an unsigned APK and sign it with apksigner; only use of a signingConfig in build.gradle with one of these older versions produces unsupported signatures.
Workaround: use apksigner instead of signingConfig in build.gradle
Another workaround is to use apksigner instead of signingConfig in build.gradle; this allows keeping the exact same workflow, requiring only some small modifications to build.gradle.
Related: #80
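An added example, not part of the original issue and not apksigcopier's own code: a Python check that reports the ZIP-level differences described above (central directory order, position of the v1 signature files, a MANIFEST.MF with main headers only). The set of names treated as v1 signature files, the "no `Name:` line" test for an empty manifest, and the sample archives are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Assumption: these META-INF names are what counts as v1 (JAR) signature files.
V1_SIG = re.compile(r"META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))", re.I)

# Constructed sample manifests: main headers only, and with one entry.
EMPTY_MF = b"Manifest-Version: 1.0\r\nCreated-By: constructed\r\n\r\n"
FULL_MF = EMPTY_MF + b"Name: classes.dex\r\nSHA-256-Digest: AAAA\r\n\r\n"


def check_apk(apk):
    """Return the layout differences found in an APK (path or file object)."""
    findings = []
    with zipfile.ZipFile(apk) as zf:
        central = zf.infolist()  # central directory order
        local = sorted(central, key=lambda i: i.header_offset)  # order in file
        if [i.filename for i in central] != [i.filename for i in local]:
            findings.append("central directory order differs from file order")
        # Once the first v1 signature file appears, only such files may follow.
        flags = [bool(V1_SIG.fullmatch(i.filename)) for i in local]
        if True in flags and not all(flags[flags.index(True):]):
            findings.append("v1 signature files are not at the end")
        for info in central:
            if info.filename.upper() == "META-INF/MANIFEST.MF":
                text = zf.read(info).decode("utf-8", "replace")
                if not any(ln.startswith("Name:") for ln in text.splitlines()):
                    findings.append("MANIFEST.MF has no entries")
    return findings


def make_zip(entries, reverse_central=False):
    """Build a constructed in-memory ZIP from (name, data) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
        if reverse_central:
            zf.filelist.reverse()  # central directory is written from this list
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sigs = [("META-INF/CERT.SF", b"s"), ("META-INF/CERT.RSA", b"r")]
    new = [("classes.dex", b"x"), ("META-INF/MANIFEST.MF", FULL_MF)] + sigs
    old = [("META-INF/MANIFEST.MF", EMPTY_MF)] + sigs + [("classes.dex", b"x")]
    for label, z in (("new", make_zip(new)), ("old", make_zip(old))):
        print(label, check_apk(z))
```

`check_apk` also accepts a file path, so it can be pointed at a built APK before attempting to copy its signature.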