Check if Cromite apks are signed #489

Closed
5 tasks done
uazo opened this issue Nov 1, 2023 · 4 comments
Labels
need triage I will look into it, I promise! task These are things I tell myself I should do

uazo commented Nov 1, 2023

Preliminary checklist

  • I have read the README.
  • I have searched the existing issues for my problem. This is a new ticket, NOT a duplicate or related to another open issue.
  • I have read the FAQs.
  • I have updated Cromite to the latest version. The bug is reproducible on this latest version.
  • This is a bug report about the Cromite browser; not the website nor F-Droid nor anything else.

Can the bug be reproduced with corresponding Chromium version?

Yes

Cromite version

all

Device architecture

all

Platform version

I prefer not to write it/No matter

Android Device model

n/a

Is the device rooted?

I prefer not to write it

Changed flags

none

Is this bug happening in an incognito tab?

No

Is this bug caused by the adblocker?

No

Is this bug a crash?

no

Describe the bug

It seems that the apks are not signed.

Try with:
keytool -printcert -jarfile xxx.apk

Steps to reproduce the bug

n/a

Expected behavior

I am probably doing something wrong during the build

Screenshots

n/a

@uazo uazo added the bug Something isn't working label Nov 1, 2023
uazo commented Nov 1, 2023

so:

apksigner verify --verbose ChromePublic.apk

Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1

while

jarsigner -verify -verbose -certs ChromePublic.apk   

  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

no manifest.

jar is unsigned.

The apks are signed with Signature Scheme v2.

If your min API is lower than 24, v1 signing will be included in apk (inside META_INF). 
And because of that, these two tools will "poop out" your cert keys.

If using min API 24 or higher, v1 signing will be excluded (unless you enable it on your own
in build.gradle). In this case keytool or jarsigner don't work. They will output Not a 
signed jar file or jar is unsigned. To verify v2+ signature, you should use apksigner instead.

see https://source.android.com/docs/security/features/apksigning

@uazo uazo added need triage I will look into it, I promise! and removed bug Something isn't working labels Nov 1, 2023
@uazo uazo changed the title Cromite apks are not signed Check if Cromite apks are signed Nov 1, 2023
@uazo uazo added the task These are things I tell myself I should do label Nov 2, 2023
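
Added example (not part of the issue thread and not Cromite's code): v1 signatures are ZIP entries under META-INF, which is all `jarsigner` and `keytool` inspect, while v2/v3 signatures sit in the APK Signing Block just before the ZIP central directory. This Python sketch reports which schemes are present in a file; it does not verify anything (that remains `apksigner`'s job), and `constructed_sample` is a hypothetical helper that builds dummy input.

```python
import io, struct, sys, zipfile

MAGIC = b"APK Sig Block 42"                      # last 16 bytes of the APK Signing Block
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}

def signing_schemes(apk: bytes) -> dict:
    """Report which signature schemes are present. Presence only, nothing is verified."""
    found = {"v1": False, "v2": False, "v3": False}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        # v1 (JAR signing) is stored as ZIP entries, the only place jarsigner/keytool look.
        found["v1"] = any(n.upper().startswith("META-INF/") and
                          n.upper().endswith((".RSA", ".DSA", ".EC")) for n in z.namelist())
    eocd = apk.rfind(b"PK\x05\x06")              # End of Central Directory record
    cd_off = struct.unpack_from("<I", apk, eocd + 16)[0]
    # v2/v3 are stored outside any ZIP entry, in a block just before the central directory.
    if cd_off < 32 or apk[cd_off - 16:cd_off] != MAGIC:
        return found
    size = struct.unpack_from("<Q", apk, cd_off - 24)[0]
    pos, end = cd_off - size, cd_off - 24        # span of the length-prefixed ID-value pairs
    while 0 <= pos and pos + 12 <= end:
        length, scheme_id = struct.unpack_from("<QI", apk, pos)
        if scheme_id in SCHEME_IDS:
            found[SCHEME_IDS[scheme_id]] = True
        pos += 8 + length
    return found

def constructed_sample(v1: bool = False, v2: bool = False) -> bytes:
    """Constructed input: a tiny ZIP with dummy (cryptographically invalid) signature data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"constructed")
        if v1:
            z.writestr("META-INF/CERT.RSA", b"constructed")
    raw = buf.getvalue()
    if not v2:
        return raw
    eocd = raw.rfind(b"PK\x05\x06")
    cd_off = struct.unpack_from("<I", raw, eocd + 16)[0]
    pair = struct.pack("<QI", 12, 0x7109871A) + b"\0" * 8
    size = struct.pack("<Q", len(pair) + 24)
    block = size + pair + size + MAGIC
    out = bytearray(raw[:cd_off] + block + raw[cd_off:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_off + len(block))
    return bytes(out)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample(v2=True)
    print(signing_schemes(data))
```

A file that reports only `v2` here is the case from the comment above: `jarsigner` finds no manifest and calls it unsigned, while `apksigner verify` is the tool that actually checks the signature.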
@basilgello

You can try uber-apk-signer with custom keystore

uazo commented Nov 2, 2023

APKs are automatically signed by the build process, whereas for AABs it has to be done.

@uazo uazo closed this as completed Nov 2, 2023