Game changer in my #mobile #coding was when I figured out that I don't need #androidstudio to compile and sign #apk!
Just the plain Java Development Kit, Android SDK and platform tools, #gradle and #apksigner.

Btw, I use #ionic with #vue to make mobile apps.

#apksigner v35.0.2 is now in #Debian trixie. The v3.1 signer rotation stuff needs testing. Please try it out!

Getting apksigner from Debian has two key advantages over the Google binaries:

* They are reproducibly built.
* They have an actual free software license.

So what is the Android team's intention? Should v3.1-only APKs be considered valid, or not? My guess is they should not be considered valid, since the Android team has explicitly marked that kind of signature as invalid since apksigner v30.0.0 (besides v33). Are there any plans to unify the code that verifies APK signatures?

#Android #AndroidSDK #APK #apksigner

2/2

Interesting bug in #apksigner reported to @fdroidorg: an APK with only a v3.1 signature was only considered valid by v33. <33 error out with "APK Signature Scheme v2 signature 0 indicates the APK is signed using APK Signature Scheme v3 but no such signature was found." >33 error out with "The APK contains a v3.1 signing block without a v3.0 base block". Android uses its own verify code and treats it as valid. https://gitlab.com/fdroid/fdroidserver/-/issues/1253

#AndroidSDK #APK

1/2

apksigner v33.0.x falsely verifies invalid APK which leads to wrong cert extracted for AllowedAPKSigningKeys (#1253) · Issues · F-Droid / fdroidserver · GitLab

With a specific configuration of fdroidserver and a specifically crafted APK, it is possible to bypass AllowedAPKSigningKeys. I could install the poc-v6.apk in an SDK-34...

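A structural check for the case this thread describes, written as an added example and not taken from fdroidserver or apksigner: it locates the APK Signing Block through the ZIP end-of-central-directory record, lists which scheme blocks are present, and flags a v3.1 block that has no v3.0 base block. It does not verify any signature, only the block layout. The block IDs are the ones Android's apksig library uses (an assumption stated in the comments); the sample APK is constructed and not installable.

```python
import struct

# Block IDs as used by Android's apksig library (taken from its source, not from this thread).
V2_BLOCK_ID = 0x7109871A   # APK Signature Scheme v2
V3_BLOCK_ID = 0xF05368C0   # APK Signature Scheme v3 (the "v3.0 base block")
V31_BLOCK_ID = 0x1B93AD61  # APK Signature Scheme v3.1 (rotation targeting newer SDKs)
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = b"PK\x05\x06"

def find_signing_block_pairs(apk: bytes) -> bytes:
    """Return the id-value pair region of the APK Signing Block.
    Layout: uint64 size | id-value pairs | uint64 size | 16-byte magic, placed right
    before the ZIP central directory, whose offset the EOCD record gives."""
    eocd_at = apk.rfind(EOCD_SIGNATURE)
    if eocd_at < 0:
        raise ValueError("no End of Central Directory record")
    cd_offset = struct.unpack_from("<I", apk, eocd_at + 16)[0]
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block before the central directory")
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    block_start = cd_offset - size - 8
    if block_start < 0 or struct.unpack_from("<Q", apk, block_start)[0] != size:
        raise ValueError("size fields of the APK Signing Block disagree")
    return apk[block_start + 8:cd_offset - 24]

def signing_block_ids(apk: bytes) -> list:
    """List the block IDs present, in file order (values are not parsed or verified)."""
    pairs, ids, pos = find_signing_block_pairs(apk), [], 0
    while pos + 12 <= len(pairs):
        length, block_id = struct.unpack_from("<QI", pairs, pos)
        ids.append(block_id)
        pos += 8 + length
    return ids

def scheme_check(ids) -> str:
    """Flag the structure the thread describes: a v3.1 block needs a v3.0 base block."""
    if V31_BLOCK_ID in ids and V3_BLOCK_ID not in ids:
        return "reject: v3.1 block without v3.0 base block"
    if V3_BLOCK_ID in ids or V2_BLOCK_ID in ids:
        return "ok: v2/v3 block present"
    return "reject: no v2 or v3 signing block"

def build_fake_apk(block_ids) -> bytes:
    """Constructed test input only: empty-valued blocks, empty central directory, EOCD."""
    pairs = b"".join(struct.pack("<QI", 4, bid) for bid in block_ids)
    size = len(pairs) + 24  # everything after the first size field
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd = EOCD_SIGNATURE + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, len(block), 0)
    return block + eocd
```

Run it on a real APK with `scheme_check(signing_block_ids(open(path, "rb").read()))`; a "reject" result here is a reason to look closer, never a substitute for a full `apksigner verify`.
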
Don't get me wrong, I love #apksigner for signing and verifying. It is a vast improvement over jarsigner, etc. And @fdroidorg relies on it. Passing apksigner should remain a requirement for any APK published on f-droid.org. As things stand now, I would be staunchly opposed to removing `apksigner verify` checks for f-droid.org. I also recommend that all repos require apksigner. 3/3
I'm sometimes asked why #fdroidserver implements some things in #Python rather than scraping #apksigner output. Reliably and securely parsing CLI output over the long term is really hard to get right, because deployed fdroidserver code has to be future-proof, in that it has to support newer apksigner versions that might have changed its output. 1/3