jarsigner: allow weak signatures
openjdk-11 11.0.17 in Debian unstable fails to verify weak signatures:
jarsigner -verbose -strict -verify tests/signindex/guardianproject.jar
131 Fri Dec 02 20:10:00 CET 2016 META-INF/MANIFEST.MF
252 Fri Dec 02 20:10:04 CET 2016 META-INF/1.SF
2299 Fri Dec 02 20:10:04 CET 2016 META-INF/1.RSA
0 Fri Dec 02 20:09:58 CET 2016 META-INF/
m ? 48743 Fri Dec 02 20:09:58 CET 2016 index.xml
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
? = unsigned entry
- Signed by "EMAILADDRESS=root@guardianproject.info, CN=guardianproject.info, O=Guardian Project, OU=FDroid Repo, L=New York, ST=New York, C=US"
Digest algorithm: SHA1 (disabled)
Signature algorithm: SHA1withRSA (disabled), 4096-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01, include jdk.disabled.namedCurves
This commit is contained in:
parent
d4b6e95c4e
commit
1bb963d768
5 changed files with 64 additions and 84 deletions
|
|
@ -39,7 +39,8 @@ import fdroidserver.signindex
|
|||
import fdroidserver.common
|
||||
import fdroidserver.metadata
|
||||
from testcommon import TmpCwd
|
||||
from fdroidserver.exception import FDroidException, VCSException, MetaDataException
|
||||
from fdroidserver.exception import FDroidException, VCSException,\
|
||||
MetaDataException, VerificationException
|
||||
|
||||
|
||||
class CommonTest(unittest.TestCase):
|
||||
|
|
@ -484,34 +485,33 @@ class CommonTest(unittest.TestCase):
|
|||
config['jarsigner'] = fdroidserver.common.find_sdk_tools_cmd('jarsigner')
|
||||
fdroidserver.common.config = config
|
||||
|
||||
self.assertTrue(fdroidserver.common.verify_old_apk_signature('bad-unicode-πÇÇ现代通用字-български-عربي1.apk'))
|
||||
self.assertTrue(fdroidserver.common.verify_old_apk_signature('org.bitbucket.tickytacky.mirrormirror_1.apk'))
|
||||
self.assertTrue(fdroidserver.common.verify_old_apk_signature('org.bitbucket.tickytacky.mirrormirror_2.apk'))
|
||||
self.assertTrue(fdroidserver.common.verify_old_apk_signature('org.bitbucket.tickytacky.mirrormirror_3.apk'))
|
||||
self.assertTrue(fdroidserver.common.verify_old_apk_signature('org.bitbucket.tickytacky.mirrormirror_4.apk'))
|
||||
self.assertTrue(fdroidserver.common.verify_old_apk_signature('org.dyndns.fules.ck_20.apk'))
|
||||
self.assertTrue(fdroidserver.common.verify_old_apk_signature('urzip.apk'))
|
||||
self.assertFalse(fdroidserver.common.verify_old_apk_signature('urzip-badcert.apk'))
|
||||
self.assertFalse(fdroidserver.common.verify_old_apk_signature('urzip-badsig.apk'))
|
||||
self.assertTrue(fdroidserver.common.verify_old_apk_signature('urzip-release.apk'))
|
||||
self.assertFalse(fdroidserver.common.verify_old_apk_signature('urzip-release-unsigned.apk'))
|
||||
try:
|
||||
fdroidserver.common.verify_deprecated_jar_signature('bad-unicode-πÇÇ现代通用字-български-عربي1.apk')
|
||||
fdroidserver.common.verify_deprecated_jar_signature('org.bitbucket.tickytacky.mirrormirror_1.apk')
|
||||
fdroidserver.common.verify_deprecated_jar_signature('org.bitbucket.tickytacky.mirrormirror_2.apk')
|
||||
fdroidserver.common.verify_deprecated_jar_signature('org.bitbucket.tickytacky.mirrormirror_3.apk')
|
||||
fdroidserver.common.verify_deprecated_jar_signature('org.bitbucket.tickytacky.mirrormirror_4.apk')
|
||||
fdroidserver.common.verify_deprecated_jar_signature('org.dyndns.fules.ck_20.apk')
|
||||
fdroidserver.common.verify_deprecated_jar_signature('urzip.apk')
|
||||
fdroidserver.common.verify_deprecated_jar_signature('urzip-release.apk')
|
||||
except VerificationException:
|
||||
self.fail("failed to jarsigner failed to verify an old apk")
|
||||
self.assertRaises(VerificationException, fdroidserver.common.verify_deprecated_jar_signature, 'urzip-badcert.apk')
|
||||
self.assertRaises(VerificationException, fdroidserver.common.verify_deprecated_jar_signature, 'urzip-badsig.apk')
|
||||
self.assertRaises(VerificationException, fdroidserver.common.verify_deprecated_jar_signature, 'urzip-release-unsigned.apk')
|
||||
|
||||
def test_verify_jar_signature_succeeds(self):
|
||||
config = fdroidserver.common.read_config(fdroidserver.common.options)
|
||||
fdroidserver.common.config = config
|
||||
source_dir = os.path.join(self.basedir, 'signindex')
|
||||
for f in ('testy.jar', 'guardianproject.jar'):
|
||||
testfile = os.path.join(source_dir, f)
|
||||
fdroidserver.common.verify_jar_signature(testfile)
|
||||
|
||||
def test_verify_jar_signature_fails(self):
|
||||
def test_verify_deprecated_jar_signature(self):
|
||||
config = fdroidserver.common.read_config(fdroidserver.common.options)
|
||||
config['jarsigner'] = fdroidserver.common.find_sdk_tools_cmd('jarsigner')
|
||||
fdroidserver.common.config = config
|
||||
source_dir = os.path.join(self.basedir, 'signindex')
|
||||
for f in ('testy.jar', 'guardianproject.jar'):
|
||||
testfile = os.path.join(source_dir, f)
|
||||
fdroidserver.common.verify_deprecated_jar_signature(testfile)
|
||||
|
||||
testfile = os.path.join(source_dir, 'unsigned.jar')
|
||||
with self.assertRaises(fdroidserver.index.VerificationException):
|
||||
fdroidserver.common.verify_jar_signature(testfile)
|
||||
fdroidserver.common.verify_deprecated_jar_signature(testfile)
|
||||
|
||||
def test_verify_apks(self):
|
||||
config = fdroidserver.common.read_config(fdroidserver.common.options)
|
||||
|
|
|
|||
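Review bot: The failure message in the new `except VerificationException:` branch of the second hunk, `self.fail("failed to jarsigner failed to verify an old apk")`, is garbled and is the only thing a CI log will show when one of the eight deprecated-signature calls raises; suggest `self.fail("jarsigner failed to verify an old apk")`. Because one `try` wraps all eight `verify_deprecated_jar_signature` calls, that message also cannot say which fixture failed, so looping over the file names and putting the name into the message would point straight at the offending apk (the positive and negative fixtures, including `urzip-badcert.apk`, `urzip-badsig.apk` and `urzip-release-unsigned.apk`, are otherwise covered as before). In the same hunk `test_verify_deprecated_jar_signature` asserts `fdroidserver.index.VerificationException` while the first hunk now imports `VerificationException` from `fdroidserver.exception`; if those resolve to the same class, `with self.assertRaises(VerificationException):` keeps the two tests consistent. The test method that the first part of this hunk edits starts outside the hunk, and the `with` block at its end continues past it.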