use apksigner to sign index-v2 with modern, supported algorithms

The current signing method uses apksigner to sign the JAR so that it will automatically select algorithms that are compatible with Android SDK 23, which added the most recent algorithms: https://developer.android.com/reference/java/security/Signature This signing method uses then inherits the default signing algothim settings, since Java and Android both maintain those. That helps avoid a repeat of being stuck on an old signing algorithm. That means specifically that this call to apksigner does not specify any of the algorithms. The old indexes must be signed by SHA1withRSA otherwise they will no longer be compatible with old Androids. apksigner 30.0.0+ is available in Debian/bullseye, Debian/buster-backports, Ubuntu 21.10, and Ubuntu 20.04 from the fdroid PPA. Here's a quick way to test: for f in `ls -1 /opt/android-sdk/build-tools/*/apksigner | sort ` /usr/bin/apksigner; do printf "$f : "; $f sign --v4-signing-enabled false; done closes #1005
2025-11-10 01:00:29 +03:00 · 2022-05-23 23:08:16 +02:00 · 2022-05-23 23:08:16 +02:00 · 3182b77d18
commit 3182b77d18
parent 07a6ad6c1e
6 changed files with 158 additions and 46 deletions
--- a/tests/common.TestCase
+++ b/tests/common.TestCase
@ -450,7 +450,7 @@ class CommonTest(unittest.TestCase):
            sourcefile = os.path.join(sourcedir, f)
            testfile = os.path.join(testsdir, f)
            shutil.copy(sourcefile, testsdir)
-            fdroidserver.signindex.sign_jar(testfile)
+            fdroidserver.signindex.sign_jar(testfile, use_old_algs=True)
            # these should be resigned, and therefore different
            self.assertNotEqual(
                open(sourcefile, 'rb').read(), open(testfile, 'rb').read()
@ -872,6 +872,9 @@ class CommonTest(unittest.TestCase):
        self.assertFalse(os.path.isfile(unsigned))
        self.assertTrue(fdroidserver.common.verify_apk_signature(signed))

+    @unittest.skipUnless(
+        os.path.exists('tests/SystemWebView-repack.apk'), "file too big for sdist"
+    )
    def test_resign_apk(self):
        """When using apksigner, it should resign signed APKs"""
        config = fdroidserver.common.read_config(fdroidserver.common.options)
@ -2455,8 +2458,42 @@ class CommonTest(unittest.TestCase):
                self.assertTrue(os.path.exists(f), f + ' was created')
                self.assertFalse(is_repo_file(f), f + ' not repo file')

+    def test_get_apksigner_smartcardoptions(self):
+        testdir = tempfile.mkdtemp(
+            prefix=inspect.currentframe().f_code.co_name, dir=self.tmpdir
+        )
+        os.chdir(testdir)
+        with open('config.yml', 'w') as fp:
+            d = {
+                'smartcardoptions': '-storetype PKCS11'
+                ' -providerName SunPKCS11-OpenSC'
+                ' -providerClass sun.security.pkcs11.SunPKCS11'
+                ' -providerArg opensc-fdroid.cfg'
+            }
+            yaml.dump(d, fp)
+        config = fdroidserver.common.read_config()
+        fdroidserver.common.config = config
+        self.assertTrue(isinstance(d['smartcardoptions'], str))
+        self.assertTrue(isinstance(config['smartcardoptions'], list))
+        self.assertEqual(
+            [
+                '--ks-type',
+                'PKCS11',
+                '--provider-class',
+                'sun.security.pkcs11.SunPKCS11',
+                '--provider-arg',
+                'opensc-fdroid.cfg',
+            ],
+            fdroidserver.common.get_apksigner_smartcardoptions(
+                config['smartcardoptions']
+            ),
+        )
+
    def test_get_smartcardoptions_list(self):
-        os.chdir(self.tmpdir)
+        testdir = tempfile.mkdtemp(
+            prefix=inspect.currentframe().f_code.co_name, dir=self.tmpdir
+        )
+        os.chdir(testdir)
        with open('config.yml', 'w') as fp:
            fp.write(
                textwrap.dedent(
@ -2491,7 +2528,10 @@ class CommonTest(unittest.TestCase):
        )

    def test_get_smartcardoptions_spaces(self):
-        os.chdir(self.tmpdir)
+        testdir = tempfile.mkdtemp(
+            prefix=inspect.currentframe().f_code.co_name, dir=self.tmpdir
+        )
+        os.chdir(testdir)
        with open('config.yml', 'w') as fp:
            fp.write(
                textwrap.dedent(
@ -2519,7 +2559,10 @@ class CommonTest(unittest.TestCase):
        )

    def test_get_smartcardoptions_config_py(self):
-        os.chdir(self.tmpdir)
+        testdir = tempfile.mkdtemp(
+            prefix=inspect.currentframe().f_code.co_name, dir=self.tmpdir
+        )
+        os.chdir(testdir)
        with open('config.py', 'w') as fp:
            fp.write(
                textwrap.dedent(