Add method for downloading (and verifying) a repository index

It also includes test cases covering the new code.
This commit is contained in:
Torsten Grote 2017-03-29 18:33:09 -03:00
parent d8ad1c78c2
commit a23da47118
No known key found for this signature in database
GPG key ID: 3E5F77D92CF891FF
5 changed files with 197 additions and 7 deletions


@ -46,6 +46,9 @@ import fdroidserver.metadata
from .asynchronousfilereader import AsynchronousFileReader
# A signature block file with a .DSA, .RSA, or .EC extension
CERT_PATH_REGEX = re.compile(r'^META-INF/.*\.(DSA|EC|RSA)$')
XMLElementTree.register_namespace('android', 'http://schemas.android.com/apk/res/android')
config = None
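Review bot: `CERT_PATH_REGEX` on the new line `CERT_PATH_REGEX = re.compile(r'^META-INF/.*\.(DSA|EC|RSA)$')` uses `.*`, which also matches entries in subdirectories such as `META-INF/sub/x.RSA`, whereas JAR signature block files are only recognised directly under `META-INF/`; the comment above it says it is meant to identify signature block files, so `^META-INF/[^/]+\.(DSA|EC|RSA)$` matches that intent more tightly. How the pattern is consumed is not visible in this hunk, so if it is only used to pick candidates that are then verified by a signing tool the looser match is harmless, but if it is used to decide that an archive is "signed" the mismatch matters. Whether lower-case extensions need to be accepted depends on the same caller and is presumably worth a note, e.g. `# only top-level META-INF entries are honoured by jarsigner/apksigner`.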
@ -2027,16 +2030,21 @@ def verify_apks(signed_apk, unsigned_apk, tmp_dir):
return None
def verify_apk_signature(apk):
def verify_apk_signature(apk, jar=False):
"""verify the signature on an APK
Try to use apksigner whenever possible since jarsigner is very
shitty: unsigned APKs pass as "verified"! So this has to turn on
-strict then check for result 4.
You can set :param: jar to True if you want to use this method
to verify jar signatures.
"""
if set_command_in_config('apksigner'):
return subprocess.call([config['apksigner'], 'verify', apk]) == 0
args = [config['apksigner'], 'verify']
if jar:
args += ['--min-sdk-version=1']
return subprocess.call(args + [apk]) == 0
else:
logging.warning("Using Java's jarsigner, not recommended for verifying APKs! Use apksigner")
return subprocess.call([config['jarsigner'], '-strict', '-verify', apk]) == 4
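Review bot: Passing `--min-sdk-version=1` when `jar=True` (`args += ['--min-sdk-version=1']`) asks apksigner to accept whatever signature and digest algorithms were valid on the oldest platform, so a repository index signed with an algorithm that a normal APK check would reject presumably still comes back as verified; if the index is only ever signed with current algorithms, a higher floor, or at least a comment stating why 1 is required, would make the trade-off explicit. The function also only reports that the file carries some valid signature, so a caller using it to verify a downloaded index must still compare the signing certificate's fingerprint with the expected repository key — that may happen in the other changed files, which are not shown here. The jarsigner fallback ignores `jar` entirely and keeps the pre-existing `== 4` check, so a jar verified through that path is not held to the same rules as the apksigner path. The docstring's `:param: jar` is not valid reST; `:param jar: set True to verify a plain jar (e.g. a repo index) rather than an APK` would render correctly.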