update: allow deprecated signatures only in the archive

In April 2017, Oracle's jarsigner and Google's apksigner both switched to considering any APK signature that uses MD5 as unsigned. Any old build is likely to have a MD5 signature. This sets up the archive as the only place where these "disabled algorithms" are allowed in the repo, and marks any APK signed by a "disabled algorithm" as having a "known vulnerability" This also now automatically moves APKs with invalid signatures to the archive section. #323
2025-10-08 18:31:07 +03:00 · 2017-06-27 09:54:35 +02:00 · 2017-06-27 09:54:35 +02:00 · b7260ea854
commit b7260ea854
parent 0047f19d56
2 changed files with 31 additions and 2 deletions
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@ -1184,9 +1184,18 @@ def scan_apk(apkcache, apkfilename, repodir, knownapks, use_date_from_apk):
            apk['srcname'] = srcfilename
        apk['size'] = os.path.getsize(apkfile)

-        # verify the jar signature is correct
+        # verify the jar signature is correct, allow deprecated
+        # algorithms only if the APK is in the archive.
        if not common.verify_apk_signature(apkfile):
-            return True, None, False
+            if repodir == 'archive':
+                if common.verify_old_apk_signature(apkfile):
+                    apk['antiFeatures'].add('KnownVuln')
+                else:
+                    return True, None, False
+            else:
+                logging.warning('Archiving "' + apkfilename + '" with invalid signature!')
+                move_apk_between_sections('repo', 'archive', apk)
+                return True, None, False

        if has_known_vulnerability(apkfile):
            apk['antiFeatures'].add('KnownVuln')