move apk signature verification into getsig() function

This makes the python replacement behave like an all-in-one replacement for getsig.java. fixes #5 https://gitlab.com/fdroid/fdroidserver/issues/5
2025-11-04 14:30:30 +03:00 · 2014-08-30 00:45:12 -04:00 · 2014-08-30 00:45:12 -04:00 · d74235564f
commit d74235564f
parent 6e2d0a9e1e
1 changed files with 7 additions and 10 deletions
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@ -342,6 +342,13 @@ def getsig(apkpath):

    cert = None

+    # verify the jar signature is correct
+    args = ['jarsigner', '-verify', apkpath]
+    p = FDroidPopen(args)
+    if p.returncode != 0:
+        logging.critical(apkpath + " has a bad signature!")
+        return None
+
    with zipfile.ZipFile(apkpath, 'r') as apk:

        certs = [n for n in apk.namelist() if cert_path_regex.match(n)]
@ -516,16 +523,6 @@ def scan_apks(apps, apkcache, repodir, knownapks):
                    sha.update(t)
                thisinfo['sha256'] = sha.hexdigest()

-            # verify the jar signature is correct
-            args = ['jarsigner', '-verify']
-            if options.verbose:
-                args += ['-verbose', '-certs']
-            args += apkfile
-            p = FDroidPopen(args)
-            if p.returncode != 0:
-                logging.critical(apkfile + " has a bad signature!")
-                sys.exit(1)
-
            # Get the signature (or md5 of, to be precise)...
            thisinfo['sig'] = getsig(os.path.join(os.getcwd(), apkfile))
            if not thisinfo['sig']: