| 22 Sep 2020 |
 cdesai | And https://android.googlesource.com/platform/tools/apksig/+/refs/heads/master/src/main/java/com/android/apksig/internal/zip/ | 09:49:18 |
 mimi89999 | That's much more complicated than I thought. | 09:57:37 |
| mimi89999 | Does not verify | 10:02:14 |
| mimi89999 | But apksigner might have aligned and reordered my zip. | 10:03:20 |
 _hc | there are two ordered places in a ZIP: the file entries in the ZIP header and the actual data. The ZIP header can be rewritten easily. The actual data basically needs to be reconstructed from scratch to reorder it | 10:19:49 |
| _hc | mimi89999: have you looked at any of the Python libs that do JAR signing? It might be helpful | 10:21:01 |
| _hc | there are also some relevant issues: https://gitlab.com/fdroid/fdroidserver/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=apksig | 10:23:51 |
 wb9688 | mimi89999: Once you have something working that I could test, please ping me | 10:24:33 |
| mimi89999 | There is that code under the MR | 10:25:04 |
| _hc | also, I think androguard has some code to parse APK sigs | 10:25:34 |
| mimi89999 | https://gitlab.com/fdroid/fdroidserver/-/issues/551 | 10:26:16 |
| mimi89999 | https://gitlab.com/fdroid/fdroidserver/-/issues/404 | 10:26:22 |
| mimi89999 | > there isn't really a clear standard for the file order in APKs | 10:26:50 |
| mimi89999 | Hmm | 10:26:52 |
| mimi89999 | AndroidManifest.xml | 10:27:27 |
| _hc | I guess the standard would be what the latest Android SDK tools do | 10:27:31 |
| mimi89999 | Always got that one first | 10:27:34 |
| mimi89999 | The code is huge and I can't find what I'm searching form | 10:29:15 |
| cdesai | you can use https://cs.android.com/android/platform/superproject/+/master:tools/apksig/ for AOSP | 10:37:52 |
| mimi89999 | The signer seems to add the `META-INF/CERT.SF`, `META-INF/CERT.RSA` and `META-INF/MANIFEST.MF` files at the end. | 10:49:12 |
| mimi89999 | That would make sense. It makes it easy to append them to the zip and might make it easier to read them. | 10:49:46 |
| mimi89999 | What was the URL of F-Droid reproducible builds? | 10:55:56 |
| _hc | there is a page in the docs? | 11:21:17 |
| mimi89999 | https://cs.android.com/android/platform/superproject/+/master:tools/apksig/src/main/java/com/android/apksig/internal/apk/v1/V1SchemeSigner.java?q=MANIFEST_ENTRY_NAME&ss=android%2Fplatform%2Fsuperproject:tools%2Fapksig%2F | 11:28:32 |
| mimi89999 | There is this. I will order the files in the same way | 11:28:46 |
| _hc | mimi89999: one tricky bit is that Java JAR format says that META-INF/MANIFEST.MF should be first https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8031748 | 11:38:07 |
| _hc | so APKs signed by jarsigner will likely have that order | 11:38:20 |
| mimi89999 | But apksigner puts that last | 11:52:54 |
| _hc | yeah so for APKs with v2/v3 it should follow apksigner, for v1 only, it might need to follow Java JAR. Or I guess it could follow apksigner for all those cases | 12:08:31 |
| wb9688 | _hc: What about v1+v2? | 12:13:38 |
