7 Apr 2021 |
_hc | or really, that should be the source of that anti-feature | 21:03:19 |
_hc | DisabledAlgorithm | 21:03:32 |
_hc | there are some test cases around that | 21:03:43 |
jochensp | but they don't have an MD5, as far as I can see | 21:05:10 |
jochensp | (and they should not as they were signed with apksigner, last month) | 21:05:34 |
_hc | it has some other error, see man jarsigner | 21:07:45 |
_hc | the exit code is 130 | 21:07:50 |
_hc | there is the section "SEVERE WARNINGS" | 21:08:01 |
_hc | oh weird, it seems to have corrected itself to exit code 4 | 21:08:58 |
_hc | jarsigner -verify -strict -verbose de.chagemann.regexcrossword_26.apk gives me 4 on my machine... | 21:10:24 |
jochensp | yeah, but do we care or do we rather use apksigner? | 21:11:28 |
_hc | well we did care once upon a time | 21:13:29 |
_hc | I think it still makes sense | 21:13:59 |
_hc | but I don't know the whole picture | 21:14:06 |
jochensp | but that sounds like the build server is using jarsigner for verification, still | 21:14:47 |
jochensp | maybe because verification is done on a different system? | 21:15:27 |
_hc | ah right could be | 21:19:43 |
_hc | but for me, both jarsigner and apksigner verified de.chagemann.regexcrossword_26.apk | 21:20:23 |
jochensp | how did you call jarsigner? | 21:21:45 |
_hc | the update server has apksigner: https://f-droid.org/repo/status/update.json | 21:21:56 |
_hc | and jarsigner and is running buster like me | 21:22:19 |
_hc | jarsigner -verify -strict -verbose de.chagemann.regexcrossword_25.apk | 21:22:30 |
_hc | which should produce exit value 4 | 21:22:36 |
_hc | since APKs don't use CAs | 21:22:45 |
_hc | certificate authorities | 21:22:57 |
jochensp | yeah, it does | 21:23:06 |
jochensp | but why would the buildserver tag them as KnownVuln, DisabledAlgorithm then? | 21:23:47 |
jochensp | hm.. maybe we don't delete them again? | 21:30:23 |
_hc | try this: | 21:37:39 |
_hc | mkdir /tmp/fdroid | 21:37:42 |