20 Apr 2021 |
jochensp | _hc: there are a number of tracebacks in the issuebot run, are you aware of that? | 17:55:42 |
_hc | jochensp: as far as I can tell, they were there before, but now they are exposed, since it shows the whole traceback | 18:03:12 |
_hc | izzy: seems like issuebot didn't find an APK | 18:04:25 |
_hc | also, that the fdroid build failure is from the fdroid build --scan-binary . issuebot doesn't have that (yet?) | 18:05:59 |
jochensp | _hc: but: ✓ Built build/app/outputs/flutter-apk/app-release.apk (35.3MB). | 18:07:53 |
_hc | I have some sketches for issuebot modules that do what fdroid build --scan-binary does, but more reliably. they use gradle to run the build, and output which libs are used. I can send them to anyone who'd like to work on them | 18:10:19 |
izzy | _hc <seems like _issuebot_ didn't find an APK> then my bot would have produced an empty report. But it explicitly wrote it found no libs, so it must have had an APK to scan. | 18:58:15 |
izzy | Let me quote: "<h3>APK library scanner</h3> <details>\n <summary>unsigned/com.hanntech.free2pass_8.apk</summary>\n No offending libs found.\n</details>\n" - so it had some "unsigned/com.hanntech.free2pass_8.apk" which then didn't make it to the artifacts. | 18:59:57 |
izzy | And that confuses me. | 19:01:05 |
@obfusk:matrix.org | In reply to @eighthave:matrix.org a v4 sig is functionally the same as v2/v3 and a PGP detached sig, so if we can get APKs to pass v2/v3, then the associated v4 sig file will also work yes. I hadn't looked at all the details yet so wasn't sure if there was more to it, but v4 seems to be an optional detached .apk.idsig signature file (and still requires a v1/v2/v3 signature as well). so it should work, as you said :)
I don't think the version of apksigner in Debian supports v4 yet though, so I'd have to get a newer version to test.
though unless those signature files are also being distributed, being "supported" doesn't really mean anything in practice *yet* (even if it's true).
it does look like (newer versions of) adb will also validate them, so it's not just used for Play it seems. | 19:57:30 |
cdesai | apksigner has been generating those files here when signing chromium | 19:58:17 |
@obfusk:matrix.org | _hc: I finally managed to get one of my python-for-android apps to build identically on stretch and buster, so I'll probably have another RB test case soonish. | 20:00:03 |
@obfusk:matrix.org | In reply to @freenode_cdesai:matrix.org apksigner has been generating those files here when signing chromium I think the CI run for my MR to add signatures to one of my apps also generated one. | 20:01:34 |
@obfusk:matrix.org | according to https://source.android.com/security/apksigning/v4 v4 verification failures are more or less ignored though | 20:04:25 |
21 Apr 2021 |
izzy | _hc: again on the library scanner with above MR. I wonder what APK it eats there. When running it locally on the very same APK from artifacts, it reports "2 offenders". Running via the pipeline, it states "no offenders". I'm confused. Once you've merged my update, reportData will hopefully give more details. | 07:53:32 |
_hc | izzy: yeah, seems like there is a bug there. I'm currently deep in Tor work, so I be able to look at this for a while. please file issues against issuebot when you find things like that and ping me if you want me to respond sooner rather than later | 08:01:49 |
_hc | ๅนธ็ซ: cdesai I mostly mentioned v4 signatures because I thought people would ask, and it is easier to say "all signature types" rather than listing out the types | 08:02:35 |
_hc | v4 signatures are not relevant in F-Droid only Google Play AFAIK | 08:02:48 |
_hc | F-Droid already provides two signatures that are equivalent to the v4: gpg and the sha256 in the signed index | 08:03:21 |
izzy | Thanks _hc[m]! Maybe you could merge my latest MR? I cleaned up a little bit and now include full scan results with reportData, that might help me track things down. | 08:04:21 |
_hc | i'll look now | 08:04:32 |
izzy | Thanks! | 08:04:38 |
_hc | also, FYI, I'm ok with you self merging on the php stuff, and others with Developer access can merge | 08:05:25 |
jochensp | _hc: I can't merge MRs in the issuebot repo | 08:06:15 |
jochensp | (otherwise I would have don it) | 08:06:24 |
jochensp | *done | 08:06:27 |
_hc | oh? I thought you had Developer access in the group? | 08:06:40 |
jochensp | yes | 08:06:46 |
izzy | I don't have merge privileges at issuebot - but yeah, I'd be fine with self-merging things I feel confident with (which matches "the php stuff" here and not much more). I'd of course keep fingers off stuff I cannot confidently confirm ;) | 08:06:50 |