Skip to content
Snippets Groups Projects
New issue look: Off

include APK signatures in build metadata file

    • Closed Issue created by username-removed-24982 @eighthave

    In order to make a good workflow when including the developer's APK signature, the signature data itself should be included in the build entry of the app's metadata. The Binaries: entry requires that the file is posted somewhere public online, and if it disappears, the build cannot be reproduced again.

    • Provide tool to fetch signature from an existing, signed APK
    • Include it in each release's build entry
    • include only signature and manifest
      • how is manifest signed?
    • signing key can be part of app metadata, it should not change
    • SigningKeys: should allow string and list entries

    #153

    Designs

    Child items 0

    • No child items are currently open.

    Activity

    • username-removed-24982 added bazaar requires-client-changes labels

      added bazaar requires-client-changes labels

    • username-removed-24982 changed milestone to %0.8

      changed milestone to %0.8

    • username-removed-24982 assigned to @eighthave

      assigned to @eighthave

    • username-removed-24982
      username-removed-24982 @eighthave ·
      Author Owner

      Wow, YAML makes this really easy:

      import yaml

with open('CERT.RSA', 'rb') as fp:
  binary = fp.read()

output = dict()
output['SigningKey'] = binary
output['SigningKeys'] = [binary]
with open('output.yaml', 'w') as fp:
  yaml.dump(output, fp)

      generates:

      SigningKey:
- !!binary |
  MIIDBAYJKoZIhvcNAQcCoIIC9TCCAvECAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCAekw
  ggHlMIIBTqADAgECAgRPPYE1MA0GCSqGSIb3DQEBBQUAMDcxCzAJBgNVBAYTAlVTMRAwDgYDVQQK
  EwdBbmRyb2lkMRYwFAYDVQQDEw1BbmRyb2lkIERlYnVnMB4XDTEyMDIxNjIyMjAzN1oXDTQyMDIw
  ODIyMjAzN1owNzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0FuZHJvaWQxFjAUBgNVBAMTDUFuZHJv
  aWQgRGVidWcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANwClO0uyV4VIxMMVj9fyzx14noe
  tUmgP/sW6arDwPsoxs9bAHBgMrhum4zQFZueqau55Iyc4nF+1ovN51AaOfAxAv6rsTi3ctAuDxDk
  gHk5009USSMDA7zoIi9RhQhK70O4Ah+s7gCA/yURWzepyJIQ47Ng2J0gZe2iSX/MAi3NAgMBAAEw
  DQYJKoZIhvcNAQEFBQADgYEAKKv0yX3wNJfmRn/PcZ3Zh3cazuqovk80pQcry2eHhXwqL04dYjvh
  Ha3eVdclxi8csr3bGnTABWU/EmsTKz+ccYSdJ62tAD1mC6QPejP/2rjIUAVj4Kj57cILxGbhB+39
  JHSLYwSd/coo2xvMX4MInel6jVKNEww5Kf8DViqSfbQxgeQwgeECAQEwPzA3MQswCQYDVQQGEwJV
  UzEQMA4GA1UEChMHQW5kcm9pZDEWMBQGA1UEAxMNQW5kcm9pZCBEZWJ1ZwIETz2BNTAJBgUrDgMC
  GgUAMA0GCSqGSIb3DQEBAQUABIGATgszGqDxPGwnnfipenBzEF/6k2soJ4HaGsgQT+msBv36vUtL
  b/lErqqLpNN2hyhRr5YLBxuZ/aMc/r0g+eizj4uqgR2ZbN0Q2AxZ6cKnhfKv5bYIXQ7VAHWcvBa8
  2tkfxsFx4rgCvYt6yzKNRon1WYSuoqnwo5zQa/HH59N1Ezc=
      Edited by username-removed-24982
    • username-removed-24982
      username-removed-24982 @eighthave ·
      Author Owner

      It should probably store the original file names too, i.e.

      SigningKey:
  CERT.RSA: !!binary |
    MIIDBAYJKoZIhvcNAQcCoIIC9TCCAvECAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCAekw
    ggHlMIIBTqADAgECAgRPPYE1MA0GCSqGSIb3DQEBBQUAMDcxCzAJBgNVBAYTAlVTMRAwDgYDVQQK
    EwdBbmRyb2lkMRYwFAYDVQQDEw1BbmRyb2lkIERlYnVnMB4XDTEyMDIxNjIyMjAzN1oXDTQyMDIw
    ODIyMjAzN1owNzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0FuZHJvaWQxFjAUBgNVBAMTDUFuZHJv
    aWQgRGVidWcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANwClO0uyV4VIxMMVj9fyzx14noe
    tUmgP/sW6arDwPsoxs9bAHBgMrhum4zQFZueqau55Iyc4nF+1ovN51AaOfAxAv6rsTi3ctAuDxDk
    gHk5009USSMDA7zoIi9RhQhK70O4Ah+s7gCA/yURWzepyJIQ47Ng2J0gZe2iSX/MAi3NAgMBAAEw
    DQYJKoZIhvcNAQEFBQADgYEAKKv0yX3wNJfmRn/PcZ3Zh3cazuqovk80pQcry2eHhXwqL04dYjvh
    Ha3eVdclxi8csr3bGnTABWU/EmsTKz+ccYSdJ62tAD1mC6QPejP/2rjIUAVj4Kj57cILxGbhB+39
    JHSLYwSd/coo2xvMX4MInel6jVKNEww5Kf8DViqSfbQxgeQwgeECAQEwPzA3MQswCQYDVQQGEwJV
    UzEQMA4GA1UEChMHQW5kcm9pZDEWMBQGA1UEAxMNQW5kcm9pZCBEZWJ1ZwIETz2BNTAJBgUrDgMC
    GgUAMA0GCSqGSIb3DQEBAQUABIGATgszGqDxPGwnnfipenBzEF/6k2soJ4HaGsgQT+msBv36vUtL
    b/lErqqLpNN2hyhRr5YLBxuZ/aMc/r0g+eizj4uqgR2ZbN0Q2AxZ6cKnhfKv5bYIXQ7VAHWcvBa8
    2tkfxsFx4rgCvYt6yzKNRon1WYSuoqnwo5zQa/HH59N1Ezc=
builds:
  signature:
    CERT.SF: !!binary |
      MIIDBAYJKoZIhvcNAQcCoIIC9TCCAvECAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCAekw
      ggHlMIIBTqADAgECAgRPPYE1MA0GCSqGSIb3DQEBBQUAMDcxCzAJBgNVBAYTAlVTMRAwDgYDVQQK
      EwdBbmRyb2lkMRYwFAYDVQQDEw1BbmRyb2lkIERlYnVnMB4XDTEyMDIxNjIyMjAzN1oXDTQyMDIw
      ODIyMjAzN1owNzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0FuZHJvaWQxFjAUBgNVBAMTDUFuZHJv
      aWQgRGVidWcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANwClO0uyV4VIxMMVj9fyzx14noe
      tUmgP/sW6arDwPsoxs9bAHBgMrhum4zQFZueqau55Iyc4nF+1ovN51AaOfAxAv6rsTi3ctAuDxDk
      gHk5009USSMDA7zoIi9RhQhK70O4Ah+s7gCA/yURWzepyJIQ47Ng2J0gZe2iSX/MAi3NAgMBAAEw
      DQYJKoZIhvcNAQEFBQADgYEAKKv0yX3wNJfmRn/PcZ3Zh3cazuqovk80pQcry2eHhXwqL04dYjvh
      Ha3eVdclxi8csr3bGnTABWU/EmsTKz+ccYSdJ62tAD1mC6QPejP/2rjIUAVj4Kj57cILxGbhB+39
      JHSLYwSd/coo2xvMX4MInel6jVKNEww5Kf8DViqSfbQxgeQwgeECAQEwPzA3MQswCQYDVQQGEwJV
      UzEQMA4GA1UEChMHQW5kcm9pZDEWMBQGA1UEAxMNQW5kcm9pZCBEZWJ1ZwIETz2BNTAJBgUrDgMC
      GgUAMA0GCSqGSIb3DQEBAQUABIGATgszGqDxPGwnnfipenBzEF/6k2soJ4HaGsgQT+msBv36vUtL
      b/lErqqLpNN2hyhRr5YLBxuZ/aMc/r0g+eizj4uqgR2ZbN0Q2AxZ6cKnhfKv5bYIXQ7VAHWcvBa8
      2tkfxsFx4rgCvYt6yzKNRon1WYSuoqnwo5zQa/HH59N1Ezc=
    MANIFEST.MF: !!binary |
      MIIDBAYJKoZIhvcNAQcCoIIC9TCCAvECAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCAekw
      ggHlMIIBTqADAgECAgRPPYE1MA0GCSqGSIb3DQEBBQUAMDcxCzAJBgNVBAYTAlVTMRAwDgYDVQQK
      EwdBbmRyb2lkMRYwFAYDVQQDEw1BbmRyb2lkIERlYnVnMB4XDTEyMDIxNjIyMjAzN1oXDTQyMDIw
      ODIyMjAzN1owNzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0FuZHJvaWQxFjAUBgNVBAMTDUFuZHJv
      aWQgRGVidWcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANwClO0uyV4VIxMMVj9fyzx14noe
      tUmgP/sW6arDwPsoxs9bAHBgMrhum4zQFZueqau55Iyc4nF+1ovN51AaOfAxAv6rsTi3ctAuDxDk
      gHk5009USSMDA7zoIi9RhQhK70O4Ah+s7gCA/yURWzepyJIQ47Ng2J0gZe2iSX/MAi3NAgMBAAEw
      DQYJKoZIhvcNAQEFBQADgYEAKKv0yX3wNJfmRn/PcZ3Zh3cazuqovk80pQcry2eHhXwqL04dYjvh
      Ha3eVdclxi8csr3bGnTABWU/EmsTKz+ccYSdJ62tAD1mC6QPejP/2rjIUAVj4Kj57cILxGbhB+39
      JHSLYwSd/coo2xvMX4MInel6jVKNEww5Kf8DViqSfbQxgeQwgeECAQEwPzA3MQswCQYDVQQGEwJV
      UzEQMA4GA1UEChMHQW5kcm9pZDEWMBQGA1UEAxMNQW5kcm9pZCBEZWJ1ZwIETz2BNTAJBgUrDgMC
      GgUAMA0GCSqGSIb3DQEBAQUABIGATgszGqDxPGwnnfipenBzEF/6k2soJ4HaGsgQT+msBv36vUtL
      b/lErqqLpNN2hyhRr5YLBxuZ/aMc/r0g+eizj4uqgR2ZbN0Q2AxZ6cKnhfKv5bYIXQ7VAHWcvBa8
      2tkfxsFx4rgCvYt6yzKNRon1WYSuoqnwo5zQa/HH59N1Ezc=
  versionCode: 100
  versionName: '1.0'
      Edited by username-removed-24982
    • username-removed-24982
      username-removed-24982 @eighthave ·
      Author Owner

      Since those blocks are huge, there might need to be a file/dir structure, similar to the localized stuff:

      metadata/<packageName>/signatures/CERT.RSA
metadata/<packageName>/signatures/<versionCode>/CERT.SF
metadata/<packageName>/signatures/<versionCode>/MANIFEST.MF
      Edited by username-removed-24982
    • username-removed-24982
      username-removed-24982 @eighthave ·
      Author Owner

      one open question: is the signing certificate e.g. CERT.RSA always the exact same file in all released APKs of an app?

    • username-removed-24982 assigned to @uniqx

      assigned to @uniqx

    • username-removed-24982 mentioned in issue fdroidclient#831 (closed)

      mentioned in issue fdroidclient#831 (closed)

    • username-removed-24982 mentioned in issue fdroidclient#107 (closed)

      mentioned in issue fdroidclient#107 (closed)

    • username-removed-24982 mentioned in issue fdroidclient#740 (closed)

      mentioned in issue fdroidclient#740 (closed)

    • username-removed-24982
      username-removed-24982 @eighthave ·
      Author Owner

      The good news is I have signatures for 1231 APKs. The annoying bit is that the CERT.RSA file is not the same across APKs, even though it is supposed to be the signing certificate. So it'll have to be stored per-versionCode like the other signature files.

    • username-removed-24982 mentioned in merge request fdroiddata!2241

      mentioned in merge request fdroiddata!2241

    • username-removed-24982
      username-removed-24982 @eighthave ·
      Author Owner

      also, fdroid lint will need to be fixed to understand these new files: "Found non-file at metadata/org.dynalogin.android/signatures"

    • username-removed-972314 created branch 291-include-apk-signatures-in-build-metadata-file

      created branch 291-include-apk-signatures-in-build-metadata-file

    • username-removed-24982 added apksig label

      added apksig label

    • username-removed-972314 mentioned in merge request !287 (merged)

      mentioned in merge request !287 (merged)

    • username-removed-24982 changed milestone to %1.0

      changed milestone to %1.0

    • username-removed-972314 mentioned in merge request !327 (merged)

      mentioned in merge request !327 (merged)

    • username-removed-24982 closed via merge request !287 (merged)

      closed via merge request !287 (merged)

    Please register or sign in to reply