PhilippC / keepass2android

Password manager app for Android
https://play.google.com/store/apps/details?id=keepass2android.keepass2android
GNU General Public License v3.0
4.7k stars 378 forks

APK of v1.06 broken? #610

Open IzzySoft opened 5 years ago

IzzySoft commented 5 years ago

I get an error thrown when trying to integrate it with my repo:

DOES NOT VERIFY
ERROR: JAR signer KP2A.RSA: Failed to verify JAR signature META-INF/KP2A.RSA against META-INF/KP2A.SF: java.security.SignatureException: Algorithm constraints check failed on disabled algorithm: MD5.

Further, the package name is keepass2android.keepass2android, and no longer keepass2android.keepass2android_nonet, so it doesn't match. Could you please check?

PhilippC commented 5 years ago

Hi @IzzySoft, I tried to find out how to switch to SHA1 but without success so far. I have seen several projects where you raised this question - do you have any insight on how this can be done, especially using Xamarin?

Regarding the package name: This is the package for the regular release, not the "nonet" release. I am still testing the 1.06 package for nonet, so please wait for that to be published.

IzzySoft commented 5 years ago

My updater picked it automatically. So will the nonet version have "nonet" in its name? Then I can tell my updater to only pick that.

As for MD5: I've allowed MD5 in my repo (though it's deprecated). The error message doesn't complain about MD5 per se, but about the signature not verifying.

As I'm no dev, I've got no experience concerning this. AFAIK you can sign an APK more than once, e.g. adding the SHA1 "on top" of the MD5. Not sure if then, after a couple of versions, you could drop the MD5 …

PhilippC commented 5 years ago

I will try to follow the same naming scheme as in the previous nonet release: https://github.com/PhilippC/keepass2android/releases/tag/1.05d-nonet The tag contains "nonet", the title contains "Offline".

I hope the signature verification will work then. Google Play did accept the 1.06f (regular) release. Let me close this for now. Please reopen if the nonet release fails.

IzzySoft commented 5 years ago

Thanks. I'm matching on the file name, which contains _nonet.

Unfortunately, I again get

DOES NOT VERIFY
ERROR: JAR signer KP2A.RSA: Failed to verify JAR signature META-INF/KP2A.RSA against META-INF/KP2A.SF: java.security.SignatureException: Algorithm constraints check failed on disabled algorithm: MD5.

Strange thing is the APK was accepted nevertheless (so the new version should pop up in my repo this evening). So maybe that just means it doesn't like MD5; but I have several other apps in my repo with MD5 and don't remember having seen this error within the last year …

Please reopen if the nonet release fails.

I can't (no reopen button) – but then, it didn't really fail. Though the output suggests an ERROR, it was dealt with like a WARNING :confused:
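The verifier output quoted in this thread comes from jarsigner, whose signature check rejects digest and signature algorithms listed in the JDK's jdk.jar.disabledAlgorithms security property (MD5 is on that list in current JDKs). The following script is an added example for auditing which digest algorithms an APK's v1 (JAR) signature relies on; it is not part of the keepass2android project or of the tooling the posters used. It reads the META-INF/MANIFEST.MF and *.SF headers and scans the *.RSA/*.DSA/*.EC signature block for the DER-encoded digest OIDs. The build_sample_apk helper, the KP2A.SF/KP2A.RSA entry names reused from the thread, and the placeholder signature block bytes are all constructed here so the example runs offline; the sample .RSA is not a real PKCS#7 structure.

```python
import io
import re
import sys
import zipfile

# DER-encoded OBJECT IDENTIFIER values (tag 0x06, length, body) for the
# digest algorithms that can appear in a PKCS#7 signature block.
DIGEST_OIDS = {
    "MD5": bytes.fromhex("06082a864886f70d0205"),        # 1.2.840.113549.2.5
    "SHA1": bytes.fromhex("06052b0e03021a"),             # 1.3.14.3.2.26
    "SHA256": bytes.fromhex("0609608648016503040201"),   # 2.16.840.1.101.3.4.2.1
}

# Algorithms a current JDK refuses during JAR verification (jdk.jar.disabledAlgorithms).
WEAK = {"MD5"}

# Matches "MD5-Digest:", "SHA1-Digest-Manifest:", "SHA-256-Digest-Manifest-Main-Attributes:", ...
DIGEST_HEADER = re.compile(
    r"^([A-Za-z0-9-]+)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.MULTILINE)


def _normalize(alg: str) -> str:
    # "SHA-256" and "SHA256" name the same algorithm; compare without hyphens.
    return alg.upper().replace("-", "")


def _header_digests(text: bytes) -> set:
    return {_normalize(m.group(1))
            for m in DIGEST_HEADER.finditer(text.decode("utf-8", "replace"))}


def audit_v1_signature(apk_bytes: bytes) -> dict:
    """Report the digest algorithms used by the v1 (JAR) signature of an APK.

    Returns a dict with the algorithms named in MANIFEST.MF, in the *.SF file,
    the digest OIDs found in the signature block, and a 'weak' flag that is
    True when MD5 is used anywhere in the chain."""
    result = {"manifest_digests": set(), "sf_digests": set(),
              "signature_block_digests": set(), "weak": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("META-INF/"):
                continue
            upper = name.upper()
            data = zf.read(name)
            if upper.endswith("MANIFEST.MF"):
                result["manifest_digests"] |= _header_digests(data)
            elif upper.endswith(".SF"):
                result["sf_digests"] |= _header_digests(data)
            elif upper.endswith((".RSA", ".DSA", ".EC")):
                # Byte-level scan: enough to tell which digest OIDs the DER block carries.
                for alg, oid in DIGEST_OIDS.items():
                    if oid in data:
                        result["signature_block_digests"].add(alg)
    used = (result["manifest_digests"] | result["sf_digests"]
            | result["signature_block_digests"])
    result["weak"] = bool(used & WEAK)
    return result


def build_sample_apk(digest: str) -> bytes:
    """Constructed sample: a minimal zip mimicking the META-INF layout of a
    v1-signed APK. The .RSA entry only wraps the digest OID in a placeholder
    DER SEQUENCE so the OID scan has something to find; it is not a real signature."""
    header = {"MD5": "MD5", "SHA1": "SHA1", "SHA256": "SHA-256"}[digest]
    manifest = ("Manifest-Version: 1.0\r\nCreated-By: constructed sample\r\n\r\n"
                f"Name: classes.dex\r\n{header}-Digest: AAAA\r\n\r\n")
    sf = (f"Signature-Version: 1.0\r\n{header}-Digest-Manifest: AAAA\r\n\r\n"
          f"Name: classes.dex\r\n{header}-Digest: AAAA\r\n\r\n")
    rsa = b"\x30\x10" + DIGEST_OIDS[digest] + b"\x05\x00"  # placeholder wrapper, constructed
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/KP2A.SF", sf)
        zf.writestr("META-INF/KP2A.RSA", rsa)
        zf.writestr("classes.dex", b"constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python audit_apk_sig.py app.apk   (falls back to the constructed MD5 sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk("MD5")
    report = audit_v1_signature(data)
    for key in ("manifest_digests", "sf_digests", "signature_block_digests"):
        print(f"{key}: {sorted(report[key])}")
    print("WEAK (MD5 in signature chain)" if report["weak"] else "no MD5 in signature chain")
```

A 'weak' result means a verifier with default JDK settings will print the "disabled algorithm: MD5" error seen above even though the digests may still match; the remedy on the signing side is to re-sign with a SHA-256 based v1 signature and, for current Android, an APK Signature Scheme v2/v3 block, then confirm with apksigner verify.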

IzzySoft commented 5 years ago

@PhilippC No chance to get that fixed? Looks ugly with those AntiFeatures…

michelesr commented 5 years ago

@PhilippC MD5 is not secure

PhilippC commented 4 years ago

@IzzySoft sorry for not taking care of this so long. I am now more actively working on the app again and wanted to fix this, but failed to reproduce. I don't see any MD5 related warning in apksigner or jarsigner. What exactly are you running to get the output you posted?

IzzySoft commented 4 years ago

@PhilippC Oooohhh… Guess you solved it by waiting it out then :rofl: v1.0.7 doesn't show that anymore (just NonFreeDep due to your use of GMS). So feel free to either close this issue – or keep it open to solve the GMS dependency (what is that needed for in the offline variant? Maybe it could be safely removed from that?)

PhilippC commented 4 years ago

How do you see that it uses GMS?

IzzySoft commented 4 years ago

Smali analysis. So actually it shows that there are GMS libraries – but I cannot tell if they are used. I've just rescanned to give you the full path, but funnily there is no "gms" in the Smali output – which means it must be one of the obfuscated parts which LibRadar maps:

./smali/md54bf36091a7b870ca3b5aa723f8ae00d5:
./smali/md566f8aed84904e91e83419346baaddee4:
./smali/md5821c45a32d5427f95b28bb08932fecf7:
./smali/md5988f925930a408a560bdf27be91a0cc7:
./smali/md5a8750cfc48940501f26b541c4e8295f3:
./smali/md5ada60065d854129aa23a39d02e0720b6:
./smali/md5b0db2e8f0b4b4a8e15a69655bd266f56:
./smali/md5b85ab5ea2545156b0f09600c184a5178:
./smali/md5d34a41c1978ce3f69838e1e5f2481313:
./smali/md5d467eca764982993ff67490944d877db:
./smali/md5e7dd1c39ca0e2cd8c286c073edc3eb5c:
./smali/md5f376cd5a47a07b7142b0796d4f523502: