Install on Android 7

[JacobLawtonClaro]

I have a gear-vrf based app on the store, it works fine with android 6, but now people are switching to android 7 it is not installing. The app works fine when I install from Android Studio, but when installing from the store it gets a "Install failed for org.gearvrf.gvrmagX: UNTRUSTED_APK_ERROR." error, I have no idea why is, this a bug with the framework, or am I missing really simple for Android 7 installs?

I have attaches the error log. error.txt

[liaxim]

The only thing I'd imagine the framework could be doing is having something in the manifest. Other than that the framework has no chance of executing since the Oculus installer service is rejecting the apk before the installation. The manifest contents are:

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.gearvrf"
    android:versionCode="1"
    android:versionName="1.0" >

    /**
     * Thanks to the manifest merging this permission will be automatically added to the
     * application's manifest. Yet another reason why we should be using AS and gradle exclusively.
     */
    <uses-permission android:name="com.samsung.android.hmt.permission.READ_SETTINGS" />

    <uses-sdk
        android:minSdkVersion="19"
        android:targetSdkVersion="24" />

    <uses-feature android:glEsVersion="0x00030000" android:required="true" />

    <application
        android:largeHeap="true">
    </application>

</manifest>

You can try removing the permission and the largeHeap.

It sounds like some kind of a certificate problem. Might be useful to try contacting the Oculus support. @thomasflynn may try to find out more about this error.

[JacobLawtonClaro]

The framework Manifest is correct, I have contacted Oclulus just waiting for a reply. Just thought I would see if this bug has come up on other gvrf projects.

[liaxim]

First time I am seeing it.

[thomasflynn]

Here's a reply from one of our internal people, "I have no idea, the log seems to point to Oculus store preventing “untrusted apk..”?, something about missing provider info (maybe it needs to be defined on Android manifest) – purely guessing here."

[robcuts]

Does this occur on all devices with Nougat? Also, what's the name of your app?

[JacobLawtonClaro]

It has failed on my device but I have reviews reporting it failing on other devices, the name of the app on the store is FotoFrezVR. Also I was thinking the same about the manifest info but why would it still work on Android 6 and not 7? It uses camera permissions, you think that could have something to do with it????

[liaxim]

I doubt it since it installs fine through the Android installer when signed with the devkey. It must be something about Oculus. Some of the users mention having Facebook disabled and from personal experience I know that breaks Oculus. Will flash an N build and try it out.

[thomasflynn]

send me an email offline at: tom.flynn@samsung.com i have someone who wants to take a look at your apk.

[liaxim]

I am seeing the same failure on N but have nothing more to say.

[JacobLawtonClaro]

I am still waiting on a reply from Oculus, will update when it fixed, I don't think it will be a framework issue.

[liaxim]

I think this might be related to your problem: http://stackoverflow.com/questions/37947323/google-play-shows-error-code-504-for-android-n-preview

I can directly install your apk on M devices but on my N this is the error I get from the Android package manager:

Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES: Failed to collect certificates from /data/app/vmdl305150639.tmp/base.apk: META-INF/CERT.SF indicates /data/app/vmdl305150639.tmp/base.apk is signed using APK Signature Scheme v2, but no such signature was found. Signature stripped?]

[JacobLawtonClaro]

Talked to Tom, he thinks it's the same thing, but I can't get the fix to work. Does this build file look right to you?

apply plugin: 'com.android.application'

System.setProperty("appName", "gvr-magVR")

if(file("../../common.gradle").exists()) {
    apply from: '../../common.gradle'
}
else if(file("../../../../GearVRf-Demos/common.gradle").exists()) {
    apply from: '../../../../GearVRf-Demos/common.gradle'
}

android {
    defaultConfig {
        renderscriptTargetApi 21
        minSdkVersion 21
        targetSdkVersion 21
    }
    signingConfigs {
        defaultConfig{
            v2SigningEnabled false
        }

    }

    buildTypes {
        release {
            minifyEnabled false
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.txt'
        }
    }

    sourceSets.main {
        jni.srcDirs = [] // no auto generation of Android.mk
        jniLibs.srcDir 'libs' // pre-compiled libraries
    }
}

dependencies {
    compile 'com.android.support:support-v4:25.0.0'
}

[ragner]

Hi, could you send me the apk to ragner.n@samsung.com? I would like to take a look too.

[ragner]

Hi @JacobLawtonClaro, I created a signed apk of GearVRf-Demos/gvr-simplephysics to compare the results of apksigner verify with your apk.

$ apksigner verify -v app/gvr-simplephysics.apk
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Number of signers: 1

$ apksigner verify -v gvr-FotoFrez.apk 
DOES NOT VERIFY
ERROR: JAR signer CERT.RSA: JAR signature META-INF/CERT.SF indicates the APK is signed using APK Signature Scheme v2 but no such signature was found. Signature stripped?

I followed https://developer.android.com/studio/publish/app-signing.html #"Build and sign your app from command line" then selected Android Studio ->Build ->Generate signed APK -> select your app module -> Choose existing key store(choose your private key generated by keytool) -> Fill passwords -> Next and Finish.

Could you try it?

[JacobLawtonClaro]

Ok I tried that and it still does not install from the store, I ran akpsigner verify on the apk and got the correct result back, tested both manually signing and using Android Studio signing.

I then downloaded the file I had just uploaded which was correctly signed and then ran verify on the downloaded file and the signing was broken, this must be a problem with the store right? How else would the signing break between upload and download?

[ragner]

Please, send me both versions. The version that akpsigner verify is returning the correct result and the other one downloaded from store ... I would like to check both. Please send me each one in different emails because of my inbox limitations ragner.n@samsung.com

Thank you.

[ragner]

I am not sure but the store may take a time to really publish the newest version

[ragner]

Hi @JacobLawtonClaro, could you try disable v2 signing in your build.gradle file See https://developer.android.com/studio/releases/gradle-plugin.html, in particular, v2SigningEnabled.

This looks necessary because the store is modifying your apk. You can check it just with a ls -l or checking the content of downloaded apk you will see a new file META-INF/oculus_prod.OSIG

So If you sign your APK using apksigner and make further changes to the APK, its signature is invalidated.

http://stackoverflow.com/questions/41391531/android-signing-apk-signature-v2 https://developer.android.com/studio/command-line/zipalign.html

[JacobLawtonClaro]

I posted my build file above, with the signingConfigs { defaultConfig{ v2SigningEnabled false } } but when I build it is still signed with scheme v2 is there anything obvious in the file that I should change?

[liaxim]

@JacobLawtonClaro Might be a redundant question but are you using the 2.2.3 version of Android's gradle plugin?

Also according to the documentation

    signingConfigs {
        defaultConfig{
            v2SigningEnabled false
        }

    }

should be

    signingConfigs {
        config{
            v2SigningEnabled false
        }

    }

[liaxim]

According to https://developer.android.com/about/versions/nougat/android-7.0.html#apk_signature_v2 it should be more like

  android {
    signingConfigs {
      release {
        v2SigningEnabled false
      }
    }
  }

[JacobLawtonClaro]

I am using 2.2.3, I have seen the config style a few ways, I will try the two you posted, see if they actually disable the signing.

[JacobLawtonClaro]

I have tried both ways and the apk is still being signed with scheme v2, I even tried it with one of the demos and that was still signed.

[liaxim]

Are you using Android Studio to generate the signed apk?

[liaxim]

Looks like AS is messing up the signing process. I tried with AS and always got the V2 signature.

Signing from the command line build worked. These are the changes I made to the gradle file:

android {
    signingConfigs {
        release {
            v2SigningEnabled false
            storeFile file("<full-path-to-your-store-file>")
            storePassword "<your_store_pwd>"
            keyAlias "<alias>"
            keyPassword "<key_pwd>"
        }
    }
    defaultConfig {
        signingConfig signingConfigs.release
    }
}

Then just run ./gradlew assembleDebug.

[ragner]

Hi all, v2SigningEnabled false hasn't worked to me at AndroidStudio's apk build. but $ ./gradlew assembleRelease works fine:

$ apksigner verify -v ./app/build/outputs/apk/gvr-simplephysics.apk
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): false
Number of signers: 1

[JacobLawtonClaro]

That worked!!! It can be installed from the store, Oculus also finally got back to me they confirmed that they do not currently support v2 signing so until they do all projects that are going to be uploaded to the store should be signed the above way.

Thank you.

[liaxim]

Awesome

[thomasflynn]

@liaxim , let's add this to the wiki/faq

[liaxim]

Added entry 15.

[JacobLawtonClaro]

The Android Studio 2.3 update gives options for v1/v2 signing when building the APK, disabling v2 using this method works.