ShiftHackZ / Stable-Diffusion-Android

Stable Diffusion AI client app for Android
https://sdai.moroz.cc
GNU Affero General Public License v3.0

F-Droid can't build #124

Closed licaon-kter closed 7 months ago

licaon-kter commented 7 months ago

ref: https://gitlab.com/fdroid/fdroiddata/-/jobs/6136043977#L1808 the difference is empty hence I smell an APK issue

Comparing directly:

$ apksigcopier compare sdai-foss-release-0.5.4.apk com.shifthackz.aisdv1.app.foss_168_signed.apk && echo OK
DOES NOT VERIFY
ERROR: APK Signature Scheme v2 signer #1: APK integrity check failed. CHUNKED_SHA256 digest mismatch. Expected: <3036ab79c1e6736c09688a098dffbc4855159cdd235ace29afac617c407ce6a1>, actual: <9e08aca38457ddad31ba19483ac3aeec852ede381c5ff887bce093482fd20cdc>
Error: failed to verify /tmp/tmpm9_v9asj/output.apk.

Is the APK aligned? Does it have all the needed signatures?

ShiftHackZ commented 7 months ago

Hi, the apk from tag 0.5.4 was signed using the same keystore: image

However the release 0.5.4 was built on a Windows machine using the openjdk 17.0.10 image

Could the environment change affect the apk mismatch?

ShiftHackZ commented 7 months ago

I have tried building tag 0.5.4 on an Ubuntu VM with the latest openjdk-17-jdk-headless: image

I uploaded 0.5.4 built on Ubuntu VM here.

But I cannot find a signed f-droid apk file com.shifthackz.aisdv1.app.foss_168_signed.apk, there is only com.shifthackz.aisdv1.app.foss_168.apk in the pipeline artifacts. Could you please point out where I can find the signed apk to check it using apksigcopier?

licaon-kter commented 7 months ago

> Could you please point out where I can find the signed apk to check it using apksigcopier.

You can just sign it yourself and then compare.

licaon-kter commented 7 months ago

Comparing your Ubuntu vs your (Windows?) release:

$ apksigcopier compare sdai-foss-release-0.5.4_ubuntu.apk sdai-foss-release-0.5.4.apk
Error: APK Signing Block offset < central directory offset.

..yields a strange result

/LE: if I reverse the APKs I get the same as OP:

$ apksigcopier compare sdai-foss-release-0.5.4.apk sdai-foss-release-0.5.4_ubuntu.apk
DOES NOT VERIFY
ERROR: APK Signature Scheme v2 signer #1: APK integrity check failed. CHUNKED_SHA256 digest mismatch. Expected: <3036ab79c1e6736c09688a098dffbc4855159cdd235ace29afac617c407ce6a1>, actual: <41c9389f4210da701b453a10e7e9e859bf73ebda5c2d99fbd675c960724f0c18>
Error: failed to verify /tmp/tmp5w4xbd8j/output.apk.

ShiftHackZ commented 7 months ago

Thanks, I tried:

Result: Comparing both ubuntu/windows env apk with f-droid apk signed by both apksigcopier/(apksigner+original jks & alias) always results in getting the same error CHUNKED_SHA256 digest mismatch.

linsui commented 7 months ago

How do you sign your apk? Could you build an unsigned apk?

ShiftHackZ commented 7 months ago

Here is an unsigned apk built from tag 0.5.4 in ubuntu vm: app-foss-release-unsigned.apk

To sign the apk there is a config in app/build.gradle at Lines 30-44 which loads config from app/keystore/signing.properties:

keystore.password=(( REDACTED ))
keystore.alias=(( REDACTED ))
keystore=keystore/aisdv1.jks

The app/keystore is in .gitignore to prevent jks leak. For github releases the build is done from the cli running ./gradlew assembleFossRelease, building either from the AS or the cli will result in a signed apk file:

image

linsui commented 7 months ago

I compared the unsigned apks. The assets/demo.json is different.

licaon-kter commented 7 months ago

I guess fix-newlines assets/demo.json will do :)

That was my initial fix, https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/com.shifthackz.aisdv1.app.foss.yml#L107 but the APK verification failed hence this OP :shrug:
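
The comparison discussed in the comments above (diffing two builds of the same tag entry by entry and checking whether a difference is only line endings), as an added example that is not part of the original thread or of F-Droid's tooling. The APKs here are stand-in ZIP archives constructed in memory, and the function names are hypothetical.

```python
import io
import zipfile


def normalize_newlines(data: bytes) -> bytes:
    """Collapse CRLF and lone CR to LF so only real content changes remain."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def diff_apk_entries(ref_apk, built_apk) -> dict:
    """Classify every entry that differs between two APKs (ZIP archives).

    Returns {entry name: reason}, where reason is 'missing-in-built',
    'missing-in-ref', 'newline-only' or 'content'.
    """
    report = {}
    with zipfile.ZipFile(ref_apk) as ref, zipfile.ZipFile(built_apk) as built:
        ref_names, built_names = set(ref.namelist()), set(built.namelist())
        for name in sorted(ref_names - built_names):
            report[name] = "missing-in-built"
        for name in sorted(built_names - ref_names):
            report[name] = "missing-in-ref"
        for name in sorted(ref_names & built_names):
            a, b = ref.read(name), built.read(name)
            if a == b:
                continue  # byte-identical after decompression
            same_text = normalize_newlines(a) == normalize_newlines(b)
            report[name] = "newline-only" if same_text else "content"
    return report


def make_apk(entries: dict) -> io.BytesIO:
    """Build a constructed stand-in APK in memory (sample data, not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed sample: same sources, one checkout with CRLF line endings.
windows_build = make_apk({"assets/demo.json": b'{\r\n  "demo": true\r\n}\r\n',
                          "classes.dex": b"dex\n035\x00same"})
linux_build = make_apk({"assets/demo.json": b'{\n  "demo": true\n}\n',
                        "classes.dex": b"dex\n035\x00same"})

if __name__ == "__main__":
    for entry, reason in diff_apk_entries(windows_build, linux_build).items():
        print(f"{reason:>16}  {entry}")
```

An empty report alongside a signature copy that still fails, as happens later in this thread, means the difference lies outside the entry contents, which this check does not inspect.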

ShiftHackZ commented 7 months ago

That's strange that this asset is causing the issue. I did not modify the demo module (including assets/demo.json) since the very first publish on f-droid.

Does it make sense if I re-implement demo module functionality without using assets/demo.json and publish a new release?

linsui commented 7 months ago

@licaon-kter Is the unsigned apk same as yours?

@ShiftHackZ If it's the newline difference, then maybe you changed the OS?

ShiftHackZ commented 7 months ago

I have mentioned that the apk in the 0.5.4 GH release was made on a Windows machine. But the unsigned apk that I provided today was made on an Ubuntu VM.

ShiftHackZ commented 7 months ago

I made a new release tagged as 0.5.5. It is refactored to not use assets/demo.json, and built on linux with openjdk17. Can we try running the f-droid pipeline for the new release to see if my changes resolved the problem?

licaon-kter commented 7 months ago

Will test locally asap

licaon-kter commented 7 months ago

Same result :cry:, demo.json is not an issue, but while the APK contents are exactly the same, verification fails

...
DOES NOT VERIFY
ERROR: APK Signature Scheme v2 signer #1: APK integrity check failed. CHUNKED_SHA256 digest mismatch. Expected: <93acfebd1bb9902157fb374367cfa0e2ad1d614b8a3f1b35f89366b65676eb74>, actual: <4ef636767db756ec7038f2ca6d602e824e5cf9c639b154dbd935b7ae8d92c6f7>
2024-02-27 10:53:01,374 ERROR: 
/tmp/tmpcli0k041/sigcp_com.shifthackz.aisdv1.app.foss_169.apk: 
2024-02-27 10:53:01,374 INFO: ...NOT verified - /tmp/tmpcli0k041/sigcp_com.shifthackz.aisdv1.app.foss_169.apk
2024-02-27 10:53:02,591 DEBUG: > diff -r /tmp/tmpcli0k041/unsigned_binaries_com.shifthackz.aisdv1.app.foss_169.binary /tmp/tmpcli0k041/_tmp_tmpcli0k041_sigcp_com.shifthackz.aisdv1.app.foss_169
2024-02-27 10:53:02,883 DEBUG: removing unsigned/com.shifthackz.aisdv1.app.foss_169.apk
2024-02-27 10:53:02,897 DEBUG: removing unsigned/binaries/com.shifthackz.aisdv1.app.foss_169.binary.apk
2024-02-27 10:53:02,998 ERROR: Could not build app com.shifthackz.aisdv1.app.foss: compared built binary to supplied reference binary but failed
==== detail begin ====
verification of APK with copied signature failed
Comparing reference APK to APK with copied signature...
Unexpected diff output:
==== detail end ====

and


$ apksigcopier compare sdai-foss-release-0.5.5.apk com.shifthackz.aisdv1.app.foss_169.apk
DOES NOT VERIFY
ERROR: APK Signature Scheme v2 signer #1: APK integrity check failed. CHUNKED_SHA256 digest mismatch. Expected: <93acfebd1bb9902157fb374367cfa0e2ad1d614b8a3f1b35f89366b65676eb74>, actual: <4ef636767db756ec7038f2ca6d602e824e5cf9c639b154dbd935b7ae8d92c6f7>
Error: failed to verify /tmp/tmpmvm10oz9/output.apk.

licaon-kter commented 7 months ago

:tada: we are back https://gitlab.com/fdroid/fdroiddata/-/commit/c69558d2c28c81f9ce296ceaa0fc9bddcd60d684

ShiftHackZ commented 7 months ago

Thanks!

licaon-kter commented 7 months ago

@ShiftHackZ what did you do differently this time? If anything