TrianguloY / URLCheck

Android app by TrianguloY: URLCheck

apksigner Warning #396

Open DiagonalArg opened 15 hours ago

DiagonalArg commented 15 hours ago

Steps to reproduce

I wonder if the dev might be willing to repair this warning from apksigner. It would help support consistency with AppVerifier.

$ apksigner verify --print-certs URLCheck-2.17.apk 
Signer #1 certificate DN: CN=TrianguloY
Signer #1 certificate SHA-256 digest: bf1b69c14da2420ca72011f72cf4837458ec5d3cc4b538243437bc17c19201c6
Signer #1 certificate SHA-1 digest: 4135bf77f3e515cb284173cb3da30a4e6cce3eba
Signer #1 certificate MD5 digest: e67416e5e4e98a7b5501efd2a9a12da8
WARNING: META-INF/com/android/build/gradle/app-metadata.properties not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/version-control-info.textproto not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.

$ apksigner verify --print-certs URLCheck-3.0.apk 
Signer #1 certificate DN: CN=TrianguloY
Signer #1 certificate SHA-256 digest: bf1b69c14da2420ca72011f72cf4837458ec5d3cc4b538243437bc17c19201c6
Signer #1 certificate SHA-1 digest: 4135bf77f3e515cb284173cb3da30a4e6cce3eba
Signer #1 certificate MD5 digest: e67416e5e4e98a7b5501efd2a9a12da8
WARNING: META-INF/com/android/build/gradle/app-metadata.properties not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/version-control-info.textproto not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.

Expected behavior

No warning.

Actual behavior

Warning.

URLCheck version

2.1.7 and 3.0

Android version

Android 15

Android Custom/Specific ROM or Device

GrapheneOS

Other details

No response

TrianguloY commented 14 hours ago

I'll happily fix that (whenever possible) if I knew how!

That is the Github apk, which is built directly from a Github action. I don't use any libraries, and from what I could find, those are automatic files just for metadata; even if they were changed, the app should not care, apparently.

The only thing I can think of is to use a different signing version (I know there are v1, v2, v3 and even v4?) and I don't really know which one I'm using. Do you know of any parameters, perhaps in the build.gradle file, that I should add to fix this?

DiagonalArg commented 14 hours ago

Thanks for responding. :)

I'll see if I can find out....

DiagonalArg commented 10 hours ago

I'm not a dev, but I asked someone who is. He said, "I'm hesitant to give advice since I know almost nothing about his development. So take this w/a grain of salt..."

Here it is:

  1. Identify the purpose of the file: META-INF/com/android/build/gradle/app-metadata.properties is likely a build configuration file generated by your Android project’s Gradle build script. It contains metadata about your app, such as its package name, version, & other build settings.

  2. Remove or move the file: As the warning suggests, you can safely delete or move this file outside of the META-INF directory. This will prevent the APK signature verification tool (apksigner) from complaining about an unprotected JAR entry. To do this, you can:

    • Delete the file manually from your project’s build/intermediates/merged_assets directory (or similar, depending on your project’s structure).
    • Use a Gradle task or script to remove or move the file as part of your build process.

  3. Alternatively, sign the file: If you need to keep the file for some reason (e.g., it’s used by your app), you can sign it using a digital signature. This will ensure that any modifications to the file will be detected during APK signature verification. To sign the file, you’ll need to:

    • Create a keystore (e.g., using keytool) & generate a certificate.
    • Use a tool like jarsigner or apksigner to sign the app-metadata.properties file with the certificate.

  4. Verify the APK: After removing or signing the file, re-run the APK signing & verification process to ensure that the warning is no longer present.

Remember to carefully evaluate the impact of removing or signing this file, as it may affect your app’s build process or functionality. If you’re unsure, consider consulting your project’s documentation or seeking guidance from your team/lead.

TrianguloY commented 9 hours ago

From what I could find, this is an issue with the APK signature v1, which doesn't sign files inside the META-INF folder. Signatures v2+ do sign them and have no issue.

A google search of "META-INF/com/android/build/gradle/app-metadata.properties" will give several answers to this, like https://stackoverflow.com/questions/77543352/a-file-not-protected-by-signature-unauthorized-modifications-to-this-jar-entry, https://github.com/signalapp/Signal-Android/issues/13270, etc.

I'm interested however in which signing version I'm using, as I'm not specifying anything so it's probably the default. Is it v1 only? or v1+v2? Does the output of apksigner say something about this? (I think you need to add the --verbose flag)

If I'm only using v1, I should configure it to use both v1 and v2 (at least). If I'm already using v2 it should not be an issue, since devices that support v2 will verify everything, and for older devices that only support v1 I prefer to keep the compatibility instead of making them unable to install the app.

Perhaps I could also remove the files as you suggested, but they are automatically built files, and I prefer to avoid touching those.
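The question in this thread, which signature schemes an APK actually carries and why the v1 (JAR) scheme cannot cover files under META-INF/, can be checked without apksigner by reading the ZIP structure directly. The following script is an added example written for this discussion; it is not part of URLCheck and not the project's build code. It locates the ZIP End Of Central Directory record, looks for the APK Signing Block that sits immediately before the central directory, lists the scheme block IDs it finds (the documented values 0x7109871a for v2 and 0xf05368c0 for v3), and lists the META-INF entries that a v1-only verifier cannot protect. The sample APK it builds is constructed in the script with dummy signature files and dummy signing-block values, so it is only APK-shaped, not a validly signed package.

```python
"""Inspect which APK signature schemes an APK carries and which META-INF
entries the v1 (JAR) scheme leaves unprotected.

Added example for the apksigner-warning discussion; not URLCheck project
code. The v2/v3 block IDs are the documented scheme IDs; the APK built by
make_sample_apk() is a constructed, unsigned-in-reality sample.
"""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}
EOCD_SIG = b"PK\x05\x06"
V1_SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def _central_directory_offset(apk):
    """Find the End Of Central Directory record and return the CD offset."""
    # The EOCD is 22 bytes plus an optional comment of at most 65535 bytes.
    eocd = apk.rfind(EOCD_SIG, max(0, len(apk) - 22 - 0xFFFF))
    if eocd < 0:
        raise ValueError("no EOCD record: not a ZIP/APK")
    return struct.unpack_from("<I", apk, eocd + 16)[0]


def signing_block_ids(apk):
    """Return the IDs of the ID-value pairs in the APK Signing Block, or []
    when there is none.  Layout of the block, which ends right before the
    central directory: u64 size | pairs (u64 len, u32 id, value) | u64 size
    | 16-byte magic.  Both size fields exclude the leading size field."""
    cd = _central_directory_offset(apk)
    if cd < 24 or apk[cd - 16:cd] != APK_SIG_BLOCK_MAGIC:
        return []
    size = struct.unpack_from("<Q", apk, cd - 24)[0]
    start = cd - size - 8  # position of the leading size field
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("corrupt APK Signing Block: size fields disagree")
    ids, pos, end = [], start + 8, cd - 24
    while pos < end:
        length, block_id = struct.unpack_from("<QI", apk, pos)
        ids.append(block_id)
        pos += 8 + length  # length covers the u32 id plus the value
    return ids


def signature_schemes(apk):
    """Which of v1/v2/v3 the APK carries (presence, not cryptographic validity)."""
    schemes = set()
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = zf.namelist()
    # v1 = JAR signing: a manifest plus a .SF and a signature block file.
    if "META-INF/MANIFEST.MF" in names and any(
            n.startswith("META-INF/") and n.upper().endswith(V1_SIG_SUFFIXES)
            for n in names):
        schemes.add("v1")
    for block_id in signing_block_ids(apk):
        if block_id in SCHEME_IDS:
            schemes.add(SCHEME_IDS[block_id])
    return schemes


def v1_unprotected_entries(apk):
    """META-INF entries a v1-only verifier cannot protect: JAR signing only
    covers entries named in MANIFEST.MF and never signs META-INF/ itself,
    which is exactly what the apksigner warning in this thread points at."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return sorted(
            n for n in zf.namelist()
            if n.startswith("META-INF/") and not n.endswith("/")
            and n != "META-INF/MANIFEST.MF"
            and not n.upper().endswith(V1_SIG_SUFFIXES))


def make_sample_apk(meta_files, schemes=()):
    """Build a constructed APK-shaped ZIP: a manifest, v1-style signature
    file names (dummy contents), the extra META-INF files given, and, when
    scheme IDs are passed, an APK Signing Block with dummy 16-byte values."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\0")
        zf.writestr("META-INF/MANIFEST.MF",
                    b"Manifest-Version: 1.0\r\n\r\nName: classes.dex\r\n"
                    b"SHA-256-Digest: AAAA\r\n\r\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\r\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x00")
        for name, data in meta_files.items():
            zf.writestr(name, data)
    apk = buf.getvalue()
    if not schemes:
        return apk
    pairs = b"".join(struct.pack("<QI", 4 + 16, sid) + b"\0" * 16 for sid in schemes)
    size = len(pairs) + 8 + 16
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    cd = _central_directory_offset(apk)
    eocd = apk.rfind(EOCD_SIG)
    # Insert the block before the central directory and re-point the EOCD's
    # CD offset; local-header offsets stay valid because nothing before them moved.
    patched_eocd = apk[eocd:eocd + 16] + struct.pack("<I", cd + len(block)) + apk[eocd + 20:]
    return apk[:cd] + block + apk[cd:eocd] + patched_eocd


if __name__ == "__main__":
    extra = {"META-INF/com/android/build/gradle/app-metadata.properties": b"appMetadataVersion=1.1\n"}
    for label, sample in (("v1 only", make_sample_apk(extra)),
                          ("v1+v2+v3", make_sample_apk(extra, (0x7109871A, 0xF05368C0)))):
        print(label, signature_schemes(sample), v1_unprotected_entries(sample))
```

Run it against a real APK by reading the file into `bytes` and calling `signature_schemes()`; a build that only carries v1 is the case where the warning matters, since a v2/v3 verifier hashes the whole ZIP (including META-INF/) and would detect a modified app-metadata.properties. The real tool answers the same question: `apksigner verify --verbose` prints one `Verified using vN scheme ...: true/false` line per scheme. On the build side, the Android Gradle Plugin exposes `enableV1Signing` and `enableV2Signing` on a `signingConfig`, which is the place to pin both schemes explicitly rather than relying on the default.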