Closed emanuelb closed 1 year ago
Almost fixed in https://github.com/btcontract/wallet/commit/ae9c28f3697ccfc4dff92acc19520d5cae27ce8b; the only remaining entry is META-INF/services/java.security.Provider, which stays despite specific instructions to remove that file.
I don't quite understand what's going on here and assume that file is needed by the system somehow. Is it OK if it stays?
Verification info was added to: https://github.com/btcontract/wallet#verification-with-apksigner
> I don't quite understand what's going on here and assume that file is needed by the system somehow. Is it OK if it stays?
Not sure if it's needed; it will require more digging to figure this out. Still, the commit is an improvement as fewer files are included, so it's OK if it stays, but it's better to remove it if it's not needed inside the APK file, which is likely...
Also see the related question on Stack Overflow without an answer: https://stackoverflow.com/questions/66897483/how-can-i-exclude-all-files-in-meta-inf-except-for-the-three-signature-files
In order to verify a direct APK download from github/google-play/(mirror/download)-websites, the output from apksigner is needed. See for example the verification section in the Aegis app: https://github.com/beemdevelopment/Aegis#verification
Running apksigner (command: `apksigner verify --print-certs --verbose SBW-2.0.6.apk`) on the APK downloaded from GitHub: https://github.com/btcontract/wallet/releases/download/2.0.6/SBW-2.0.6.apk
sha256sum: 46342aab01445b09d19cb1b3dd6c5f13a757d050d5112c519a19a55ae37e4652
Result:
All the files in WARNING should be removed or moved to another directory. It's not very problematic because the APK is also signed with v2; when v1 verification is used (which has been deprecated since 2016), the files in WARNING are not authenticated ("Unauthorized modifications to this JAR entry will not be detected.")
They probably should be removed, which can be done for example by adding `exclude` lines to `packagingOptions` in the build.gradle file.
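The check discussed in this thread can be approximated before a release, as an added example that is not part of the original issue or of the wallet project: list every entry under META-INF/ that is not a v1 signature file, since those are the entries v1 signing leaves unauthenticated. Recognising signature files by name, the helper names, and the sample archive (constructed entry names except the java.security.Provider path from the thread) are assumptions of this example.

```python
import io
import re
import sys
import zipfile

# v1 (JAR) signature files live directly in META-INF/: the manifest plus each
# signer's .SF file and signature block. Recognising them by file name is an
# assumption of this example; apksigner resolves the actual signers.
SIGNATURE_FILE = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$", re.I)


def unprotected_meta_inf_entries(apk):
    """Return META-INF/ entries that are not v1 signature files.

    `apk` is a path or a binary file object containing a ZIP/APK.
    """
    with zipfile.ZipFile(apk) as zf:
        names = zf.namelist()
    return sorted(
        name for name in names
        if name.lower().startswith("meta-inf/")
        and not name.endswith("/")            # skip directory entries
        and not SIGNATURE_FILE.match(name)
    )


def build_sample_apk():
    """Constructed archive with APK-like entry names (not a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in (
            "AndroidManifest.xml",
            "classes.dex",
            "META-INF/MANIFEST.MF",
            "META-INF/CERT.SF",
            "META-INF/CERT.RSA",
            "META-INF/services/java.security.Provider",  # entry named in the thread
            "META-INF/example-lib.version",               # constructed name
            "META-INF/nested/FAKE.RSA",                   # nested, so not a signature block
        ):
            zf.writestr(name, b"placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_apk()
    for entry in unprotected_meta_inf_entries(target):
        print("not covered by v1 signature:", entry)
```

Pass an APK path as the first argument to check a real build; every entry printed is a candidate for an `exclude` line in `packagingOptions`.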