Closed xvarlez closed 3 years ago
Hey @xvarlez !
Opened a discussion in the team with this question. We'll get back with the answer as soon as we have one! 🙂
Hey there @trapacska just wanted to follow up and see if there were any updates to switching to apksigner? We're interested in adding that to our bitrise workflow as well. Thanks!
Hey @sourjam !
It is not under development yet.
Hey,
If it can help anyone, I am using this workflow as a workaround for now. You need to set up the code signing configuration for your project on Bitrise under Workflow Editor -> Code signing.
bitrise.yml
```yaml
- file-downloader@1.0.1:
    inputs:
    - destination: "$HOME/keystores/my_keystore.jks"
    - source: "$BITRISEIO_ANDROID_KEYSTORE_URL"
- gradle-runner@1.8.3:
    inputs:
    - gradle_file: "$GRADLE_BUILD_FILE_PATH"
    - gradle_task: assembleRelease
    - gradlew_path: "$GRADLEW_PATH"
```
With the following in build.gradle:
```groovy
signingConfigs {
    release {
        keyAlias System.getenv("BITRISEIO_ANDROID_KEYSTORE_ALIAS")
        keyPassword System.getenv("BITRISEIO_ANDROID_KEYSTORE_PRIVATE_KEY_PASSWORD")
        storeFile file(System.getenv("HOME") + "/keystores/my_keystore.jks")
        storePassword System.getenv("BITRISEIO_ANDROID_KEYSTORE_PASSWORD")
    }
}
```
Thanks for the info @trapacska ! Also, thank you for the alternative @xvarlez !
any chance this can be implemented?
Hello all, I think it is time to revisit this topic. I've just got an interesting error.
```
Failed to [REDACTED] APKs: failed to [REDACTED] apk, error: googleapi: Error 403: APK signature is invalid or does not exist. Error from apksigner: ERROR: MIN_SIG_SCHEME_FOR_TARGET_SDK_NOT_MET: Target SDK version 30 requires a minimum of signature scheme v2; the APK is not signed with this or a later signature scheme, forbidden
```
Let me know how I may help.
@laggedHero when you target your app to Android 11, it has to use v2. See here: https://developer.android.com/about/versions/11/behavior-changes-11#minimum-signature-scheme
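Added example, not part of the thread or of the sign-apk step: a Python check a CI job could run on a built APK to see which signature schemes it carries and whether that satisfies the target SDK 30 rule quoted in the error above. It goes beyond the thread by reading the APK Signing Block directly; the function names and the constructed sample archives are assumptions, and it only detects that a scheme is present, it does not verify the signature (`apksigner verify` does that).

```python
import io
import struct
import zipfile

MAGIC = b"APK Sig Block 42"
EOCD = b"PK\x05\x06"  # ZIP end-of-central-directory signature
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}


def signature_schemes(apk: bytes) -> set:
    """Return which of 'v1', 'v2', 'v3' are present in the APK bytes."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:  # v1 = JAR signature in META-INF
        v1 = any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
                 for n in zf.namelist())
    found = {"v1"} if v1 else set()
    (cd,) = struct.unpack_from("<I", apk, apk.rfind(EOCD) + 16)  # central dir offset
    if cd < 32 or apk[cd - 16:cd] != MAGIC:
        return found  # no APK Signing Block, so no v2/v3
    (size,) = struct.unpack_from("<Q", apk, cd - 24)
    pos, end = cd - size, cd - 24  # bounds of the ID-value pairs
    if pos < 8 or struct.unpack_from("<Q", apk, pos - 8)[0] != size:
        raise ValueError("corrupt APK Signing Block")
    while pos + 12 <= end:
        pair_len, pair_id = struct.unpack_from("<QI", apk, pos)
        if pair_len < 4 or pos + 8 + pair_len > end:
            raise ValueError("corrupt ID-value pair")
        if pair_id in SCHEME_IDS:
            found.add(SCHEME_IDS[pair_id])
        pos += 8 + pair_len
    return found


def meets_target_sdk(schemes: set, target_sdk: int) -> bool:
    """Target SDK 30 and above needs scheme v2 or later, per the error in the thread."""
    return target_sdk < 30 or bool(schemes & {"v2", "v3"})


def sample_apk(names, block_ids=()) -> bytes:
    """Constructed sample: a tiny ZIP, optionally with a signing block of empty pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"constructed")
    raw = buf.getvalue()
    (cd,) = struct.unpack_from("<I", raw, raw.rfind(EOCD) + 16)
    pairs = b"".join(struct.pack("<QI", 4, i) for i in block_ids)
    size = struct.pack("<Q", len(pairs) + 24)
    block = (size + pairs + size + MAGIC) if block_ids else b""
    # Splice the block in and rewrite the EOCD's central-directory offset (bytes -6..-2)
    return raw[:cd] + block + raw[cd:-6] + struct.pack("<I", cd + len(block)) + raw[-2:]
```

An APK signed only with jarsigner reports `{"v1"}` here, which is the case the Play upload rejected for target SDK 30.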
@trapacska can support be added for this? We won't be able to deploy apps targeting Android 11 anymore.
@jcoona I've made a correction to the step on a fork to unblock one project that we are working on. I've created a PR to, hopefully, have this sorted on the step lib soon. But, if you want to give a try to my config, you can do so by using:
```yaml
- apt-get-install@0:
    inputs:
    - upgrade: 'no'
    - packages: openjdk-9-jre
- git::https://github.com/FutureWorkshops/steps-sign-apk.git@feature/apk_signer:
    inputs:
    - keystore_url: $APP_KEYSTORE_URL
    - keystore_password: "$KEYSTORE_PASSWORD"
    - keystore_alias: "$KEYSTORE_ALIAS"
    - private_key_password: "$KEYALIAS_PASSWORD"
    - use_apk_signer: 'true'
```
Unfortunately, the install of JRE 9 before the usage of ApkSignerTool is necessary on the SDK v30. But, this shouldn't delay your build too much.
@trapacska Let me know if I can help in any way, or if I should close the PR if the team is working on a different approach.
Any update on this?
Android 11 has released to the public. We've been able to get around the signing issue by generating AAB files for production builds, but for testing builds generated by Bitrise, they are unable to be installed on Android 11 phones. Could we please get an update on when this will be fixed?
Looks like this issue has been patched in their latest released version on Bitrise
This was fixed on version 1.7.0, where the usage of APKSigner was introduced. If you use the latest version or pin to 1.7.+, you should be able to use this step to sign APKs for Android 11. One important information is to set `use_apk_signer: 'true'` to use the correct signer since this is disabled for retro compatibility.
@igorcferreira How did you upgrade jdk version to 9? Tried below and it doesn't seem to be working.
```yaml
- apt-get-install@0:
    inputs:
    - upgrade: 'no'
    - packages: openjdk-9-jre
```
@yasitha999 I just added this step. But, keep in mind that this installs only the JRE, not the full JDK. This should be enough for the APKSigner on SDK 30 to work just fine if this step is added before the signer step. What issue are you facing?
Thanks @igorcferreira It worked, I had it a bit higher up in the hierarchy, adding it just before the signer step works.
Anybody else getting this error when trying to sign:
```
Zipalign Build Artifact
=> /opt/[REDACTED]-sdk-linux/build-tools/30.0.0/zipalign "-f" "4" "/tmp/bitrise-sign-build-artifact233445561/unsigned.apk" "/bitrise/deploy/[REDACTED]-app-bitrise-aligned.apk"
Failed to zipalign Build Artifact, error: [ exit status 1]
```
Yes @something15525 , I'm getting the same error, I have multiple flavours, the first flavour gets zip aligned and signed properly, but I'm getting this error for the second flavour.
Okay great, so looks like we're having the same issue. I have multiple flavors as well. @igorcferreira any suggestions about how to get around this?
@something15525 @yasitha999 I believe that there is a PR open (#57) to improve the logic of the zipalign, to cover issues in this specific process. Those changes will (most probably) solve this that you are seeing. It would be good to run your project with the step pointing to that specific branch to validate it.
Sorry, didn't have time to test this out. Looks like the PR was merged, so I'll test it out in the new version.
Just a heads up, with the latest version (1.7.2), I had to add a script step, but then it got things working. Here's the script:
```bash
# fail if any commands fails
set -e
# debug log
set -x
sudo update-alternatives --set javac /usr/lib/jvm/java-11-openjdk-amd64/bin/javac
sudo update-alternatives --set java /usr/lib/jvm/java-11-openjdk-amd64/bin/java
export JAVA_HOME="/usr/lib/jvm/java-11-openjdk-amd64"
envman add --key JAVA_HOME --value "/usr/lib/jvm/java-11-openjdk-amd64"
```
Hope this helps!
The APK size on my app however has jumped from 36 mb to ~130 mb, which is a little ridiculous.
Likewise on both accounts @something15525
1.7.2 + script worked for me. Mine went from 29MB to 102MB.
@something15525 @ecramer Could you provide more details about the configuration of the project? Things like:
I'm asking that because I'm not seeing a massive APK size increase on the apps that I'm signing using the version 1.7.2 (examples below) and it would be good to have a broad picture, to see if it is possible to simulate the problem.
Unsigned APK:
Signed APK:
I would also recommend to, if the step starts to be a big issue and your development process allows you, to try to replace this step for a gradle configuration, letting the Android plugin to produce the signed APK. For example:
```groovy
android {
    signingConfigs {
        def keystore = System.getenv("KEYSTORE_PATH")
        // Only define the signing config when a keystore path is provided
        if (keystore != null && keystore.length() > 0) {
            bitriseConfig {
                keyAlias(System.getenv("KEYSTORE_ALIAS"))
                // Key (alias) password and keystore password, matching the step inputs used above
                keyPassword(System.getenv("KEYALIAS_PASSWORD"))
                storeFile file(keystore)
                storePassword(System.getenv("KEYSTORE_PASSWORD"))
            }
        }
    }
    // ...
    buildTypes {
        release {
            // ...
            def keystore = System.getenv("KEYSTORE_PATH")
            if (keystore != null && keystore.length() > 0) {
                signingConfig signingConfigs.bitriseConfig
            }
        }
    }
}
```
it definitely appears to be a debug thing. release builds have stayed roughly the same size
@igorcferreira I'll have some time in a bit to look through this issue, but focusing on other things at the moment. I'm fairly sure that my builds are debuggable, which could be the issue.
Any update ?
@XinyueZ The proper usage of APK Signer, to support V2 and V3 of signature was properly solved on the PR #54. If you use the most recent versions of the step, the code will use your APK manifest as a reference to which version to apply. If you are still facing issues with upload to Google Play, please, check if your APK is being exported as debuggable.
Hey there,
I finally had some more time to look at this issue, and with the latest version of the sign-apk step (1.7.4 as of time of writing this), I'm still seeing a failure. Here's the output from the step:
```
+------------------------------------------------------------------------------+
| (9) sign-apk@1.7 |
+------------------------------------------------------------------------------+
| id: sign-apk |
| version: 1.7.4 |
| collection: https://github.com/bitrise-io/bitrise-steplib.git |
| toolkit: go |
| time: 2021-04-27T17:43:35Z |
+------------------------------------------------------------------------------+
| |
INFO[17:43:35] Start installing (zip) with apt-get
INFO[17:43:35] * [OK] Step dependency (zip) installed, available.
Configs:
- BuildArtifactPath: /bitrise/deploy/[REDACTED]-resident-app-iotas-staging.apk
- KeystoreURL: [REDACTED]
- KeystorePassword: [REDACTED]
- KeystoreAlias: [REDACTED]
- PrivateKeyPassword: [REDACTED]
- OutputName:
- VerboseLog: true
- PageAlign: automatic
- SignerScheme: automatic
- DebuggablePermitted: true
- UseAPKSigner: true
- APKPath:
Download keystore
using keystore at: /tmp/bitrise-sign-build-artifact257059226/keystore.jks
[REDACTED]_home: /opt/[REDACTED]-sdk-linux
aapt: /opt/[REDACTED]-sdk-linux/build-tools/30.0.3/aapt
zipalign: /opt/[REDACTED]-sdk-linux/build-tools/30.0.3/zipalign
zip: /usr/bin/zip
Signing 1 Build Artifacts
1/1 signing /bitrise/deploy/[REDACTED]-resident-app-iotas-staging.apk
Signature file (DSA or RSA) found in META-INF, unsigning the build artifact...
=> /usr/bin/zip "-d" "/tmp/bitrise-sign-build-artifact257059226/unsigned.apk" "META-INF/CERT.SF" "META-INF/MANIFEST.MF" "META-INF/CERT.RSA"
Zipalign Build Artifact
=> /opt/[REDACTED]-sdk-linux/build-tools/30.0.3/zipalign "-p" "-c" "4" "/tmp/bitrise-sign-build-artifact257059226/unsigned.apk"
=> /opt/[REDACTED]-sdk-linux/build-tools/30.0.3/zipalign "-p" "-f" "4" "/tmp/bitrise-sign-build-artifact257059226/unsigned.apk" "/bitrise/deploy/[REDACTED]-resident-app-iotas-staging-bitrise-aligned.apk"
Failed to zipalign Build Artifact, error: [
exit status 1]
| |
+---+---------------------------------------------------------------+----------+
| x | sign-apk@1.7 (exit code: 1) | 5.32 sec |
+---+---------------------------------------------------------------+----------+
| Issue tracker: https://github.com/bitrise-steplib/steps-sign-apk/issues |
| Source: https://github.com/bitrise-steplib/steps-sign-apk |
+---+---------------------------------------------------------------+----------+
```
Here is our `buildTypes` section from our app's build.gradle:
```groovy
buildTypes {
    debug {
        minifyEnabled false
        proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        signingConfig signingConfigs.debug
        applicationIdSuffix ".dfe"
    }
    staging {
        minifyEnabled false
        proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        signingConfig signingConfigs.debug
        applicationIdSuffix ".staging"
        debuggable true
    }
    release {
        minifyEnabled true
        proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
    }
}
```
Let me know if anything else would be helpful to provide for debugging this failure.
One more quick thing on this, version 1.7.2 of the step works fine with no errors for me, but generates ~270mb size files.
Closing this issue as the title is no longer applicable to later reported issues. V2 signature is already supported via apksigner, introduced in #54. The step has a bug which prevents zipalign in some cases using the apksigner tool. I opened a new issue, #71 and linked all relevant information.
Hi,
Are there any plans to introduce support for V2 signing (full APK signature)? I believe this would require switching from jarsigner to the apksigner tool.
Thanks