Closed severinrudie closed 5 years ago
This blocks us from releasing any code
I reached out to the Autograph team on Slack and asked them to look into this. We should follow up on this in a few days to see if they have a fix.
Mentioned some possible fixes in https://mozilla.slack.com/archives/CEMMGTZJ5/p1562192026270800 :
passthrough
from all
(assuming this is the Fx Connect signer) in the autograph edge config https://github.com/mozilla-services/autograph/tree/master/signer/apk#2signature-requestzipalign -v 4
after signingAutograph should only be stripping case insensitive matches for META-INF/manifest.mf
, META-INF/*.sf
, META-INF/*.rsa
, META-INF/*.dsa
, META-INF/*.ec
, and META-INF/sig-
(i.e. matching isSignatureFile
here https://github.com/mozilla-services/autograph/blob/master/signer/apk/jar.go#L143-L169).
which key is this using?
Should be the Connect key (I believe Connect was the prerelease name for the Show)
Autograph should only be stripping case insensitive matches for
META-INF/manifest.mf
,META-INF/*.sf
,META-INF/*.rsa
,META-INF/*.dsa
,META-INF/*.ec
, andMETA-INF/sig-
Hm, not sure what's going on here then. I've attached META-INF folders taken from a build pre and post signing so you can take a look. There are a lot of files missing that don't appear to follow that format. The steps taken were:
-PnoValidate
to disable some release checks)tools/sign_release.sh
(passing --test
to disable Sentry key check)OK I do see debug CERT.SF, CERT.RSA, and MANIFEST.MF in the unsigned APK. Overwriting those should be fine, since we replace them with valid versions.
zipinfo shows a mix of uncompressed (stor
) and deflate compressed (defN
) entries, so I think this is the same issue we saw with FxR.
edit: I'll redeploy autograph edge to use the zip passthrough
option and I have a PR to zip align after signing.
edit 2: done, sent a test signed APK to @Baron-Severin
@g-k is Autograph going to start using the new apksigner, that will protect these other files? If so, we should file a bug to turn off ignoring warnings when that is done.
@liuche Not sure I fully understand the question, but:
Steps to reproduce
tools/sign_release.sh
Expected behavior
Actual behavior
Device information
Crash log
Notes