Autograph signed builds crash when opening any website

[severinrudie]

Steps to reproduce

• Build master
• Sign using tools/sign_release.sh
• Deploy code
• Open any website

Expected behavior

• Website loads

Actual behavior

• App crashes

Device information

• Echo Show device: 2nd gen & Show 5
• Latest affected Firefox version: 0a6782925c93e326f1a34dc544a4a445bb1786be (current master)
• Earliest affected Firefox version: ?

Crash log

07-03 14:52:06.533 17648-17648/org.mozilla.connect.firefox E/AndroidRuntime: FATAL EXCEPTION: main
    Process: org.mozilla.connect.firefox, PID: 17648
    java.lang.IllegalStateException: Module with the Main dispatcher is missing. Add dependency providing the Main dispatcher, e.g. 'kotlinx-coroutines-android'
        at kotlinx.coroutines.MissingMainCoroutineDispatcher.missing(Dispatchers.kt:123)
        at kotlinx.coroutines.MissingMainCoroutineDispatcher.dispatch(Dispatchers.kt:116)
        at kotlinx.coroutines.DispatchedKt.resumeCancellable(Dispatched.kt:282)
        at kotlinx.coroutines.intrinsics.CancellableKt.startCoroutineCancellable(Cancellable.kt:23)
        at kotlinx.coroutines.CoroutineStart.invoke(CoroutineStart.kt:109)
        at kotlinx.coroutines.AbstractCoroutine.start(AbstractCoroutine.kt:160)
        at kotlinx.coroutines.BuildersKt__Builders_commonKt.launch(Builders.common.kt:54)
        at kotlinx.coroutines.BuildersKt.launch(Unknown Source)
        at kotlinx.coroutines.BuildersKt__Builders_commonKt.launch$default(Builders.common.kt:47)
        at kotlinx.coroutines.BuildersKt.launch$default(Unknown Source)
        at org.mozilla.focus.toolbar.ProgressBarController.hideProgressBar(ProgressBarController.kt:62)
        at org.mozilla.focus.toolbar.ProgressBarController.onLoadingUpdate(ProgressBarController.kt:28)
        at org.mozilla.focus.toolbar.ToolbarIntegration$setup$3.invoke(ToolbarIntegration.kt:115)
        at org.mozilla.focus.toolbar.ToolbarIntegration$setup$3.invoke(ToolbarIntegration.kt:68)
        at org.mozilla.focus.MainActivity.onSessionLoadingUpdate(MainActivity.kt:193)
        at org.mozilla.focus.browser.BrowserFragment$SessionLoadingObserver.onChanged(BrowserFragment.kt:227)
        at org.mozilla.focus.browser.BrowserFragment$SessionLoadingObserver.onChanged(BrowserFragment.kt:224)
        at androidx.lifecycle.LiveData.considerNotify(LiveData.java:113)
        at androidx.lifecycle.LiveData.dispatchingValue(LiveData.java:131)
        at androidx.lifecycle.LiveData.setValue(LiveData.java:289)
        at org.mozilla.focus.architecture.NonNullLiveData.setValue(NonNullLiveData.kt:40)
        at org.mozilla.focus.architecture.NonNullMutableLiveData.setValue(NonNullMutableLiveData.kt:19)
        at org.mozilla.focus.session.Session.setLoading(Session.java:80)
        at org.mozilla.focus.session.SessionCallbackProxy.onPageFinished(SessionCallbackProxy.java:39)
        at org.mozilla.focus.webview.FocusWebViewClient.onPageFinished(FocusWebViewClient.java:212)
        at com.amazon.webview.awvclients.AmazonWebViewClient.onPageFinished(AmazonWebViewClient.java:95)
        at com.android.webview.chromium.WebViewContentsClientAdapter.onPageFinished(WebViewContentsClientAdapter.java:546)
        at com.android.webview.chromium.WebViewExtAmazonContentsClientAdapter.onPageFinished(WebViewExtAmazonContentsClientAdapter.java:18)
        at org.chromium.android_webview.AwContentsClientCallbackHelper$MyHandler.handleMessage(AwContentsClientCallbackHelper.java:201)
        at android.os.Handler.dispatchMessage(Handler.java:102)
        at android.os.Looper.loop(Looper.java:135)
        at android.app.ActivityThread.main(ActivityThread.java:5597)
        at java.lang.reflect.Method.invoke(Native Method)
        at java.lang.reflect.Method.invoke(Method.java:372)
        at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:984)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:779)

Notes

• According to this link, this can happen when the APKs META-INF folder is modified during the signing process
• Inspecting the META-INF folder of a local build, it contains a lot of AndroidX related files that are not found in our Autograph signed version
• We migrated to AndroidX since our last release (which was successfully signed with Autograph)

[athomasmoz]

This blocks us from releasing any code

[severinrudie]

I reached out to the Autograph team on Slack and asked them to look into this. We should follow up on this in a few days to see if they have a fix.

[g-k]

Mentioned some possible fixes in https://mozilla.slack.com/archives/CEMMGTZJ5/p1562192026270800 :

• I can change the apkzip option to passthrough from all (assuming this is the Fx Connect signer) in the autograph edge config https://github.com/mozilla-services/autograph/tree/master/signer/apk#2signature-request
• running zipalign -v 4 after signing

Autograph should only be stripping case insensitive matches for META-INF/manifest.mf, META-INF/*.sf, META-INF/*.rsa, META-INF/*.dsa, META-INF/*.ec, and META-INF/sig- (i.e. matching isSignatureFile here https://github.com/mozilla-services/autograph/blob/master/signer/apk/jar.go#L143-L169).

[severinrudie]

which key is this using?

Should be the Connect key (I believe Connect was the prerelease name for the Show)

Autograph should only be stripping case insensitive matches for META-INF/manifest.mf, META-INF/*.sf, META-INF/*.rsa, META-INF/*.dsa, META-INF/*.ec, and META-INF/sig-

Hm, not sure what's going on here then. I've attached META-INF folders taken from a build pre and post signing so you can take a look. There are a lot of files missing that don't appear to follow that format. The steps taken were:

• Build locally (passing -PnoValidate to disable some release checks)
• Run tools/sign_release.sh (passing --test to disable Sentry key check)
• Decompile both APKs using http://www.javadecompilers.com/apk

signed-META-INF.zip unsigned-META-INF.zip

[g-k]

OK I do see debug CERT.SF, CERT.RSA, and MANIFEST.MF in the unsigned APK. Overwriting those should be fine, since we replace them with valid versions.

zipinfo shows a mix of uncompressed (stor) and deflate compressed (defN) entries, so I think this is the same issue we saw with FxR.

edit: I'll redeploy autograph edge to use the zip passthrough option and I have a PR to zip align after signing.

edit 2: done, sent a test signed APK to @Baron-Severin

[liuche]

@g-k is Autograph going to start using the new apksigner, that will protect these other files? If so, we should file a bug to turn off ignoring warnings when that is done.

[g-k]

@liuche Not sure I fully understand the question, but:

• the autograph golang implementation of apk v1 signature includes non-blacklisted META-INF files in the manifest file (and protect them). However, there are known issues with the v1 format.
• we have an issue for APK v2 signature support in autograph https://github.com/mozilla-services/autograph/issues/64 and @jvehent wants to work on it at some point, but it's not on the roadmap
• FxLite / Rocket is using AAB for the Play Store, which provides other benefits. That's an option if you're interested.
• we are manually signing FxR offline with a v2 signature https://mana.mozilla.org/wiki/display/SVCOPS/Firefox+Reality+APK+v2 , because the oculus store requires it but don't want to do that for all the apps.