search

mozilla-mobile / firefox-echo-show

Firefox for Amazon's Echo Show
Mozilla Public License 2.0
25 stars 12 forks source link

Build & sign script `apksigner verify` fails #326

Closed mcomella closed 4 years ago

mcomella commented 4 years ago

Steps to reproduce

Expected behavior

Build and sign successful

Actual behavior

Build and sign fails at apksigner verify:

DOES NOT VERIFY
ERROR: JAR signer APK2_FIR.RSA: JAR signature META-INF/APK2_FIR.SF indicates the APK is signed using APK Signature Scheme v2 but no such signature was found. Signature stripped?
mcomella commented 4 years ago

The build and signing script failed on the last release too https://github.com/mozilla-mobile/firefox-echo-show/issues/287 – I wonder if there's anything to be learned here.

mcomella commented 4 years ago

The zipalign docs say:

Caution: You must use zipalign at one of two specific points in the app-building process, depending on which app-signing tool you use:

    If you use apksigner, zipalign must only be performed before the APK file has been signed. If you sign your APK using apksigner and make further changes to the APK, its signature is invalidated.
    If you use jarsigner, zipalign must only be performed after the APK file has been signed.

https://developer.android.com/studio/command-line/zipalign

I wonder if we switched to using apksigner. I did verify that moving zipalign to before the signing does seem to address the issue (though we still get warnings about manifest files not being protected by the signature).