Closed licaon-kter closed 2 months ago
I now added an FAQ entry, copied here:
Since `build-tools` >= 35.0.0-rc1, backwards-incompatible changes to `apksigner` break `apksigcopier` as it now by default forcibly replaces existing alignment padding and changed the default page alignment from 4k to 16k (same as Android Gradle Plugin >= 8.3, so the latter is only an issue when using older AGP).
Unlike `zipalign` and Android Gradle Plugin, which use zero padding, `apksigner` uses a `0xd935` "Android ZIP Alignment Extra Field" which stores the alignment itself plus zero padding and is thus always at least 6 bytes.
It now forcibly replaces existing padding even when the file is already aligned as it should be, except when `--alignment-preserved` is specified, in which case it will keep existing (non)alignment and padding.
This means it will replace existing zero padding with different padding for each and every non-compressed file. This padding will not only be different but also longer for regular files aligned to 4 bytes with zero padding, but often the same size for `.so` shared objects aligned to 16k (unless they happened to require less than 6 bytes of zero padding before).
Unfortunately, supporting this change in `apksigcopier` without breaking compatibility with the signatures currently supported would require rather significant changes. Luckily, there are 3 workarounds available:
First: use `apksigner` from `build-tools` <= 34.0.0 (clearly not ideal).
Second: use `apksigner sign` from `build-tools` >= 35.0.0-rc1 with the `--alignment-preserved` option.
Third: use `zipalign.py --page-size 16 --pad-like-apksigner --replace` on the unsigned APK to replace the padding the same way `apksigner` now does before using `apksigcopier`.
The third alternative could be automated: if copying the signature fails, add the garbage and retry. However, this is still out of scope for `apksigcopier`, which only copies the signature; validation of the resulting APK is left up to the user -- except for the `compare` command which is provided merely for convenience, the `copy` and `patch` commands do not and cannot validate the signature (and should not require `apksigner` to work) -- or whatever program is using the `apksigcopier` API.
As I pointed out elsewhere and not for the first time:
I worry that there isn't really a sustainable solution for F-Droid running a Reproducible Builds project when they no longer have an expert to fix things when they break or anyone having a proper understanding of all the tooling they depend on.
If you don't understand what changes tooling like `zipalign`, `apksigner`, `repro-apk`, etc. make to the APK, you will not be able to fix anything if it breaks because something changed in the toolchain like here. Except by downgrading or getting lucky with trial and error of various options you happen to know about. Hoping someone else fixes it for you seems like a bad strategy :woman_shrugging:
But I resigned from F-Droid last year so it's not my problem any more 🤷‍♀️
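Added example (not part of the thread and not apksigcopier code): a small Python inspector that reports, for each uncompressed entry, whether its local-header padding is plain zero bytes or the `0xd935` field described in the FAQ entry above. The function names and the two-entry sample ZIP are constructed for illustration.

```python
import io, struct, zipfile

ALIGN_ID = 0xD935  # apksigner's "Android ZIP Alignment Extra Field"

def classify(extra):
    """Classify one local-header extra field as (kind, alignment)."""
    if not extra:
        return ("none", None)
    if not any(extra):
        return ("zero", None)          # zipalign / AGP style padding
    pos = 0
    while pos + 4 <= len(extra):       # walk (id, size, data) records
        fid, size = struct.unpack_from("<HH", extra, pos)
        if fid == ALIGN_ID and size >= 2 and pos + 4 + size <= len(extra):
            return ("0xd935", struct.unpack_from("<H", extra, pos + 4)[0])
        pos += 4 + size
    return ("other", None)

def padding_report(apk):
    """Map each stored entry to (kind, alignment, extra_len, data_offset)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for zi in zf.infolist():
            if zi.compress_type != zipfile.ZIP_STORED:
                continue               # only uncompressed entries are aligned
            off = zi.header_offset     # local header, not the central directory
            name_len, extra_len = struct.unpack_from("<HH", apk, off + 26)
            start = off + 30 + name_len
            extra = apk[start:start + extra_len]
            report[zi.filename] = classify(extra) + (extra_len, start + extra_len)
    return report

def build_sample():
    """Constructed input: two stored entries, 4-byte aligned, one per style."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, like_apksigner in (("a.bin", False), ("b.bin", True)):
            zi = zipfile.ZipInfo(name)
            start = buf.tell() + 30 + len(name)   # data offset without extra
            if like_apksigner:                    # 6 = id + size + alignment
                pad = -(start + 6) % 4
                zi.extra = struct.pack("<HHH", ALIGN_ID, 2 + pad, 4) + bytes(pad)
            else:
                zi.extra = bytes(-start % 4)
            zf.writestr(zi, b"data")
    return buf.getvalue()

if __name__ == "__main__":
    for name, info in padding_report(build_sample()).items():
        print(name, info)
```

Running `padding_report` on the bytes of the unsigned APK and of the signed APK and comparing the two results shows which entries had their padding rewritten during signing.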
This is a known issue.
Link?
Use apksigner from build-tools >= 35.0.0-rc1 for signing and tell it to not add the garbage
Ah, but 'tis a sekret, wink-wink, nudge-nudge, say no more
:tada:
getting lucky with trial and error of various options you happen to know about
How do you think I got so far? :cat:
Link?
"Known issue" as in "I knew about it but just didn't get around to updating the `apksigcopier` FAQ yet". I told you to "feel free to report it to Google" if you want them to fix `apksigner`.
Don't forget, `apksigcopier` may be a vital dependency for F-Droid, but to me it's just an unpaid hobby project I work on whenever I have time and feel like it. After my resignation, Hans' behaviour got him permanently banned from all of my projects; the rest of F-Droid should expect no support from me either. The only reason you got a detailed reply here is that I was already aware of this and planning to document it. Had I needed to investigate this just for F-Droid, you would have been out of luck.
Ah, but 'tis a sekret, wink-wink, nudge-nudge, say no more [it works with `--alignment-preserved true`, as expected] 🎉
What? I just didn't remember the option name and didn't bother looking it up just for you, knowing you couldn't possibly fail to find it, as you clearly just demonstrated.
How do you think I got so far?
If you didn't need my help, why open this issue to ask for it?
@licaon-kter @linsui I don't care about credit here. I'm just glad this can be fixed for the developers that were affected. But given that LK is now taking credit for figuring out what changed: do not ask me for help again next time. You say you don't need my help, fine. Maybe you don't. Maybe your luck won't run out. But then you don't get to ask for my help either. You're on your own from now on. My issue trackers are closed to F-Droid now. Good luck next time.
Reported to Google: https://issuetracker.google.com/issues/351408623
If anyone wants Google to fix this on their end and has a Google account, please consider adding a +1 to the issue.
Suddenly for the past week more repro APKs can't be verified.
eg. https://github.com/Futsch1/medTimer/releases/tag/v1.8.10 has unsigned and signed
They have in common a thing, they get built by the Github CI, eg. signed here with apksigner from build-tools 35: https://github.com/Futsch1/medTimer/actions/runs/9750431791/job/26909848960#step:16:5
CI recipes use `ubuntu-latest` eg. https://github.com/Futsch1/medTimer/blob/v1.8.10/.github/workflows/android.yml#L14 so maybe the Github image got updated to build-tools 35 and now CI's just end up using it by default
apksigcopier can't cope with whatever apksigner 35 does?