Closed kyvaith closed 5 years ago
Hey,
That's deliberate, otherwise Google would be unable to remote update their apps. If you find an app that should be signed with the platform key then I'm happy to fix that.
On 8 Aug 2017 16:52, "Tomasz Witke" notifications@github.com wrote:
I've noticed, gapps apks and jars are not signed with platform key while building AOSP. Is there any reason for that? Could You please add it? Thanks.
I didn't know that. If so, all apps and frameworks which are not in the Play Store should be signed within the build process. My main problem is that SetupWraith and a few other system apps are not signed, which produces FCs. I can make a pull request if You prefer that.
StupWraith?
What force close do you get? Can you share a logcat?
On 9 Aug 2017 08:59, "Tomasz Witke" notifications@github.com wrote:
I didn't know that. If so, all apps and frameworks which are not in the Play Store should be signed within the build process. My main problem is that StupWraith and a few other system apps are not signed, which produces FCs. I can make a pull request if You prefer that.
No WRITE_GSETTINGS permission.
After dirty changing local_certificate to platform, all works, except PlayServices, which is not a surprise. I'm planning to move the local_certificate declaration from prebuilt_apk.mk to the modules' Android.mk files. Or maybe you know how to overwrite it for certain modules?
And you get a permission issue because of that?
What is that permission marked as, and who is the owner? I would think it was a signature permission.
On 9 Aug 2017 09:32, "Tomasz Witke" notifications@github.com wrote:
After dirty changing local_certificate to platform, all works, except PlayServices, which is not a surprise. I'm planning to move the local_certificate declaration from prebuilt_apk.mk to the modules' Android.mk files. Or maybe you know how to overwrite it for certain modules?
You didn't answer my question. I'm perfectly aware of how the Android M permission system works.
Please give me an "adb bugreport" so I can see who owns that permission on your device.
On 9 Aug 2017 12:27, "Tomasz Witke" notifications@github.com wrote:
Sure, please refer to this: https://stackoverflow.com/questions/32422587/android-marshmallow-dangerous-protection-level-and-system-components-apps#answer-38629354
Oh, ok. This is from my old logcat. Is it enough? If not, I'll need to build again without signing gapps.
07-31 12:58:14.560 2024 2024 W PackageManager: Not granting permission com.google.android.providers.settings.permission.WRITE_GSETTINGS to package com.google.android.tungsten.setupwraith (protectionLevel=2 flags=0x38483e45)
07-31 13:00:58.458 2535 2568 E DatabaseUtils: Writing exception to parcel
07-31 13:00:58.458 2535 2568 E DatabaseUtils: java.lang.SecurityException: Permission Denial: writing com.google.android.gsf.settings.GoogleSettingsProvider uri content://com.google.settings/partner from pid=2521, uid=10025 requires com.google.android.providers.settings.permission.WRITE_GSETTINGS, or grantUriPermission()
07-31 13:00:58.458 2535 2568 E DatabaseUtils: at android.content.ContentProvider.enforceWritePermissionInner(ContentProvider.java:682)
07-31 13:00:58.458 2535 2568 E DatabaseUtils: at android.content.ContentProvider$Transport.enforceWritePermission(ContentProvider.java:497)
07-31 13:00:58.458 2535 2568 E DatabaseUtils: at android.content.ContentProvider$Transport.insert(ContentProvider.java:259)
07-31 13:00:58.458 2535 2568 E DatabaseUtils: at android.content.ContentProviderNative.onTransact(ContentProviderNative.java:163)
07-31 13:00:58.458 2535 2568 E DatabaseUtils: at android.os.Binder.execTransact(Binder.java:565)
I've tried to sign most of the apks which are not on the Play Store with the platform key, but Play services won't work. Right now I'm signing only SetupWraith and all seems to be ok. Will let You know tomorrow, thanks.
I can see that SetupWraith uses a different key than for example the Play Store:
Serial Number: 17775933671679047513 (0xf6b0cd7e5355b759)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=Mountain View, O=Google Inc., OU=Android, CN=Android
Validity
Not Before: Sep 28 23:51:32 2014 GMT
Not After : Feb 13 23:51:32 2042 GMT
Subject: C=US, ST=California, L=Mountain View, O=Google Inc., OU=Android, CN=Android
vs (e.g. the vending package)
Serial Number: 14042372374541250701 (0xc2e08746644a308d)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=California, L=Mountain View, O=Google Inc., OU=Android, CN=Android
Validity
Not Before: Aug 21 23:13:34 2008 GMT
Not After : Jan 7 23:13:34 2036 GMT
Subject: C=US, ST=California, L=Mountain View, O=Google Inc., OU=Android, CN=Android
(checked using: https://stackoverflow.com/questions/11361452/getting-certificate-details-from-an-apk )
This looks a bit strange... WRITE_GSETTINGS is a Signature permission (and not a dangerous or system permission, see: https://developer.android.com/reference/android/content/pm/PermissionInfo.html#PROTECTION_SIGNATURE ), and if the signatures don't match then it won't grant the permission.
SetupWraith is an Android TV thing, right? @mfonville maybe check if Android TV has a different signature chain than normal Android?
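Added example (not part of the original thread or of the opengapps project): a small logcat triage script for the failure discussed above. It pairs each PackageManager "Not granting permission" warning with later "Permission Denial" exceptions for the same permission and decodes the base protection level (2 is `PROTECTION_SIGNATURE`). The function name `triage` and the result field names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Base protection levels from android.content.pm.PermissionInfo (low 4 bits).
BASE_LEVELS = {0: "normal", 1: "dangerous", 2: "signature", 3: "signatureOrSystem"}

NOT_GRANTED = re.compile(
    r"PackageManager: Not granting permission (?P<perm>\S+) "
    r"to package (?P<pkg>\S+) \(protectionLevel=(?P<level>\d+)")
DENIAL = re.compile(
    r"Permission Denial: (?P<op>\w+) (?P<provider>\S+) uri (?P<uri>\S+) "
    r"from pid=\d+, uid=(?P<uid>\d+) requires (?P<perm>[\w.]+)")

def triage(logcat_text):
    """Return one finding per refused permission, with matching denials attached."""
    findings = {}
    denials = defaultdict(list)
    for line in logcat_text.splitlines():
        m = NOT_GRANTED.search(line)
        if m:
            base = BASE_LEVELS.get(int(m["level"]) & 0xF, "unknown")
            findings[(m["pkg"], m["perm"])] = {
                "package": m["pkg"], "permission": m["perm"],
                "base_level": base,
                # A refused signature-level permission points at a signing
                # certificate that differs from the declaring package's.
                "cert_mismatch_suspected": base in ("signature", "signatureOrSystem"),
                "denials": [],
            }
            continue
        m = DENIAL.search(line)
        if m:
            # Denials are logged per uid, so they are matched by permission name.
            denials[m["perm"]].append((m["op"], m["uri"], int(m["uid"])))
    for (_pkg, perm), finding in findings.items():
        finding["denials"] = denials.get(perm, [])
    return list(findings.values())

# Sample input: the two relevant lines from the logcat posted in this thread.
SAMPLE = """\
07-31 12:58:14.560 2024 2024 W PackageManager: Not granting permission com.google.android.providers.settings.permission.WRITE_GSETTINGS to package com.google.android.tungsten.setupwraith (protectionLevel=2 flags=0x38483e45)
07-31 13:00:58.458 2535 2568 E DatabaseUtils: java.lang.SecurityException: Permission Denial: writing com.google.android.gsf.settings.GoogleSettingsProvider uri content://com.google.settings/partner from pid=2521, uid=10025 requires com.google.android.providers.settings.permission.WRITE_GSETTINGS, or grantUriPermission()
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
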
So, I went through the certificates for all Google apps, and the user ID they want to run as:
http://paste.ubuntu.com/25305121/
Looking at the SetupWraith package in particular, we see that it shares the certificate with a few other apps:
file | serial_number | shared_user |
---|---|---|
sources/all/priv-app/com.google.android.tungsten.setupwraith/ | 17775933671679047513 | |
sources/all/priv-app/com.google.android.pano.packageinstaller/ | 17775933671679047513 | |
sources/all/app/com.google.android.tv.bugreportsender/ | 17775933671679047513 | android.uid.shell |
sources/all/app/com.google.tungsten.bugreportsender/ | 17775933671679047513 | android.uid.shell |
sources/all/priv-app/com.google.android.athome.remotecontrol/ | 17775933671679047513 | android.uid.system |
sources/all/priv-app/com.google.android.athome.globalkeyinterceptor/ | 17775933671679047513 | android.uid.system |
These I think should be signed with the platform certificate, but only these.
@kyvaith did you try signing the apps I listed with the platform certificate?
@Blystad You're most probably right, but now I'm trying to get Android TV 8.0 x86 to work, so I'm unable to test it.