tidev / titanium-sdk

🚀 Native iOS and Android Apps with JavaScript
https://titaniumsdk.com/

Failed to sign apk - unrecognized algorithm name #10769

Closed ryanbuening closed 5 years ago

ryanbuening commented 5 years ago

Describe the bug

To Reproduce

  1. Publish - Distribute - Android Play Store
  2. Signing errors with the following:
[INFO] :   Writing unsigned apk: **omitted**
[INFO] :   Using MD5withRSA (weak) signature algorithm
[INFO] :   Signing apk: /Library/Java/JavaVirtualMachines/jdk1.8.0_162.jdk/Contents/Home/bin/jarsigner "-sigalg" "MD5withRSA (weak)" "-digestalg" "SHA1" "-keystore" "/dev_keystore" "-storepass" "*******" "-signedjar" "Name.apk" "../app-unsigned.apk" "tidev"
[ERROR] :  Failed to sign apk:
[ERROR] :  jarsigner error: java.security.NoSuchAlgorithmException: unrecognized algorithm name: MD5withRSA (weak)

Expected behavior

Expected the app to be signed. I haven't had issues in the past.

Environment

Titanium SDK version: 7.5.1 GA
CLI version: 5.1.1

Logs:

[INFO] :   Writing unsigned apk: **omitted**
[INFO] :   Using MD5withRSA (weak) signature algorithm
[INFO] :   Signing apk: /Library/Java/JavaVirtualMachines/jdk1.8.0_162.jdk/Contents/Home/bin/jarsigner "-sigalg" "MD5withRSA (weak)" "-digestalg" "SHA1" "-keystore" "/dev_keystore" "-storepass" "*******" "-signedjar" "Name.apk" "../app-unsigned.apk" "tidev"
[ERROR] :  Failed to sign apk:
[ERROR] :  jarsigner error: java.security.NoSuchAlgorithmException: unrecognized algorithm name: MD5withRSA (weak)

cb1kenobi commented 5 years ago

Sounds like keytool appends a little message after the signature algorithm in the keytool output. I'm not sure if that's a Java 8 thing or what. I don't have an MD5withRSA keystore on hand to test.

Temporary workaround would be to just build your app from the command line using appc run (or ti build) and pass in --sigalg MD5withRSA to override the signature algorithm detected by keytool.

A more permanent fix would be to update the createSignedApk() function to strip off anything after the first instance of whitespace.

https://github.com/appcelerator/titanium_mobile/blob/master/android/cli/commands/_build.js#L4632

const sigalg = (this.sigalg || this.keystoreAlias.sigalg || 'MD5withRSA').split(' ')[0],

@jquick-axway what do you think?

jquick-axway commented 5 years ago

Yes, I'm pretty sure Oracle has been appending " (weak)" to the returned "MD5withRSA" algorithm since JDK 8. You can see it in their release notes below if you search for "(weak)". https://www.java.com/en/download/faq/release_changes.xml
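
The normalization discussed above for the keytool-reported algorithm, as an added JavaScript example that is not part of the thread or the Titanium SDK source: it parses the "Signature algorithm name" line, keeps only the token jarsigner accepts, and keeps the "(weak)" annotation as a flag instead of discarding it. The function names and the sample keytool output are constructed for illustration.

```javascript
// Added example, not Titanium SDK code.
// Constructed sample of `keytool -list -v` text; only the fields needed here.
const SAMPLE_KEYTOOL_OUTPUT = [
  'Alias name: tidev',
  'Entry type: PrivateKeyEntry',
  'Signature algorithm name: MD5withRSA (weak)',
].join('\n');

// A usable algorithm name is a single token: no whitespace, no parentheses.
const SIGALG_TOKEN = /^[A-Za-z0-9][A-Za-z0-9_.\/-]*$/;

// Split a value such as "MD5withRSA (weak)" into the name to hand to
// jarsigner and a flag recording that keytool annotated it as weak.
function normalizeSigalg(raw) {
  const [name, ...rest] = String(raw).trim().split(/\s+/);
  if (!SIGALG_TOKEN.test(name)) {
    throw new Error(`unexpected signature algorithm value: ${JSON.stringify(raw)}`);
  }
  return { name, flaggedWeak: rest.join(' ').includes('(weak)') };
}

// Find the signature algorithm in keytool's verbose listing.
// Returns null when the line is absent so the caller can fall back.
function sigalgFromKeytool(output) {
  const match = /^\s*Signature algorithm name:\s*(.+)$/m.exec(String(output));
  return match ? normalizeSigalg(match[1]) : null;
}

const detected = sigalgFromKeytool(SAMPLE_KEYTOOL_OUTPUT);
console.log(`-sigalg ${detected.name}`);
if (detected.flaggedWeak) {
  // Surface the annotation in the build log instead of passing it to jarsigner.
  console.warn(`keytool marks ${detected.name} as weak; consider a stronger keystore algorithm`);
}
```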

ryanbuening commented 5 years ago

@cb1kenobi - Something like below?

appc run -p android -T dist-playstore [-K <KEYSTORE_FILE> -P <KEYSTORE_PASSWORD> -L <KEYSTORE_ALIAS> -O <OUTPUT_DIRECTORY>]

appc run -p android -T dist-playstore -K ~/android.keystore -P secret -L foo -O ./dist/

cb1kenobi commented 5 years ago

@ryanbuening You would need to also pass in the --sigalg like this:

appc run -p android -T dist-playstore -K ~/android.keystore -P secret -L foo -O ./dist/ --sigalg MD5withRSA

jquick-axway commented 5 years ago

@ryanbuening, thanks for bringing this issue to our attention. We've written up a bug report for it below. https://jira.appcelerator.org/browse/TIMOB-26895

ryanbuening commented 5 years ago

Thanks guys. I'm using the appc run command as a workaround for now.