yeriomin / YalpStore

Download apks from Google Play Store
GNU General Public License v2.0

APK downloaded are different from the one downloaded from github release or apkmirror, it's bigger in size #592

Closed ixearth closed 5 years ago

ixearth commented 5 years ago

Expected behavior

The apk downloaded and installed by using Yalp Store should match the one downloaded from Play Store. I take Reddit as an example here. Reddit 3.21.1 (227482) | APKMirror: this version of Reddit was updated on February 28, 2019 on Play Store.

File size: 26,752,852 bytes
File hashes:
MD5: 1506fd3b3bf785cab3f8a0a637ca4487
SHA-1: 393225cc1cd37d5dbee2d28beb6a005fb4b29835
SHA-256: d8abe637b81862cbf2f56898c9a028434564e6d69eb4fdd74060b74759924bf0

Actual behavior

I tried a few apps; they are all different from the ones downloaded from other sources. They are bigger in size (but IDK why it does not break the signature). /sdcard/Download/com.reddit.frontpage.227482.apk is the file I downloaded by using Yalp Store (or the apk I pull from /data/com.reddit.frontpage-*/base.apk after installing it).

File size: 26,753,085 bytes
File hashes:
MD5: e01620521a4fbb3c6f1bb85d51c5edbd
SHA-1: 236378567e14dc334799a7c41e4cd018a732ab8b
SHA-256: 6a55cb7d5628ddd6f7d888691790a98a61d98ddb9da7589021cff3aa93ee6eed

gplaycli gets the same apk. The apk downloaded from Aurora Store is the same as the one on APKMirror, different from this one.

Steps to reproduce

  1. download any app by using yalp store
  2. download the same app from other source like aurora store and apkmirror, playmaker etc..
  3. compare the hash or diff

Your setup

Device model, android flavor, Yalp Store version: OnePlus 3 (oneplus3), Android Pie (Lineage OS 16.0), Yalp Store version 0.45-legacy (installed from F-Droid)

garywill commented 5 years ago

  1. Were the files downloaded from apkmirror and other sources the same?
  2. I guess an app has different apks for different CPUs, DPIs, etc.

ixearth commented 5 years ago

@garywill

  1. I didn't compare it with other mirrors, but apkmirror.com seems to be the only website that provides hashes of apks. And it's not necessary to do this, since the apk downloaded by using Aurora Store or Playmaker (both directly fetch the apk from Google's server) is the same as the file downloaded from apkmirror.

  2. I know, and that's why I chose Reddit for the example. The Reddit apk is universal and only has the one "nodpi" apk.

I can also provide another comparison.

AmazeFileManager: the developer releases the apk both on Play Store and as a GitHub release. versionName: 3.3.2, versionCode: 77. apkmirror:

size: 7952340 bytes
File hashes:
MD5: e91e97a5cd42e9c94deaea08d48e9c6f
SHA-1: c85b6f02658e1aaa7d6f7918235a2ffb8d1f21fc
SHA-256: b9ad05cb510378dcb124c6c117c503616ad22b8b799a575b2792de5c13782f4a

TeamAmaze GitHub release: matches the file size and hash shown on apkmirror.com
Aurora Store: same file as downloaded from the GitHub release
Yalp Store (0.45-legacy, F-Droid): different file, size 7952559 bytes

MD5: 96c8373300730c2300e37f77423b5773
SHA1: 08b182f8bc5f2a9cc0c17c7d1ce4d6123be4474a
SHA256: d3417a83870d63516c91f6879fedbb43163baa7c547394cd22e947e993103524

IDK why, but I even got a 14M file once; then I tried to download twice and got this file.

garywill commented 5 years ago

I downloaded amaze file manager from yalp 0.43, got the same file as you. Raccoon downloaded the same file as github release.

I analyzed the two binaries. The apk from yalp has these additional strings:

> NDF!d?
> -*,:
> x/JIH0F
> Y56S
> APK Sig Block 42PK
ixearth commented 5 years ago

I don't have GApps, so I can't really make sure whether the apk downloaded by using Yalp Store and the one from Play Store are the same or different. But I asked someone to download Amaze for me by using Play Store, and the result was the same apk I downloaded by using Yalp Store.

So, the Amaze apk released on GitHub is signed with APK Signature Scheme v1, while the apk downloaded from/by using Play Store/Yalp Store is signed with Signature Scheme v2.

https://source.android.com/security/apksigning/v2

APK Signature Scheme v2 was introduced in Android 7.0 (Nougat). To make an APK installable on Android 6.0 (Marshmallow) and older devices, the APK should be signed using JAR signing before being signed with the v2 scheme. Does Play Store sign it with the v2 scheme? Or do these developers upload an apk signed with the v1 scheme on GitHub and one signed with the v2 scheme for Play Store?

And why does Aurora Store get the v1-scheme-signed apk, while Yalp Store gets the v2-scheme-signed apk?

Anyway, it seems it's not really an issue. Yalp Store gets the same apk as the one from Play Store.
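The "APK Sig Block 42" string found in the extra bytes of the yalp download is the 16-byte magic that closes an APK Signing Block, which sits immediately before the ZIP central directory and is exactly what distinguishes a v2-signed APK from a JAR-only (v1) one. The following added example, which is not code from this thread or from YalpStore, parses that structure so two downloads can be compared by signing scheme as well as by size; the sample zip, the dummy block contents and the helper names are constructed for the demo, while the v2 pair ID 0x7109871A is the one documented for Signature Scheme v2.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # the 16-byte magic seen in the extra bytes of the yalp download
V2_BLOCK_ID = 0x7109871A                    # documented ID of the Signature Scheme v2 pair inside the block


def eocd_offset(data):
    """Locate the ZIP End of Central Directory record, searching back over any trailing comment."""
    idx = data.rfind(b"PK\x05\x06", max(0, len(data) - 22 - 65535))
    if idx < 0:
        raise ValueError("not a zip: no EOCD record")
    return idx


def signing_block(data):
    """Return (start, length) of an APK Signing Block, or None when the APK carries no v2+ block."""
    cd_off = struct.unpack_from("<I", data, eocd_offset(data) + 16)[0]
    if cd_off < 24:
        return None
    # The block ends with a uint64 size (excluding the leading size field) followed by the magic.
    size, magic = struct.unpack_from("<Q16s", data, cd_off - 24)
    if magic != APK_SIG_BLOCK_MAGIC:
        return None
    start = cd_off - size - 8
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("malformed APK Signing Block: size fields disagree")
    return start, size + 8


def sample_apk(with_v2_block):
    """Constructed zip standing in for an APK; optionally splice in a dummy signing block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"constructed sample, not real bytecode")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    data = buf.getvalue()
    if not with_v2_block:
        return data
    eocd = eocd_offset(data)
    cd_off = struct.unpack_from("<I", data, eocd + 16)[0]
    value = b"placeholder, not a real v2 signature"
    pair = struct.pack("<QI", 4 + len(value), V2_BLOCK_ID) + value  # uint64 length, uint32 ID, value
    size = len(pair) + 8 + 16
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    # The block sits just before the central directory, so patch the offset stored in the EOCD.
    eocd_rec = data[eocd:eocd + 16] + struct.pack("<I", cd_off + len(block)) + data[eocd + 20:]
    return data[:cd_off] + block + data[cd_off:eocd] + eocd_rec
```

Running `signing_block` on the two Amaze files from this thread would report a block only for the Play Store/Yalp copy, and its length accounts for the few hundred bytes of size difference the reporter measured.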