Signature stripped #913

Open
braindamagedman opened this issue Mar 17, 2021 · 4 comments

braindamagedman commented Mar 17, 2021

V2 and V3 signature stripped in apk files:

$ apksigner verify Phonesky.apk
DOES NOT VERIFY
WARNING: No SourceStamp signature
ERROR: JAR signer BNDLTOOL.RSA: JAR signature META-INF/BNDLTOOL.SF indicates the APK is signed using APK Signature Scheme v2 but no such signature was found. Signature stripped?
ERROR: JAR signer BNDLTOOL.RSA: JAR signature META-INF/BNDLTOOL.SF indicates the APK is signed using APK Signature Scheme v3 but no such signature was found. Signature stripped?

Checked in several opengapps builds: open_gapps-arm64-8.1-mini-20210314.zip, open_gapps-arm64-8.1-pico-20210314.zip, open_gapps-arm64-10.0-pico-20210314.zip

This leads to an error when trying to install APKs via ADB:

$ adb install Phonesky.apk 
Performing Streamed Install
adb: failed to install Phonesky.apk: Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES: Failed to collect certificates from /data/app/vmdl1536924348.tmp/base.apk: META-INF/BNDLTOOL.SF indicates /data/app/vmdl1536924348.tmp/base.apk is signed using APK Signature Scheme v2, but no such signature was found. Signature stripped?]

I checked apks in source repo - https://gitlab.opengapps.org/opengapps/arm64/-/tree/master/priv-app/com.android.vending/21/nodpi - there is no such problem:

$ apksigner verify 82442310.apk 
WARNING: No SourceStamp signature
WARNING: META-INF/services/com.fasterxml.jackson.core.JsonFactory not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/services/com.google.protobuf.GeneratedExtensionRegistryLoader not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/services/kotlinx.coroutines.CoroutineExceptionHandler not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/services/kotlinx.coroutines.internal.MainDispatcherFactory not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
@osm0sis
Member

osm0sis commented May 8, 2021

@NicholasBuse are these intentional, or what's the deal with the Open GApps' signatures nowadays with the whole lzip packaging, etc.?

@NicholasBuse
Contributor

Sounds like the APKs are good in the repos. I don't have much expertise of manipulations due to the build process. Maybe @nezorflame or @mfonville have thoughts?

@mfonville
Member

I think we touch the APKs at some point in the building process with zipping them ourselves because we need decompressed libraries:

if (unzip -v "$targetapk" | grep "lib/" | grep -qv "Stored"); then #check if there are compressed libs present

Normally breaking the v2 and v3 signatures (which are whole-file signatures, so they describe the compressed zip, not the contents like v1 does) doesn't influence any system APKs stored on /system, because they are assumed to be ok.

If you install them via adb they will indeed not pass verification. So you need to use the APKs from the repository and not from our package.

It is quite a while ago that I had a look at this, and it might be that compressed APKs would now work on /system and that we could do with modifying the APK and not breaking these signatures, but that'd need some experimenting.
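
The "Signature stripped?" condition reported earlier in this thread can be checked directly: a v2/v3 signature lives in an APK Signing Block placed immediately before the ZIP central directory, while the v1 `.SF` file records the newer schemes in an `X-Android-APK-Signed` header. The following Python is an added example, not Open GApps or apksigner code; the function names and the two tiny sample archives are constructed for illustration, and it only detects whether a signing block is present, it does not verify any signature.

```python
import io, struct, zipfile

MAGIC = b"APK Sig Block 42"                   # last 16 bytes of an APK Signing Block
SCHEME_IDS = {0x7109871A: 2, 0xF05368C0: 3}   # block IDs of signature schemes v2 and v3

def eocd_and_cd(data):
    eocd = data.rfind(b"PK\x05\x06")          # End of Central Directory record
    if eocd < 0:
        raise ValueError("not a ZIP file")
    return eocd, struct.unpack_from("<I", data, eocd + 16)[0]   # central directory offset

def schemes_present(data):
    """Schemes found in the signing block that sits directly before the central directory."""
    _, cd = eocd_and_cd(data)
    if cd < 32 or data[cd - 16:cd] != MAGIC:
        return set()
    size = struct.unpack_from("<Q", data, cd - 24)[0]
    pos, end, found = cd - size, cd - 24, set()
    while 0 <= pos and pos + 12 <= end:       # pair layout: uint64 length, uint32 ID, value
        length, block_id = struct.unpack_from("<QI", data, pos)
        found.add(SCHEME_IDS.get(block_id))
        pos += 8 + length
    return found - {None}

def schemes_declared(data):
    """Schemes the v1 (JAR) signature declares via X-Android-APK-Signed in META-INF/*.SF."""
    declared = set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.endswith(".SF"):
                for line in z.read(name).decode("utf-8", "replace").splitlines():
                    if line.lower().startswith("x-android-apk-signed:"):
                        declared |= {int(v) for v in line.split(":", 1)[1].split(",")}
    return declared

def stripped_schemes(data):
    """Declared by v1 but absent from the file: the 'Signature stripped?' condition."""
    return sorted(schemes_declared(data) - schemes_present(data))

def make_samples():
    """Constructed samples: a ZIP whose .SF declares v2 and v3, without and with a dummy block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/BNDLTOOL.SF", "Signature-Version: 1.0\r\nX-Android-APK-Signed: 2, 3\r\n\r\n")
    bare = buf.getvalue()
    eocd, cd = eocd_and_cd(bare)
    pairs = b"".join(struct.pack("<QI", 5, i) + b"\x00" for i in SCHEME_IDS)  # no real signatures
    size = struct.pack("<Q", len(pairs) + 24)
    block = size + pairs + size + MAGIC       # the central directory moves by len(block)
    return bare, bare[:cd] + block + bare[cd:eocd + 16] + struct.pack("<I", cd + len(block)) + bare[eocd + 20:]
```

Running `stripped_schemes(open(path, "rb").read())` on an APK returns the scheme numbers that the v1 signature promises but the file no longer carries; an empty list means the declaration and the file agree.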

@ipdev99
Contributor

ipdev99 commented Jul 22, 2021

I am not sure if it helps.

Back in 2018, (I was using Delta Gapps on arm devices) and used a compressed LatinIMEGoogle.apk when installing.
Google Keyboard was working fine. (SDK27 ?)

More recent (2020).
I was testing some things using AOSP GSI (SDK29) on my OnePlus 6T that required PlayServices.

Since I could not mount the GSI system read-write, I made a quick Magisk module to overlay Gapp core files.
All Google bits were pulled from Google Factory image, no modification.
[bonito 10.0.0 (QQ1A.191205.011, Dec 2019)]

Two examples when I used compressed apk(s) with a gapps install.

I would say this is definitely worth looking into.

EDIT:
2018 - xda Link
2020 - xda Link
