
apksigner v33.0.x falsely verifies invalid APK which leads to wrong cert extracted for AllowedAPKSigningKeys

With a specific configuration of fdroidserver and a specifically crafted APK, it is possible to bypass AllowedAPKSigningKeys. I could install the poc-v6.apk in an SDK-34 emulator. Here is the required config:

  • apksigner v33.0.x (all other versions of apksigner reject this APK, including the Debian package)
  • v3.1-only signature (an invalid APK signature format, it has a v3.1 signing block without a v3.0 base block)
  • minSdkVersion > 32

Standard configurations are unaffected and will remove poc-v6.apk as invalid:

  • f-droid.org production and fdroiddata CI
  • apt-get install fdroidserver on Debian/stable or Debian/testing
  • pip install fdroidserver with a recent build-tools package

obfusk reported this:

Here are the affected versions of apksigner:

$ /opt/android-sdk/build-tools/28.0.3/apksigner verify poc-v6.apk
DOES NOT VERIFY
ERROR: APK Signature Scheme v2 signer #1: Malformed additional attribute #1
$ /opt/android-sdk/build-tools/29.0.3/apksigner verify poc-v6.apk
DOES NOT VERIFY
ERROR: APK Signature Scheme v2 signer #1: APK Signature Scheme v2 signature 0 indicates the APK is signed using APK Signature Scheme v3 but no such signature was found. Signature stripped?
$ /opt/android-sdk/build-tools/30.0.3/apksigner verify poc-v6.apk
DOES NOT VERIFY
ERROR: APK Signature Scheme v2 signer #1: APK Signature Scheme v2 signature 0 indicates the APK is signed using APK Signature Scheme v3 but no such signature was found. Signature stripped?
$ /opt/android-sdk/build-tools/31.0.0/apksigner verify poc-v6.apk
DOES NOT VERIFY
ERROR: APK Signature Scheme v2 signer #1: APK Signature Scheme v2 signature 0 indicates the APK is signed using APK Signature Scheme v3 but no such signature was found. Signature stripped?
$ /opt/android-sdk/build-tools/32.0.0/apksigner verify poc-v6.apk
DOES NOT VERIFY
ERROR: APK Signature Scheme v2 signer #1: APK Signature Scheme v2 signature 0 indicates the APK is signed using APK Signature Scheme v3 but no such signature was found. Signature stripped?
$ /opt/android-sdk/build-tools/33.0.0/apksigner verify poc-v6.apk
$ /opt/android-sdk/build-tools/33.0.0-rc1/apksigner verify poc-v6.apk
$ /opt/android-sdk/build-tools/33.0.0-rc2/apksigner verify poc-v6.apk
$ /opt/android-sdk/build-tools/33.0.0-rc3/apksigner verify poc-v6.apk
$ /opt/android-sdk/build-tools/33.0.0-rc4/apksigner verify poc-v6.apk
$ /opt/android-sdk/build-tools/33.0.1/apksigner verify poc-v6.apk
$ /opt/android-sdk/build-tools/33.0.2/apksigner verify poc-v6.apk
$ /opt/android-sdk/build-tools/33.0.3/apksigner verify poc-v6.apk
$ /opt/android-sdk/build-tools/34.0.0/apksigner verify poc-v6.apk
DOES NOT VERIFY
ERROR: The APK contains a v3.1 signing block without a v3.0 base block
$ /opt/android-sdk/build-tools/35.0.0/apksigner verify poc-v6.apk
DOES NOT VERIFY
ERROR: The APK contains a v3.1 signing block without a v3.0 base block
$ /opt/android-sdk/build-tools/36.0.0-rc3/apksigner verify poc-v6.apk
DOES NOT VERIFY
ERROR: The APK contains a v3.1 signing block without a v3.0 base block
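As an added example (not fdroidserver's or apksig's own code), a defensive pre-check that walks the APK Signing Block and flags an APK carrying a v3.1 block without a v3.0 base block, which is exactly what build-tools 34+ reject and 33.0.x accept. The block IDs are the published constants from the APK Signature Scheme specs; the APK skeleton used as input is constructed inline and is not a real package.

```python
import struct

# Block IDs defined by the APK Signature Scheme v2 / v3 / v3.1 specs.
V2_BLOCK_ID = 0x7109871A
V3_BLOCK_ID = 0xF05368C0
V31_BLOCK_ID = 0x1B93AD61
SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIG = b"PK\x05\x06"


def signing_block_ids(apk: bytes) -> set:
    """Return the IDs of all ID-value pairs in the APK Signing Block (empty if absent)."""
    # The End of Central Directory record is 22 bytes plus an optional comment (max 65535).
    eocd = apk.rfind(EOCD_SIG, max(0, len(apk) - 22 - 65535))
    if eocd < 0:
        raise ValueError("no EOCD record")
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    # The signing block sits right before the central directory and ends with
    # [uint64 size][16-byte magic]; the same size field also opens the block.
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != SIG_BLOCK_MAGIC:
        return set()
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    start = cd_offset - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("inconsistent APK Signing Block sizes")
    ids, pos, end = set(), start + 8, cd_offset - 24
    while pos < end:
        pair_len = struct.unpack_from("<Q", apk, pos)[0]  # length of ID + value
        ids.add(struct.unpack_from("<I", apk, pos + 8)[0])
        pos += 8 + pair_len
    return ids


def v31_without_v30(apk: bytes) -> bool:
    """True for the malformed layout this report describes: v3.1 present, v3.0 missing."""
    ids = signing_block_ids(apk)
    return V31_BLOCK_ID in ids and V3_BLOCK_ID not in ids


def build_test_apk(block_ids) -> bytes:
    """Constructed skeleton: signing block with dummy values, empty central directory, EOCD."""
    pairs = b"".join(struct.pack("<QI", 4 + 8, bid) + b"\x00" * 8 for bid in block_ids)
    size = len(pairs) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    # EOCD: disk numbers, entry counts, CD size, CD offset (right after the block), comment length
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, len(block), 0)
    return block + eocd
```

Running this check before any certificate is extracted for AllowedAPKSigningKeys makes the verdict independent of which apksigner version happens to be installed.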