replace signing algorithm with SHA1withRSA
Right now, fdroidserver uses `-sigalg MD5withRSA` to sign repos and APKs. Looking at the Android signing tools, they only ever sign using `SHA1withRSA` or `SHA256withRSA`. In fact, if you specify `MD5withRSA`, the Android tools will ignore that and use `SHA1withRSA`. Anything using a DSA or ECDSA key is forced to SHA256, but ECDSA is not supported on older Android versions.
- https://android.googlesource.com/platform/build/+/2ba2d8503f397f67285f34d56b953717639e82c5/tools/signapk/SignApk.java#83
- https://android.googlesource.com/platform/build/+/2ba2d8503f397f67285f34d56b953717639e82c5/tools/signapk/SignApk.java#126
- https://android.googlesource.com/platform/build/+/2ba2d8503f397f67285f34d56b953717639e82c5/tools/signapk/SignApk.java#141
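
An added example, not part of the original issue and not fdroidserver code: a heuristic audit that reports which digest algorithms appear in the `META-INF` signature blocks of a signed JAR or APK, so existing artifacts signed with MD5 can be found. It assumes the digest chosen through `-sigalg` is recorded as its OID inside the signature block; the function names and the in-memory sample archive are constructed for illustration.

```python
import io
import zipfile

# DER encodings (tag 0x06, length, value) of the digest algorithm OIDs
# expected in the PKCS#7 signature block of a signed JAR/APK.
DIGEST_OIDS = {
    "MD5": bytes.fromhex("06082a864886f70d0205"),       # 1.2.840.113549.2.5
    "SHA1": bytes.fromhex("06052b0e03021a"),            # 1.3.14.3.2.26
    "SHA256": bytes.fromhex("0609608648016503040201"),  # 2.16.840.1.101.3.4.2.1
}
SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def signature_digests(jar):
    """Map each META-INF signature block to the digest OIDs found in it.

    Heuristic: scans the raw bytes for the OIDs instead of parsing the ASN.1,
    so treat a hit as a prompt for closer inspection, not as proof.
    """
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith(SIG_BLOCK_SUFFIXES):
                blob = zf.read(name)
                found[name] = sorted(d for d, oid in DIGEST_OIDS.items() if oid in blob)
    return found


def uses_md5(jar):
    """True if any signature block in the archive references the MD5 OID."""
    return any("MD5" in digests for digests in signature_digests(jar).values())


def _constructed_jar(oid):
    """Constructed sample input: an in-memory JAR whose signature block is a
    stub holding a single OID. It is not a valid PKCS#7 structure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"stub" + oid + b"\x05\x00")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for label in ("MD5", "SHA1"):
        print(label, signature_digests(_constructed_jar(DIGEST_OIDS[label])))
```

`signature_digests` accepts a path or a file-like object, so it can be pointed at the signed index JAR of a repo or at individual APKs.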