Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
    • Switch to GitLab Next
  • Sign in / Register
Server
Server
  • Project overview
    • Project overview
    • Details
    • Activity
    • Releases
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
    • Locked Files
  • Issues 244
    • Issues 244
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
    • Iterations
  • Merge Requests 19
    • Merge Requests 19
  • Requirements
    • Requirements
    • List
  • CI / CD
    • CI / CD
    • Pipelines
    • Jobs
    • Schedules
    • Test Cases
  • Security & Compliance
    • Security & Compliance
    • Dependency List
    • License Compliance
  • Operations
    • Operations
    • Incidents
    • Environments
  • Analytics
    • Analytics
    • CI / CD
    • Code Review
    • Insights
    • Issue
    • Repository
    • Value Stream
  • External Wiki
    • External Wiki
  • Members
    • Members
  • Collapse sidebar
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
  • F-Droid
  • ServerServer
  • Issues
  • #26

Closed
Open
Opened Jul 15, 2014 by Hans-Christoph Steiner@eighthaveOwner

replace signing algorithm with SHA1withRSA

Right now, fdroidserver uses -sigalg MD5withRSA to sign repos and APKs. Looking at the Android signing tools, they only ever sign using SHA1withRSA or SHA256withRSA. In fact, if you specify MD5withRSA, the Android tools will ignore that and use SHA1withRSA. Anything using a DSA or ECDSA key is forced to SHA256, but that ECDSA is not supported on older Android versions.

  • https://android.googlesource.com/platform/build/+/2ba2d8503f397f67285f34d56b953717639e82c5/tools/signapk/SignApk.java#83
  • https://android.googlesource.com/platform/build/+/2ba2d8503f397f67285f34d56b953717639e82c5/tools/signapk/SignApk.java#126
  • https://android.googlesource.com/platform/build/+/2ba2d8503f397f67285f34d56b953717639e82c5/tools/signapk/SignApk.java#141
Assignee
Assign to
None
Milestone
None
Assign milestone
Time tracking
None
Due date
None
Reference: fdroid/fdroidserver#26