GitLab

Right now, fdroidserver uses -sigalg MD5withRSA to sign repos and APKs. Looking at the Android signing tools, they only ever sign using SHA1withRSA or SHA256withRSA. In fact, if you specify MD5withRSA, the Android tools will ignore that and use SHA1withRSA. Anything using a DSA or ECDSA key is forced to SHA256, but that ECDSA is not supported on older Android versions.

• https://android.googlesource.com/platform/build/+/2ba2d8503f397f67285f34d56b953717639e82c5/tools/signapk/SignApk.java#83
• https://android.googlesource.com/platform/build/+/2ba2d8503f397f67285f34d56b953717639e82c5/tools/signapk/SignApk.java#126
• https://android.googlesource.com/platform/build/+/2ba2d8503f397f67285f34d56b953717639e82c5/tools/signapk/SignApk.java#141