replacing getsig.java
getsig.java
is the only snippet of Java code in the server tools, and also it uses an algorithm that is difficult to understand. It would be good to convert this code to python and in the process also update the algorithm to be more straightforward and use a hash algorithm that is not deprecated (i.e. replacing MD5 with SHA-256). This is not high priority so I'm opening this issue as a place to discuss it until we find the path of least resistance.
As far as I understand it, the hash generated by getsig.java
represents the signing key of the APK. It seems it is only used to compare the signing keys on the installed APK and the APK that is requested to be installed so that FDroid can tell the user that the signing keys are not the same. If so, I think we should use the algorithm that Android itself uses to compare signing keys. IIRC, it just a byte-for-byte comparison of the byte[] of the signing key.
Here's @pd0x's comment on it:
/*
* I don't fully understand the loop used here. I've copied it
* verbatim from getsig.java bundled with FDroidServer. I *believe*
* it is taking the raw byte encoding of the certificate &
* converting it to a byte array of the hex representation of the
* original certificate byte array. This is then MD5 sum'd. It's a
* really bad way to be doing this if I'm right... If I'm not right,
* I really don't know! see lines 67->75 in getsig.java bundled with
* Fdroidserver
*/