Signature verification for v2/v3 signature schemes
When reproducible builds are used, the MANIFEST.MF and CERT.* files are copied from the remote APK or from local metadata and included in the resulting APK (source). If the original APK is signed with the v1+v2 or v1+v3 signature schemes, apksigner will fail to verify such APKs: CERT.SF contains an attribute stating that the APK is also signed with the newer scheme, but that signature is missing, since unlike a v1 signature it is appended to the end of the APK file rather than stored as a regular ZIP entry, so it cannot be copied over like one.
The only solution for now is to use the v1 scheme only. It might be possible to compare the ZIP contents instead of relying on apksigner to check that the APK files are the same, and to run apksigner against the remote APK only. That would work for remote APKs, but not when the signing files are included in the local metadata. Moving to the old jarsigner instead of apksigner is not a solution either, since the v1 signature is not required at all on Android 7+.