use apksigner to sign index-v2 with modern, supported algorithms

This switches the entry.jar signing method to use apksigner to sign the JAR so that it will automatically select algorithms that are compatible with Android SDK 23, which added the most recent algorithms: https://developer.android.com/reference/java/security/Signature

This signing method then inherits the default signing algorithm settings, since Android maintains those, and it is somewhat separate from how Java maintains them. That helps avoid a repeat of being stuck on an old signing algorithm. That means specifically that this call to apksigner does not specify any of the algorithms.

The old indexes must be signed by SHA1withRSA, otherwise they will no longer be compatible with old Androids.

apksigner 30.0.0+ is available in Debian/bullseye, Debian/buster-backports, Ubuntu 21.10, and Ubuntu 20.04 from the fdroid PPA. Here's a quick way to test:

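# Print each apksigner path, then run it with --v4-signing-enabled to see whether that build accepts the option.
for f in /opt/android-sdk/build-tools/*/apksigner /usr/bin/apksigner; do
    printf '%s : ' "$f"
    "$f" sign --v4-signing-enabled false
done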

closes #1005 (closed)

Draft because it is based on !1133 (merged)

Edited by Hans-Christoph Steiner
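
An added example, not part of the merge request or of fdroidserver: a small check that lists which digest algorithms a signed index JAR names in its META-INF/*.SF file, so a SHA-1 era index can be told apart from an entry.jar signed with newer digests. It reads headers only and does not verify the signature; the function names and the sample JARs (dummy digest values, no signature block) are constructed for illustration.

```python
import io
import re
import zipfile

# Header names in a .SF file look like "SHA1-Digest" or "SHA-256-Digest-Manifest".
DIGEST_HEADER = re.compile(
    r"^(?P<alg>[A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M
)
WEAK = {"MD5", "SHA1", "SHA-1"}


def sf_digest_algorithms(jar_bytes):
    """Return {signature file name: set of digest algorithms named in it}."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if re.fullmatch(r"META-INF/[^/]+\.SF", name, re.I):
                text = jar.read(name).decode("utf-8", "replace")
                found[name] = {m.group("alg").upper() for m in DIGEST_HEADER.finditer(text)}
    return found


def classify(jar_bytes):
    """'unsigned' (no digests found), 'weak' (any MD5/SHA-1 digest) or 'modern'."""
    used = set().union(*sf_digest_algorithms(jar_bytes).values())
    if not used:
        return "unsigned"
    return "weak" if used & WEAK else "modern"


def make_sample_jar(alg):
    """Constructed sample: a JAR whose .SF names `alg` (None for no .SF at all)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("entry.json", "{}")
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        if alg:
            jar.writestr(
                "META-INF/SAMPLE.SF",
                "Signature-Version: 1.0\r\n"
                f"{alg}-Digest-Manifest: AAAA\r\n\r\n"
                "Name: entry.json\r\n"
                f"{alg}-Digest: AAAA\r\n\r\n",
            )
    return buf.getvalue()


if __name__ == "__main__":
    for alg in ("SHA1", "SHA-256", None):
        print(alg, "->", classify(make_sample_jar(alg)))
```
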
