signindex: sign index-v2.jar with modern hash algorithm
The JAR Signature on the index files was forced to SHA1 back when MD5 was the default. Now SHA1 needs to go away. The jarsigner defaults will use something more modern by default, but devices older than TODO do not support SHA-256 or better.
I propose to sign _index-v1.jar_ with _jarsigner_ defaults, which should currently give us SHA-256 as well as newer algorithms in the future as Java deems it fit. Then to support older devices, _index.jar_ will forever be signed by SHA1. Hopefully _fdroidclient_ will already fail over from _index-v1.jar_ to _index.jar_ when it does not support the signature algorithm (e.g. SHA-256). Otherwise this change will require an _index-v2.jar_.
I started an implementation of this:
```diff
diff --git a/fdroidserver/signindex.py b/fdroidserver/signindex.py
index 693b127e..4118b6bd 100644
--- a/fdroidserver/signindex.py
+++ b/fdroidserver/signindex.py
@@ -31,21 +31,22 @@ options = None
start_timestamp = time.gmtime()
-def sign_jar(jar):
- """
- Sign a JAR file with Java's jarsigner.
+def sign_jar(jar, force_sha1=False):
+ """Sign a JAR file with Java's jarsigner.
This method requires a properly initialized config object.
- This does use old hashing algorithms, i.e. SHA1, but that's not
- broken yet for file verification. This could be set to SHA256,
- but then Android < 4.3 would not be able to verify it.
+ With force_sha1=True, this uses old hashing algorithms, i.e. SHA1, in
+ order to support Android < 4.3. Otherwise, it uses platform
+ defaults, which are generally a lot more modern.
https://code.google.com/p/android/issues/detail?id=38321
+
"""
args = [config['jarsigner'], '-keystore', config['keystore'],
- '-storepass:env', 'FDROID_KEY_STORE_PASS',
- '-digestalg', 'SHA1', '-sigalg', 'SHA1withRSA',
- jar, config['repo_keyalias']]
+ '-storepass:env', 'FDROID_KEY_STORE_PASS']
+ if force_sha1:
+ args += ['-digestalg', 'SHA1', '-sigalg', 'SHA1withRSA']
+ args += [jar, config['repo_keyalias']]
if config['keystore'] == 'NONE':
args += config['smartcardoptions']
else: # smardcards never use -keypass
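Review bot: In the non-SHA1 branch of sign_jar(), no -digestalg or -sigalg is passed, so the algorithm is whatever the jarsigner at config['jarsigner'] defaults to and can differ between build hosts. Consider pinning an explicit floor or logging the algorithm that was used, so a host with an old JDK does not quietly produce a weaker signature. Also, force_sha1 defaults to False, so any caller of sign_jar() that this patch does not touch switches from SHA1 to platform defaults without an explicit decision; making the argument required, or documenting it in the docstring as a parameter, would make that visible.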
@@ -113,7 +114,7 @@ def main():
unsigned = os.path.join(output_dir, 'index_unsigned.jar')
if os.path.exists(unsigned):
- sign_jar(unsigned)
+ sign_jar(unsigned, force_sha1=True)
index_jar = os.path.join(output_dir, 'index.jar')
os.rename(unsigned, index_jar)
logging.info('Signed index in ' + output_dir)
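Review bot: The call sign_jar(unsigned, force_sha1=True) in main() carries no comment saying why index.jar stays pinned to SHA1; a one-line comment pointing at the Android < 4.3 constraint from the docstring would stop a later cleanup from removing it. Only the index.jar path is visible in this hunk, so the patch should also show (or test) that the newer index JAR is signed through the default branch.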
```
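A check a repo operator could run on the published index JARs to confirm which digest algorithm each one was signed with. This is an added example, not part of the issue or of fdroidserver: the function names and the sample JARs are constructed, and it reads only the digest attribute names in `MANIFEST.MF` and the `.SF` file, not the signature algorithm inside the PKCS#7 block.

```python
import io
import re
import zipfile

# Matches attribute names such as "SHA1-Digest:" or "SHA-256-Digest-Manifest:".
DIGEST_ATTR = re.compile(r"^([A-Za-z0-9-]+?)-Digest(?:-[A-Za-z-]+)?:", re.MULTILINE)
WEAK = {"MD5", "SHA1", "SHA-1"}


def jar_digest_algorithms(jar_bytes):
    """Return {member name: set of digest algorithm names} for the manifest
    and every signature file (META-INF/*.SF) in the JAR."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            upper = name.upper()
            if upper == "META-INF/MANIFEST.MF" or (
                    upper.startswith("META-INF/") and upper.endswith(".SF")):
                text = jar.read(name).decode("utf-8", errors="replace")
                found[name] = set(DIGEST_ATTR.findall(text))
    return found


def weak_only(jar_bytes):
    """True if the JAR has signature files and all of them use only weak digests."""
    algs = jar_digest_algorithms(jar_bytes)
    sf = [a for n, a in algs.items() if n.upper().endswith(".SF")]
    return bool(sf) and all(bool(a) and a <= WEAK for a in sf)


def _sample_jar(alg):
    """Constructed sample: a JAR with jarsigner-style attribute names.
    The digest values are placeholders, so this is not a valid signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\n\r\n"
                     f"Name: index-v1.json\r\n{alg}-Digest: AAAA\r\n\r\n")
        jar.writestr("META-INF/1A2B3C4D.SF",
                     f"Signature-Version: 1.0\r\n{alg}-Digest-Manifest: AAAA\r\n\r\n"
                     f"Name: index-v1.json\r\n{alg}-Digest: AAAA\r\n\r\n")
        jar.writestr("index-v1.json", "{}")
    return buf.getvalue()


if __name__ == "__main__":
    for alg in ("SHA1", "SHA-256"):
        data = _sample_jar(alg)
        print(alg, jar_digest_algorithms(data), "weak only:", weak_only(data))
```
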