Update fails on apps signed with MD5
jarsigner from java-1.8.0-openjdk-1.8.0.131 now has MD5 disabled (at least on my system). This caused fdroidserver to fail when updating a repository that includes an old APK that is still signed with MD5.
$ jarsigner -verify -verbose old.apk
...
- Signed by "CN=FDroid, OU=FDroid, O=fdroid.org, L=ORG, ST=ORG, C=UK"
Digest algorithm: SHA1
Signature algorithm: MD5withRSA (weak), 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
How should we handle these APKs? Ignore them? Delete them? Still include them?
Failing the entire update process is probably not the right way to handle it.
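
Added example, not part of the original report and not fdroidserver's own code: one way to detect the condition reported above from `jarsigner -verify -verbose` output, so that a repository update can record the affected APK and continue rather than abort. The function names (`parse_verify_output`, `triage`) and the second sample are hypothetical and constructed for illustration; the first sample is the output quoted in the report.

```python
import re

# Constructed inputs: the first is the jarsigner output quoted in the report,
# the second is a made-up SHA256withRSA result for contrast.
WEAK_APK = '''- Signed by "CN=FDroid, OU=FDroid, O=fdroid.org, L=ORG, ST=ORG, C=UK"
    Digest algorithm: SHA1
    Signature algorithm: MD5withRSA (weak), 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
  jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
'''
GOOD_APK = '''- Signed by "CN=Example, O=example.invalid"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 2048-bit key
jar verified.
'''

SIGNER = re.compile(r'^\s*- Signed by "([^"]+)"', re.M)
DIGEST = re.compile(r'^\s*Digest algorithm:\s*(\S+)', re.M)
SIGALG = re.compile(r'^\s*Signature algorithm:\s*(\S+?)(\s+\(weak\))?,\s*(\d+)-bit key', re.M)
POLICY = re.compile(r'^\s*jdk\.jar\.disabledAlgorithms=(.+)$', re.M)


def parse_verify_output(text):
    """Extract signer, algorithms and the disabled-algorithm verdict."""
    signer, digest, sig, policy = (p.search(text) for p in (SIGNER, DIGEST, SIGALG, POLICY))
    return {
        'signer': signer.group(1) if signer else None,
        'digest': digest.group(1) if digest else None,
        'sigalg': sig.group(1) if sig else None,
        'key_bits': int(sig.group(3)) if sig else None,
        'weak': bool(sig and sig.group(2)),
        'treated_as_unsigned': 'treated as unsigned' in text,
        'disabled': [a.strip() for a in policy.group(1).split(',')] if policy else [],
    }


def triage(outputs):
    """Split APKs into usable and rejected, recording why, without raising."""
    accepted, rejected = [], []
    for name, text in sorted(outputs.items()):
        info = parse_verify_output(text)
        if info['treated_as_unsigned'] or info['sigalg'] is None:
            reason = 'no signature found' if info['sigalg'] is None else \
                '%s disabled by jdk.jar.disabledAlgorithms' % info['sigalg']
            rejected.append((name, reason))
        else:
            accepted.append(name)
    return accepted, rejected
```

Whether a rejected APK is then ignored, deleted or still listed is the policy question the report raises; the example only separates detection from that decision.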