Interesting bug in #apksigner reported to @fdroidorg: an APK with only a v3.1 signature was only considered valid by v33. <33 error out with "APK Signature Scheme v2 signature 0 indicates the APK is signed using APK Signature Scheme v3 but no such signature was found." >33 error out with "The APK contains a v3.1 signing block without a v3.0 base block". Android uses its own verify code and treats it as valid. https://gitlab.com/fdroid/fdroidserver/-/issues/1253
1/2
So what is the Android team's intention? Should v3.1-only APKs be considered valid? Or not? My guess is they should be not considered valid since the Android team has explicitly marked that kind of signature as invalid since apksigner v30.0.0 (besides v33). Are there any plans to unified the code that verifies APK signatures?
#Android #AndroidSDK #APK #apksigner
2/2
🇺🇦 🇹🇼
@eighthave I will need to ask/check, as I haven't looked into that myself so far.
@rene_mobile is there anything you could add here? It would be quite useful to have these questions clarified so we can make solid Python implementations as used in projects like Androguard, F-Droid, etc.