Hans-Christoph Steiner  

Interesting bug in reported to @fdroidorg: an APK with only a v3.1 signature was only considered valid by v33. <33 error out with "APK Signature Scheme v2 signature 0 indicates the APK is signed using APK Signature Scheme v3 but no such signature was found." >33 error out with "The APK contains a v3.1 signing block without a v3.0 base block". Android uses its own verify code and treats it as valid. gitlab.com/fdroid/fdroidserver

1/2

1
Hans-Christoph Steiner  

So what is the Android team's intention? Should v3.1-only APKs be considered valid? Or not? My guess is they should be not considered valid since the Android team has explicitly marked that kind of signature as invalid since apksigner v30.0.0 (besides v33). Are there any plans to unified the code that verifies APK signatures?

2/2

Show thread
1
Hans-Christoph Steiner
Follow

@rene_mobile is there anything you could add here? It would be quite useful to have these questions clarified so we can make solid Python implementations as used in projects like Androguard, F-Droid, etc.

· Web · 1 · 0 · 0
René Mayrhofer :verified: 🇺🇦 🇹🇼  

@eighthave I will need to ask/check, as I haven't looked into that myself so far.

0
Sign in to participate in the conversation
Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.

Stay safe. Please abide by our code of conduct.

(Source code)

image/svg+xml Librem Chat image/svg+xml