Merge branch 'two-fixes' into 'master'

two fixes around the signing process

See merge request fdroid/fdroidserver!863

.gitlab-ci.yml

@@ -10,7 +10,7 @@ test:
   script:
     - $pip install -e .[test]
     # the `fdroid build` test in tests/run-tests needs android-23
-    - echo y | $ANDROID_HOME/tools/bin/sdkmanager "platforms;android-23"
+    - echo y | $ANDROID_HOME/tools/bin/sdkmanager "platforms;android-23" > /dev/null
     - cd tests
     - ./complete-ci-tests
 
@@ -218,8 +218,8 @@ fedora_latest:
     - printf "\n79120722343a6f314e0719f863036c702b0e6b2a\n84831b9409646a918e30573bab4c9c91346d8abd" > $ANDROID_HOME/licenses/android-sdk-preview-license-old
     - mkdir ~/.android
     - touch ~/.android/repositories.cfg
-    - echo y | $ANDROID_HOME/tools/bin/sdkmanager "platform-tools"
-    - echo y | $ANDROID_HOME/tools/bin/sdkmanager "build-tools;$BUILD_TOOLS_VERSION"
+    - echo y | $ANDROID_HOME/tools/bin/sdkmanager "platform-tools" > /dev/null
+    - echo y | $ANDROID_HOME/tools/bin/sdkmanager "build-tools;$BUILD_TOOLS_VERSION" > /dev/null
     - chown -R testuser .
     - cd tests
     - su testuser --login --command

CHANGELOG.md

@@ -41,6 +41,7 @@ milestone](https://gitlab.com/fdroid/fdroidserver/-/milestones/10)
 * Smoother process for signing APKs with `apksigner`
   ([!736](https://gitlab.com/fdroid/fdroidserver/merge_requests/736))
   ([!821](https://gitlab.com/fdroid/fdroidserver/merge_requests/821))
+* `apksigner` is used by default on new repos
 * All parts except _build_ and _publish_ work without the Android SDK
   ([!821](https://gitlab.com/fdroid/fdroidserver/merge_requests/821))
 * Description: is now passed to clients unchanged, no HTML conversion

fdroidserver/index.py

@@ -57,7 +57,10 @@ def make(apps, apks, repodir, archive):
     """
     from fdroidserver.update import METADATA_VERSION
 
-    if not common.options.nosign:
+    if hasattr(common.options, 'nosign') and common.options.nosign:
+        if 'keystore' not in common.config and 'repo_pubkey' not in common.config:
+            raise FDroidException(_('"repo_pubkey" must be present in config.py when using --nosign!'))
+    else:
         common.assert_config_keystore(common.config)
 
     # Historically the index has been sorted by App Name, so we enforce this ordering here

fdroidserver/init.py

@@ -148,7 +148,9 @@ def main():
 
     # enable apksigner by default so v2/v3 APK signatures validate
     if common.find_apksigner() is not None:
-        test_config['apksigner'] = common.find_apksigner()
+        apksigner = common.find_apksigner()
+        test_config['apksigner'] = apksigner
+        common.write_to_config(test_config, 'apksigner', apksigner)
 
     # the NDK is optional and there may be multiple versions of it, so it's
     # left for the user to configure

tests/init.TestCase

@@ -9,6 +9,7 @@ import optparse
 import sys
 import tempfile
 import unittest
+import yaml
 
 
 localmodule = os.path.realpath(
@@ -30,6 +31,7 @@ class InitTest(unittest.TestCase):
         if not os.path.exists(self.tmpdir):
             os.makedirs(self.tmpdir)
         os.chdir(self.basedir)
+        fdroidserver.common.config = None
         fdroidserver.init.config = None
 
     def test_disable_in_config(self):
@@ -38,6 +40,7 @@ class InitTest(unittest.TestCase):
         with open('config.yml', 'w') as fp:
             fp.write('keystore: NONE\n')
             fp.write('keypass: mysupersecrets\n')
+        os.chmod('config.yml', 0o600)
         config = fdroidserver.common.read_config(fdroidserver.common.options)
         self.assertEqual('NONE', config['keystore'])
         self.assertEqual('mysupersecrets', config['keypass'])
@@ -48,6 +51,25 @@ class InitTest(unittest.TestCase):
         config = fdroidserver.common.read_config(fdroidserver.common.options)
         self.assertIsNone(config.get('keypass'))
 
+    def test_main_in_empty_dir(self):
+        testdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name, dir=self.tmpdir)
+        os.chdir(testdir)
+
+        bindir = os.path.join(os.getcwd(), 'bin')
+        os.mkdir(bindir)
+        apksigner = os.path.join(bindir, 'apksigner')
+        open(apksigner, 'w').close()
+        os.chmod(apksigner, 0o755)
+        os.environ['PATH'] = bindir
+
+        sys.argv = ['fdroid init']
+        fdroidserver.init.main()
+        with open('config.yml') as fp:
+            config = yaml.safe_load(fp)
+        self.assertTrue(os.path.exists(config['keystore']))
+        self.assertTrue(os.path.exists(config['apksigner']))
+        self.assertEqual(apksigner, config['apksigner'])
+
 
 if __name__ == "__main__":
     os.chdir(os.path.dirname(__file__))

tests/run-tests

@@ -75,6 +75,10 @@ is_MD5_disabled() {
     return $?
 }
 
+use_apksigner() {
+    test -x "`sed -En 's,^ *apksigner: +,,p' config.yml`"
+}
+
 #------------------------------------------------------------------------------#
 # "main"
 
@@ -312,7 +316,7 @@ cp $WORKSPACE/tests/urzip.apk \
 printf '\narchive_older: 3\n' >> config.yml
 
 $fdroid update --pretty --nosign
-if which apksigner; then
+if use_apksigner; then
     test `grep '<package>' archive/index.xml | wc -l` -eq 2
     test `grep '<package>' repo/index.xml | wc -l` -eq 10
 else
@@ -529,6 +533,7 @@ test -e repo/org.bitbucket.tickytacky.mirrormirror_3.apk
 test -e repo/org.bitbucket.tickytacky.mirrormirror_4.apk
 test -e archive/urzip-badsig.apk
 
+sed -i.tmp '/apksigner:/d' config.yml
 if ! which apksigner; then
     $sed -i.tmp '/allow_disabled_algorithms/d' config.yml
     $fdroid update --pretty --nosign