From 896ffed703e09b54f21cec51728c5827262c6b3a Mon Sep 17 00:00:00 2001
From: akwizgran
Date: Tue, 29 Sep 2020 12:18:56 +0000
Subject: [PATCH] Use jarsigner to verify reproducible APKs

---
 fdroidserver/common.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index 9b8f59cf..610e0f74 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -3178,7 +3178,14 @@ def verify_apks(signed_apk, unsigned_apk, tmp_dir):
 return "duplicate filename found: " + info.filename
 tmp.writestr(info, unsigned.read(info.filename))
 
- verified = verify_apk_signature(tmp_apk)
+ # Use jarsigner to verify the v1 signature on the reproduced APK, as
+ # apksigner will reject the reproduced APK if the original also had a v2
+ # signature
+ try:
+ verify_jar_signature(tmp_apk)
+ verified = True
+ except Exception:
+ verified = False
 
 if not verified:
 logging.info("...NOT verified - {0}".format(tmp_apk))
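Review bot: The `except Exception:` in the new try block turns every failure of verify_jar_signature — jarsigner missing from PATH, an unreadable tmp_apk, a subprocess error — into `verified = False` without recording why, so an operator cannot distinguish a genuine signature mismatch from a broken tool setup. Failing closed is the right default here, but the cause should at least be logged, e.g. `except Exception as e:` followed by `logging.debug("jarsigner verification failed for {0}: {1}".format(tmp_apk, e))` before `verified = False`; if verify_jar_signature raises a specific exception type on signature failure, catching that type is preferable to the blanket Exception. Note also that switching from verify_apk_signature to jarsigner means only the v1 (JAR) signature of the reproduced APK is now checked, so any v2/v3 signing block carried over from the signed APK is not validated on the result, and if verify_jar_signature does not run jarsigner with -strict, unsigned or partially signed entries may produce only warnings rather than a failure — worth confirming in that helper, which is outside this hunk. verify_apks itself begins and ends outside the hunk.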