From 896ffed703e09b54f21cec51728c5827262c6b3a Mon Sep 17 00:00:00 2001
From: akwizgran <michael@briarproject.org>
Date: Tue, 29 Sep 2020 12:18:56 +0000
Subject: [PATCH] Use jarsigner to verify reproducible APKs

---
 fdroidserver/common.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index 9b8f59cf..610e0f74 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -3178,7 +3178,14 @@ def verify_apks(signed_apk, unsigned_apk, tmp_dir):
                         return "duplicate filename found: " + info.filename
                     tmp.writestr(info, unsigned.read(info.filename))
 
-    verified = verify_apk_signature(tmp_apk)
+    # Use jarsigner to verify the v1 signature on the reproduced APK, as
+    # apksigner will reject the reproduced APK if the original also had a v2
+    # signature
+    try:
+        verify_jar_signature(tmp_apk)
+        verified = True
+    except Exception:
+        verified = False
 
     if not verified:
         logging.info("...NOT verified - {0}".format(tmp_apk))