diff --git a/fdroidserver/update.py b/fdroidserver/update.py
index 106ed1bb..5356f800 100644
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@@ -1330,18 +1330,7 @@ def make_index(apps, sortedids, apks, repodir, archive):
             if os.path.exists(signed):
                 os.remove(signed)
         else:
-            args = [config['jarsigner'], '-keystore', config['keystore'],
-                    '-storepass:file', config['keystorepassfile'],
-                    '-digestalg', 'SHA1', '-sigalg', 'SHA1withRSA',
-                    signed, config['repo_keyalias']]
-            if config['keystore'] == 'NONE':
-                args += config['smartcardoptions']
-            else:  # smardcards never use -keypass
-                args += ['-keypass:file', config['keypassfile']]
-            p = FDroidPopen(args)
-            if p.returncode != 0:
-                logging.critical("Failed to sign index")
-                sys.exit(1)
+            signjar(signed)
 
     # Copy the repo icon into the repo directory...
     icon_dir = os.path.join(repodir, 'icons')
@@ -1349,6 +1338,29 @@ def make_index(apps, sortedids, apks, repodir, archive):
         shutil.copyfile(config['repo_icon'], iconfilename)
 
 
+def signjar(jar):
+    '''
+    sign a JAR file with Java's jarsigner.
+
+    This does use old hashing algorithms, i.e. SHA1, but that's not
+    broken yet for file verification. This could be set to SHA256,
+    but then Android < 4.3 would not be able to verify it.
+    https://code.google.com/p/android/issues/detail?id=38321
+    '''
+    args = [config['jarsigner'], '-keystore', config['keystore'],
+            '-storepass:file', config['keystorepassfile'],
+            '-digestalg', 'SHA1', '-sigalg', 'SHA1withRSA',
+            jar, config['repo_keyalias']]
+    if config['keystore'] == 'NONE':
+        args += config['smartcardoptions']
+    else:  # smardcards never use -keypass
+        args += ['-keypass:file', config['keypassfile']]
+    p = FDroidPopen(args)
+    if p.returncode != 0:
+        logging.critical("Failed to sign index")
+        sys.exit(1)
+
+
 def make_categories_txt(repodir, categories):
     '''Write a category list in the repo to allow quick access'''
     catdata = ''
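Review bot: The failure message in the new signjar() still reads `logging.critical("Failed to sign index")`, but the helper now takes an arbitrary `jar` path, so any future caller signing a different file gets a misleading log line; name the file instead, e.g. `logging.critical("Failed to sign %s", jar)`. The helper also terminates the process with `sys.exit(1)` when jarsigner fails, which matches what make_index did inline but makes signjar unusable from code that needs to clean up or report the failure; raising an exception here and letting make_index decide to exit would be the cleaner contract, though that is a larger change than this refactor. The inline comment on the else branch carries a typo, `smardcards` → `smartcards`. The docstring's reasoning for keeping SHA1/SHA1withRSA is worth preserving as the documented trade-off; if the Android < 4.3 constraint is dropped later, the digest and signature algorithms would be natural keyword parameters of signjar rather than literals in the argument list.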