func-resdl.sh: use apksigner instead of jarsigner for signature verification

It's much more robust and complete than jarsigner and should catch more
issues than it. I suspect the flags that I'm using to make it work for
JARs (signature format v1) are a hack and not actually an intended feature
but it works for now.

It also likely has much more availability across platforms as it's a
Java applet (separately packaged for Debian etc.) instead of being part of
a JDK.
gf-arm64
FriendlyNeighborhoodShane 3 years ago
parent 637f3b768f
commit ad28359a70

@ -105,7 +105,7 @@ That's it! If it tells you that some dependency is missing, install it.
You can pass `update.sh` several extended regexes as arguments to only download specific files.
You can pass `build.sh` some specific pack's conf names instead of all to build only the specific packs.
If you have the Java SDK and `openssl` installed, the update script will dump the signing certificates of all downloaded APKs and repo jars to `resdl/util/certs`. It will compare all future downloads with those certs, and in case of any signature errors or mismatches, will warn you.
If you have `apksigner` and `openssl` installed, the update script will dump the signing certificates of all downloaded APKs and repo jars to `resdl/util/certs`. It will compare all future downloads with those certs, and in case of any signature errors or mismatches, will warn you.
If you have `aapt` installed, the update script will download the permission docs from the Android website, check the priv-apps for any new privileged permissions and tell you to add them to the whitelist in `res/system/etc/permissions/[package].xml` files.
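Review bot: The reworded sentence names `apksigner` but not where to get it, and the earlier requirement (the Java SDK) disappears without a note. Say which package provides the tool (the commit message mentions a separate Debian package) and state that a setup with only a JDK installed will now skip the certificate checks.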

@ -61,9 +61,9 @@ verifycerts() {
[ "$stuff_repo" ] || echo "$stuff_download" | grep -qE "^[ ]*[^ ]+.apk[ ]+" || return 0;
command -v "jarsigner" >/dev/null && command -v "openssl" >/dev/null || {
command -v "apksigner" >/dev/null && command -v "openssl" >/dev/null || {
echo " ";
echo " !! Not checking certificates (missing jarsigner or openssl)";
echo " !! Not checking certificates (missing apksigner or openssl)";
return 0;
}
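Review bot: The guard still ends in `return 0` after the "Not checking certificates" message, so the caller cannot tell a skipped verification from a passed one. Because the required tool changed, a user who had `jarsigner` but not `apksigner` loses verification after this commit with only a console line to show for it. Consider returning a distinct non-zero status here, or making the skip an explicit opt-in.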
@ -75,7 +75,7 @@ verifycerts() {
for repo in $(echo "$stuff_repo" | select_word 1); do
[ -f "$tmpdir/repos/$repo.jar" ] || continue;
certobject="repo/$repo.cer";
unzip -l "$tmpdir/repos/$repo.jar" "META-INF/*" | grep -q "META-INF/.*.RSA" && jarsigner -verify "$tmpdir/repos/$repo.jar" > /dev/null || {
apksigner verify --min-sdk-version=0 --max-sdk-version=0 "$tmpdir/repos/$repo.jar" > /dev/null || {
echo " !! Verification failed for repo ($repo)";
continue;
}
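Review bot: The `--min-sdk-version=0 --max-sdk-version=0` pair on the repo jar `apksigner verify` line carries no comment, while the commit message itself calls it a hack that may not be an intended feature. Add a comment above the call saying the flags are there to get a v1 (JAR) signed file accepted, so a later apksigner change that breaks this is easy to diagnose. The previous line also required a `META-INF/.*.RSA` entry before verifying; with that precondition gone, confirm with an unsigned jar and a non-RSA-signed jar that the new call fails or passes as intended.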
@ -98,7 +98,7 @@ verifycerts() {
for object in $(echo "$stuff_download" | grep -E "^[ ]*[^ ]+.apk[ ]+" | select_word 1); do
[ -f "$resdldir/$object" ] || continue;
certobject="$(dirname "$object")/$(basename "$object" .apk).cer";
unzip -l "$resdldir/$object" "META-INF/*" | grep -q "META-INF/.*.RSA" && jarsigner -verify "$resdldir/$object" > /dev/null || {
apksigner verify "$resdldir/$object" > /dev/null || {
echo " !! Verification failed for APK ($object)";
continue;
}
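Review bot: The APK call `apksigner verify "$resdldir/$object"` drops the `META-INF/.*.RSA` precondition, so an APK without a v1 signature block can now pass this step. If the certificate later written to `$certobject` is still extracted from META-INF with openssl (that code is outside this hunk), such an APK would verify here and then have nothing to compare against. Consider taking the certificate from the same apksigner run, for example `apksigner verify --print-certs`, so the pinned value is the one that was actually verified.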
