From ad28359a705537f760b82a73372b76356220e4bd Mon Sep 17 00:00:00 2001 From: FriendlyNeighborhoodShane Date: Tue, 22 Jun 2021 20:16:01 +0530 Subject: [PATCH] func-resdl.sh: use apksigner instead of jarsigner for signature verification It's much more robust and complete than jarsigner and should catch more issues than it. I suspect the flags that I'm using to make it work for JARs (signature format v1) is a hack and not actually an intended feature but it works for now. It also likely has much more availability across platforms as it's a Java applet (separately packaged for Debian etc.) instead of being part of a JDK. --- README.md | 2 +- res/util/func-resdl.sh | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index bbf62fa..2a03e9e 100644 --- a/README.md +++ b/README.md @@ -105,7 +105,7 @@ That's it! If it tells you that some dependency is missing, install it. You can pass `update.sh` several extended regexes as arguments to only download specific files. You can pass `build.sh` some specific pack's conf names instead of all to build only the specific packs. -If you have the Java SDK and `openssl` installed, the update script will dump the signing certificates of all downloaded APKs and repo jars to `resdl/util/certs`. It will compare all future downloads with those certs, and in case of any signature errors or mismatches, will warn you. +If you have `apksigner` and `openssl` installed, the update script will dump the signing certificates of all downloaded APKs and repo jars to `resdl/util/certs`. It will compare all future downloads with those certs, and in case of any signature errors or mismatches, will warn you. If you have `aapt` installed, the update script will download the permission docs from the Android website, check the priv-apps for any new privileged permissions and tell you to add them to the whitelist in `res/system/etc/permissions/[package].xml` files. 
diff --git a/res/util/func-resdl.sh b/res/util/func-resdl.sh index 52ce9d0..278a2c1 100755 --- a/res/util/func-resdl.sh +++ b/res/util/func-resdl.sh @@ -61,9 +61,9 @@ verifycerts() { [ "$stuff_repo" ] || echo "$stuff_download" | grep -qE "^[ ]*[^ ]+.apk[ ]+" || return 0; - command -v "jarsigner" >/dev/null && command -v "openssl" >/dev/null || { + command -v "apksigner" >/dev/null && command -v "openssl" >/dev/null || { echo " "; - echo " !! Not checking certificates (missing jarsigner or openssl)"; + echo " !! Not checking certificates (missing apksigner or openssl)"; return 0; } @@ -75,7 +75,7 @@ verifycerts() { for repo in $(echo "$stuff_repo" | select_word 1); do [ -f "$tmpdir/repos/$repo.jar" ] || continue; certobject="repo/$repo.cer"; - unzip -l "$tmpdir/repos/$repo.jar" "META-INF/*" | grep -q "META-INF/.*.RSA" && jarsigner -verify "$tmpdir/repos/$repo.jar" > /dev/null || { + apksigner verify --min-sdk-version=0 --max-sdk-version=0 "$tmpdir/repos/$repo.jar" > /dev/null || { echo " !! Verification failed for repo ($repo)"; continue; } @@ -98,7 +98,7 @@ verifycerts() { for object in $(echo "$stuff_download" | grep -E "^[ ]*[^ ]+.apk[ ]+" | select_word 1); do [ -f "$resdldir/$object" ] || continue; certobject="$(dirname "$object")/$(basename "$object" .apk).cer"; - unzip -l "$resdldir/$object" "META-INF/*" | grep -q "META-INF/.*.RSA" && jarsigner -verify "$resdldir/$object" > /dev/null || { + apksigner verify "$resdldir/$object" > /dev/null || { echo " !! Verification failed for APK ($object)"; continue; }
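Review bot: In the README.md hunk (@@ -105,7), the dependency sentence now names `apksigner` but does not say where to get it, nor that certificate checking is skipped with only a warning when it is absent. The commit message notes that it is packaged separately (for Debian etc.); a short pointer to that in the README would help users who previously met the requirement with the Java SDK alone.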
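Review bot: In the dependency check at the top of `verifycerts()` (hunk @@ -61,9), a machine that has `jarsigner` but not `apksigner` goes from verifying signatures to printing `!! Not checking certificates (missing apksigner or openssl)` and returning 0, so updating the script can silently turn the check off. Consider falling back to the old `jarsigner -verify` path when `apksigner` is missing, or making the skipped check more prominent than a single line in the update output.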
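Review bot: In the repo-jar loop (hunk @@ -75,7), `--min-sdk-version=0 --max-sdk-version=0` is undocumented in the script, while the commit message itself describes these flags as a hack to make apksigner accept v1-signed JARs. Add a comment above the `apksigner verify` call stating that intent, so that if a later apksigner release rejects or reinterprets this range, the resulting `!! Verification failed for repo` is diagnosed as a tooling change rather than as a bad repo signature.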
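Review bot: In the APK loop (hunk @@ -98,7), the removed `grep -q "META-INF/.*.RSA"` guard also guaranteed that a v1 RSA signature block was present before continuing, and the new `apksigner verify "$resdldir/$object"` call does not. If the certificate dump that follows this hunk (not visible here) reads that META-INF entry, an APK that verifies without one would pass this step and then fail extraction or leave an unusable `.cer`. Either keep a presence check before the dump, or take the signer information from `apksigner verify --print-certs` instead.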