BuildException, VerificationException
from .asynchronousfilereader import AsynchronousFileReader
+# this is the build-tools version, aapt has a separate version that
+# has to be manually set in test_aapt_version()
+MINIMUM_AAPT_VERSION = '26.0.0'
# A signature block file with a .DSA, .RSA, or .EC extension
CERT_PATH_REGEX = re.compile(r'^META-INF/.*\.(DSA|EC|RSA)$')
'r16': None,
},
'qt_sdk_path': None,
- 'build_tools': "25.0.2",
+ 'build_tools': MINIMUM_AAPT_VERSION,
'force_build_tools': False,
'java_paths': None,
'ant': "ant",
def setup_global_opts(parser):
+ try: # the buildserver VM might not have PIL installed
+ from PIL import PngImagePlugin
+ logger = logging.getLogger(PngImagePlugin.__name__)
+ logger.setLevel(logging.INFO) # tame the "STREAM" debug messages
+ except ImportError:
+ pass
+
parser.add_argument("-v", "--verbose", action="store_true", default=False,
help=_("Spew out even more information than normal"))
parser.add_argument("-q", "--quiet", action="store_true", default=False,
minor = m.group(2)
bugfix = m.group(3)
# the Debian package has the version string like "v0.2-23.0.2"
- if '.' not in bugfix and LooseVersion('.'.join((major, minor, bugfix))) < LooseVersion('0.2.2166767'):
- logging.warning(_("'{aapt}' is too old, fdroid requires build-tools-23.0.0 or newer!")
- .format(aapt=aapt))
+ too_old = False
+ if '.' in bugfix:
+ if LooseVersion(bugfix) < LooseVersion(MINIMUM_AAPT_VERSION):
+ too_old = True
+ elif LooseVersion('.'.join((major, minor, bugfix))) < LooseVersion('0.2.4062713'):
+ too_old = True
+ if too_old:
+ logging.warning(_("'{aapt}' is too old, fdroid requires build-tools-{version} or newer!")
+ .format(aapt=aapt, version=MINIMUM_AAPT_VERSION))
else:
logging.warning(_('Unknown version of aapt, might cause problems: ') + output)
vercode = None
package = None
- flavour = ""
+ flavour = None
if app.builds and 'gradle' in app.builds[-1] and app.builds[-1].gradle:
- flavour = app.builds[-1].gradle[-1]
+ flavour = app.builds[-1].gradle[-1]
if has_extension(path, 'gradle'):
- # first try to get version name and code from correct flavour
with open(path, 'r') as f:
- buildfile = f.read()
-
- regex_string = r"" + flavour + ".*?}"
- search = re.compile(regex_string, re.DOTALL)
- result = search.search(buildfile)
-
- if result is not None:
- resultgroup = result.group()
-
- if not package:
- matches = psearch_g(resultgroup)
- if matches:
- s = matches.group(2)
- if app_matches_packagename(app, s):
- package = s
- if not version:
- matches = vnsearch_g(resultgroup)
- if matches:
- version = matches.group(2)
- if not vercode:
- matches = vcsearch_g(resultgroup)
- if matches:
- vercode = matches.group(1)
- else:
- # fall back to parse file line by line
- with open(path, 'r') as f:
- for line in f:
- if gradle_comment.match(line):
- continue
- # Grab first occurence of each to avoid running into
- # alternative flavours and builds.
+ inside_flavour_group = 0
+ inside_required_flavour = 0
+ for line in f:
+ if gradle_comment.match(line):
+ continue
+
+ if inside_flavour_group > 0:
+ if inside_required_flavour > 0:
+ matches = psearch_g(line)
+ if matches:
+ s = matches.group(2)
+ if app_matches_packagename(app, s):
+ package = s
+
+ matches = vnsearch_g(line)
+ if matches:
+ version = matches.group(2)
+
+ matches = vcsearch_g(line)
+ if matches:
+ vercode = matches.group(1)
+
+ if '{' in line:
+ inside_required_flavour += 1
+ if '}' in line:
+ inside_required_flavour -= 1
+ else:
+ if flavour and (flavour in line):
+ inside_required_flavour = 1
+
+ if '{' in line:
+ inside_flavour_group += 1
+ if '}' in line:
+ inside_flavour_group -= 1
+ else:
+ if "productFlavors" in line:
+ inside_flavour_group = 1
if not package:
matches = psearch_g(line)
if matches:
.format(apkfilename=apkfile))
+def get_minSdkVersion_aapt(apkfile):
+ """Extract the minimum supported Android SDK from an APK using aapt
+
+ :param apkfile: path to an APK file.
+ :returns: the integer representing the SDK version
+ """
+ r = re.compile(r"^sdkVersion:'([0-9]+)'")
+ p = SdkToolsPopen(['aapt', 'dump', 'badging', apkfile], output=False)
+ for line in p.output.splitlines():
+ m = r.match(line)
+ if m:
+ return int(m.group(1))
+ raise FDroidException(_('Reading minSdkVersion failed: "{apkfilename}"')
+ .format(apkfilename=apkfile))
+
+
class PopenResult:
def __init__(self):
self.returncode = None
"""
with tempfile.TemporaryDirectory() as tmpdir:
tmp_apk = os.path.join(tmpdir, 'tmp.apk')
- os.rename(signed_apk, tmp_apk)
+ shutil.move(signed_apk, tmp_apk)
with ZipFile(tmp_apk, 'r') as in_apk:
with ZipFile(signed_apk, 'w') as out_apk:
for info in in_apk.infolist():
out_file.write(in_apk.read(f.filename))
+def sign_apk(unsigned_path, signed_path, keyalias):
+ """Sign and zipalign an unsigned APK, then save to a new file, deleting the unsigned
+
+ android-18 (4.3) finally added support for reasonable hash
+ algorithms, like SHA-256, before then, the only options were MD5
+ and SHA1 :-/ This aims to use SHA-256 when the APK does not target
+ older Android versions, and is therefore safe to do so.
+
+ https://issuetracker.google.com/issues/36956587
+ https://android-review.googlesource.com/c/platform/libcore/+/44491
+
+ """
+
+ if get_minSdkVersion_aapt(unsigned_path) < 18:
+ signature_algorithm = ['-sigalg', 'SHA1withRSA', '-digestalg', 'SHA1']
+ else:
+ signature_algorithm = ['-sigalg', 'SHA256withRSA', '-digestalg', 'SHA256']
+
+ p = FDroidPopen([config['jarsigner'], '-keystore', config['keystore'],
+ '-storepass:env', 'FDROID_KEY_STORE_PASS',
+ '-keypass:env', 'FDROID_KEY_PASS']
+ + signature_algorithm + [unsigned_path, keyalias],
+ envs={
+ 'FDROID_KEY_STORE_PASS': config['keystorepass'],
+ 'FDROID_KEY_PASS': config['keypass'], })
+ if p.returncode != 0:
+ raise BuildException(_("Failed to sign application"), p.output)
+
+ p = SdkToolsPopen(['zipalign', '-v', '4', unsigned_path, signed_path])
+ if p.returncode != 0:
+ raise BuildException(_("Failed to zipalign application"))
+ os.remove(unsigned_path)
+
+
def verify_apks(signed_apk, unsigned_apk, tmp_dir):
"""Verify that two apks are the same
"""
- if subprocess.call([config['jarsigner'], '-strict', '-verify', jar]) != 4:
- raise VerificationException(_("The repository's index could not be verified."))
+ error = _('JAR signature failed to verify: {path}').format(path=jar)
+ try:
+ output = subprocess.check_output([config['jarsigner'], '-strict', '-verify', jar],
+ stderr=subprocess.STDOUT)
+ raise VerificationException(error + '\n' + output.decode('utf-8'))
+ except subprocess.CalledProcessError as e:
+ if e.returncode == 4:
+ logging.debug(_('JAR signature verified: {path}').format(path=jar))
+ else:
+ raise VerificationException(error + '\n' + e.output.decode('utf-8'))
def verify_apk_signature(apk, min_sdk_version=None):
args = [config['apksigner'], 'verify']
if min_sdk_version:
args += ['--min-sdk-version=' + min_sdk_version]
- return subprocess.call(args + [apk]) == 0
+ if options.verbose:
+ args += ['--verbose']
+ try:
+ output = subprocess.check_output(args + [apk])
+ if options.verbose:
+ logging.debug(apk + ': ' + output.decode('utf-8'))
+ return True
+ except subprocess.CalledProcessError as e:
+ logging.error('\n' + apk + ': ' + e.output.decode('utf-8'))
else:
- logging.warning("Using Java's jarsigner, not recommended for verifying APKs! Use apksigner")
+ if not config.get('jarsigner_warning_displayed'):
+ config['jarsigner_warning_displayed'] = True
+ logging.warning(_("Using Java's jarsigner, not recommended for verifying APKs! Use apksigner"))
try:
verify_jar_signature(apk)
return True
- except Exception:
- pass
+ except Exception as e:
+ logging.error(e)
return False
with open(_java_security, 'w') as fp:
fp.write('jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024')
- return subprocess.call([config['jarsigner'], '-J-Djava.security.properties=' + _java_security,
- '-strict', '-verify', apk]) == 4
+ try:
+ cmd = [
+ config['jarsigner'],
+ '-J-Djava.security.properties=' + _java_security,
+ '-strict', '-verify', apk
+ ]
+ output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
+ except subprocess.CalledProcessError as e:
+ if e.returncode != 4:
+ output = e.output
+ else:
+ logging.debug(_('JAR signature verified: {path}').format(path=apk))
+ return True
+
+ logging.error(_('Old APK signature failed to verify: {path}').format(path=apk)
+ + '\n' + output.decode('utf-8'))
+ return False
apk_badchars = re.compile('''[/ :;'"]''')