From 0f4cbc7224409c8741dec9a2cc19f23c4d0aaacc Mon Sep 17 00:00:00 2001 From: Hans-Christoph Steiner Date: Tue, 30 May 2017 14:52:33 +0200 Subject: [PATCH] allow APKs with same packageName/versionCode but different signer There are many APKs out in the wild that claim to be the same app and version and each other, but they are signed by different keys. fdroid should be able to index these, and work with them. This supports having the developer's signature via reproducible builds, random collections of APKs like repomaker, etc. --- fdroidserver/index.py | 13 ++++++++--- tests/repo/index.xml | 2 +- ...patch.current_1619_another-release-key.apk | Bin 0 -> 10541 bytes tests/run-tests | 22 ++++++++++++++++++ tests/stats/known_apks.txt | 1 + tests/update.TestCase | 2 +- 6 files changed, 35 insertions(+), 5 deletions(-) create mode 100644 tests/repo/obb.mainpatch.current_1619_another-release-key.apk diff --git a/fdroidserver/index.py b/fdroidserver/index.py index f7162092..d3c1a0b7 100644 --- a/fdroidserver/index.py +++ b/fdroidserver/index.py @@ -361,9 +361,16 @@ def make_v0(apps, apks, repodir, repodict, requestsdict): # Check for duplicates - they will make the client unhappy... for i in range(len(apklist) - 1): - if apklist[i]['versionCode'] == apklist[i + 1]['versionCode']: - raise FDroidException("duplicate versions: '%s' - '%s'" % ( - apklist[i]['apkName'], apklist[i + 1]['apkName'])) + first = apklist[i] + second = apklist[i + 1] + if first['versionCode'] == second['versionCode'] \ + and first['sig'] == second['sig']: + if first['hash'] == second['hash']: + raise FDroidException('"{0}/{1}" and "{0}/{2}" are exact duplicates!'.format( + repodir, first['apkName'], second['apkName'])) + else: + raise FDroidException('duplicates: "{0}/{1}" - "{0}/{2}"'.format( + repodir, first['apkName'], second['apkName'])) current_version_code = 0 current_version_file = None diff --git a/tests/repo/index.xml b/tests/repo/index.xml index 88507d52..ff958b7b 100644 --- a/tests/repo/index.xml +++ b/tests/repo/index.xml @@ -129,7 +129,7 @@ obb.mainpatch.current 2016-04-23 - 2016-04-23 + 2017-06-01 OBB Main/Patch Current obb.mainpatch.current.1619.png diff --git a/tests/repo/obb.mainpatch.current_1619_another-release-key.apk b/tests/repo/obb.mainpatch.current_1619_another-release-key.apk new file mode 100644 index 0000000000000000000000000000000000000000..1a494fe23bafc25c4915f95a9349575d4e4746d7 GIT binary patch literal 10541 zcmdsdWmsHIljz{??he7--3jgq?hZ4!1Pg)SM1kNQ2sS~3O&|~?!6CRy2noSm2G}#% z&G+Vg?|%2kz58oxo;uxKr%SrJp01wmqpyX6N(#cn!~}Iav}@9{7gmg+fezwZoSppq`GUPXZ~8%?>U155g$ZHo=G+qpjiL;Zp}2K1-G%N1dFW0z z7E-O-93$7`2KRC1Ld})ls8$`ifq?!#<2wmHXjrE)YhZ&BrD$Qqpxy`R~o@v!T3GA zuQQJzbS#0W*4twxLFMs5appaZ9_MXb^Ktu?%xg%!z9~rWo%@w-jWIZ5HBsfWNb3^Iw za4$iKivv2Q+Vo_yyrR?8B-7VrFM7lP+JE9PDC%=vXzX`E>Z39{Z)k+%xtkS4eU5q| z87#@ByVFR&lehoPg#U}Ee~!n2yR^a-OdjT2fiaNm?M4H$Sg|T3aMfD$xEyeyFp%~q z^Z6{?vojXZT{=Q~h1KeVL$+PWA}#=q5}6OefHLofPol9O@VAzRRcwhkAJ7bNRW>DI zga>^WtD7%+N+>=Z1kRp${xg12H6q)vu=tRw+cSN4<%{&wu&wYUN#O_Xy~h$RCjzn@ zp%1c%grisnKh3tY=qOzdqP|SM7-4;xakU)Jo_Txgu(c#f;+w-Nf-73cp&w7%7u7Y& zoEnv0AX6*(oMm#8uas9$3ce~sWM9D^h~@@<7c|EQZDSuPw=99 zJi;m>^yscqtB9ti;sb;42p;alKS&?-Vsc9I_jHiC6is%A|KJn#Unl7IV>)ADYO(H; zD6Msl+31*YQNG-{V(sZ0n{qfsv$Gk!bm+Z+9c5h?Jr?JNnWeb&UYueTqj$Xf3~JOt zd&A4tQqmw=#?z>Su`+}O(OuWE2u=XOLRN=7U@?zh;f`K4?2l8ABp;2esSZVy5166G zk;gPKirp;oBzhTGusGF(UFA4MZlY{Mq!ez2UTCRV2z&il?xMPC8hsr}GahFRV_W5Q zgQ?;`$_FC8!^8`nR(U;SgoihI&sJtneP_D{PFFHFdp4bTVU`3-&$@;9D-V3ht>r-c z9I%|;0gK?rAQ)`_kov9dY70^@+A5hyp2sQ~%D&}l3-w#q)imVc`k*o(*a@IP>4 zy)8NDCtuP8S(^nrr8L>ER->;}V?tEdtIdPcKroZlYIj)T#!`#(0!#Q+>jCcS{IXb{ zRoInu?@_kH%=PB`NF;qN49q{*K7C+S#0G&dK>#p;(qwxh$k0F_1kwT&Unf6)M_;=j zJ9|$jem4gjPrCrHgR7G-pEuYgL0?xL51Sfb2I1Y+P%#8bN(5q}0MF_2Az<}HZq(N{ zRt1`zOcW$!lzbYtDzf5Y64Fk-5i0UhsuElTxR{tY_(JOD91K)g0N~)FV*o2O1_2%p z4i5J19F&KRo}7e;o`H#mQ%r)7g#ZUrQ%g%xK_2LYPeQ>$ONNh&Lr+IXM9C<`K}$nT zg-1jttYXYaP0Yu~hf6@r$S2J}NyNa&M9nV9NJY%g&re24!zHGyEXsk4g^o=?Y89C; zC@4fpLoX zI8c({LA>07u>l5aNb`{p;1E(U&{L5R;9=|N>WPYokPs09J#nxw(b3U(cz6LD2r1|o zsL5!lDd=gbhzW4I&wg-p^>q;xELWdi@GEaF#!$+ z77in?6f+$a1sxj~BLyBl0i&S8T@^)H6-{MjWg=n{e0%~E6VvLqwV}ZQ1%<`6wKWeT zBg92T0Bc)e?SQX#wtt3(1ikO*+}qnbJ3oiR;Rgo?hX)7Yp&=ceAFtt8j~_iWx3Ki{ z^|7$B{t!;TF^yK(RTvAF@M99+C;qnTe^(s|MNALLL z^!VsdQbOYOo65#IsFjT!{QBnT@SuNizjl9J#tFw@yY3T^)*C<1oCon z4Na|`9q)nIaPSNs z)B64pHQubGWL~XB2MW~MhnSX|Wu!#bm`4F{d{rO+IL;@Jlf1 zTd-!+^}@7w@9OcQN--(DV#{rj+eFJb{L~ z!}Mq<`FyhPK_H|cV0w)2j5ydTfYjKX89#URqqELF@0OHkX^tW#;AiM~SU_lb|GtWU zY=*=$CMHQEO>;GJJ|+%%k9Uul<6oD^xIh!Rv@LbQm*8kPq9Tf()v9w+0zOvnd$iJd z%v!aVL7xOggv6o}viWT4>^CYVJ*KiUg$3^4H&=|Q_VS$OHS4fjFCDUY2d=Mo@%Hvd zPLyhEZf${JWYs%tLKn5tw-5G@?Lk_>SKEtCw;+A{&z;I~QD2E{ccC{P2(7%3$~8v)QRb?9#o3=iz;~2{8dbQ&D4!*BHC8px|W97 zr>rg!$?Q>K>o-3AwWaGhDRg73*vnW90tQ*Ir@g`}TUT(%;jx(qO{q$#y34&F0+doz z6lI9bEh?tR8Y?MQ>}R7=CCV?Q!U7-=vv*_4Ym+;`6o5c?RdrRMO16&>%jsX6%=vSp z7HlLCNE`XD<rB zP5>Ks1mc5G5Ge{0;OpSz$7kp3=KxFvG6?tAOTh0SBp{1@2TCBF{R@DZ`xnRnwO{~a z0n7rB7UTz#ZU+hgfq}X!K=lRjfxLm1%inkr zeL_GGpr1d$X9x842e<Sv6Sq}iJH_*Za83D5We{msX z`vEjukOn~W1bz?@BVZQ<=Nf}`CS1@TmTsXM8pQ_FMs(1UP8>oKjQ!d zLI))MHNS|qAK**hUo(n`1B9+-p!}^HsQ!|RC=oynpag*00D=L;0XYA=$O5)ifS!LB zI|$qCfN1ds;t34Yyns0cfe8M^0RgBsfMx%TBb;Ax`=4=S^G6&3A%si_A_QarZuSahJ!$&_`j)qsmY(;qw7^&bVA7hF zhN&udS)bN9sf$sWF{?@@-_c6roGpCuNo(na<&WmjxwhgvlQoW$PjY%SzB2ka&3NZX z@uh-vzrY_xe^5-Ga7(!{VDuX8RmhrgjbhhWfGeyt8(^PF%kMT9y=EkqyIO)>Tz?xH z+^t=y>W+iFPl>oOJ=tg)_VkIInr(-jjo(_ggzfBKcZB+E%7*_;&{S#g^>leL(eZo21`WWh0ai;ZWkZ%3b+)wVTQf@``ZypM-&^BYrp+g^1bPlZS zb!M-;S`lCI+7I356PSyqRuFbYp|d4iz;piKw(qmgbIx@xzAyI47QO9*hy(%j(ey=? zp~~V4pEqU>GDWA+%H9Y0hqs^(^y-X0wHg{)G@KRWX5@BUYZS;MSBx>|eMNoLd{i4$ z{-{XgTjU!$I3*kxh60TWimJtrKw;O25}^czb}9;>=tlXi5C@(qn8N-gdb$UoZ4 zmU0`}!Iqd74UO<2MyJDy&^b>tvK$8VQ3sk03V#%;5(v!E93$ZQD4~uKgK#T`SAj-B zyhefGI~&zexGl*H?z@K(HDsPB^PM0{<11Ez*iL+JoEa=IN>lV%l+_BpHwPtB@yfNW z_zVI5Lr!nP1(dAG2)HwMSkdvlf(*?_ya!3+ksvyYhazd;TA|0J%O6+NE3}0iHzO|i zXXeu&5o26CmbcYh`B-TqF>{|eLk)jK>IbyY3%(w{&c^()uv7}yabL1Xi)b33A2NB5 zb6GNerF0tgtX;U|Y3y-0lPu9VOQBecyvL>So56dww*}*6cDE1583Z<@yo?-lZQnU` zPZy@iDTn1cW(~xp%JAE}(TG;uH#a@-SLvC^=aj5=L=y<+VRn?3<(ir-cxkVb%}Mx^ z^QicakEKS6XBw32qKYz~=T!kEFBTP(jm9h(nI%l=6W;^PPk6`48G3PVrXN|cIAuA< zB!9tTBGFVUXLL;G!^$)oFX|vZvf=LQ4NtPWbpvBO$L<(5@cOl|=hvt9 zto2G_&p6gp()WyfU%tprTPSjj47UnN)(9TlHSoCz!G(wE<}!WTqW^Xl7`Y=*IC;cE z+`s%74yhbkteD%y-(ZM6*!qRP|MAxX0nyp=``$E?49iyhE)|d#X3Z zk}Y~u-)t0a2oL3-zr1qtx^eotoB-$WJ%m|j-_kD6S42iw3#EE|`h4`_=iSk?mq)|g zE!-RfyN}@t8uG;B^0ecdChuQ7)BgU}u_Rxs^f(Onbx8j5z$fXbKBdodN(B0EmmV87 zF;5Gx&s-$LyX=(sXnvoKSIY~?9+iEWuO#!9>Sx!6R|PIkS_@q@>;1P=nrxP(^@H`k z5+O2Ql=gVn7FHZ0SXlNHm+d9uWa_b4bQBI@sPjE*qXC1=g=tmfRa~cSffP)4Av(GN+49u zqm1y0XewVD``$VC%Ro7cz&Uq?wmeBj^Oop{LomNNRuhqh7m7!NxN(ysUhyuu&o|#? zT*r;sy-XHYZt%8{dHJ*kb2!I%f~#9|emfDb+1*wKhn>f^dgZx~54+E|sH~42+IV+}_&9OJ)5UOguJ=qjmf0MQoFc@Q>`v$XU-Azju`IVS$3r zZAp751UI7s&T2?iR_H9#%H5iR z>_>4Nvs8Vi@21BwRB{=)Smjil5ve^auQnUooN>#h*?kUou(ZFi%%guYUKcn=+trdE z|4y|9J+$FA3*P(VtAkT+cxz%=C8bAle)JsUoc6(q>E3-IwT_&$lTsbEvZ1PR8NX;L z2hqu4Ew1!7GwPix62VHGk(EJ{s{+R*rXpFTK2iF{#-nuxld4eXCRdYF?c))%kU$-W zxc(pox7+DfS?299y5P$=vx}vcKyewXr(b{6YFLff&r}BHF10D+4i-_Y->n<>rrELk zoR{JiojOt4$KtQ=VlE^p3&k0#m+DTwH`0AuwPPd9|IN7m_L%*&32c8mq_f@8mT*nr zu??RWg+mlxXKDr=25HTlR&$CsvWMSh`P=EVHn3l>WQiCpGd4zu9_&6R`PsYiAg#&j zGZI^9>O$#P+wT?+%g-oFcNN*~75hz1o^-?sp74!K1R)tMYioxSxUR`EvhAFR2-CEOr~>bzX>l z&SVbvbx&jt)+SPRPs}d#FcNM6_n%@%?U5e_mZvT!^$&nIwlM>ycKq7!`M@+I4C9I1 zD>s96*&;=})!!6@4+k#ZZ`3a>G+4=zxl4P}7aGsVnVw*)y2QK)aA;g3KQg-M!aUI> z+g_^+<${Fn6D+KTUSL6>-(Ly#928mcJspjuNzFW#;n2U375^mvooA>589%YAL-Bd& zBH9Sl7$un}GE=su6?&d?}0YCFgf`>R9(AqZWHb^Q$jbbh36ji1SZ^t z@bm{a5lwd%h;?mj-WBJGhq&514RiXGS-Ie!!Jy#w_O#Rn3NHwg{I@IBK5H*!N@X1m zwNn2bBFkuwlo8s zz=HDk@Q~a6lsWKizR^%fjl10ALR$6{AK*uQm(>vPMM(9k%BC7#OT5uq2{E*fAzn>U z_F7Gq5iC|OnJ7D3(us}tcCUh9x@9*rfH*EviAYg_t(T<1Up)j{8Q#g=!%j+kPnaXo;lTi8|G2WyxR_W4d?T zNhRxv1?i9Ef27R%m60PesB?)C>p*_LzG#z^EQ=MTB#S!7SAxfg4{{nB3{Llt3GzV6X(@_ z1IwyOGPR)CIaHMQW=|X@78;mn_)eO1lOP?+|g)0H>ci ze0vN7KOA~>B(}%AI?W_S^oC@7X0R+fyl420jMaEc)_Du=`MK?EQ@`5sOXACY)V3

D6 zID!}(z0JC~qu0{}_1t;xxtN%uqCB!VuZLt%bG0uZIU38-N{~`0<)}^Y9CJqMN+c08 zhvW-$qt7rJ&cs(}Cg{B?nly|e(0q%|SL-B{zGF|8#D{9yCqdHuY04DXBPJFW#SfDw zu5P5}CN~a#Z+K>Jp_41y)9UQMt$K&W*CCo9jYhFufYp@W;RD(O%>4XdI&H$ z(=?Nh(L4VLH>WkT8uNEC*CQx{=n$0PRVQTMcWIltlSXdVVKdQRFcluK6V-ZZYt_c{ zQ&py!UR2E^)FOZlMmxv)3JtEvCZe4n?it}9EF!ofNizoz| zJH|gJda8|4s}W=MZZL_0nLnroXGAq(rnA8&K&4TAyj*?8MQGdPC$P^6VZqs`rTrpe zHLykfMaXprNAfh|#2uP+eWz~*;wKdfONzXp%xrrW;v^ecxs0;I{j)_hYZm8Pw6IUe zVRZTaNXK0oA>7-(=Mm}?GZ;IEv0|+^^YH_7%Q%gr%eVpN*KJIgFt(N<)!_CD055H*lBvRf4t=@6~q^?(QW1lII31cg5il}%H= zd{;96GKYV&S>ZDg&g_CMA7(L1b#;@mQ@5Z7tytWo>}VbjwXa&2i-`dlfuYPOeZm#! zSV+g%>BO!v+ktrT5peFxv4DAa(%pZp9MtfmBV!%My~@ht>}K7YCmEG1{VvKgR>|j+ za%f7oNPRSM8^#gnZ=YC}jm^G)CcMs!-@e_!I3Urbgu$nua)#p_4-&mYr!dq*eUIFD!DBS67Q4ym)mF;n_d^_jk{_H>ur70$!a05OFN= zFV8Bg8XEH%sd)_#0bV8j?NuaHUSnd4g8QOx^wUVioHM8bQsrGhg?cs)a}6(c!C>EZ zzp1a!9u<|`KNfUi)xuMJ-YV0Smz5~NjxmVsgJf9OK^IHN^G$bJ#kwwN!Y8eBR;%IA z`di%1Cz`{Bczba7F83J-z#eL|O=CfPL4$!2QH2 zdHAWVsbPF3>YZp_rNs}hXtOeLoafaLxwq3Y&l=&R0hiS}@sGIU?RiL=lN2+%SV|4^ z=;v%_X!T^9e3`y5_Zj_^sQDBqB)f6SK-l}RcAh!rr)gflA2%22eJ>YJh)sI?9{W;1 z?pQ?V$ba6j{^{JmyM6d^shkmTq~i`84-)+!ZZ|Yi6n3@Oaaf;lKXSbq9{4oeP>>+H z0ANPK^RZ|14_~I3WIxTko0!)5kft!+N0G#@3BWc*5~CYrXLdDqcJj0~@($eKRd>pk zD09sZ>;iFhHCV!us#J%R-cb^?U4yz$3}PRl!x`z@1mY|r+Mhf!vM16;q9CY$TUk_? z97P)6$ID~+!rbyj<|`D7Xo)B`uMpdqgty(Twp3qZ{?z;wy{f1uJ ziyo_{=B&nUum)pik429y)!zlRR3sQ+Nd{AzQDtOPUQj(;v((l}PR6x>WOfLrRV7~1 zk9KInnO-JrKK`;x;XLU&L$`eaAFdlc|C+Zsj0+94T5j#>PmRWL)|Fg*aVC4{A3qzA z6p(&*K}YJ$o}(4&H&m6;@72hzAn6gXrtF;Cs(Q<-`}RWcqf3zHSd_(Bsqj-9)3q=# zX#l^(%e`T{Gs=`qJ-AZ`bj9a%&PRE5sqJG`eY4md4%Ow)jiz977!9dchKFeA5L)lq z7w9{(a96oz-*TT9j(f|Wrdl1#$sV+|qx)IQcZ_=d$fd3gz@EEng+cXg*x&m*BoP+m zXzuAgjuls~*C@;JKC^$e@m4=#vrsvT+g>Z?#uXxT6quj8NY*4R*f7CYITVrPK4VIx z&hD&+-rJLieu!T8fiQK$fyjaAB2+ebDO-#9ZGIk>nNfh;-iINli!E2TWGd3Ygj>1W z22BEKj`t3II~4iFp@)3SwU-U;;PLLTybdm#2jC^2uNMc)L3!cKksni+Bp4P0Qp_=y zLhs3kZhiG4@__mD*evJzo_&j~^V#JJb0}L`Ru#$ z!8TTB>h`QYdjGfHor{OEr{YgF!(=%m_vSh?E(T+Bkx6>MpYOfRpm|oO>A0hKl0uC^ z>bzKOtS1p3I$MiA|DtRmboj^X&A|cbGdcO2MKg%i(Xc?}%yD@CY-q~Myk;$ri22)t z)oF99yzrbk-&mdGq$n&mIe`)C30&>VSaOiY2AaFQi<`aU%FMg-q3w$#-wv5WuW~=D z(`(`AX;|6qBu8E3wfua$j5g1@SIf#NXVo>I{kOw!U4)1_57xAkM1)n@>mnl0XhDb^o^yN&achpLc(V zgZaO}2~dZS^zZIa|7p|T?+X8t0|K=G=jMOEIsB&;f9^>ThwOg=3`m!M9J&9K@z0ct z*s}ZuWek6$**`Wg|CI1&_CTcOzW|Bp4+;O3sQ=0R=S(9q%wG`9{7-Hm-{@> config.py +echo 'keypass = "r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI="' >> config.py +mkdir $REPOROOT/metadata +cp -a $WORKSPACE/tests/metadata/obb.mainpatch.current.txt $REPOROOT/metadata +echo "accepted_formats = ['txt']" >> config.py +cp $WORKSPACE/tests/repo/obb.mainpatch.current_1619.apk $REPOROOT/repo/ +cp $WORKSPACE/tests/repo/obb.mainpatch.current_1619_another-release-key.apk $REPOROOT/repo/ +$fdroid update --pretty +grep -F 'obb.mainpatch.current_1619.apk' repo/index.xml +grep -F 'obb.mainpatch.current_1619_another-release-key.apk' repo/index.xml +# die if there are exact duplicates +cp $WORKSPACE/tests/repo/obb.mainpatch.current_1619.apk $REPOROOT/repo/duplicate.apk +! $fdroid update + + #------------------------------------------------------------------------------# echo_header "setup new repo from scratch using ANDROID_HOME, putting APKs in repo first" diff --git a/tests/stats/known_apks.txt b/tests/stats/known_apks.txt index 94a40a74..ec777242 100644 --- a/tests/stats/known_apks.txt +++ b/tests/stats/known_apks.txt @@ -4,4 +4,5 @@ obb.main.twoversions_1101613.apk obb.main.twoversions 2015-10-12 obb.main.twoversions_1101615.apk obb.main.twoversions 2016-01-01 obb.main.twoversions_1101617.apk obb.main.twoversions 2016-06-20 obb.mainpatch.current_1619.apk obb.mainpatch.current 2016-04-23 +obb.mainpatch.current_1619_another-release-key.apk obb.mainpatch.current 2017-06-01 urzip-πÇÇπÇÇ现代汉语通用字-български-عربي1234.apk info.guardianproject.urzip 2016-06-23 diff --git a/tests/update.TestCase b/tests/update.TestCase index be1a7266..3742f965 100755 --- a/tests/update.TestCase +++ b/tests/update.TestCase @@ -204,7 +204,7 @@ class UpdateTest(unittest.TestCase): apps = fdroidserver.metadata.read_metadata(xref=True) knownapks = fdroidserver.common.KnownApks() apks, cachechanged = fdroidserver.update.scan_apks({}, 'repo', knownapks, False) - self.assertEqual(len(apks), 6) + self.assertEqual(len(apks), 7) apk = apks[0] self.assertEqual(apk['minSdkVersion'], '4') self.assertEqual(apk['targetSdkVersion'], '18') -- 2.30.2