From 70915a7445ba249aec9782b1a58a151939d96c34 Mon Sep 17 00:00:00 2001 From: Hans-Christoph Steiner Date: Mon, 9 Jan 2017 15:10:54 +0100 Subject: [PATCH] verify: fdroidserverid and buildserverid are part of the sig There are two SHA1 git commit IDs that fdroidserver includes in the builds it makes: fdroidserverid and buildserverid. Originally, these were inserted into AndroidManifest.xml, but that makes the build not reproducible. So instead they are included as separate files in the APK's META-INF/ folder. If those files exist in the signed APK, they will be part of the signature and need to also be included in the unsigned APK for it to validate. --- fdroidserver/common.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/fdroidserver/common.py b/fdroidserver/common.py index 103ce449..cf43769f 100644 --- a/fdroidserver/common.py +++ b/fdroidserver/common.py @@ -2014,6 +2014,14 @@ def verify_apks(signed_apk, unsigned_apk, tmp_dir): used to verify that the signature from the signed apk is also varlid for the unsigned one. If the APK given as unsigned actually does have a signature, it will be stripped out and ignored. + + There are two SHA1 git commit IDs that fdroidserver includes in the builds + it makes: fdroidserverid and buildserverid. Originally, these were inserted + into AndroidManifest.xml, but that makes the build not reproducible. So + instead they are included as separate files in the APK's META-INF/ folder. + If those files exist in the signed APK, they will be part of the signature + and need to also be included in the unsigned APK for it to validate. + :param signed_apk: Path to a signed apk file :param unsigned_apk: Path to an unsigned apk file expected to match it :param tmp_dir: Path to directory for temporary files 
@@ -2024,7 +2032,8 @@ def verify_apks(signed_apk, unsigned_apk, tmp_dir):
 signed = ZipFile(signed_apk, 'r')
 meta_inf_files = ['META-INF/MANIFEST.MF']
 for f in signed.namelist():
- if apk_sigfile.match(f):
+ if apk_sigfile.match(f) \
+ or f in ['META-INF/fdroidserverid', 'META-INF/buildserverid']:
 meta_inf_files.append(f)
 if len(meta_inf_files) < 3:
 return "Signature files missing from {0}".format(signed_apk)
-- 
2.30.2
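Review bot: The `len(meta_inf_files) < 3` guard after the loop no longer shows that any signature files were found, because the two ID files are now appended to the same list as the `apk_sigfile` matches. A signed APK that carries `META-INF/fdroidserverid` and `META-INF/buildserverid` but no signature files reaches a length of 3 and skips the "Signature files missing" return. The later verification step presumably still rejects such a file, but that code is outside this hunk, so the early check should not depend on it. Assuming `apk_sigfile` matches only the signature files, count those alone, for example `if sum(1 for f in meta_inf_files if apk_sigfile.match(f)) < 2:`.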