Bug 57914 - Support apksigner in AndroidSignPackage
Status: VERIFIED FIXED
Alias: None
Product: Android
Classification: Xamarin
Component: MSBuild
Version: 7.4 (15.3)
Hardware: PC Windows
Importance: High critical
Target Milestone: 15.6
Assignee: dean.ellis
Reported: 2017-07-03 18:31 UTC by Jon Douglas [MSFT]
Modified: 2018-01-12 07:23 UTC

Description Jon Douglas [MSFT] 2017-07-03 18:31:44 UTC
Description:

As of build tools 24.0.3, Google has recommended that developers use "apksigner"

https://developer.android.com/studio/command-line/apksigner.html

However we currently only support jarsigner within this task.

https://github.com/xamarin/xamarin-android/blob/a35e52abed7468e359918f913270fafc8f5a1cfc/src/Xamarin.Android.Build.Tasks/Tasks/AndroidSignPackage.cs

This tool is used within the APK Signature Scheme v2:

https://source.android.com/security/apksigning/v2

Thus this tool is v1 scheme (jarsigner) and v2 scheme compatible.

It also has a few benefits such as:

- Faster app install times
- More protection against unauthorized alterations to APK files

https://developer.android.com/about/versions/nougat/android-7.0.html#apk_signature_v2

This would need to account for the following workflows:

1. If you use apksigner, zipalign must only be performed before the APK file has been signed. If you sign your APK using apksigner and make further changes to the APK, its signature is invalidated.

2. If you use jarsigner, zipalign must only be performed after the APK file has been signed.

https://developer.android.com/studio/command-line/zipalign.html
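
The two orderings in the workflow list above, as an added example that is not part of the original report or of the Xamarin.Android code: a shell script that emits the steps for each signer and checks a command sequence against the rule. The file names, keystore, alias and the function names `signing_plan` and `check_order` are constructed for illustration.

```shell
# Added example. File names, keystore and alias are constructed placeholders.
UNSIGNED=${UNSIGNED:-app-unsigned.apk}
KEYSTORE=${KEYSTORE:-release.jks}
KEY_ALIAS=${KEY_ALIAS:-release}

# Print the build commands, one per line, in the order the signer requires.
signing_plan() {
    case "$1" in
        apksigner)  # align first: changes made after signing invalidate the signature
            echo "zipalign -f 4 $UNSIGNED app-aligned.apk"
            echo "apksigner sign --ks $KEYSTORE --ks-key-alias $KEY_ALIAS --out app-release.apk app-aligned.apk"
            echo "apksigner verify --verbose app-release.apk" ;;
        jarsigner)  # sign first, align afterwards
            echo "jarsigner -keystore $KEYSTORE -signedjar app-signed.apk $UNSIGNED $KEY_ALIAS"
            echo "zipalign -f 4 app-signed.apk app-release.apk"
            echo "jarsigner -verify app-release.apk" ;;
        *) echo "unknown signer: $1" >&2; return 2 ;;
    esac
}

# Read commands on stdin and check where zipalign sits relative to signing.
# Returns 0 when the order matches the rule for the signer found, 1 otherwise.
check_order() {
    n=0 sign_at=0 first_align=0 last_align=0 signer=
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            "apksigner sign "*)   signer=apksigner; sign_at=$n ;;
            "jarsigner -verify"*) ;;  # verification, not a signing step
            "jarsigner "*)        signer=jarsigner; sign_at=$n ;;
            "zipalign -c"*)       ;;  # -c only checks alignment, it does not rewrite
            "zipalign "*)         [ "$first_align" -ne 0 ] || first_align=$n; last_align=$n ;;
        esac
    done
    case "$signer" in
        apksigner) [ "$last_align" -le "$sign_at" ] ||
            { echo "FAIL: zipalign (step $last_align) after apksigner (step $sign_at)"; return 1; } ;;
        jarsigner) [ "$first_align" -eq 0 ] || [ "$first_align" -gt "$sign_at" ] ||
            { echo "FAIL: zipalign (step $first_align) before jarsigner (step $sign_at)"; return 1; } ;;
        *) echo "FAIL: no signing step found"; return 1 ;;
    esac
    echo "OK: $signer order is valid"
}

for s in apksigner jarsigner; do signing_plan "$s" | check_order; done
# Constructed bad order: aligning after apksigner has signed.
printf '%s\n' "apksigner sign --ks k.jks --out a.apk in.apk" "zipalign -f 4 a.apk b.apk" | check_order || true
```

Feeding `check_order` the command lines extracted from a build log catches a zipalign step placed on the wrong side of signing.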
Comment 1 Jon Douglas [MSFT] 2017-07-03 20:06:46 UTC
Another source: https://android.googlesource.com/platform/tools/apksig/
Comment 2 Jon Douglas [MSFT] 2017-07-05 16:21:22 UTC
Marking this issue as CONFIRMED as per internal talk. The task does not support anything but jarsigner currently.
Comment 3 Tom Opgenorth 2017-07-05 19:35:29 UTC
Also, note that apksigner is "missing" from 26.0.0 of the Android build tools - https://issuetracker.google.com/issues/62696222
Comment 4 Jon Douglas [MSFT] 2017-08-18 16:03:28 UTC
Looks like apksigner was fixed (re-added) as of the end of July. Looks like Google forgot to include it in the payload and now it's there. I can confirm it's now included in build-tools\26.0.1
Comment 5 Filip Ekberg 2017-10-09 19:54:35 UTC
The current implementation uses a weak algorithm, so it's really important to get this ASAP.

Meanwhile, I submitted a PR to work around the problem: https://github.com/xamarin/xamarin-android/pull/927 which is not at all something that's better than moving to apksigner!
Comment 6 dean.ellis 2017-10-12 12:40:35 UTC
PR is up for this https://github.com/xamarin/xamarin-android/pull/928
Comment 7 dean.ellis 2017-11-27 15:53:47 UTC
Fixed in xamarin-android/master/f6c58d6