Bug 57914 - Support apksigner in AndroidSignPackage
Summary: Support apksigner in AndroidSignPackage
Status: RESOLVED FIXED
Alias: None
Product: Android
Classification: Xamarin
Component: MSBuild (show other bugs)
Version: 7.4 (15.3)
Hardware: PC Windows
: High critical
Target Milestone: 15.6
Assignee: dean.ellis
URL:
Depends on:
Blocks:
 
Reported: 2017-07-03 18:31 UTC by Jon Douglas [MSFT]
Modified: 2017-11-27 15:53 UTC (History)
4 users (show)

See Also:
Tags:
Is this bug a regression?: ---
Last known good build:


Attachments

Description Jon Douglas [MSFT] 2017-07-03 18:31:44 UTC
*Description:

As of build tools 24.0.3, Google has recommended that developers use "apksigner"

https://developer.android.com/studio/command-line/apksigner.html

However we currently only support jarsigner within this task.

https://github.com/xamarin/xamarin-android/blob/a35e52abed7468e359918f913270fafc8f5a1cfc/src/Xamarin.Android.Build.Tasks/Tasks/AndroidSignPackage.cs

This tool is used within the APK Signature Scheme v2:

https://source.android.com/security/apksigning/v2

Thus this tool is v1 scheme (jarsigner) and v2 scheme compatible.

It also has a few benefits such as:

-Faster app install times
-More protection against unauthorized alterations to APK files

https://developer.android.com/about/versions/nougat/android-7.0.html#apk_signature_v2

This would need to account for the follow workflows:

1. If you use apksigner, zipalign must only be performed before the APK file has been signed. If you sign your APK using apksigner and make further changes to the APK, its signature is invalidated.

2. If you use jarsigner, zipalign must only be performed after the APK file has been signed.

https://developer.android.com/studio/command-line/zipalign.html
Comment 1 Jon Douglas [MSFT] 2017-07-03 20:06:46 UTC
Another source: https://android.googlesource.com/platform/tools/apksig/
Comment 2 Jon Douglas [MSFT] 2017-07-05 16:21:22 UTC
Marking this issue as CONFIRMED as per internal talk. The task does not support anything but jarsigner currently.
Comment 3 Tom Opgenorth 2017-07-05 19:35:29 UTC
Also, note that apksigner is "missing" from 26.0.0 of the Android build tools - https://issuetracker.google.com/issues/62696222
Comment 4 Jon Douglas [MSFT] 2017-08-18 16:03:28 UTC
Looks like apksigner was fixed(re-added) as of the end of July. Looks like Google forgot to include it in the payload and now it's there. I can confirm it's now included in build-tools\26.0.1
Comment 5 Filip Ekberg 2017-10-09 19:54:35 UTC
The current implementation uses a weak algorithm, so it's really important to get this ASAP.

Meanwhile, I submitted a PR to work around the problem: https://github.com/xamarin/xamarin-android/pull/927 which is not at all something that's better than moving to apksigner!
Comment 6 dean.ellis 2017-10-12 12:40:35 UTC
PR is up for this https://github.com/xamarin/xamarin-android/pull/928
Comment 7 dean.ellis 2017-11-27 15:53:47 UTC
Fixed in xamarin-android/master/f6c58d6

Note You need to log in before you can comment on or make changes to this bug.