Apksigner does not verify signature

≯℡__Kan透↙ 提交于 2021-01-21 09:16:11

问题


i was trying to verify the signature of the latest Gmail App (Version 8.11.25.224) with apksigner and it failed.

I used:

apksigner verifiy --verbose --print-certs <apk.file>

The result was:

DOES NOT VERIFY
ERROR: APK Signature Scheme v2 signer #1 Malformed additional attribute #1

I was searching for an explanation why this happend but I couldn't find any solution to this problem. I have experimented a little and if you add --min-sdk-version 28 to the options of apksigner command then the results are:

Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): false
Number of signers: 1
Signer #1 certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: f0fd...
Signer #1 certificate SHA-1 digest: 3891...
Signer #1 certificate MD5 digest: cde9...
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: 2b06...
Signer #1 public key SHA-1 digest: b2da...
Signer #1 public key MD5 digest: a90c...

And if you use the jarsigner tool the results are:


WARNING:
This jar contains entries whoes certificate chain is invalid.
Reason: PKIX path bulding failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signers certificate's expiration date (2036-01-08) or after any future revocation date.

Re-run with the -verbose and -certs options for more details. I uploaded my Gmail APK file.


回答1:


This happens if an APK is signed with v3 signing scheme but the version of apksigner is outdated and not supporting this scheme. Read the warning:

apksigner version
    0.8    
apksigner verify --verbose "Signal-website-universal-release-4.50.5.apk"
    DOES NOT VERIFY
    ERROR: APK Signature Scheme v2 signer #1: Malformed additional attribute #1
    WARNING: APK Signature Scheme v2 signer #1: Unknown signature algorithm: 0x421

So, the signature algorithm is unknown to apksigner version 0.8. I wouldn't call it a bug (as Pierre does), but the error message could be more clear and it would be better if the old version is able to check at least the v2 signature. The most annoying point (mentioned by Freedo) is that Ubuntu still ships an old 0.8 apksigner package for all releases (packages.ubuntu.com) even the most recent Ubuntu 19.10 (eoan) and there is no ppa with a newer version. You need at least version 0.9 which is currently only part of the Android SDK build tools.

The easiest way for me was to install Android Studio and open it at least once to automatically download the latest Android SDK. Ubuntu 19.10 App Center did install it as snap and the SDK was then located in my home directory:

./Android/Sdk/build-tools/29.0.2/apksigner version
    0.9
./Android/Sdk/build-tools/29.0.2/apksigner verify --verbose --print-certs "Signal-website-universal-release-4.50.5.apk" 
    Verifies
    Verified using v1 scheme (JAR signing): true
    Verified using v2 scheme (APK Signature Scheme v2): true
    Verified using v3 scheme (APK Signature Scheme v3): true
    Number of signers: 1
    Signer #1 certificate DN: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
    Signer #1 certificate SHA-256 digest: 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26
    Signer #1 certificate SHA-1 digest: 45989dc9ad8728c2aa9a82fa55503e34a8879374
    Signer #1 certificate MD5 digest: d90db364e32fa3a7bda4c290fb65e310
    Signer #1 key algorithm: RSA
    Signer #1 key size (bits): 1024
    Signer #1 public key SHA-256 digest: 75336a3cc9edb64202cd77cd4caa6396a9b5fc3c78c58660313c7098ea248a55
    Signer #1 public key SHA-1 digest: b46cbed18d6fbbe42045fdb93f5032c943d80266
    Signer #1 public key MD5 digest: 0f9c33bbd45db0218c86ac378067538d
    WARNING: META-INF/* not protected by signature.

There are a lot of warning about files in the META-INF folder, because the folder is excluded from the signature, contains a lot of version files and the certs. That's also the reason why it is not sufficient to just read the cert from the APK, like some some pages recommend.

Edit: See also "How to verify SHA256 fingerprint of APK"




回答2:


There are two bugs in apksigner when it comes to verifying the signature of APKs signed with v3 signing scheme. The next release of apksigner should have these two issues fixed.



来源:https://stackoverflow.com/questions/54782328/apksigner-does-not-verify-signature

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!