Signing issues with v2.3

[IzzySoft]

On the APK from the latest release (v2.3), apksigner throws an error:

ERROR: JAR signer CERT.RSA: JAR signature META-INF/CERT.SF indicates the APK is signed using APK Signature Scheme v2 but no such signature was found. Signature stripped?

This means two things: newer versions of fdroidserver (I have to upgrade mine soon as the version I run isn't supported by the latest Android clients) will reject the package – and devices running Nougat or above certainly will as well.

Could you please check and fix this? Thanks!

[gen2brain]

I have an idea what is wrong and how to fix, but that will happen in 2.4 release. Not sure when will I have time to add everything I planned. Desktop version have a few nice new features (link to download beta is somewhere in issues), plan is to add also those to Android version, and after that to release a 2.4

[IzzySoft]

Thanks for your reply, @gen2brain – good to know you've got an idea and are on it! As some other projects seem to have the same issue (I've opened a bunch of issues today), mind sharing what you suspect? That could then be passed on to the others as "starting point" and, if they respond and check, you could have some feedback on it which might help you as well.

[gen2brain]

I think is related to some android-studio update, where on build release new checkbox appeared, for v1 and v2 signing scheme, and by default just one is checked. Not sure, but think that could be it, both option should be checked, I had similar problem with other project.

That is just what I had in mind when I saw your issue, just my opinion, I am not sure etc.

[IzzySoft]

That sounds different. For apps using v2-only signing, fdroidserver throws a different error indicating it couldn't find any certs (there's an issue open on that already). So: if only v2 would be checked, this other error should pop up (which it doesn't). If only v1 is checked, there should be no "indicator" to v2 in the app.

Could of course be a bug in Android Studio. So if you (or someone else here) have a machine with a different version of Android Studio and could just compile the APK with that, then running apksigner verify against it should tell.

[gen2brain]

I don't have environment now to rebuild same apk, and same Android Studio, but bukanir-2.3.apk is from Oct 2016, I don't think there was a choice back then, so it should not detect v2 at all.

Edit: just rebuilding the app is probably most simple solution

[IzzySoft]

Could you try that? Thinking about it, several of the APKs I found with this issue seem to be in a close time range. So a good guess might be some bug in Android Studio back then while they started on that v2 stuff – and that bug might be already fixed in more recent versions.

[gen2brain]

Ok, rebuilt 2.3 with new Android Studio, of course it insisted on build tools and gradle update. Now apksigner verify reports just warnings:

WARNING: META-INF/rxjava.properties not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/services/com.google.protobuf.GeneratedExtensionRegistryLoader not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.

New build is here if you want to check https://bukanir.com/d/bukanir-2.3-rebuild.apk .

[IzzySoft]

Cool, thanks! Replaced the file in my repo. So it seems it indeed was a bug in a certain version of Android Studio – and a rebuild with a recent version is all that's needed. Thanks a lot! I'll spread the word to the other affected apps.

As for those warnings: They are no show-stopper, but still an annoyance. Not only for the reasons they give – but the current version of fdroidserver (the one I have to update to) spits them out at each run (being worked on) – a show-stopper for automated maintenance as one gets an error mail on each run, not only for new errors/warnings. But, I get a ton of those (200k log each run) – at least every 2nd app has this issue. Maybe keep a fix in mind for the upcoming v2.4? That would be great. No need to hurry, the main issue is solved 😉

[IzzySoft]

PS: You spoke of a v2.4, @gen2brain – is that still planned? Just wondering whether you gave up on this app.

[gen2brain]

Hey, I didn't give up yet, I use desktop app almost daily, just don't have time to work on the app. For now I just have plans, but not sure when will I have time to finish all that is planned.

[IzzySoft]

As long as you are still on it, it's not abandoned. And it's a hobby 😄 Thanks!

[IzzySoft]

Just wanted to give it a try, but all I get is "connection failed". Is the app currently "unusable"? Some required server not available (the one preset for "TPB host name")? Is there another host one could add instead – so I should point that out in the description?

[IzzySoft]

@gen2brain ping?

[gen2brain]

Sorry, I don't have time to work on this currently. It probably is unusable.

[IzzySoft]

Thanks for the clear answer! I've added a note that it's "currently unmaintained and probably unusable in its current state" (should show up with tomorrow's sync). If you prefer I remove it from my repo for now (and add it back when you found time to fix it again), just drop me a note.

[IzzySoft]

I see there's a new release, but somehow the APK is missing. Can you please attach it to the release? Thanks in advance!

[gen2brain]

There is no new release for Android. If I rewrite the torrent client to use the native Go library I might revive the Android version.