-
-
Notifications
You must be signed in to change notification settings - Fork 3.6k
-
-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FEAT] clear out old APK SourceStamp residue (stamp-cert-sha256) #2687
Comments
Probably fair to copy those files into original, but it appears the filename is not consistent. So gotta research a bit more. |
PR is up to handle this like original files. |
I see. So its injected by GooglePlay during signing, so not needed if you are resigning and should be removed - not copied. Re-opening. |
Was going to revisit this, but with Apktool that wants to maintain original apk as close as possible - unsure what to do about this. Since it breaks down to basically deleting a file we know is in the original apk. |
edit: this has been resolved. but I need to simplified my description here.
in the APK installation verification phase,
if the APK has a
SourceStamp file
,an additional check will be done to make sure it match a
SourceStamp block
in the APK signing block as well.when reverse-engineering APK-file,
a user must delete the file (
/stamp-cert-sha256
) from theunknown
folder,and remove the entry from
apktool.yml
'sunknownFiles:
section.a better way to to avoid copying the
SourceStamp file
back (or to keep it under/original/
folder).there are very few resources regarding this,
but the Android Open-Source Project has some basic code that explains how this works:
https://android.googlesource.com/platform/tools/apksig/+/master/src/main/java/com/android/apksig/ApkVerifier.java#320
https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/util/apk/SourceStampVerifier.java#89
this is what you'll see in the APK:
if you'll run:
java -jar apksigner.jar verify --print-certs --verbose --in "Google_googletts.google-speech-apk_20210914.01_p4.398601325.apk"
(for example),you'll get something like this:
(full)
a little more information.
Google Play uses it.
it is best to make sure it will not return to the APK,
delete the file, and its entry in apktool.yml.
the alternative is to change the the package identification.
BlueWallet/BlueWallet#3219
https://support.google.com/googleplay/android-developer/answer/9842756?hl=en#zippy=%2Capp-signing-key-requirements%2Cinstructions-for-apps-created-before-august%2Cupload-key-requirements%2Cupdate-keystores
https://www.exceptionlife.com/android/question/6517/installing-google-play-services-from-apkmirror-by-command-line
edit:
do a known issue part like this one:
suggest delete if user won't bothered by it..
I've recently discovered
assets/ysh/hook.apk
and https://wws.lanzoux.com/i5zOghl94ab so for the price of doubling the size of the apk, signatures no longer bothers me.making it as won't fix seems accurate.
good journey.
The text was updated successfully, but these errors were encountered: