Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEAT] clear out old APK SourceStamp residue (stamp-cert-sha256) #2687

Closed
ghost opened this issue Oct 26, 2021 · 4 comments
Closed

[FEAT] clear out old APK SourceStamp residue (stamp-cert-sha256) #2687

ghost opened this issue Oct 26, 2021 · 4 comments
Milestone
v2.6.1

Comments

@ghost
Copy link

ghost commented Oct 26, 2021
edited by ghost
Loading

edit: this has been resolved. but I need to simplified my description here.

in the APK installation verification phase,
if the APK has a SourceStamp file,
an additional check will be done to make sure it match a SourceStamp block in the APK signing block as well.

when reverse-engineering APK-file,
a user must delete the file (/stamp-cert-sha256) from the unknown folder,
and remove the entry from apktool.yml's unknownFiles: section.

a better way to to avoid copying the SourceStamp file back (or to keep it under /original/ folder).

there are very few resources regarding this,
but the Android Open-Source Project has some basic code that explains how this works:

https://android.googlesource.com/platform/tools/apksig/+/master/src/main/java/com/android/apksig/ApkVerifier.java#320

https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/util/apk/SourceStampVerifier.java#89

this is what you'll see in the APK:

if you'll run:
java -jar apksigner.jar verify --print-certs --verbose --in "Google_googletts.google-speech-apk_20210914.01_p4.398601325.apk" (for example),
you'll get something like this:

2022-03-24_012727

(full) 
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v3.1 scheme (APK Signature Scheme v3.1): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: true
Number of signers: 1
Signer #1 certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: f0fd6c5b410f25cb25c3b53346c8972fae30f8ee7411df910480ad6b2d60db83
Signer #1 certificate SHA-1 digest: 38918a453d07199354f8b19af05ec6562ced5788
Signer #1 certificate MD5 digest: cde9f6208d672b54b1dacc0b7029f5eb
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: 2b06490d2d24305c6a90dbf74cc42f50183d207d572f8079e5d92fb2c2a0cda1
Signer #1 public key SHA-1 digest: b2da9ef7ec0f4474117fb0cba4dca3b795c0eab7
Signer #1 public key MD5 digest: a90ce510a96aa09bee6bf8d9da9b258b
Source Stamp Signer certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Source Stamp Signer certificate SHA-256 digest: 3257d599a49d2c961a471ca9843f59d341a405884583fc087df4237b733bbd6d
Source Stamp Signer certificate SHA-1 digest: b1af3a0bf998aeede1a8716a539e5a59da1d86d6
Source Stamp Signer certificate MD5 digest: 577b8a9fbc7e308321aec6411169d2fb
Source Stamp Signer key algorithm: RSA
Source Stamp Signer key size (bits): 4096
Source Stamp Signer public key SHA-256 digest: 4c53c1d28f2ecceadcb1351603f0b702615b3454b6e30070de759359f241b802
Source Stamp Signer public key SHA-1 digest: 188b067a9ee881bde55dabe0f8f7ecb320b1a091
Source Stamp Signer public key MD5 digest: 965afac83f033aa037a54482eb6922d5
WARNING: META-INF/services/com.google.protobuf.GeneratedExtensionRegistryLoader not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.

a little more information.
Google Play uses it.
it is best to make sure it will not return to the APK,
delete the file, and its entry in apktool.yml.

the alternative is to change the the package identification.

BlueWallet/BlueWallet#3219

https://support.google.com/googleplay/android-developer/answer/9842756?hl=en#zippy=%2Capp-signing-key-requirements%2Cinstructions-for-apps-created-before-august%2Cupload-key-requirements%2Cupdate-keystores

https://www.exceptionlife.com/android/question/6517/installing-google-play-services-from-apkmirror-by-command-line



edit:

do a known issue part like this one:
suggest delete if user won't bothered by it..

I've recently discovered assets/ysh/hook.apk and https://wws.lanzoux.com/i5zOghl94ab so for the price of doubling the size of the apk, signatures no longer bothers me.

making it as won't fix seems accurate.

good journey.
@ghost ghost changed the title [FEAT] clear out old APK signature scheme v4 residue (apk-name.apk.idsig) [FEAT] clear out old APK signature scheme v4 residue (stamp-cert-sha256) Oct 26, 2021
@iBotPeaches
Copy link
Owner

Probably fair to copy those files into original, but it appears the filename is not consistent. So gotta research a bit more.

@iBotPeaches iBotPeaches mentioned this issue Nov 27, 2021
Merged
@iBotPeaches
Copy link
Owner

PR is up to handle this like original files.

@iBotPeaches iBotPeaches added this to the v2.6.1 milestone Nov 27, 2021
iBotPeaches added a commit that referenced this issue Nov 27, 2021
@iBotPeaches
docs: update changelog #2687
42b765f
@ghost ghost changed the title [FEAT] clear out old APK signature scheme v4 residue (stamp-cert-sha256) [FEAT] clear out old APK SourceStamp residue (stamp-cert-sha256) Mar 23, 2022
@iBotPeaches
Copy link
Owner

I see. So its injected by GooglePlay during signing, so not needed if you are resigning and should be removed - not copied. Re-opening.

@iBotPeaches iBotPeaches reopened this Sep 5, 2022
@iBotPeaches
Copy link
Owner

Was going to revisit this, but with Apktool that wants to maintain original apk as close as possible - unsure what to do about this. Since it breaks down to basically deleting a file we know is in the original apk.

@ghost ghost closed this as not planned Won't fix, can't repro, duplicate, stale Nov 21, 2022
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v2.6.1
Development

No branches or pull requests
1 participant
@iBotPeaches