
apksigner Warning #396

Open
3 tasks done
DiagonalArg opened this issue Nov 15, 2024 · 6 comments
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@DiagonalArg

Steps to reproduce

I wonder if the dev might be willing to repair this warning from apksigner. It would help support consistency with AppVerifier.

$ apksigner verify --print-certs URLCheck-2.17.apk 
Signer #1 certificate DN: CN=TrianguloY
Signer #1 certificate SHA-256 digest: bf1b69c14da2420ca72011f72cf4837458ec5d3cc4b538243437bc17c19201c6
Signer #1 certificate SHA-1 digest: 4135bf77f3e515cb284173cb3da30a4e6cce3eba
Signer #1 certificate MD5 digest: e67416e5e4e98a7b5501efd2a9a12da8
WARNING: META-INF/com/android/build/gradle/app-metadata.properties not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/version-control-info.textproto not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.

$ apksigner verify --print-certs URLCheck-3.0.apk 
Signer #1 certificate DN: CN=TrianguloY
Signer #1 certificate SHA-256 digest: bf1b69c14da2420ca72011f72cf4837458ec5d3cc4b538243437bc17c19201c6
Signer #1 certificate SHA-1 digest: 4135bf77f3e515cb284173cb3da30a4e6cce3eba
Signer #1 certificate MD5 digest: e67416e5e4e98a7b5501efd2a9a12da8
WARNING: META-INF/com/android/build/gradle/app-metadata.properties not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/version-control-info.textproto not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.

Expected behavior

No warning.

Actual behavior

warning

URLCheck version

2.1.7 and 3.0

Android version

Android 15

Android Custom/Specific ROM or Device

GrapheneOS

Other details

No response

Acknowledgements

  • I have searched the existing issues and this is a new ticket, NOT a duplicate or related to another open issue.
  • I have written a short but informative title.
  • I will fill out all of the requested information in this form.
@DiagonalArg DiagonalArg added the bug Something isn't working label Nov 15, 2024
@TrianguloY
Owner

I'll happily fix that (whenever possible) if I knew how!

That is the Github apk, which is built directly from a Github action. I don't use any libraries, and from what I could find, those are automatic files just for metadata; even if they were changed, the app should not care, apparently.

The only thing I can think of is to use a different signing version (I know there are v1, v2, v3 and even v4?) and I don't really know which one I'm using.
Do you know of any parameters, perhaps in the build.gradle file, that I should add to fix this?

@TrianguloY TrianguloY added the help wanted Extra attention is needed label Nov 15, 2024
@DiagonalArg
Author

Thanks for responding. :)

I'll see if I can find out....

@DiagonalArg
Author

I'm not a dev, but I asked someone who is. He said, "I'm hesitant to give advice since I know almost nothing about his development. So take this w/a grain of salt..."

Here it is:

  1. Identify the purpose of the file: META-INF/com/android/build/gradle/app-metadata.properties is likely a build configuration file generated by your Android project’s Gradle build script. It contains metadata about your app, such as its package name, version, & other build settings.

  2. Remove or move the file: As the warning suggests, you can safely delete or move this file outside of the META-INF directory. This will prevent the APK signature verification tool (apksigner) from complaining about an unprotected JAR entry. To do this, you can:
    • Delete the file manually from your project’s build/intermediates/merged_assets directory (or similar, depending on your project’s structure).
    • Use a Gradle task or script to remove or move the file as part of your build process.

  3. Alternatively, sign the file: If you need to keep the file for some reason (e.g., it’s used by your app), you can sign it using a digital signature. This will ensure that any modifications to the file will be detected during APK signature verification. To sign the file, you’ll need to:
    • Create a keystore (e.g., using keytool) & generate a certificate.
    • Use a tool like jarsigner or apksigner to sign the app-metadata.properties file with the certificate.

  4. Verify the APK: After removing or signing the file, re-run the APK signing & verification process to ensure that the warning is no longer present.

Remember to carefully evaluate the impact of removing or signing this file, as it may affect your app’s build process or functionality. If you’re unsure, consider consulting your project’s documentation or seeking guidance from your team/lead.

@TrianguloY
Owner

From what I could find, this is an issue with the APK signature v1, which doesn't sign files inside the META-INF folder. Signatures v2+ do sign them and have no issue.

A google search of "META-INF/com/android/build/gradle/app-metadata.properties" will give several answers to this, like https://stackoverflow.com/questions/77543352/a-file-not-protected-by-signature-unauthorized-modifications-to-this-jar-entry, signalapp/Signal-Android#13270, etc.

I'm interested however in which signing version I'm using, as I'm not specifying anything so it's probably the default. Is it v1 only? Or v1+v2? Does the output of apksigner say something about this? (I think you need to add the --verbose flag)

If I'm only using v1, I should configure it to use both v1 and v2 (at least). If I'm already using v2 it should not be an issue, since devices that support v2 will verify everything, and for older devices that only support v1 I prefer to keep the compatibility instead of making them unable to install the app.

Perhaps I could also remove the files as you suggested, but they are automatically built files, and I prefer to avoid touching those.
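The v1 (JAR signing) coverage rule described in the comment above, as an added example that is not part of this thread or of the URLCheck project: only entries listed in META-INF/MANIFEST.MF get a digest check, so anything else under META-INF/ can be edited without the v1 verifier noticing, which is exactly what the apksigner warning is about. The APK is a constructed in-memory zip with placeholder CERT.SF/CERT.RSA entries, not a real signed build.

```python
import base64, hashlib, io, re, zipfile

# Entries that make up the JAR (v1) signature itself; they are not app content.
SIG_FILE_RE = re.compile(r"^META-INF/([^/]+\.(SF|RSA|DSA|EC)|MANIFEST\.MF)$", re.I)

def parse_manifest(text):
    """Return {entry name: base64 SHA-256 digest} from a MANIFEST.MF body (no continuation lines)."""
    digests = {}
    for section in re.split(r"\r?\n\r?\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in section.splitlines() if ": " in line)
        if "Name" in fields and "SHA-256-Digest" in fields:
            digests[fields["Name"]] = fields["SHA-256-Digest"]
    return digests

def v1_coverage(apk_bytes):
    """Sort zip entries the way v1 verification sees them: intact, digest mismatch, or never checked."""
    intact, tampered, unprotected = [], [], []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for name in zf.namelist():
            if name.endswith("/") or SIG_FILE_RE.match(name):
                continue
            if name.startswith("META-INF/"):
                unprotected.append(name)  # this is what apksigner warns about
                continue
            actual = base64.b64encode(hashlib.sha256(zf.read(name)).digest()).decode()
            (intact if manifest.get(name) == actual else tampered).append(name)
    return intact, tampered, unprotected

def build_sample_apk(tamper_dex=False):
    """Constructed stand-in for an APK (not a real build): a zip with a v1-style manifest."""
    files = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035"}
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in files.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        manifest += f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n"
    if tamper_dex:  # modify content after the manifest digests were computed
        files["classes.dex"] = b"dex\n035 patched"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\r\n")  # placeholders,
        zf.writestr("META-INF/CERT.RSA", b"\x30\x00")  # not a real signature block
        zf.writestr("META-INF/com/android/build/gradle/app-metadata.properties", b"appMetadataVersion=1.1\n")
        zf.writestr("META-INF/version-control-info.textproto", b"# edited after signing\n")
    return buf.getvalue()
```

A v2+ signature covers the whole zip, so the same two META-INF entries are protected there; the check above models only what the v1 scheme can see.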

@DiagonalArg
Author

LL you're using versions 1 & 2:

$ apksigner verify -v --print-certs URLCheck-3.0.apk 
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
Signer #1 certificate DN: CN=TrianguloY
Signer #1 certificate SHA-256 digest: bf1b69c14da2420ca72011f72cf4837458ec5d3cc4b538243437bc17c19201c6
Signer #1 certificate SHA-1 digest: 4135bf77f3e515cb284173cb3da30a4e6cce3eba
Signer #1 certificate MD5 digest: e67416e5e4e98a7b5501efd2a9a12da8
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: 676104cf40e6f51563285ded3e162e89e997f9625faf4693a9b26f7d8d4acfda
Signer #1 public key SHA-1 digest: e3c7bf1e50e5db47f87157004777ca13ad11ae28
Signer #1 public key MD5 digest: 368f883f6ab09fff3b0093c3085ab2ee
WARNING: META-INF/com/android/build/gradle/app-metadata.properties not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/version-control-info.textproto not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.

@DiagonalArg
Author

So, not sure what's going on.

but they are automatically built files, and I prefer to avoid touching those.

Makes sense.
