I have a doubt about the purpose of this tool.

[IlluminatiWave]

I understand that this tool is for copying a signature from one apk to another (which presumably has no signature).

But from what I read in the bug reports, in the FAQ and my experience, it does not serve to copy the signature to an apk with modified files (if we change an image, however minimal it is, then the signature will no longer be valid). So it only works to copy from twin apk's but where one of them is not signed.

My question is, if it is not possible to modify and then sign an apk (whether the size is larger or smaller than the original), then what is the difference between simply creating a copy of an apk already signed (ie a copy of the apk backup).

My experience:

I was testing with an apk with encrypted resources (which I already decrypted. I won't give details), I wanted to test some things.

How the app behaves when it has the decrypted files (specifically if it reduces memory / battery consumption and workload). As well as if it is possible to make a debuggable apk. But if it's not possible to sign the apk when a file is changed, then any mod attempt won't work, that would even happen if you just grab the apk, decompile it with apktool, and recompile it with the command
apktool.bat b .com.android.apk -d (make debuggable)

I don't see what would be the point of re-signing an identical apk if you already have the original apk signed.

[obfusk]

As stated multiple times, apksigcopier is a tool for Reproducible Builds only. If you are not looking for a tool for Reproducible Builds, a tool that is meant for Reproducible Builds only is clearly not going to help you.

it does not serve to copy the signature to an apk with modified files

Indeed. As stated multiple times: "copying a signature to a modified APK will not work" and this is not a tool for doing anything of the sort.

I don't see what would be the point of re-signing an identical apk if you already have the original apk signed.

Again, as stated multiple times, this is a tool for Reproducible Builds only. That is its purpose: to allow verifying that different builds from the same source code produce identical results, to prove that two APKs -- one built and signed by the upstream developer, another one built by you (or some trusted third party) from the published source code -- are identical. Since you cannot create an identical signature without the private key, you need to copy it (and nothing else) as part of the build process instead to be able to create a bit-by-bit identical APK.

The motivation behind the Reproducible Builds project is [...] to allow verification that no vulnerabilities or backdoors have been introduced during this compilation process. By promising identical results are always generated from a given source, this allows multiple third parties to come to a consensus on a “correct” result, highlighting any deviations as suspect and worthy of scrutiny.

The README explains this purpose:

apksigcopier is a tool that enables using an android APK signature as a build input (by copying it from a signed APK to an unsigned one), making it possible to create a (bit-by-bit identical) reproducible build from the source code without having access to the private key used to create the signature.