👋 Welcome!
We’re using Discussions as a place to connect with users and other members of our community. We hope that you:
Ask questions you’re wondering about.
Share ideas and feedback.
Engage with other community members.
Welcome others and are open-minded. Remember that this is a community we build together.
Please note the following:
apksigcopier is a tool that enables using an android APK signature as a build input (by copying it from a signed APK to an unsigned one), making it possible to create a (bit-by-bit identical) reproducible build from the source code without having access to the private key used to create the signature.
This is a tool for reproducible builds only. Its purpose is to allow verifying that different builds from the same source code produce identical results, to prove that two APKs -- one built and signed by the upstream developer, another one built by you (or some trusted third party) from the published source code -- are identical. Since you cannot create an identical signature without the private key, you need to copy it (and nothing else) as part of the build process instead to be able to create a bit-by-bit identical APK.
The motivation behind the Reproducible Builds project is [...] to allow verification that no vulnerabilities or backdoors have been introduced during this compilation process. By promising identical results are always generated from a given source, this allows multiple third parties to come to a consensus on a “correct” result, highlighting any deviations as suspect and worthy of scrutiny.
Copying a signature to a modified APK will not work:
Copying a signature will succeed even if the signature is not valid for the target APK -- as long as the target APK is unsigned and not larger than the source APK it can be inserted successfully.
But a signature that is not valid for the target APK will never verify.
The error Unexpected metadata means the target APK was signed; you can only copy a signature to an unsigned APK.
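To make the three notes above concrete, here is an added, self-contained Python model of the reproducible-build workflow. It is not apksigcopier's code and it does not touch real APKs: a plain zip built with fixed timestamps stands in for an APK, the "signature" is appended after a made-up marker rather than placed in a real APK Signing Block, and HMAC-SHA256 with a secret key stands in for the asymmetric signature scheme (so `verify()` needs the key here, whereas apksigner only needs the certificate embedded in the signed APK). The file contents in `SOURCE` are constructed. What it shows is the part that does not depend on the stand-ins: a copy succeeds onto any unsigned archive, the copied signature verifies only when the rebuild is bit-by-bit identical, and copying onto an already-signed target is refused.

```python
"""Constructed toy model (not apksigcopier's code) of why a copied APK signature
only verifies on a bit-by-bit identical APK.

Assumptions / stand-ins:
  * a plain zip built with fixed timestamps stands in for an APK;
  * HMAC-SHA256 with a secret stands in for the asymmetric signature scheme,
    so verify() needs the key here, whereas apksigner only needs the embedded
    certificate;
  * the signature is appended after a marker instead of living in a real
    APK Signing Block.
"""
import hashlib
import hmac
import io
import zipfile

UPSTREAM_KEY = b"constructed upstream private key"  # never available to a rebuilder
SIG_MARKER = b"TOYSIG\x00"                           # constructed, not the real block format


def build_apk(files):
    """Deterministically pack name -> bytes into a zip (the 'build step')."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return buf.getvalue()


def sign(unsigned_apk, key):
    """Upstream's signing step: the signature binds a digest of the whole archive."""
    digest = hashlib.sha256(unsigned_apk).digest()
    return unsigned_apk + SIG_MARKER + hmac.new(key, digest, hashlib.sha256).digest()


def split(apk):
    """Return (content, signature), or (content, None) if the archive is unsigned."""
    idx = apk.rfind(SIG_MARKER)
    if idx < 0:
        return apk, None
    return apk[:idx], apk[idx + len(SIG_MARKER):]


def copy_signature(signed_apk, unsigned_apk):
    """The 'copy' operation in miniature: move the signature, and nothing else."""
    if split(unsigned_apk)[1] is not None:
        raise ValueError("Unexpected metadata: target APK is already signed")
    _, sig = split(signed_apk)
    if sig is None:
        raise ValueError("source APK is not signed")
    return unsigned_apk + SIG_MARKER + sig


def verify(apk, key):
    """The verifier's view: recompute the digest of the content, check the signature."""
    content, sig = split(apk)
    if sig is None:
        return False
    expected = hmac.new(key, hashlib.sha256(content).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


SOURCE = {  # constructed stand-in for the build output of the published source code
    "AndroidManifest.xml": b"<manifest package='example.constructed'/>",
    "classes.dex": b"dex\n035\x00constructed bytecode",
}


def reproducible_build_check():
    """Walk through the cases described in the notes and report each outcome."""
    upstream = sign(build_apk(SOURCE), UPSTREAM_KEY)       # what upstream publishes
    rebuilt = copy_signature(upstream, build_apk(SOURCE))  # our build + upstream's signature
    modified = build_apk({**SOURCE, "classes.dex": SOURCE["classes.dex"] + b"\x01"})
    tampered = copy_signature(upstream, modified)          # the copy itself succeeds...
    try:
        copy_signature(upstream, rebuilt)                  # target is already signed
        copy_onto_signed_raises = False
    except ValueError:
        copy_onto_signed_raises = True
    return {
        "rebuilt_verifies": verify(rebuilt, UPSTREAM_KEY),
        "rebuilt_is_bit_identical": hashlib.sha256(rebuilt).digest()
        == hashlib.sha256(upstream).digest(),
        "tampered_verifies": verify(tampered, UPSTREAM_KEY),  # ...but never verifies
        "copy_onto_signed_raises": copy_onto_signed_raises,
    }


if __name__ == "__main__":
    for case, outcome in reproducible_build_check().items():
        print(f"{case}: {outcome}")
```

The `rebuilt_is_bit_identical` check is the one a rebuilder actually cares about: once the copied signature is in place, comparing a hash of the whole file against upstream's release is what proves the two builds came from the same source. Note the toy does not model the size constraint from the notes (the target must not be larger than the source APK), since it appends the signature rather than fitting it into a fixed block.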