Apksigner does not verify signature

I was trying to verify the signature of the latest Gmail App (Version 8.11.25.224) with apksigner and it failed.

I used:

apksigner verify --verbose --print-certs <apk.file>

The result was:

DOES NOT VERIFY
ERROR: APK Signature Scheme v2 signer #1 Malformed additional attribute #1

I was searching for an explanation why this happened but I couldn't find any solution to this problem. I have experimented a little and if you add --min-sdk-version 28 to the options of the apksigner command then the results are:

Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): false
Number of signers: 1
Signer #1 certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: f0fd...
Signer #1 certificate SHA-1 digest: 3891...
Signer #1 certificate MD5 digest: cde9...
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: 2b06...
Signer #1 public key SHA-1 digest: b2da...
Signer #1 public key MD5 digest: a90c...

And if you use the jarsigner tool the results are:

WARNING:
This jar contains entries whose certificate chain is invalid.
Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This jar contains signatures that do not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer's certificate's expiration date (2036-01-08) or after any future revocation date.

Re-run with the -verbose and -certs options for more details. I uploaded my Gmail APK file.

Xes Raw asked Feb 20 '19 08:02



1 Answer

This happens if an APK is signed with v3 signing scheme but the version of apksigner is outdated and not supporting this scheme. Read the warning:

apksigner version
    0.8    
apksigner verify --verbose "Signal-website-universal-release-4.50.5.apk"
    DOES NOT VERIFY
    ERROR: APK Signature Scheme v2 signer #1: Malformed additional attribute #1
    WARNING: APK Signature Scheme v2 signer #1: Unknown signature algorithm: 0x421

So, the signature algorithm is unknown to apksigner version 0.8. I wouldn't call it a bug (as Pierre does), but the error message could be clearer and it would be better if the old version were able to check at least the v2 signature. The most annoying point (mentioned by Freedo) is that Ubuntu still ships an old 0.8 apksigner package for all releases (packages.ubuntu.com), even the most recent Ubuntu 19.10 (eoan), and there is no PPA with a newer version. You need at least version 0.9, which is currently only part of the Android SDK build tools.

The easiest way for me was to install Android Studio and open it at least once to automatically download the latest Android SDK. Ubuntu 19.10 App Center did install it as snap and the SDK was then located in my home directory:

./Android/Sdk/build-tools/29.0.2/apksigner version
    0.9
./Android/Sdk/build-tools/29.0.2/apksigner verify --verbose --print-certs "Signal-website-universal-release-4.50.5.apk" 
    Verifies
    Verified using v1 scheme (JAR signing): true
    Verified using v2 scheme (APK Signature Scheme v2): true
    Verified using v3 scheme (APK Signature Scheme v3): true
    Number of signers: 1
    Signer #1 certificate DN: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
    Signer #1 certificate SHA-256 digest: 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26
    Signer #1 certificate SHA-1 digest: 45989dc9ad8728c2aa9a82fa55503e34a8879374
    Signer #1 certificate MD5 digest: d90db364e32fa3a7bda4c290fb65e310
    Signer #1 key algorithm: RSA
    Signer #1 key size (bits): 1024
    Signer #1 public key SHA-256 digest: 75336a3cc9edb64202cd77cd4caa6396a9b5fc3c78c58660313c7098ea248a55
    Signer #1 public key SHA-1 digest: b46cbed18d6fbbe42045fdb93f5032c943d80266
    Signer #1 public key MD5 digest: 0f9c33bbd45db0218c86ac378067538d
    WARNING: META-INF/* not protected by signature.

There are a lot of warnings about files in the META-INF folder, because the folder is excluded from the signature and contains a lot of version files and the certs. That's also the reason why it is not sufficient to just read the cert from the APK, like some pages recommend.

Edit: See also "How to verify SHA256 fingerprint of APK"

StackFi Neon answered Sep 21 '22 20:09

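An added example, not from the question or the answer above: a small Python wrapper that runs apksigner, parses its `--verbose --print-certs` output in the format shown on this page, and only accepts an APK when a whole-file scheme (v2 or v3) verified and the signer certificate matches a pinned SHA-256 fingerprint. It assumes `apksigner` (0.9 or newer) is on PATH; the pinned value is the Signal certificate digest from the answer's output, and the embedded sample output is constructed for the offline check.

```python
import re
import subprocess

# Fingerprint taken from the answer's apksigner output (Signal APK). In practice
# pin the SHA-256 of the certificate you obtained from the publisher out-of-band.
PINNED_CERT_SHA256 = "29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26"

# Constructed sample of apksigner 0.9 output, in the format shown on this page.
SAMPLE_OUTPUT = """Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1
Signer #1 certificate SHA-256 digest: 29f34e5f27f211b424bc5bf9d67162c0eafba2da35af35c16416fc446276ba26
WARNING: META-INF/* not protected by signature.
"""

def parse_apksigner_output(text):
    """Extract the verdict, per-scheme results, signer cert digests and errors."""
    parsed = {"verifies": False, "schemes": {}, "cert_sha256": [], "errors": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Verifies":
            parsed["verifies"] = True
        elif line.startswith(("DOES NOT VERIFY", "ERROR:")):
            parsed["errors"].append(line)
        m = re.match(r"Verified using v(\d) scheme .*: (true|false)$", line)
        if m:
            parsed["schemes"]["v" + m.group(1)] = m.group(2) == "true"
        m = re.match(r"Signer #\d+ certificate SHA-256 digest: ([0-9a-f]{64})$", line)
        if m:
            parsed["cert_sha256"].append(m.group(1))
    return parsed

def assess(parsed, pinned_sha256):
    """Accept only a whole-file (v2 or v3) verification by the pinned signer."""
    if parsed["errors"] or not parsed["verifies"]:
        old_tool = any("Malformed additional attribute" in e for e in parsed["errors"])
        hint = " (old apksigner? version 0.9+ is needed for v3-signed APKs)" if old_tool else ""
        return False, "apksigner did not verify" + hint
    if not (parsed["schemes"].get("v2") or parsed["schemes"].get("v3")):
        return False, "only v1 (JAR) signing verified; META-INF is not covered"
    if parsed["cert_sha256"] != [pinned_sha256]:
        return False, "signer certificate does not match the pinned fingerprint"
    return True, "verified by pinned signer"

def verify_apk(apk_path, pinned_sha256=PINNED_CERT_SHA256, apksigner="apksigner"):
    """Run apksigner (assumed on PATH or given explicitly) and assess its output."""
    proc = subprocess.run([apksigner, "verify", "--verbose", "--print-certs", apk_path],
                          capture_output=True, text=True)
    return assess(parse_apksigner_output(proc.stdout + proc.stderr), pinned_sha256)
```

Call `verify_apk("app.apk")` to get an `(ok, reason)` pair; the old-tool failure from the question is reported with a hint rather than silently passing.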