[tbb-commits] [builders/tor-browser-build] branch master updated: Bug 40513: Add script for signing Android apks
gitolite role
git at cupani.torproject.org
Tue Jul 12 12:36:16 UTC 2022
This is an automated email from the git hooks/post-receive script.
boklm pushed a commit to branch master
in repository builders/tor-browser-build.
The following commit(s) were added to refs/heads/master by this push:
new 51acc45 Bug 40513: Add script for signing Android apks
51acc45 is described below
commit 51acc4567b8d902051944822d8700e64fc2a42aa
Author: Matthew Finkel <sysrqb at torproject.org>
AuthorDate: Tue May 31 15:08:02 2022 -0600
Bug 40513: Add script for signing Android apks
---
tools/signing/android-signing | 141 ++++++++++++++++++++++++++++++++++++++++++
tools/signing/pkcs11_java.cfg | 4 ++
2 files changed, 145 insertions(+)
diff --git a/tools/signing/android-signing b/tools/signing/android-signing
new file mode 100755
index 0000000..7c2ee50
--- /dev/null
+++ b/tools/signing/android-signing
@@ -0,0 +1,141 @@
+#!/bin/bash
+
+# Sign apk for each target architecture.
+# This script requires two command line arguments.
+# Usage: android-signing <version> <path/to/signing/key>
+
+# In addition, hard-coding the path to an Android SDK build-tools version, as
+# BUILD_TOOLS, is required.
+
+set -x
+set -e
+
+VERSION=$1
+SIGNING_KEY_PATH=$2
+
+# TODO set correctly.
+BUILD_TOOLS=/path/to/build-tools/version
+export PATH="${BUILD_TOOLS}:${PATH}"
+
+ARCHS="armv7 aarch64 x86 x86_64"
+
+# Sign individual apk
+sign_apk() {
+ INPUTAPK="$1"
+
+ # https://developer.android.com/studio/publish/app-signing#sign-manually
+ # After running `gradlew assembleRelease`, creates an unsigned-unaligned apk
+
+ # Aligning ensures that all uncompressed data starts with a particular byte
+ # alignment relative to the start of the file, which may reduce the amount
+ # of RAM consumed by an app.
+ # zipalign -v -p 4 my-app-unsigned.apk my-app-unsigned-aligned.apk
+ echo Aligning and signing ${INPUTAPK}
+
+ # Append the different stages of signing
+ UNSIGNED_UNALIGNED_APK=`echo "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'`
+ UNSIGNED_APK=`echo "${UNSIGNED_UNALIGNED_APK}" | sed 's/-unaligned//'`
+ SIGNED_APK=`echo "${UNSIGNED_APK}" | sed 's/-unsigned//'`
+
+ cp "${INPUTAPK}" "${UNSIGNED_UNALIGNED_APK}"
+
+ # Step 1: Align
+ zipalign -v -p 4 "${UNSIGNED_UNALIGNED_APK}" "${UNSIGNED_APK}"
+ if [ ! $? = 0 ]; then
+ echo "zipalign failed"
+ exit 1
+ fi
+ echo zipalign succeeded
+
+ # Step 2: Verify alignment
+ zipalign -vc 4 "${UNSIGNED_APK}"
+ if [ ! $? = 0 ]; then
+ echo "zipalign verify failed"
+ exit 1
+ fi
+ echo zipalign verify succeeded
+
+ # Step 3: Sign
+ # Use this command if reading key from file
+ apksigner sign --verbose -ks ${SIGNING_KEY_PATH} --ks-type pkcs12 --ks-pass env:KSPASS --debuggable-apk-permitted=false --out "${SIGNED_APK}" "${UNSIGNED_APK}"
+
+ # Or, use below command if using a hardware token
+ # apksigner sign --verbose --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg pkcs11_java.cfg --ks NONE --ks-type PKCS11 --debuggable-apk-permitted=false --out "${SIGNED_APK}" "${UNSIGNED_APK}"
+
+ if [ ! $? = 0 ]; then
+ echo "apksigner sign failed"
+ exit 1
+ fi
+ echo apksigner sign succeeded
+
+ # Step 4: Verify signature
+ apksigner verify --verbose "${SIGNED_APK}"
+ if [ ! $? = 0 ]; then
+ echo "apksigner verify failed"
+ exit 1
+ fi
+
+ echo apksigner verify succeeded
+}
+
+# Rename and verify signing certificate
+finalize() {
+ for arch in ${ARCHS}; do
+ mv tor-browser-${VERSION}-android-${arch}-multi{-qa,}.apk
+ done
+
+ for arch in ${ARCHS}; do
+ verified=`apksigner verify --print-certs --verbose tor-browser-${VERSION}-android-${arch}-multi.apk`
+ scheme_v1=
+ scheme_v2=
+ cert_digest=
+ pubkey_digest=
+
+ # Verify the expected signing key was used, Alpha verses Release based on the filename.
+ if `echo ${VERSION} | grep -q a`; then
+ scheme_v1="Verified using v1 scheme (JAR signing): true"
+ scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
+ cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
+ pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d"
+ else
+ scheme_v1="Verified using v1 scheme (JAR signing): true"
+ scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
+ cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8"
+ pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6"
+ fi
+ for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do
+ if ! `echo "${verified}" | grep -q "${digest}"`; then
+ echo "Expected digest not found:"
+ echo ${digest}
+ echo "in:"
+ echo ${verified}
+ exit 1
+ fi
+ done
+ done
+
+ echo Done.
+}
+
+if [ -z "$VERSION" ]; then
+ echo Provide version number
+ exit
+fi
+
+if [ -z "${SIGNING_KEY_PATH}" ]; then
+ echo Provide the path to the signing key: release or alpha
+ exit
+fi
+
+if [ -z "$KSPASS" ]; then
+ echo "Enter keystore passphrase"
+ stty -echo; read KSPASS; stty echo
+ export KSPASS
+fi
+
+# Sign all packages
+for arch in ${ARCHS}; do
+ sign_apk tor-browser-${VERSION}-android-${arch}-multi-qa.apk
+done
+
+finalize
diff --git a/tools/signing/pkcs11_java.cfg b/tools/signing/pkcs11_java.cfg
new file mode 100644
index 0000000..2766a78
--- /dev/null
+++ b/tools/signing/pkcs11_java.cfg
@@ -0,0 +1,4 @@
+name = OpenSC-PKCS11
+description = SunPKCS11 via OpenSC
+library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
+slotListIndex = 0
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the tbb-commits
mailing list