
Unable to sign android app with all v1, v2, v3 & v4 signing schemes at once. #2908

Open
vballem opened this issue Oct 8, 2024 · 0 comments

vballem commented Oct 8, 2024

Hi,

I got a bug based on the below URL reference from OWASP that the APK must be signed with all versions of the signing schemes.

https://mas.owasp.org/MASTG/tests/android/MASVS-RESILIENCE/MASTG-TEST-0038/

However, I can't seem to generate one. I tried with both Android Studio and CLI approaches.

I am unable to generate a signed APK with all versions, and I cannot find anywhere in the Android documentation that this is possible.

Also, how relevant are the suggestions from the above URL w.r.t. the AAB format, as Google now mandates uploading app bundles (.aab), which do not support these versions as it is a totally different approach?

Here is what I have followed to try to sign with all versions of the signing scheme:

  1. I tried the below approaches with a very basic "hello world" sample project directly from the Android Studio template, with no extra code added.
  2. I created a sample ".keystore" to sign the release build type variant of the app. I even tried with debug as well, as this is just for testing.
  3. I tried signing with:
     a. Android Studio, like below:

        defaultConfig {
            minSdk = 29
            targetSdk = 34
        }

        signingConfigs {
            create("mykey") {
                keyAlias = "my-key-alias"
                keyPassword = "something"
                storeFile = file("$projectDir/my-release-key.keystore")
                storePassword = "something"
                enableV1Signing = true
                enableV2Signing = true
                enableV3Signing = true
                enableV4Signing = true
            }
        }

        buildTypes {
            release {
                signingConfig = signingConfigs.getByName("mykey")
                proguardFiles(getDefaultProguardFile("proguard-android-optimize.txt"), "proguard-rules.pro")
            }
        }

     b. CLI:

        apksigner sign --ks my-release-key.keystore \
          --ks-key-alias my-key-alias \
          --out app-signed.apk \
          --v1-signing-enabled true \
          --v2-signing-enabled true \
          app-debug-unsigned.apk

  4. It generated app-signed.apk.
  5. Verify the signature:

        apksigner verify --verbose app-signed.apk
        Verifies
        Verified using v1 scheme (JAR signing): false
        Verified using v2 scheme (APK Signature Scheme v2): false
        Verified using v3 scheme (APK Signature Scheme v3): true
        Verified using v4 scheme (APK Signature Scheme v4): false
        Verified for SourceStamp: false
        Number of signers: 1

I would like to know based on which SDK/version the suggestions are given for MASTG-TEST-0038,

and how about the AAB case?

Appreciate your help
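The check the issue is trying to satisfy can be automated by reading the `apksigner verify --verbose` output quoted above and comparing the schemes that verified against the set the test expects. The following is an added example written for this thread, not code from MASTG or from apksigner. It assumes the output format shown in the issue (`Verified using vN scheme (...): true|false`, `Number of signers: N`) and treats "all schemes" as v1 through v4; the sample output embedded in it is constructed from the lines the reporter pasted.

```python
"""Parse `apksigner verify --verbose` output and report which APK signature
schemes are present versus a required set (here: v1, v2, v3 and v4).

Added example for this issue thread; not part of MASTG or apksigner.
Assumes the line format apksigner prints, as quoted in the issue.
"""
import re
import sys
from typing import Dict, List, Sequence

# Constructed sample: the verify output quoted in the issue (minSdk 29 build).
SAMPLE_VERIFY_OUTPUT = """\
Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): false
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
"""

# The set of schemes the issue reads MASTG-TEST-0038 as requiring.
ALL_SCHEMES: Sequence[str] = ("v1", "v2", "v3", "v4")

# "Verified using v2 scheme (APK Signature Scheme v2): false" -> ("v2", "false")
_SCHEME_RE = re.compile(r"^Verified using (v\d) scheme .*?:\s*(true|false)\s*$")
_SIGNERS_RE = re.compile(r"^Number of signers:\s*(\d+)\s*$")


def parse_verify_output(text: str) -> Dict[str, object]:
    """Return {'verifies': bool, 'schemes': {'v1': bool, ...}, 'signers': int}.

    'verifies' is True only if apksigner printed the bare "Verifies" line;
    a scheme missing from the output is simply absent from 'schemes'.
    """
    result: Dict[str, object] = {"verifies": False, "schemes": {}, "signers": 0}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Verifies":
            result["verifies"] = True
            continue
        m = _SCHEME_RE.match(line)
        if m:
            result["schemes"][m.group(1)] = m.group(2) == "true"  # type: ignore[index]
            continue
        m = _SIGNERS_RE.match(line)
        if m:
            result["signers"] = int(m.group(1))
    return result


def missing_schemes(parsed: Dict[str, object],
                    required: Sequence[str] = ALL_SCHEMES) -> List[str]:
    """Schemes in `required` that did not verify; an absent line counts as missing."""
    schemes = parsed["schemes"]  # type: ignore[assignment]
    return [s for s in required if not schemes.get(s, False)]  # type: ignore[union-attr]


def assess(text: str, required: Sequence[str] = ALL_SCHEMES) -> str:
    """One-line verdict: PASS, or FAIL with the reason.

    A signature that does not verify at all is reported before any
    per-scheme gap, since the scheme flags are meaningless in that case.
    """
    parsed = parse_verify_output(text)
    if not parsed["verifies"]:
        return "FAIL: APK does not verify"
    gaps = missing_schemes(parsed, required)
    if gaps:
        return "FAIL: missing " + ", ".join(gaps)
    return "PASS"


if __name__ == "__main__":
    # Usage: apksigner verify --verbose app.apk | python check_schemes.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_VERIFY_OUTPUT
    print(assess(data))
```

Run against the output in the issue it reports `FAIL: missing v1, v2, v4`, which is exactly the gap the reporter is asking about; piping a verify run of a build that carries all four schemes yields `PASS`. Note that apksigner emits the v4 signature as a separate `.idsig` file next to the APK rather than inside it, so a v4 check has to be made against that file as well.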
