F-Droid relies on the standard tools for verifying the signatures of APKs: Oracle Java’s jarsigner and Google Android’s apksigner. Both of those tools recently disabled the MD5 algorithm used in the APK signatures, which are an essential part of the security of the Android platform. That means that any APK signature that uses MD5 is now considered unsigned by jarsigner and apksigner, and unsigned APKs are considered uninstallable.
That means that apps that were built a long time ago are now no longer considered valid, so they will be moved to the archive. You will then be able to find all of these apps in the archive. Anyone who wants to re-enable an app in the regular repo can submit a merge request to disable the build, wait 1-2 days until the server deletes the APK, then re-enable the build to get a new build with a modern signature.
For technical, in-depth discussion of this issue, see:
So in other words apps that have not been updated in years will no longer be available on F-Droid until the creator of the app does something about it?
Many (maybe old or unmaintained) apps do not appear to be available any more via f-droid - neither in the default repo nor in the archive. Is this intended or a mistake? Some of these apps I use rather often (for instance the Barcode Scanner), so I would really appreciate it, if you could put them at least in the archive repository. Thanks in advance!
I noticed the following examples, but there are probably more:
Barcode Scanner is coming back, since there are new releases. Anything security-sensitive on that list like APG or HashPass should probably be no longer used. It’s been archived because it hasn’t been updated in over 2 years, and the signature is no longer valid. That’s not great for a security app.
Anyone can submit a merge request or issue to rebuild an app:
jar: beginEntry META-INF/MANIFEST.MF
jar: done with meta!
jar: nothing to verify!
jar: beginEntry META-INF/MANIFEST.MF
jar: done with meta!
jar: nothing to verify!
jar: beginEntry META-INF/MANIFEST.MF
jar: beginEntry META-INF/2CC170C4.SF
jar: processEntry: processing block
jar: beginEntry META-INF/2CC170C4.RSA
jar: processEntry: processing block
jar: processEntry caught: java.security.SignatureException: Signature check failed. Disabled algorithm used: MD5withRSA
jar: done with meta!
jar: nothing to verify!
851 Mon Feb 16 07:38:32 CET 2015 META-INF/MANIFEST.MF
972 Mon Feb 16 07:38:32 CET 2015 META-INF/2CC170C4.SF
1332 Mon Feb 16 07:38:32 CET 2015 META-INF/2CC170C4.RSA
m 41 Mon Feb 16 06:07:18 CET 2015 META-INF/buildserverid
m 41 Mon Feb 16 06:07:20 CET 2015 META-INF/fdroidserverid
m 2192 Mon Feb 16 06:07:18 CET 2015 AndroidManifest.xml
m 3552 Mon Feb 16 06:07:18 CET 2015 res/drawable-hdpi-v4/ic_launcher.png
m 1514 Mon Feb 16 06:07:18 CET 2015 res/drawable-ldpi-v4/ic_launcher.png
m 2233 Mon Feb 16 06:07:18 CET 2015 res/drawable-mdpi-v4/ic_launcher.png
m 5163 Mon Feb 16 06:07:18 CET 2015 res/drawable-xhdpi-v4/ic_launcher.png
m 2636 Mon Feb 16 06:07:18 CET 2015 res/layout/main.xml
m 7748 Mon Feb 16 06:07:18 CET 2015 resources.arsc
m 21596 Mon Feb 16 06:07:18 CET 2015 classes.dex
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
- Signed by "CN=FDroid, OU=FDroid, O=fdroid.org, L=ORG, ST=ORG, C=UK"
Digest algorithm: SHA1
Signature algorithm: MD5withRSA (weak), 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
Since it is signed by F-Droid
Signed by "CN=FDroid, OU=FDroid, O=fdroid.org, L=ORG, ST=ORG, C=UK"
what exactly should be done by the app author? Could you please advise?
If you are the author of the app that you want updated, the best thing to do is to make an update to your app and tag it, or however you have marked releases in the past. There is always something to fix in an app, you could update the translation, fix any small issues. But nothing actually needs to be changed if you don’t want. You could just change the versionName and versionCode, and that’s enough.
…and if you are wondering how to access “the archive”, it’s a different repository that you must enable in your f-droid client: look into Settings → Repositories
MD5 APK signatures are still supported by Android and, for example, are accepted by Google Play when you upload an APK there.
What happened with jarsigner and apksigner is that these tools use Sun/Oracle’s PKCS #7 classes to verify JAR signatures of APKs. In recent versions of Java, these classes were switched to reject MD5 signatures by default, unless special command-line parameters are provided to the JVM.
apksigner has now switched to using its own PKCS #7 codebase which accepts MD5 signatures because Android does so. Unfortunately, apksigner version 0.8 which contains this change is not yet out (as of Aug 23 2017). It will be released in the next release of Android SDK Build Tools. If you’re desperate to try it out until then, the source code is at platform/tools/apksig - Git at Google.
Does this mean that MD5-signed apps will be moved back to the main repo after the upgrade to apksigner 0.8? If not, are there any other current plans to get them back in the default repo with secure signatures? @katjav stated in another thread that a failing rebuild might cause a loss of the last working apk for some apps: Osmand~: Contour lines and hillsides plugin? - #7 by katjav
I wonder if it is not possible to create snapshots of the relevant systems / databases to roll back to the current state when a build fails. Is anyone familiar with that? Because I do not know the F-Droid infrastructure and how new builds are exactly published.
@klyubin thanks for the clarification! Since MD5 has been phased out in lots of other places, I imagine it’ll also eventually be phased out for APK signatures as well. So I don’t think it’s worthwhile for us to restore MD5-signed APKs now that they have already been archived, especially since we can rebuild APKs with new signatures.
@rolko APKs with MD5 signatures will not be automatically moved back from the archive since the official f-droid.org signing infrastructure still uses jarsigner not apksigner. F-Droid’s build metadata files should provide enough to rebuild an APK. Otherwise, it should be possible to go by the build date of an APK and use the versions from back then. As far as I can tell, Google maintains all the Android SDK downloads in their archive.