I was going to ask some authors of my favourite apps to update weak signatures, but I am not sure what exactly should be done.
For example, I checked the source of com.gmail.jerickson314.sdscanner_1.11.apk and I haven’t found md5 anywhere. When I tried
jarsigner -J-Djava.security.debug=jar -verbose -verify -certs com.gmail.jerickson314.sdscanner_1.11.apk
I received the following result:
jar: beginEntry META-INF/MANIFEST.MF
jar: done with meta!
jar: nothing to verify!
jar: beginEntry META-INF/MANIFEST.MF
jar: done with meta!
jar: nothing to verify!
jar: beginEntry META-INF/MANIFEST.MF
jar: beginEntry META-INF/2CC170C4.SF
jar: processEntry: processing block
jar: beginEntry META-INF/2CC170C4.RSA
jar: processEntry: processing block
jar: processEntry caught: java.security.SignatureException: Signature check failed. Disabled algorithm used: MD5withRSA
jar: done with meta!
jar: nothing to verify!
851 Mon Feb 16 07:38:32 CET 2015 META-INF/MANIFEST.MF
972 Mon Feb 16 07:38:32 CET 2015 META-INF/2CC170C4.SF
1332 Mon Feb 16 07:38:32 CET 2015 META-INF/2CC170C4.RSA
m 41 Mon Feb 16 06:07:18 CET 2015 META-INF/buildserverid
m 41 Mon Feb 16 06:07:20 CET 2015 META-INF/fdroidserverid
m 2192 Mon Feb 16 06:07:18 CET 2015 AndroidManifest.xml
m 3552 Mon Feb 16 06:07:18 CET 2015 res/drawable-hdpi-v4/ic_launcher.png
m 1514 Mon Feb 16 06:07:18 CET 2015 res/drawable-ldpi-v4/ic_launcher.png
m 2233 Mon Feb 16 06:07:18 CET 2015 res/drawable-mdpi-v4/ic_launcher.png
m 5163 Mon Feb 16 06:07:18 CET 2015 res/drawable-xhdpi-v4/ic_launcher.png
m 2636 Mon Feb 16 06:07:18 CET 2015 res/layout/main.xml
m 7748 Mon Feb 16 06:07:18 CET 2015 resources.arsc
m 21596 Mon Feb 16 06:07:18 CET 2015 classes.dex
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
- Signed by "CN=FDroid, OU=FDroid, O=fdroid.org, L=ORG, ST=ORG, C=UK"
Digest algorithm: SHA1
Signature algorithm: MD5withRSA (weak), 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
Since it is signed by F-Droid
Signed by "CN=FDroid, OU=FDroid, O=fdroid.org, L=ORG, ST=ORG, C=UK"
what exactly should be done by the app author? Could you please advise?
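The jarsigner output above is the JDK applying its `jdk.jar.disabledAlgorithms` property to the v1 (JAR) signature block. The following script, an added example that is not part of the original post or of F-Droid's tooling, performs the same check offline: it walks the DER of `META-INF/*.RSA` (or `.DSA`/`.EC`), reports every algorithm OID that belongs to MD2 or MD5, and scans the `.SF` file for weak digest headers. It flags a weak OID anywhere in the block, including inside the embedded certificate, so it is a superset of what jarsigner calls the "Signature algorithm". The OID values are the standard PKCS#1/PKCS#2 ones; the sample signer-info blob built at the bottom is constructed here, not taken from any real APK.

```python
"""Check an APK's v1 (JAR) signature for MD2/MD5 use (added example, not F-Droid code)."""
import re
import sys
import zipfile

# Standard PKCS OIDs that jdk.jar.disabledAlgorithms treats as weak.
WEAK_OIDS = {
    "1.2.840.113549.2.2": "MD2",
    "1.2.840.113549.2.5": "MD5",
    "1.2.840.113549.1.1.2": "MD2withRSA",
    "1.2.840.113549.1.1.4": "MD5withRSA",
}
WEAK_DIGEST_HEADERS = ("MD2", "MD5")


def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def encode_oid(oid: str) -> bytes:
    """Encode a dotted OID as DER content octets (used to build the sample)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def _read_tlv(data: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    if length & 0x80:             # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def collect_oids(data: bytes):
    """Recursively walk DER and yield every OBJECT IDENTIFIER found."""
    pos = 0
    while pos < len(data):
        tag, content, pos = _read_tlv(data, pos)
        if tag == 0x06:
            yield decode_oid(content)
        elif tag & 0x20:          # constructed (SEQUENCE, SET, [n]): descend
            yield from collect_oids(content)


def weak_signature_algorithms(pkcs7: bytes) -> list:
    """Names of weak algorithms referenced anywhere in a PKCS#7 signature block."""
    return sorted({WEAK_OIDS[o] for o in collect_oids(pkcs7) if o in WEAK_OIDS})


def weak_sf_digests(sf_text: str) -> list:
    """Weak digest headers (e.g. 'MD5-Digest-Manifest') in a .SF file."""
    found = set(re.findall(r"^([A-Za-z0-9-]+?)-Digest", sf_text, re.MULTILINE))
    return sorted(h for h in found if h.upper() in WEAK_DIGEST_HEADERS)


def scan_apk(path: str) -> dict:
    """Report weak signature and digest algorithms in an APK's v1 signature files."""
    report = {"signature": set(), "digests": set()}
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            upper = name.upper()
            if not upper.startswith("META-INF/"):
                continue
            if upper.endswith((".RSA", ".DSA", ".EC")):
                report["signature"].update(weak_signature_algorithms(z.read(name)))
            elif upper.endswith(".SF"):
                report["digests"].update(weak_sf_digests(z.read(name).decode("utf-8", "replace")))
    return {k: sorted(v) for k, v in report.items()}


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder for building the constructed sample."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_signer_info(sig_oid: str) -> bytes:
    """Constructed stand-in for a SignerInfo's version + AlgorithmIdentifier (not a real block)."""
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    return der(0x30, der(0x02, b"\x01") + alg)


if __name__ == "__main__":
    print(scan_apk(sys.argv[1]))
```

Run it as `python check_apk_sig.py some.apk`; an empty `signature` list together with an empty `digests` list means the v1 signature uses none of the algorithms the JDK disables, while `['MD5withRSA']` corresponds to the jarsigner warning quoted above.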