these apps will still be available from the archive.
Many (maybe old or unmaintained) apps do not appear to be available any more via f-droid - neither in the default repo nor in the archive. Is this intended or a mistake? Some of these apps I use rather often (for instance the Barcode Scanner), so I would really appreciate it if you could put them at least in the archive repository. Thanks in advance!
I noticed the following examples, but there are probably more:
- APK Extractor
- AppAlarm Pro
- Barcode Scanner
- Call Recorder for Android
- Character Recognition
- CPAN Sidekick
- CPU Spy
- CPU Stats
- DoF Calculator
- Earth Live Wallpaper
- Earth Live Wallpaper Map Pack
- Expression Evaluator
- fooCam beta
- GApps Browser
- GetBack GPS
- Graph 89
- Great Freedom
- Hash Droid
- Here GPS Location
- Launch App Ops
- OCR Test
- OsmAnd Contour lines
- OsmAnd Parking
- Packet Sender
- PasswordMaker Pro
- Periodic Table
- Product Open Data
- Remote Droid
- Scid on the go
- Tux Rider
- Khan Academy viewer
- VX ConnectBot
- Word Power Made Easy
Barcode Scanner is coming back, since there are new releases. Anything security-sensitive on that list like APG or HashPass should probably be no longer used. It's been archived because it hasn't been updated in over 2 years, and the signature is no longer valid. That's not great for a security app.
Anyone can submit a merge request or issue to rebuild an app:
Today I noticed there was over 8+ MB to download in the archive. Has this issue finally been solved?
Looks like it, we are now back to a reasonable list of failing builds:
And Wiktionary is available from the archive.
I was going to ask some authors of my favourite apps for updating weak signatures, but I am not sure what exactly should be done.
For example, I checked the source of com.gmail.jerickson314.sdscanner_1.11.apk and I haven’t found md5 anywhere. When I tried
jarsigner -J-Djava.security.debug=jar -verbose -verify -certs com.gmail.jerickson314.sdscanner_1.11.apk
I received the following result:
jar: beginEntry META-INF/MANIFEST.MF
jar: done with meta!
jar: nothing to verify!
jar: beginEntry META-INF/MANIFEST.MF
jar: done with meta!
jar: nothing to verify!
jar: beginEntry META-INF/MANIFEST.MF
jar: beginEntry META-INF/2CC170C4.SF
jar: processEntry: processing block
jar: beginEntry META-INF/2CC170C4.RSA
jar: processEntry: processing block
jar: processEntry caught: java.security.SignatureException: Signature check failed. Disabled algorithm used: MD5withRSA
jar: done with meta!
jar: nothing to verify!

       851 Mon Feb 16 07:38:32 CET 2015 META-INF/MANIFEST.MF
       972 Mon Feb 16 07:38:32 CET 2015 META-INF/2CC170C4.SF
      1332 Mon Feb 16 07:38:32 CET 2015 META-INF/2CC170C4.RSA
m       41 Mon Feb 16 06:07:18 CET 2015 META-INF/buildserverid
m       41 Mon Feb 16 06:07:20 CET 2015 META-INF/fdroidserverid
m     2192 Mon Feb 16 06:07:18 CET 2015 AndroidManifest.xml
m     3552 Mon Feb 16 06:07:18 CET 2015 res/drawable-hdpi-v4/ic_launcher.png
m     1514 Mon Feb 16 06:07:18 CET 2015 res/drawable-ldpi-v4/ic_launcher.png
m     2233 Mon Feb 16 06:07:18 CET 2015 res/drawable-mdpi-v4/ic_launcher.png
m     5163 Mon Feb 16 06:07:18 CET 2015 res/drawable-xhdpi-v4/ic_launcher.png
m     2636 Mon Feb 16 06:07:18 CET 2015 res/layout/main.xml
m     7748 Mon Feb 16 06:07:18 CET 2015 resources.arsc
m    21596 Mon Feb 16 06:07:18 CET 2015 classes.dex

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

- Signed by "CN=FDroid, OU=FDroid, O=fdroid.org, L=ORG, ST=ORG, C=UK"
    Digest algorithm: SHA1
    Signature algorithm: MD5withRSA (weak), 2048-bit key

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

  jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
Since it is signed by F-Droid
Signed by "CN=FDroid, OU=FDroid, O=fdroid.org, L=ORG, ST=ORG, C=UK"
what exactly should be done by the app author? Could you please advise?
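The reason no "md5" turns up in the app's source is that the weak algorithm lives in the signature block, not in the code: jarsigner reads the PKCS#7 SignedData in META-INF/*.RSA and reports the SignerInfo's digest/encryption algorithm pair as MD5withRSA. The script below is an added example (not F-Droid's or the thread's code) that pulls that algorithm out of an APK's v1 signature block with a minimal stdlib-only DER walker, so a maintainer can list which APKs in a repo still carry a weak JAR signature. It assumes DER encoding and the RFC 2315 SignedData layout; the sample APK at the bottom is constructed in memory (an unsigned placeholder, not a real signature) purely to exercise the walker. It does not look at the v2/v3 APK Signing Block, which is a separate structure.

```python
"""Report the algorithm used by an APK's v1 (JAR) signature block.

Added example, not F-Droid code. Stdlib only; the sample APK at the bottom
is constructed, with a dummy 256-byte encryptedDigest instead of a real one.
"""
import io
import zipfile

# OIDs as used in SignerInfo.digestAlgorithm / digestEncryptionAlgorithm.
DIGEST = {"1.2.840.113549.2.5": "MD5", "1.3.14.3.2.26": "SHA1",
          "2.16.840.1.101.3.4.2.1": "SHA256"}
ENC = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10040.4.1": "DSA",
       "1.2.840.10045.2.1": "ECDSA"}
SIG = {"1.2.840.113549.1.1.4": "MD5withRSA", "1.2.840.113549.1.1.5": "SHA1withRSA",
       "1.2.840.113549.1.1.11": "SHA256withRSA", "1.2.840.10045.4.3.2": "SHA256withECDSA"}
WEAK = {"MD2withRSA", "MD5withRSA"}   # what jdk.jar.disabledAlgorithms rejects (plus small RSA keys)

def der_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """All (tag, value) pairs directly inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        out.append((tag, inner))
    return out

def oid_str(value):
    """Dotted-decimal form of an OBJECT IDENTIFIER's content bytes."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)      # base-128 arcs, high bit = continuation
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def alg_oid(alg_id):
    """OID of an AlgorithmIdentifier SEQUENCE (its first child)."""
    return oid_str(der_children(alg_id)[0][1])

def signer_algorithms(pkcs7):
    """Java-style signature algorithm name for each SignerInfo in a PKCS#7 SignedData."""
    _, content_info, _ = der_tlv(pkcs7)                      # SEQUENCE {contentType, [0] content}
    _, signed_data, _ = der_tlv(der_children(content_info)[1][1])
    signer_infos = der_children(signed_data)[-1][1]          # signerInfos is the last field
    names = []
    for _, si in der_children(signer_infos):
        f = der_children(si)  # version, issuerAndSerial, digestAlg, [0] authAttrs?, digestEncAlg, ...
        digest = alg_oid(f[2][1])
        enc = alg_oid(f[4 if f[3][0] == 0xA0 else 3][1])    # skip authenticatedAttributes
        # Old signers put bare rsaEncryption here, so combine it with the digest OID.
        names.append(SIG.get(enc) or f"{DIGEST.get(digest, digest)}with{ENC.get(enc, enc)}")
    return names

def weak_v1_signatures(apk_bytes):
    """Map each META-INF signature block to [(algorithm, is_weak), ...]."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                result[name] = [(a, a in WEAK) for a in signer_algorithms(z.read(name))]
    return result

# --- constructed sample input (assumption: shape only, not a valid signature) ---
def der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    body = bytearray([a[0] * 40 + a[1]])
    for arc in a[2:]:
        enc = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += enc
    return der(0x06, bytes(body))

def sample_apk(digest_oid, enc_oid):
    """In-memory APK whose CERT.RSA carries the given SignerInfo algorithm OIDs."""
    alg = lambda o: der(0x30, oid(o) + der(0x05, b""))       # AlgorithmIdentifier {oid, NULL}
    signer_info = der(0x30, der(0x02, b"\x01") + der(0x30, der(0x30, b"") + der(0x02, b"\x01"))
                        + alg(digest_oid) + alg(enc_oid) + der(0x04, b"\x00" * 256))
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, alg(digest_oid))
                        + der(0x30, oid("1.2.840.113549.1.7.1")) + der(0x31, signer_info))
    pkcs7 = der(0x30, oid("1.2.840.113549.1.7.2") + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()

if __name__ == "__main__":
    print("old:", weak_v1_signatures(sample_apk("1.3.14.3.2.26", "1.2.840.113549.1.1.4")))
    print("new:", weak_v1_signatures(sample_apk("2.16.840.1.101.3.4.2.1", "1.2.840.113549.1.1.11")))
```

To run it over a real repository, replace the constructed sample with `weak_v1_signatures(open(path, "rb").read())` for each APK; anything reported as weak is exactly what current jarsigner treats as unsigned, and the fix on the author's side is a new release signed with a current algorithm, not a change in the app source.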
If you are the author of the app that you want updated, the best thing to do is to make an update to your app and tag it, or however you have marked releases in the past. There is always something to fix in an app, you could update the translation, fix any small issues. But nothing actually needs to be changed if you don't want. You could just change the versionName and versionCode, and that's enough.
…and if you are wondering how to access “the archive”, it’s a different repository that you must enable in your f-droid client: look into Settings -> Repositories
Hello! Could you please explain how I can do that? I mean where can I find this feature "Disable/Enable the build"?
MD5 APK signatures are still supported by Android and, for example, are accepted by Google Play when you upload an APK there.
What happened with apksigner is that these tools use Sun/Oracle's PKCS #7 classes to verify JAR signatures of APKs. In recent versions of Java, these classes were switched to reject MD5 signatures by default, unless special command-line parameters are provided to the JVM.
apksigner has now switched to using its own PKCS #7 codebase which accepts MD5 signatures because Android does so. Unfortunately, 0.8 which contains this change is not yet out (as of Aug 23 2017). It will be released in the next release of Android SDK Build Tools. If you're desperate to try it out until then, the source code is at https://android.googlesource.com/platform/tools/apksig/.
Does this mean that MD5-signed apps will be moved back to the main repo after the upgrade to apksigner 0.8? If not, are there any other current plans to get them back in the default repo with secure signatures? @katjav stated in another thread that a failing rebuild might cause a loss of the last working apk for some apps: Osmand~: Contour lines and hillsides plugin?
I wonder if it is not possible to create snapshots of the relevant systems / databases to roll back to the current state when a build fails. Is anyone familiar with that? Because I do not know the F-Droid infrastructure and how new builds are exactly published.
@klyubin thanks for the clarification! Since MD5 has been phased out in lots of other places, I imagine it'll also eventually be phased out for APK signatures as well. So I don't think it's worthwhile for us to restore MD5-signed APKs now that they have already been archived, especially since we can rebuild APKs with new signatures.
@rolko APKs with MD5 signatures will not be automatically moved back from the archive since the official f-droid.org signing infrastructure still uses apksigner. F-Droid's build metadata files should provide enough to rebuild an APK. Otherwise, it should be possible to go by the build date of an APK and use the versions from back then. As far as I can tell, Google maintains all the Android SDK downloads in their archive.
I have an app on F-Droid that is affected by this issue and thus moved to the archive (https://f-droid.org/wiki/page/de.mreiter.countit). Could somebody please explain in detail the steps I need to take to trigger a new build for this so it moves back to main?
What if the build fails (which I deem very likely for a 3 year old app)? Will the old APK still be available in the archive? If not, is there any way to check in advance whether the app still builds?
The old APK is available in the archive. Check the old merge requests for how people have been doing this:
Thank you. I am aware that the old version is still in the archive. My question was, if I trigger a rebuild and that fails, will the old APK stay available in the archive or will it be removed?
I browsed the first three pages of merge requests but didn’t find one that was obviously aimed at just triggering a rebuild. Do you have a specific example?
If you disable a build, it will be deleted, whether it is in the main repo or the archive.
Okay, so there is basically no safe way for me to get this back into the main repo. I’ll just leave it in the archive then.
I just tested the build, it still works. So I'll disable the app and try to remember to re-enable it again. Please poke me if I don't get around to it.
Is there any chance to get mathdroid - a really nice calculator app - reactivated? This app has the issue described here. (Unfortunately I don't understand anything about certificates and encryption, it is a very complicated topic to me.)