handles duplicate block IDs in APK Signing Block differently from Android/apksigner #1030
Comments
Note that the documentation clearly states to use the first v2/v3 block:
https://source.android.com/docs/security/features/apksigning/v2#v2-verification

My suggestion for now would be to simply not overwrite any existing keys (block IDs) and raise a warning if any are found:

```python
# inside the loop over the APK Signing Block's ID-value pairs
if key in self._v2_blocks:
    logger.warning("Duplicate block ID in APK Signing Block: {}".format(key))
else:
    self._v2_blocks[key] = value
```

For later, it might be useful to have a second API that parses and returns all blocks for anyone wanting to inspect (manipulated) APKs with duplicates (like my work-in-progress https://github.com/obfusk/fdroid-fakesigner-poc/blob/6c6dc25112a8b28a3802b6cba2921d7b91dac59e/fdroidserver.patch#L28).

androguard/androguard#1030 refs #1128 (this is an excerpt of the original patch)
Thank you once again @obfusk for pointing this out. Completely agree it would be nice to store the duplicate blocks and also provide information about them, so I added the label.
If you manipulate an APK's Signing Block to have e.g. duplicate v2 Signature Blocks, Android and `apksigner` will only see the first, but `androguard` will only see the last (since it uses the ID as a key for the `_v2_blocks` dict and overwrites any previous block in that case). See https://www.openwall.com/lists/oss-security/2024/04/08/8.
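As an added illustration (not code from androguard, apksigner or the original report), the following builds a signing block with a duplicated v2 block ID and shows the "last wins" dict behaviour described in this issue beside a "first wins" parser that warns on duplicates, as proposed in the thread. The block layout and the v2 block ID `0x7109871a` follow the Android docs linked above; the second ID `0x12345678` and the values are constructed.

```python
import logging
import struct

logger = logging.getLogger(__name__)
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A  # APK Signature Scheme v2 block ID (Android docs)

def build_signing_block(pairs):
    """Serialise (id, value) pairs into an APK Signing Block (constructed, not from a real APK)."""
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16  # excludes the leading size field; covers pairs, trailing size, magic
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC

def iter_pairs(block):
    """Yield every (id, value) pair in file order, duplicates included."""
    (size,) = struct.unpack_from("<Q", block, 0)
    if len(block) != size + 8 or block[-16:] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("size field or magic does not match")
    pos, end = 8, len(block) - 24  # pairs end where the trailing size field begins
    while pos < end:
        length, block_id = struct.unpack_from("<QI", block, pos)  # uint64 length, uint32 id
        if length < 4 or pos + 8 + length > end:
            raise ValueError("malformed pair at offset %d" % pos)
        yield block_id, block[pos + 12 : pos + 8 + length]
        pos += 8 + length

def parse_last_wins(block):
    """The behaviour reported in the issue: a dict keyed by ID keeps the LAST copy."""
    blocks = {}
    for block_id, value in iter_pairs(block):
        blocks[block_id] = value
    return blocks

def parse_first_wins(block):
    """Matches Android/apksigner: keep the FIRST copy, warn on and record duplicate IDs."""
    blocks, duplicates = {}, []
    for block_id, value in iter_pairs(block):
        if block_id in blocks:
            logger.warning("Duplicate block ID in APK Signing Block: 0x%08x", block_id)
            duplicates.append(block_id)
        else:
            blocks[block_id] = value
    return blocks, duplicates

# Constructed sample: two v2 blocks sharing the real v2 ID plus one made-up ID.
SAMPLE = build_signing_block([(V2_BLOCK_ID, b"first-v2"), (V2_BLOCK_ID, b"second-v2"), (0x12345678, b"pad")])
```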