floss.social is one of the many independent Mastodon servers you can use to participate in the fediverse.

IzzyOnDroid ✅

Another patch has been applied at the to protect against what is described at openwall.com/lists/oss-securit

Though a full scan of the repo hasn't brought up a single affected APK, that doesn't mean one cannot show up later, so better safe than sorry, right?

www.openwall.com: oss-security - [Update] PoC for fdroidserver AllowedAPKSigningKeys certificate pinning bypass

@IzzyOnDroid
Thank you for making the FOSS world more secure.

@IzzyOnDroid Why not adopt the apksigner itself instead of using a custom implementation?

@IzzyOnDroid @muntashir using apksig is indeed what I recommended as a proper fix. I also have some code for doing just that. but using that would be a nontrivial patch to maintain and fdroidserver upstream doesn't want to go that route for some reason, insisting on using a pure python implementation (though AFAIK no complete one exists yet).

gist.github.com/obfusk/cfab950

Gist: verify APK and get SHA-256 of first cert.

@muntashir @IzzyOnDroid oh, interesting. apksigner should still be able to validate the signature when manually passing min and max sdk (as it then doesn't parse the AXML, which can be entirely absent then). but such odd inconsistencies happen, yeah (like the res0/res1 androguard issue as well). I don't think my AXML parser handles the null chunk case correctly either. will check. thanks.
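The thread above recommends verifying APKs with apksigner (the reference verifier) rather than a custom parser, and passing explicit min/max SDK versions so apksigner does not have to parse the manifest. The following is an added example, not code from IzzyOnDroid, obfusk's gist, or fdroidserver: it runs `apksigner verify -v --print-certs`, parses the per-signer `certificate SHA-256 digest` lines apksigner prints, and accepts the APK only if verification succeeded and every signer certificate is on an allowlist (the equivalent of fdroidserver's AllowedAPKSigningKeys). The sample apksigner outputs embedded below are constructed for the example; the `apksigner` path and the SDK range of 23 to 34 are assumptions to adjust to the repo's actual support range.

```python
"""Pin APK signing certificates using apksigner as the verifier.

Added example (not fdroidserver code). Assumes `apksigner` from the
Android build-tools is on PATH and that the output format is the
"Signer #N certificate SHA-256 digest: <hex>" lines apksigner prints
with --print-certs.
"""
import re
import subprocess
from typing import Dict, List, Optional

# One line per signer, as printed by `apksigner verify --print-certs`.
_SHA256_LINE = re.compile(
    r"^Signer #(?P<idx>\d+) certificate SHA-256 digest: (?P<hex>[0-9a-fA-F]{64})$"
)

# Constructed sample output (not real apksigner output) for a one-signer APK.
SAMPLE_OUTPUT_ONE_SIGNER = """Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
Signer #1 certificate DN: CN=Example Developer
Signer #1 certificate SHA-256 digest: """ + "ab" * 32 + """
Signer #1 certificate SHA-1 digest: """ + "ab" * 20 + """
Signer #1 certificate MD5 digest: """ + "ab" * 16 + "\n"

# Constructed sample output for an APK carrying two signers.
SAMPLE_OUTPUT_TWO_SIGNERS = SAMPLE_OUTPUT_ONE_SIGNER.replace(
    "Number of signers: 1", "Number of signers: 2"
) + """Signer #2 certificate DN: CN=Someone Else
Signer #2 certificate SHA-256 digest: """ + "cd" * 32 + "\n"


def parse_signer_digests(output: str) -> Dict[int, str]:
    """Map signer index -> lowercase hex SHA-256 of that signer's certificate."""
    digests: Dict[int, str] = {}
    for line in output.splitlines():
        m = _SHA256_LINE.match(line.strip())
        if m:
            digests[int(m.group("idx"))] = m.group("hex").lower()
    return digests


def check_pinned_signers(output: str, verified: bool, allowed: List[str]) -> bool:
    """Policy: the APK must verify, have at least one signer, and every
    signer certificate must be in the allowlist. Checking only the first
    certificate would let an unpinned additional signer through."""
    if not verified:
        return False
    digests = parse_signer_digests(output)
    if not digests:
        return False
    allowed_set = {a.lower() for a in allowed}
    return all(d in allowed_set for d in digests.values())


def verify_apk(apk_path: str, allowed: List[str], min_sdk: int = 23,
               max_sdk: int = 34, apksigner: str = "apksigner") -> bool:
    """Run apksigner and apply the pinning policy.

    --min-sdk-version/--max-sdk-version are passed explicitly so apksigner
    does not need to read minSdkVersion from the manifest (the point made
    in the thread); the 23..34 defaults are an assumption for this example.
    """
    cmd = [apksigner, "verify", "-v", "--print-certs",
           "--min-sdk-version", str(min_sdk),
           "--max-sdk-version", str(max_sdk), apk_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return check_pinned_signers(proc.stdout, proc.returncode == 0, allowed)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: pin_check.py <apk> <allowed-sha256-hex>")
    ok = verify_apk(sys.argv[1], [sys.argv[2]])
    print("ACCEPT" if ok else "REJECT")
    sys.exit(0 if ok else 1)
```

The exit status of apksigner is treated as the verification result, and the certificate digests are only trusted when that status is success; parsing the digest lines from a failed run would reproduce the "extract a cert without verifying the signature" pattern the thread is moving away from.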