FC (Fay) Stegerman obfusk
@obfusk
obfusk / README.md
Last active June 24, 2023 11:04
apksigcopier: signatures made by older AGP versions cannot be copied

Signatures made by older versions of AGP cannot be copied by apksigcopier because the signing method differs too much from that used by apksigner (and signflinger in newer versions).

It is unlikely that support for these signatures will be added.

ZIP entry ordering differences

The v1 (JAR) signature files are always added at the end of the ZIP file by apksigner and apksigcopier; these older versions add them in a different position and sometimes the order of the ZIP entries in the central directory doesn't match the order of the entries in the file.

v1 (JAR) signature file differences

@obfusk
obfusk / zfe-test.groovy
Last active February 22, 2023 20:01
use zipflinger to add files to an APK w/ a groovy script
import java.util.zip.ZipInputStream
def zis = new ZipInputStream(new FileInputStream(args[0]))
def entryCounter = 0
while (temp = zis.getNextEntry()) {
    entryCounter++
    if (!temp.name && !temp.size) {
        println "Found virtual entry #${entryCounter}"
    }
}
@obfusk
obfusk / AndroidManifest-in.xml
Created February 10, 2023 18:58
convert AndroidManifest.xml to binary XML w/ aapt2 link
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="1" android:versionName="1" android:compileSdkVersion="29" android:compileSdkVersionCodename="10.0.0" package="com.example" platformBuildVersionCode="29" platformBuildVersionName="10.0.0">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="29"/>
</manifest>
@obfusk
obfusk / sigblock.md
Last active February 7, 2023 11:36
APK Signing Block considerations

Some considerations regarding the APK Signing Block and how F-Droid handles Reproducible Builds.

Block types

APK Signature Scheme Block

The signature part of the APK Signing Block can contain more than one signature.
AFAIK Android and apksigner (unlike apksigtool) only check the one with the strongest supported signature algorithm ID, not all of them.

@obfusk
obfusk / VENV.md
Last active February 19, 2023 05:47
global venv

PEP 668 breaks --user

As a workaround, you can create a global venv that acts a lot like --user does now.

NB: this works for scripts that are part of the packages installed in the venv, but scripts that use e.g. #!/usr/bin/python3 will not be able to access the modules from the venv; only scripts called via ~/.venv/bin/python3 (or ~/.venv/bin/python, ~/.venv/bin/python3.11 etc.) will be able to access those.

Create venv

python3 -mvenv --system-site-packages --without-pip ~/.venv
@obfusk
obfusk / check-apk-signing-block.py
Last active February 9, 2024 22:38
check APK Signing Block for Google/unknown blocks
#!/usr/bin/python3
# encoding: utf-8
# SPDX-FileCopyrightText: 2024 FC (Fay) Stegerman <flx@obfusk.net>
# SPDX-FileCopyrightText: 2024 Izzy
# SPDX-License-Identifier: GPL-3.0-or-later
import argparse
import logging
import os
import sys
@obfusk
obfusk / add_zfe.py
Last active February 1, 2023 17:51
add zipflinger virtual entry to unsigned APK
#!/usr/bin/python3
# encoding: utf-8
# SPDX-FileCopyrightText: 2023 FC Stegerman <flx@obfusk.net>
# SPDX-License-Identifier: GPL-3.0-or-later
import argparse
from apksigcopier import copy_apk
@obfusk
obfusk / README.md
Last active January 28, 2023 04:17
check RB by comparing sha256sum of unsigned APK against upstream

Remove

gradle:
  - yes

Add

@obfusk
obfusk / build.gradle
Last active February 17, 2023 22:36
sort baseline.profm in build.gradle using com.android.tools.profgen
// NB: Android Studio can't find the imports; this does not affect the
// actual build since Gradle can find them just fine.
import com.android.tools.profgen.ArtProfileKt
import com.android.tools.profgen.ArtProfileSerializer
import com.android.tools.profgen.DexFile
project.afterEvaluate {
    tasks.each { task ->
        if (task.name.startsWith("compile") && task.name.endsWith("ReleaseArtProfile")) {