Pier Angelo Vendrame pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

2 changed files:

Changes:

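--- a/projects/browser/build.android
+++ b/projects/browser/build.android
@@ -87,7 +87,7 @@ function generate_apk {
   popd
 
   aligned_apk=$(basename $apk .apk)_aligned.apk
-  zipalign -vp 4 repacked.apk $aligned_apk
+  zipalign -P 16 4 repacked.apk $aligned_apk
 
   # Sign a QA build. This .apk is not a debug version and doesn't contain a debug
   # flag in the manifest.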
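Review bot: Nothing on the visible lines checks the result of `zipalign -P 16 4 repacked.apk $aligned_apk`, while the signing wrapper changed in this same commit rejects any input that fails `zipalign -c -P 16 4`. Running `zipalign -c -P 16 4 "$aligned_apk"` right after the align step would surface a misaligned APK at build time rather than at signing time. generate_apk continues outside the hunk, so an equivalent check may already exist further down. `$aligned_apk` is also unquoted on the changed line; `"$aligned_apk"` keeps the output path in one argument.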
    

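--- a/tools/signing/wrappers/sign-apk
+++ b/tools/signing/wrappers/sign-apk
@@ -30,10 +30,6 @@ test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is
 
 setup_build_tools() {
   abt_version=16
-  # If signing 14.5, keep using android-12 build tools
-  # (we can remove this when 15.0 is the stable release)
-  ( test -z "$tbb_version" || echo "$tbb_version" | grep -q '^14\.5' ) && \
-    abt_version=12
   build_tools_dir=/signing/android-build-tools
   test -f "$build_tools_dir"/android-$abt_version/apksigner || \
     exit_error "$build_tools_dir/android-$abt_version/apksigner is missing"
@@ -41,49 +37,31 @@ setup_build_tools() {
 }
 
 # Sign individual apk
+# https://developer.android.com/studio/publish/app-signing#sign-manually
 sign_apk() {
     INPUTAPK="$1"
     OUTPUTAPK="$2"
+    SIGNEDAPK=$(basename "${INPUTAPK}")
 
-    # https://developer.android.com/studio/publish/app-signing#sign-manually
-    # After running `gradlew assembleRelease`, creates an unsigned-unaligned apk
-
-    # Aligning ensures that all uncompressed data starts with a particular byte
-    # alignment relative to the start of the file, which may reduce the amount
-    # of RAM consumed by an app.
-    # zipalign -v -p 4 my-app-unsigned.apk my-app-unsigned-aligned.apk
-    echo Aligning and signing ${INPUTAPK}
-
-    # Append the different stages of signing
-    UNSIGNED_UNALIGNED_APK=`basename "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'`
-    UNSIGNED_APK=`echo "${UNSIGNED_UNALIGNED_APK}" | sed 's/-unaligned//'`
-    SIGNED_APK=`echo "${UNSIGNED_APK}" | sed 's/-unsigned//'`
-
-    # ${INPUTAPK} is full path. We copy to local tmp directory.
-    cp "${INPUTAPK}" "${UNSIGNED_UNALIGNED_APK}"
-
-    # Step 1: Align
-    zipalign -v -p 4 "${UNSIGNED_UNALIGNED_APK}" "${UNSIGNED_APK}"
-    if [ ! $? = 0 ]; then
-        echo "zipalign failed"
-        exit 1
-    fi
-    echo zipalign succeeded
-
-    # Step 2: Verify alignment
-    zipalign -vc 4 "${UNSIGNED_APK}"
+    # Verify alignment before signing
+    # APKs have various requirements for being published on the Play Store.
+    # The input APKs should be ready before starting this process.
+    echo Verifying ${INPUTAPK}
+    zipalign -c -P 16 4 "${INPUTAPK}"
     if [ ! $? = 0 ]; then
         echo "zipalign verify failed"
         exit 1
     fi
     echo zipalign verify succeeded
 
-    # Step 3: Sign
+    # Sign
+    echo Signing ${INPUTAPK}
+
     # Use this command if reading key from file
-    apksigner sign --verbose -ks ${android_signing_key_path} --ks-type pkcs12 --ks-pass env:KSPASS --debuggable-apk-permitted=false --out "${SIGNED_APK}" "${UNSIGNED_APK}"
+    apksigner sign --verbose -ks ${android_signing_key_path} --ks-type pkcs12 --ks-pass env:KSPASS --debuggable-apk-permitted=false --out "${SIGNEDAPK}" "${INPUTAPK}"
 
     # Or, use below command if using a hardware token
-    # apksigner sign --verbose --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg pkcs11_java.cfg --ks NONE --ks-type PKCS11 --debuggable-apk-permitted=false --out "${SIGNED_APK}" "${UNSIGNED_APK}"
+    # apksigner sign --verbose --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg pkcs11_java.cfg --ks NONE --ks-type PKCS11 --debuggable-apk-permitted=false --out "${SIGNEDAPK}" "${INPUTAPK}"
 
     if [ ! $? = 0 ]; then
         echo "apksigner sign failed"
@@ -91,15 +69,16 @@ sign_apk() {
     fi
     echo apksigner sign succeeded
 
-    # Step 4: Verify signature
-    apksigner verify --verbose "${SIGNED_APK}"
+    # Verify signature
+    apksigner verify --verbose "${SIGNEDAPK}"
     if [ ! $? = 0 ]; then
         echo "apksigner verify failed"
         exit 1
     fi
-
-    mv -f "${SIGNED_APK}" "$OUTPUTAPK"
     echo apksigner verify succeeded
+
+    mv -f "${SIGNEDAPK}" "${OUTPUTAPK}"
+    echo ${OUTPUTAPK} signed
 }
 
 setup_build_tools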
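Review bot: `SIGNEDAPK=$(basename "${INPUTAPK}")` at the top of sign_apk gives the signed file the same name as the input, so if the wrapper runs from the directory that holds the input APK, `--out "${SIGNEDAPK}"` is the input itself and the unsigned artifact is overwritten before `apksigner verify` has passed. The removed code used distinct `-unsigned` names and noted that it copied into a local tmp directory; whether the working directory is still guaranteed to differ is not visible here. A distinct intermediate name such as `SIGNEDAPK="$(basename "${INPUTAPK}" .apk)-signed.apk"` avoids the collision at no cost, since the file is renamed to `${OUTPUTAPK}` at the end. On the new `apksigner sign` line, `-ks ${android_signing_key_path}` is unquoted although the same path is quoted in the `test -f` check above; `"${android_signing_key_path}"` keeps a path with spaces in one argument.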