Pier Angelo Vendrame pushed to branch maint-15.0 at The Tor Project / Applications / tor-browser-build Commits: dbe953b4 by Pier Angelo Vendrame at 2025-10-30T13:32:23+01:00 Bug 41620: Do not rerun zipalign when signing. APKs are already aligned during the build step. - - - - - 78db8a09 by Pier Angelo Vendrame at 2025-10-30T13:32:24+01:00 Bug 41621: Remove support for older android tools while signing. We had some conditional check to use Android tools version 12 when signing Tor Browser 14.5.x. Now that it's EOL, we do not need it anymore. - - - - - 2244a6f1 by Pier Angelo Vendrame at 2025-10-30T13:32:24+01:00 Bug 41617: Align .so pages to 16KiB with zipalign. Apps are required to support 16KiB page size. We already build our binaries so that they comply with this requirement, but we also need to pass the specific argument to zipalign before signing, for it to actually work. - - - - - 2 changed files: - projects/browser/build.android - tools/signing/wrappers/sign-apk Changes: ===================================== projects/browser/build.android ===================================== @@ -87,7 +87,7 @@ function generate_apk { popd aligned_apk=$(basename $apk .apk)_aligned.apk - zipalign -vp 4 repacked.apk $aligned_apk + zipalign -P 16 4 repacked.apk $aligned_apk # Sign a QA build. This .apk is not a debug version and doesn't contain a debug # flag in the manifest. ===================================== tools/signing/wrappers/sign-apk ===================================== 
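Review bot: The new `zipalign -P 16 4 repacked.apk $aligned_apk` call in generate_apk is not followed by any check of the result, so a misaligned APK would only be rejected later, when the signing wrapper runs `zipalign -c -P 16 4`. Running the same check right after the alignment, `zipalign -c -P 16 4 "$aligned_apk"`, would fail the build instead of the signing run. Whether the script already aborts on a failing command (for example through `set -e`) is not visible here. `$apk` and `$aligned_apk` are also expanded unquoted on these lines. generate_apk's body starts and ends outside the hunk.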
@@ -30,10 +30,6 @@ test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is setup_build_tools() { abt_version=16 - # If signing 14.5, keep using android-12 build tools - # (we can remove this when 15.0 is the stable release) - ( test -z "$tbb_version" || echo "$tbb_version" | grep -q '^14\.5' ) && \ - abt_version=12 build_tools_dir=/signing/android-build-tools test -f "$build_tools_dir"/android-$abt_version/apksigner || \ exit_error "$build_tools_dir/android-$abt_version/apksigner is missing" 
@@ -41,49 +37,31 @@ setup_build_tools() { } # Sign individual apk +# https://developer.android.com/studio/publish/app-signing#sign-manually sign_apk() { INPUTAPK="$1" OUTPUTAPK="$2" + SIGNEDAPK=$(basename "${INPUTAPK}") - # https://developer.android.com/studio/publish/app-signing#sign-manually - # After running `gradlew assembleRelease`, creates an unsigned-unaligned apk - - # Aligning ensures that all uncompressed data starts with a particular byte - # alignment relative to the start of the file, which may reduce the amount - # of RAM consumed by an app. - # zipalign -v -p 4 my-app-unsigned.apk my-app-unsigned-aligned.apk - echo Aligning and signing ${INPUTAPK} - - # Append the different stages of signing - UNSIGNED_UNALIGNED_APK=`basename "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'` - UNSIGNED_APK=`echo "${UNSIGNED_UNALIGNED_APK}" | sed 's/-unaligned//'` - SIGNED_APK=`echo "${UNSIGNED_APK}" | sed 's/-unsigned//'` - - # ${INPUTAPK} is full path. We copy to local tmp directory. - cp "${INPUTAPK}" "${UNSIGNED_UNALIGNED_APK}" - - # Step 1: Align - zipalign -v -p 4 "${UNSIGNED_UNALIGNED_APK}" "${UNSIGNED_APK}" - if [ ! $? = 0 ]; then - echo "zipalign failed" - exit 1 - fi - echo zipalign succeeded - - # Step 2: Verify alignment - zipalign -vc 4 "${UNSIGNED_APK}" + # Verify alignment before signing + # APKs have various requirements for being published on the Play Store. + # The input APKs should be ready before starting this process. + echo Verifying ${INPUTAPK} + zipalign -c -P 16 4 "${INPUTAPK}" if [ ! $? 
= 0 ]; then echo "zipalign verify failed" exit 1 fi echo zipalign verify succeeded - # Step 3: Sign + # Sign + echo Signing ${INPUTAPK} + # Use this command if reading key from file - apksigner sign --verbose -ks ${android_signing_key_path} --ks-type pkcs12 --ks-pass env:KSPASS --debuggable-apk-permitted=false --out "${SIGNED_APK}" "${UNSIGNED_APK}" + apksigner sign --verbose -ks ${android_signing_key_path} --ks-type pkcs12 --ks-pass env:KSPASS --debuggable-apk-permitted=false --out "${SIGNEDAPK}" "${INPUTAPK}" # Or, use below command if using a hardware token - # apksigner sign --verbose --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg pkcs11_java.cfg --ks NONE --ks-type PKCS11 --debuggable-apk-permitted=false --out "${SIGNED_APK}" "${UNSIGNED_APK}" + # apksigner sign --verbose --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg pkcs11_java.cfg --ks NONE --ks-type PKCS11 --debuggable-apk-permitted=false --out "${SIGNEDAPK}" "${INPUTAPK}" if [ ! $? = 0 ]; then echo "apksigner sign failed" @@ -91,15 +69,16 @@ sign_apk() { fi echo apksigner sign succeeded - # Step 4: Verify signature - apksigner verify --verbose "${SIGNED_APK}" + # Verify signature + apksigner verify --verbose "${SIGNEDAPK}" if [ ! $? = 0 ]; then echo "apksigner verify failed" exit 1 fi - - mv -f "${SIGNED_APK}" "$OUTPUTAPK" echo apksigner verify succeeded + + mv -f "${SIGNEDAPK}" "${OUTPUTAPK}" + echo ${OUTPUTAPK} signed } setup_build_tools View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/5... -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/5... You're receiving this email because of your account on gitlab.torproject.org.
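Review bot: `SIGNEDAPK=$(basename "${INPUTAPK}")` gives the signed output the same name as the input, and apksigner now reads `"${INPUTAPK}"` directly where the removed code signed a separate local copy. If sign_apk is ever called from the directory that holds the input, or with a bare file name, `--out "${SIGNEDAPK}"` and the input are the same file. The callers and the working directory are outside this hunk, so this may not occur in practice, but a guard such as `[ "${INPUTAPK}" -ef "${SIGNEDAPK}" ] && exit_error "input and output APK are the same file"` before signing would make the assumption explicit. On the same lines, `${android_signing_key_path}` and the `echo ... ${INPUTAPK}` arguments are unquoted, and `if ! zipalign -c -P 16 4 "${INPUTAPK}"; then` would read more directly than testing `$?` afterwards.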
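Review bot: `apksigner verify --verbose "${SIGNEDAPK}"` confirms that the APK carries a valid signature, but not that it was made with the intended release key, so a run against the wrong keystore or token would still print "apksigner verify succeeded". If no later stage of the signing process already checks this, comparing the certificate digest reported by `apksigner verify --print-certs "${SIGNEDAPK}"` against a pinned value (`<EXPECTED_CERT_SHA256>`, placeholder) before the `mv` would close that gap. The result of `mv -f "${SIGNEDAPK}" "${OUTPUTAPK}"` is also unchecked, so `echo ${OUTPUTAPK} signed` is printed even when the move fails; `mv -f "${SIGNEDAPK}" "${OUTPUTAPK}" || exit_error "could not move ${SIGNEDAPK}"` would keep the message truthful. sign_apk's body starts outside this hunk.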