
Sign unsigned APKs instead of the QA-signed ones

If I understand correctly, we start from the QA-signed APKs.

Then we re-align them and apply the new signature.

However, this doesn't allow us to use apksigcopier to copy our official signatures to independently built APKs. It would be very nice to be able to do so, as the final step of reproducing the builds.

apksigcopier complains about metadata being already in the APK, but it would work with unsigned APKs. apksigner instead couldn't care less about a signature being already there. Moreover, us running zipalign again makes everything more complicated.

I think the changes to the signing script could be trivial, but it depends on the way we want to address this.

Exporting a signed APK for QA is very useful in my opinion, because it spares testers the step of self-signing the APK, which requires some tools, a computer (whereas with an already signed APK you can even download it on the Android device), etc.

However, exporting both the signed and unsigned APKs (the easiest solution) would increase the size taken by each build by 400MB for minimal changes.

Stripping the signature seems to be very difficult.

So, as a solution, I think we could try to run bsdiff:

```
time bsdiff signed.apk aligned.apk unsign.bspatch

________________________________________________________
Executed in   14.29 secs    fish           external
   usr time   14.24 secs  177.00 micros   14.24 secs
   sys time    0.04 secs  153.00 micros    0.04 secs
```

```
ll unsign.bspatch 
-rw-r--r-- 1 piero piero 282 27 feb 09.41 unsign.bspatch
```

```
time bspatch signed.apk unsigned.apk unsign.bspatch 

________________________________________________________
Executed in  213.61 millis    fish           external
   usr time  177.25 millis  145.00 micros  177.11 millis
   sys time   36.37 millis  143.00 micros   36.23 millis
```

So, it adds 15 seconds to the build (which is more than I expected, but still extremely feasible), but with 282 bytes we'd be okay.

It will also require us to add the bsdiff package to the signing machines, but I guess it's fine.

I could do the build part, but maybe it's better if someone who can also sign does everything together.

/cc @Mynacol
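An added example, not part of the original issue or the project's signing scripts: a pre-check a build step could run to confirm that an APK recovered with bspatch carries no signature metadata before signatures are copied onto it. It looks for v1 JAR signature files under META-INF and for the APK Signing Block magic directly before the ZIP central directory; the function names are hypothetical, the sample APKs are constructed in memory, and ZIP64 archives are assumed out of scope.

```python
import io
import re
import struct
import zipfile

SIG_BLOCK_MAGIC = b"APK Sig Block 42"
# v1 (JAR) signing files: MANIFEST.MF plus *.SF and *.RSA/*.DSA/*.EC in META-INF
V1_SIG_FILE = re.compile(r"^META-INF/([^/]+\.(SF|RSA|DSA|EC)|MANIFEST\.MF)$")


def central_directory_offset(data: bytes) -> int:
    """Find the End of Central Directory record and return the CD offset."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("not a ZIP file: EOCD record not found")
    return struct.unpack_from("<I", data, eocd + 16)[0]


def signature_state(data: bytes) -> dict:
    """Report which signature metadata an APK (given as bytes) contains."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        v1_files = sorted(n for n in zf.namelist() if V1_SIG_FILE.match(n))
    cd = central_directory_offset(data)
    # The APK Signing Block (v2/v3) ends with its magic right before the CD.
    has_block = cd >= 16 and data[cd - 16:cd] == SIG_BLOCK_MAGIC
    return {"v1_files": v1_files, "signing_block": has_block,
            "unsigned": not v1_files and not has_block}


def build_sample(names, with_block=False) -> bytes:
    """Constructed sample APK (not a real app), optionally with an empty block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed")
    data = buf.getvalue()
    if not with_block:
        return data
    cd = central_directory_offset(data)
    eocd = data.rfind(b"PK\x05\x06")
    # Block layout: uint64 size, id-value pairs (none here), uint64 size, magic
    block = struct.pack("<QQ", 24, 24) + SIG_BLOCK_MAGIC
    eocd_rec = bytearray(data[eocd:])
    struct.pack_into("<I", eocd_rec, 16, cd + len(block))  # CD moved forward
    return data[:cd] + block + data[cd:eocd] + bytes(eocd_rec)


if __name__ == "__main__":
    print(signature_state(build_sample(["classes.dex"])))
    print(signature_state(build_sample(["classes.dex", "META-INF/CERT.SF"])))
    print(signature_state(build_sample(["classes.dex"], with_block=True)))
```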
