Investigate unsigned kotlin_module files (#40179) · Issues · The Tor Project / Applications / Tor Browser

Investigate unsigned kotlin_module files

$ apksigner verify --print-certs --verbose tor-browser-tbb-nightly.2020.10.07-android-x86-multi.apk
Verifies
[...]
WARNING: META-INF/activity-ktx_release.kotlin_module not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.activity_activity-ktx.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.activity_activity.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.appcompat_appcompat-resources.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.appcompat_appcompat.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.arch.core_core-runtime.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.asynclayoutinflater_asynclayoutinflater.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.biometric_biometric.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.browser_browser.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.cardview_cardview.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.coordinatorlayout_coordinatorlayout.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.

Indeed, the apk contains:

$ unzip -l tor-browser-tbb-nightly.2020.10.07-android-x86-multi.apk
[...]
       89  1970-01-01 00:00   META-INF/activity-ktx_release.kotlin_module
        6  1970-01-01 00:00   META-INF/androidx.activity_activity-ktx.version
        6  1970-01-01 00:00   META-INF/androidx.activity_activity.version
       11  1970-01-01 00:00   META-INF/androidx.appcompat_appcompat-resources.version
       11  1970-01-01 00:00   META-INF/androidx.appcompat_appcompat.version
        6  1970-01-01 00:00   META-INF/androidx.arch.core_core-runtime.version
        6  1970-01-01 00:00   META-INF/androidx.asynclayoutinflater_asynclayoutinflater.version
       14  1970-01-01 00:00   META-INF/androidx.biometric_biometric.version
        6  1970-01-01 00:00   META-INF/androidx.browser_browser.version
        6  1970-01-01 00:00   META-INF/androidx.cardview_cardview.version
        6  1970-01-01 00:00   META-INF/androidx.coordinatorlayout_coordinatorlayout.version
[...]

$ unzip -l tor-browser-tbb-nightly.2020.10.07-android-x86-multi-qa.apk | grep -c 'META-INF/[a-z_-]*.kotlin_module'
113

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information