Investigate unsigned kotlin_module files
$ apksigner verify --print-certs --verbose tor-browser-tbb-nightly.2020.10.07-android-x86-multi.apk
Verifies
[...]
WARNING: META-INF/activity-ktx_release.kotlin_module not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.activity_activity-ktx.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.activity_activity.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.appcompat_appcompat-resources.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.appcompat_appcompat.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.arch.core_core-runtime.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.asynclayoutinflater_asynclayoutinflater.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.biometric_biometric.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.browser_browser.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.cardview_cardview.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.coordinatorlayout_coordinatorlayout.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
Indeed, the apk contains:
$ unzip -l tor-browser-tbb-nightly.2020.10.07-android-x86-multi.apk
[...]
89 1970-01-01 00:00 META-INF/activity-ktx_release.kotlin_module
6 1970-01-01 00:00 META-INF/androidx.activity_activity-ktx.version
6 1970-01-01 00:00 META-INF/androidx.activity_activity.version
11 1970-01-01 00:00 META-INF/androidx.appcompat_appcompat-resources.version
11 1970-01-01 00:00 META-INF/androidx.appcompat_appcompat.version
6 1970-01-01 00:00 META-INF/androidx.arch.core_core-runtime.version
6 1970-01-01 00:00 META-INF/androidx.asynclayoutinflater_asynclayoutinflater.version
14 1970-01-01 00:00 META-INF/androidx.biometric_biometric.version
6 1970-01-01 00:00 META-INF/androidx.browser_browser.version
6 1970-01-01 00:00 META-INF/androidx.cardview_cardview.version
6 1970-01-01 00:00 META-INF/androidx.coordinatorlayout_coordinatorlayout.version
[...]
$ unzip -l tor-browser-tbb-nightly.2020.10.07-android-x86-multi-qa.apk | grep -c 'META-INF/[a-z_-]*.kotlin_module'
113