
[FEAT] clear out old APK SourceStamp residue (stamp-cert-sha256)

Open eladkarako opened this issue 2 years ago • 4 comments

edit: this has been resolved, but I needed to simplify my description here.

in the APK installation verification phase,
if the APK has a SourceStamp file,
an additional check will be done to make sure it matches a SourceStamp block in the APK signing block as well.

when reverse-engineering an APK file,
a user must delete the file (/stamp-cert-sha256) from the unknown folder,
and remove the entry from apktool.yml's unknownFiles: section.

a better way is to avoid copying the SourceStamp file back (or to keep it under the /original/ folder).


there are very few resources regarding this,
but the Android Open-Source Project has some basic code that explains how this works:

https://android.googlesource.com/platform/tools/apksig/+/master/src/main/java/com/android/apksig/ApkVerifier.java#320

https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/util/apk/SourceStampVerifier.java#89


this is what you'll see in the APK:

if you run:
java -jar apksigner.jar verify --print-certs --verbose --in "Google_googletts.google-speech-apk_20210914.01_p4.398601325.apk" (for example),
you'll get something like this:

(full)
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v3.1 scheme (APK Signature Scheme v3.1): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: true
Number of signers: 1
Signer #1 certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: f0fd6c5b410f25cb25c3b53346c8972fae30f8ee7411df910480ad6b2d60db83
Signer #1 certificate SHA-1 digest: 38918a453d07199354f8b19af05ec6562ced5788
Signer #1 certificate MD5 digest: cde9f6208d672b54b1dacc0b7029f5eb
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: 2b06490d2d24305c6a90dbf74cc42f50183d207d572f8079e5d92fb2c2a0cda1
Signer #1 public key SHA-1 digest: b2da9ef7ec0f4474117fb0cba4dca3b795c0eab7
Signer #1 public key MD5 digest: a90ce510a96aa09bee6bf8d9da9b258b
Source Stamp Signer certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Source Stamp Signer certificate SHA-256 digest: 3257d599a49d2c961a471ca9843f59d341a405884583fc087df4237b733bbd6d
Source Stamp Signer certificate SHA-1 digest: b1af3a0bf998aeede1a8716a539e5a59da1d86d6
Source Stamp Signer certificate MD5 digest: 577b8a9fbc7e308321aec6411169d2fb
Source Stamp Signer key algorithm: RSA
Source Stamp Signer key size (bits): 4096
Source Stamp Signer public key SHA-256 digest: 4c53c1d28f2ecceadcb1351603f0b702615b3454b6e30070de759359f241b802
Source Stamp Signer public key SHA-1 digest: 188b067a9ee881bde55dabe0f8f7ecb320b1a091
Source Stamp Signer public key MD5 digest: 965afac83f033aa037a54482eb6922d5
WARNING: META-INF/services/com.google.protobuf.GeneratedExtensionRegistryLoader not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.

eladkarako, Oct 26 '21 02:10

Probably fair to copy those files into original, but it appears the filename is not consistent. So gotta research a bit more.

iBotPeaches, Nov 01 '21 11:11

PR is up to handle this like original files.

iBotPeaches, Nov 27 '21 12:11

a little more information.
Google Play uses it.
it is best to make sure it will not return to the APK,
delete the file, and its entry in apktool.yml.

the alternative is to change the package identification.


https://github.com/BlueWallet/BlueWallet/issues/3219

https://support.google.com/googleplay/android-developer/answer/9842756?hl=en#zippy=%2Capp-signing-key-requirements%2Cinstructions-for-apps-created-before-august%2Cupload-key-requirements%2Cupdate-keystores

https://www.exceptionlife.com/android/question/6517/installing-google-play-services-from-apkmirror-by-command-line

eladkarako, Sep 04 '22 20:09
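
The manual clean-up described in the posts above (delete stamp-cert-sha256 from the unknown folder and drop its entry under unknownFiles: in apktool.yml), as an added Python example that is not part of the thread or of Apktool's own code. It assumes the decoded directory layout named in the issue and that unknownFiles: is a YAML mapping of file name to compression method; `SAMPLE_YML`, `strip_source_stamp` and `demo` are names made up for this example.

```python
import re
import tempfile
from pathlib import Path

STAMP_NAME = "stamp-cert-sha256"  # file name given in the issue
ENTRY = re.compile(r"^\s+['\"]?" + re.escape(STAMP_NAME) + r"['\"]?\s*:")
# Constructed sample; assumes unknownFiles is a "name: 'method'" mapping.
SAMPLE_YML = """\
apkFileName: sample.apk
unknownFiles:
  stamp-cert-sha256: '8'
  sample.properties: '8'
version: 0.0.0-sample
"""

def strip_source_stamp(decoded_dir):
    """Delete unknown/stamp-cert-sha256 and its apktool.yml entry; return a report."""
    root = Path(decoded_dir)
    report = {"stamp_hex": None, "yml_lines_removed": 0}
    stamp = root / "unknown" / STAMP_NAME
    if stamp.is_file():
        report["stamp_hex"] = stamp.read_bytes().hex()  # record what was removed
        stamp.unlink()
    yml = root / "apktool.yml"
    if not yml.is_file():
        return report
    kept, in_unknown = [], False
    for line in yml.read_text(encoding="utf-8").splitlines(keepends=True):
        if line.strip() and not line[0].isspace():
            in_unknown = line.startswith("unknownFiles:")  # a top-level key
        elif in_unknown and ENTRY.match(line):
            report["yml_lines_removed"] += 1
            continue
        kept.append(line)
    for i, line in enumerate(kept):
        nxt = kept[i + 1] if i + 1 < len(kept) else ""
        if line.rstrip() == "unknownFiles:" and not nxt[:1].isspace():
            kept[i] = "unknownFiles: {}\n"  # section emptied: keep it a valid map
    yml.write_text("".join(kept), encoding="utf-8")
    return report

def demo():
    """Run the clean-up on a constructed decoded tree in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "unknown").mkdir()
        (root / "unknown" / STAMP_NAME).write_bytes(bytes(range(32)))
        (root / "apktool.yml").write_text(SAMPLE_YML, encoding="utf-8")
        return strip_source_stamp(root), (root / "apktool.yml").read_text(encoding="utf-8")
```

The returned `stamp_hex` is the removed file's content in hex, which can be kept as a record of what the original APK carried.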

I see. So it's injected by GooglePlay during signing, so not needed if you are resigning and should be removed - not copied. Re-opening.

iBotPeaches, Sep 05 '22 11:09

Was going to revisit this, but with Apktool that wants to maintain original apk as close as possible - unsure what to do about this. Since it breaks down to basically deleting a file we know is in the original apk.

iBotPeaches, Nov 21 '22 12:11