[Bug]: F-Droid signatures

Open tareksander opened this issue 2 years ago • 19 comments

Problem description

I got Termux:GUI included into F-Droid, but it seems the signing key was changed between the last Termux update and the inclusion, leading to signature errors. I created an issue here because that would also be a problem when an update to Termux or any other plugin is released, because the new releases will be signed with the different key. A solution would be to create dummy updates for the app and all plugins at the same time that just bump the version, so they are all signed with the new key. Users would then have to uninstall all plugins, update the app and then reinstall the plugins, but I think it's better to do that in a controlled way than just having an uninstallable Termux or plugin update.

Here are the apk signatures:

$ keytool -printcert -jarfile com.termux.gui_4.apk 
Signer #1:

Signature:

Owner: CN=FDroid, OU=FDroid, O=fdroid.org, L=ORG, ST=ORG, C=UK
Issuer: CN=FDroid, OU=FDroid, O=fdroid.org, L=ORG, ST=ORG, C=UK
Serial number: 51024fec
Valid from: Thu Dec 16 08:14:42 CET 2021 until: Mon May 03 09:14:42 CEST 2049
Certificate fingerprints:
         SHA1: 13:F1:BF:EB:1F:12:3D:DA:FC:88:D3:03:B2:0D:B9:E2:30:BD:5C:8E
         SHA256: 7D:C2:91:1E:6B:90:D2:D8:0E:71:BC:B4:C9:06:AE:F3:CB:A7:4C:10:3B:5B:14:5A:76:40:49:C9:6F:D4:AD:D2
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A3 BF 73 28 6F 57 3A 0A   37 CE 97 5E 12 99 40 F4  ..s(oW:.7..^..@.
0010: 34 C7 CF B7                                        4...
]
]

$ keytool -printcert -jarfile com.termux_117.apk   
Signer #1:

Signature:

Owner: CN=FDroid, OU=FDroid, O=fdroid.org, L=ORG, ST=ORG, C=UK
Issuer: CN=FDroid, OU=FDroid, O=fdroid.org, L=ORG, ST=ORG, C=UK
Serial number: cd73f88
Valid from: Mon Oct 26 08:35:59 CET 2015 until: Fri Mar 13 08:35:59 CET 2043
Certificate fingerprints:
         SHA1: E8:75:4A:2C:61:43:92:07:1D:27:02:1B:BC:DF:B8:DD:A7:E0:71:1C
         SHA256: 22:8F:B2:CF:E9:08:31:C1:49:9E:C3:CC:AF:61:E9:6E:8E:1C:E7:07:66:B9:47:46:72:CE:42:73:34:D4:1C:42
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 90 7C B4 50 85 65 90 90   99 E3 58 04 AB FD CF CC  ...P.e....X.....
0010: B9 06 C8 22                                        ..."
]
]

$ keytool -printcert -jarfile com.termux.api_49.apk 
Signer #1:

Signature:

Owner: CN=FDroid, OU=FDroid, O=fdroid.org, L=ORG, ST=ORG, C=UK
Issuer: CN=FDroid, OU=FDroid, O=fdroid.org, L=ORG, ST=ORG, C=UK
Serial number: cd73f88
Valid from: Mon Oct 26 08:35:59 CET 2015 until: Fri Mar 13 08:35:59 CET 2043
Certificate fingerprints:
         SHA1: E8:75:4A:2C:61:43:92:07:1D:27:02:1B:BC:DF:B8:DD:A7:E0:71:1C
         SHA256: 22:8F:B2:CF:E9:08:31:C1:49:9E:C3:CC:AF:61:E9:6E:8E:1C:E7:07:66:B9:47:46:72:CE:42:73:34:D4:1C:42
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 90 7C B4 50 85 65 90 90   99 E3 58 04 AB FD CF CC  ...P.e....X.....
0010: B9 06 C8 22                                        ..."
]
]

There is also another app on F-Droid with plugins that use sharedUserId that has the same problem: https://gitlab.com/fdroid/fdroiddata/-/issues/2457

The concrete error in logcat is this:

2021-12-17 11:59:38.527 503-546/? I/PackageManager: Integrity check passed for file:///data/app/vmdl23637881.tmp
2021-12-17 11:59:38.928 503-546/? E/PackageManager: Adding duplicate app id: 10157 name=com.termux.gui
2021-12-17 11:59:38.929 503-546/? W/PackageManager: Reconciliation failed...
    com.android.server.pm.PackageManagerService$ReconcileFailure: Reconcile failed: Package com.termux.gui has no signatures that match those in shared user com.termux; ignoring!
        at com.android.server.pm.PackageManagerService.reconcilePackagesLocked(PackageManagerService.java:16484)

Steps to reproduce the behavior.

Try to install Termux:GUI from F-Droid.

What is the expected behavior?

It installs like any other plugin.

System information

  • Termux application version: 0.117
  • Android OS version: Any
  • Device model: Any

tareksander avatar Dec 17 '21 13:12 tareksander
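The report above boils down to a fingerprint comparison: every APK that joins a `sharedUserId` group must be signed with the same certificate as the package already installed under that shared user. The script below is an added example (not part of the issue or the Termux project) that parses the `keytool -printcert -jarfile` output quoted above and flags which APK would trigger the "no signatures that match those in shared user" reconcile failure; the sample text is trimmed from the real output, and the function names are mine.

```python
import re

# Constructed sample: the SHA256 lines from the keytool output quoted in the
# issue, with the rest of each certificate dump trimmed away.
SAMPLE = """\
$ keytool -printcert -jarfile com.termux.gui_4.apk
Signer #1:
Certificate fingerprints:
         SHA256: 7D:C2:91:1E:6B:90:D2:D8:0E:71:BC:B4:C9:06:AE:F3:CB:A7:4C:10:3B:5B:14:5A:76:40:49:C9:6F:D4:AD:D2
$ keytool -printcert -jarfile com.termux_117.apk
Signer #1:
Certificate fingerprints:
         SHA256: 22:8F:B2:CF:E9:08:31:C1:49:9E:C3:CC:AF:61:E9:6E:8E:1C:E7:07:66:B9:47:46:72:CE:42:73:34:D4:1C:42
$ keytool -printcert -jarfile com.termux.api_49.apk
Signer #1:
Certificate fingerprints:
         SHA256: 22:8F:B2:CF:E9:08:31:C1:49:9E:C3:CC:AF:61:E9:6E:8E:1C:E7:07:66:B9:47:46:72:CE:42:73:34:D4:1C:42
"""

# One keytool invocation per APK; the file name follows -jarfile.
CMD_RE = re.compile(r"^\$ keytool .*-jarfile\s+(\S+)", re.M)
SHA256_RE = re.compile(r"^\s*SHA256:\s*([0-9A-F:]+)\s*$", re.M)


def parse_signers(text):
    """Map each APK file name to the set of SHA-256 cert fingerprints of its signers.

    A frozenset is used because an APK can carry several signers (Signer #1, #2, ...)
    and the whole set has to agree, not just the first certificate.
    """
    signers = {}
    cmds = list(CMD_RE.finditer(text))
    for i, m in enumerate(cmds):
        end = cmds[i + 1].start() if i + 1 < len(cmds) else len(text)
        signers[m.group(1)] = frozenset(SHA256_RE.findall(text[m.end():end]))
    return signers


def shared_uid_conflicts(signers, installed_apk):
    """Return the APKs whose signer set differs from the already-installed package.

    PackageManager only admits a package into a sharedUserId group when its
    signatures match those recorded for that shared user, so any APK listed
    here would fail to install next to `installed_apk`.
    """
    reference = signers[installed_apk]
    return sorted(apk for apk, certs in signers.items() if certs != reference)


if __name__ == "__main__":
    # com.termux_117.apk is the installed app; the GUI plugin is the odd one out.
    print(shared_uid_conflicts(parse_signers(SAMPLE), "com.termux_117.apk"))
```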

Hm, will users even be able to install the next released version of termux-app, or will the next apk be incompatible with the current one?

Grimler91 avatar Dec 17 '21 14:12 Grimler91

Just curious: does F-Droid allow third parties to publish their APK and use the signature key of another application? If so, F-Droid has problems... However, from what I see here, that's expected behavior. Your Termux:GUI does not belong to @termux and therefore may not use the shared signature. No one should be able to release an add-on outside of @termux with the signature of the Termux app.

On a side note: applications with a shared user and signature can access each other's private data.

ghost avatar Dec 17 '21 14:12 ghost

I read the f-droid docs further and apparently it generates a signing key for each application, but that can be overwritten.
That seems to be set up for the other plugins so they all have a matching signature, so the signature incompatibility only applies to Termux:GUI.
That means that at the moment Termux:GUI is only compatible with the Github builds.
Can I move it to @termux and look into how to get it signed with the right key?
I use the shared user id to secure the plugin so only Termux can access it, permission-based security is out of the question because I can't just add a new permission to an app (Termux) that doesn't request it in its manifest.

tareksander avatar Dec 17 '21 15:12 tareksander

I tried looking at other apps that have plug-in/add-on apps. There aren't really many to compare with, but for at least one they seem to have solved it by not signing the apks at all (or maybe it is for an unrelated reason, they are almost 10 years old): jp.co.kayo.android.localplayer, jp.co.kayo.android.localplayer.ds.ampache, jp.co.kayo.android.localplayer.ds.podcast

Can I move it to @termux and look into how to get it signed with the right key?

Sounds like a plan, I think your plugin would be a nice addition!

Grimler91 avatar Dec 17 '21 15:12 Grimler91

@tareksander Yes, you can transfer it. Also we will need to do something with https://www.f-droid.org/en/packages/com.termux.gui/ to let F-Droid pick the new source and use the shared key.

ghost avatar Dec 17 '21 17:12 ghost

I moved the repo now. I already have a PR open at f-droid for this and updated the repo URL, and I can link this thread if they want proof that the Termux authors allow the app to be signed with the same key.

tareksander avatar Dec 18 '21 15:12 tareksander

But it always happens, even for the main termux-app.

dontknowhy avatar Jan 06 '22 11:01 dontknowhy

@dontknowhy What do you mean exactly?

Termux uses shared user installation mode for application and all add-ons, which means:

  • All applications can access each other's private directories.
  • For security reasons the signature key must be the same for all applications sharing the same user (user here means the Linux UID assigned to the Android application sandbox).

Play Store, F-Droid and GitHub are the three primary installation sources, and each has its own signature key.

Therefore you can't install or upgrade the Termux application or add-ons from Play Store over existing F-Droid or GitHub installations, or in any other combination. The source must be the same. To switch installation source, everything (app + plugins) must be completely uninstalled first.

Third-party plugins do not have access to the release keys used by Play Store or F-Droid. GitHub uses an insecure development key which was intentionally added to this repository (termux-app) as well as to the repositories of add-ons (termux-api, termux-styling, etc.) to make previewing app development snapshots easier.

ghost avatar Jan 06 '22 11:01 ghost

@tareksander This needs a fix:

https://github.com/termux/termux-gui/blob/f8abd21af5dc2676a82055b4285f5ddeca409440/app/build.gradle#L44-L49

You are using a ~~leaked~~ development key for the release signature.

ghost avatar Jan 06 '22 11:01 ghost

What if there was some sort of manager app for updating/administering Termux and its add-ons and components?

yonderbread avatar Jan 10 '22 08:01 yonderbread

@tareksander This needs a fix:

https://github.com/termux/termux-gui/blob/f8abd21af5dc2676a82055b4285f5ddeca409440/app/build.gradle#L44-L49

You are using a ~~leaked~~ development key for the release signature.

I fixed that now, but I don't think that solves the f-droid signature problem.

What if there was some sort of manager app for updating/administering Termux and its add-ons and components?

That would only work if the app would sign and install apks itself, and having the signing key on your device is a bad idea.

tareksander avatar Jan 10 '22 09:01 tareksander

I fixed that now, but I don't think that solves the f-droid signature problem.

It fixes the local build signature, i.e. ./gradlew assembleRelease. Release builds are normally unsigned or signed with a release key, which shouldn't be the same as the debug one.

F-Droid handles apps differently. Perhaps resolving the issue may require deleting and then re-publishing the app. Have you reported the issue to F-Droid? If so, it would be better to provide a link here.

The signature issue won't be resolved automatically and needs intervention from the F-Droid staff side.

ghost avatar Jan 10 '22 09:01 ghost

I have this MR over at f-droid. It seems signing apps with the same key can't be done with the metadata and requires special handling in the signing process.

tareksander avatar Jan 10 '22 09:01 tareksander

Going slightly off topic, but is this signature issue the reason why Termux 0.118 isn't on F-Droid yet?

imaami avatar Jan 16 '22 16:01 imaami

The termux-app v0.118.0 is already on F-Droid. Pull down from the top in the Updates tab for the update to show if using F-Droid app.

https://www.reddit.com/r/termux/comments/s266li/dev_termux_v01180_release/

agnostic-apollo avatar Jan 16 '22 16:01 agnostic-apollo

Any progress?

X7md avatar Feb 04 '22 22:02 X7md

What if there was some sort of manager app for updating/administering Termux and its add-ons and components?

This could work to put termux back on the play store! Just make a repo of signed things with a secure key (as opposed to the device key) and download and install them in a small downloader/manager app. The 2nd app could even be bypassed by manually downloading...

j-romchain avatar Mar 22 '22 11:03 j-romchain

This could work to put termux back on the play store!

No it couldn't. An app from Play Store may not download/install another app, according to the policy. That's why F-Droid cannot be installed from Google Play.

sls1005 avatar Oct 03 '22 04:10 sls1005

There's a slightly different issue with Play Store. It requires applications to be compiled with a target API level higher than 29. But that's completely unsuitable for the Termux application. If the target API level is higher than 28, it becomes completely unusable on devices running Android 10 and higher. That's all due to the new SELinux policies taking effect.

https://github.com/termux/termux-packages/wiki/Termux-and-Android-10

Another issue is that we don't have access to the Play Store account where Termux is published. We will need to change the application name and package name (application id) in order to be able to publish it into the new account.

sylirre avatar Oct 03 '22 07:10 sylirre