From 854ad03dd8743b73c7eaed8e9969ed12e206470d Mon Sep 17 00:00:00 2001 From: FriendlyNeighborhoodShane Date: Sat, 29 Jul 2023 05:54:38 +0530 Subject: [PATCH] res/util/func-resdl.sh: use apksigner for cert dump Avoids a dependency on openssl. --- README.md | 8 ++++---- res/util/func-resdl.sh | 12 ++++++------ 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 1fed2d7..3fb6f94 100644 --- a/README.md +++ b/README.md @@ -132,10 +132,10 @@ specific files. You can pass `build.sh` some specific pack's conf names instead of all to build only the specific packs. -If you have `apksigner` and `openssl` installed, the update script will dump -the signing certificates of all downloaded APKs and repo jars to -`resdl/util/certs`. It will compare all future downloads with those certs, and -in case of any signature errors or mismatches, will warn you. +If you have `apksigner` installed, the update script will dump the signing +certificates of all downloaded APKs and repo jars to `resdl/util/certs`. It +will compare all future downloads with those certs, and in case of any +signature errors or mismatches, will warn you. If you have `aapt` installed, the update script will download the permission docs from the Android website, check the priv-apps for any new privileged diff --git a/res/util/func-resdl.sh b/res/util/func-resdl.sh index c2e0e22..fcb0715 100755 --- a/res/util/func-resdl.sh +++ b/res/util/func-resdl.sh @@ -61,9 +61,9 @@ verifycerts() { [ "$stuff_repo" ] || echo "$stuff_download" | grep -qE "^[ ]*[^ ]+.apk[ ]+" || return 0; - command -v "apksigner" >/dev/null && command -v "openssl" >/dev/null || { + command -v "apksigner" >/dev/null || { echo " "; - echo " !! Not checking certificates (missing apksigner or openssl)"; + echo " !! Not checking certificates (missing apksigner)"; return 0; } 
@@ -82,10 +82,10 @@ verifycerts() {
 [ -f "$certdir/$certobject" ] || {
 echo " -- Adding cert for new repo ($repo)";
 mkdir -p "$certdir/$(dirname "$certobject")";
- unzip -p "$tmpdir/repos/$repo.jar" "META-INF/*.RSA" | openssl pkcs7 -inform der -print_certs > "$certdir/$certobject";
+ apksigner verify --min-sdk-version=19 --max-sdk-version=19 --print-certs-pem "$tmpdir/repos/$repo.jar" | grep -v '^WARNING: ' > "$certdir/$certobject";
 continue;
 }
- unzip -p "$tmpdir/repos/$repo.jar" "META-INF/*.RSA" | openssl pkcs7 -inform der -print_certs > "$tmpdir/tmp.cer";
+ apksigner verify --min-sdk-version=19 --max-sdk-version=19 --print-certs-pem "$tmpdir/repos/$repo.jar" | grep -v '^WARNING: ' > "$tmpdir/tmp.cer";
 [ "$(diff -w "$tmpdir/tmp.cer" "$certdir/$certobject")" ] && {
 echo " !! Cert mismatch for repo ($repo)";
 cp -f "$tmpdir/tmp.cer" "$certdir/$certobject.new";
@@ -105,10 +105,10 @@ verifycerts() {
 [ -f "$certdir/$certobject" ] || {
 echo " -- Adding cert for new APK ($object)";
 mkdir -p "$certdir/$(dirname "$certobject")";
- unzip -p "$resdldir/$object" "META-INF/*.RSA" | openssl pkcs7 -inform der -print_certs > "$certdir/$certobject";
+ apksigner verify --print-certs-pem "$resdldir/$object" | grep -v '^WARNING: ' > "$certdir/$certobject";
 continue;
 }
- unzip -p "$resdldir/$object" "META-INF/*.RSA" | openssl pkcs7 -inform der -print_certs > "$tmpdir/tmp.cer";
+ apksigner verify --print-certs-pem "$resdldir/$object" | grep -v '^WARNING: ' > "$tmpdir/tmp.cer";
 [ "$(diff -w "$tmpdir/tmp.cer" "$certdir/$certobject")" ] && {
 echo " !! Cert mismatch for APK ($object)";
 cp -f "$tmpdir/tmp.cer" "$certdir/$certobject.new";
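Review bot: The exit status of `apksigner verify` is lost in the `| grep -v '^WARNING: '` pipeline, so in the new-repo branch whatever reaches stdout, including nothing at all, is written to `$certdir/$certobject` and becomes the pinned certificate. If apksigner fails (an unsigned or corrupt jar, or possibly an installed apksigner that does not accept `--print-certs-pem`), an empty pin would be stored and a later, equally empty dump would pass the `diff -w` comparison without any warning. I would dump to `$tmpdir/tmp.cer` first in both branches and refuse to pin or compare an empty result, e.g. `[ -s "$tmpdir/tmp.cer" ] || { echo " !! Could not dump cert for repo ($repo)"; continue; }`. The same applies to the APK lines in the following hunk (`@@ -105,10`). The loop and the rest of verifycerts lie outside these hunks, so an earlier check there may already cover part of this.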