From 0d5fde334df7fb8d130b52c78d6e5d30825f37a3 Mon Sep 17 00:00:00 2001
From: Marcus Hoffmann
Date: Wed, 7 Oct 2020 16:02:08 +0200
Subject: [PATCH] fix keytool not working with default smartcardoptions

This broke in 74af61f255fc492fbdfe061e71084b86f58bcc28. Keytool has still a different opinion from both apksigner and jarsigner about the providerName argument. apksigner doesn't support it at all, jarsigner ignores it but keytool fails without it. :-/ So we add it back to the default argument list but filter it out before calling apksigner.
---
 examples/config.py | 2 +-
 fdroidserver/common.py | 13 ++++++++++---
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/examples/config.py b/examples/config.py
index 7b43976c..fc30af15 100644
--- a/examples/config.py
+++ b/examples/config.py
@@ -131,7 +131,7 @@ The repository of older versions of applications from the main demo repository.
 # You should not need to change these at all, unless you have a very
 # customized setup for using smartcards in Java with keytool/jarsigner
-# smartcardoptions = "-storetype PKCS11 \
+# smartcardoptions = "-storetype PKCS11 -providerName SunPKCS11-OpenSC \
 # -providerClass sun.security.pkcs11.SunPKCS11 \
 # -providerArg opensc-fdroid.cfg"
diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index 610e0f74..4131f5af 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -323,7 +323,8 @@ def read_config(opts, config_file='config.py'):
 config['smartcardoptions'] = re.sub(r'\s+', r' ', config['smartcardoptions']).split(' ')
 elif not smartcardoptions and 'keystore' in config and config['keystore'] == 'NONE':
 # keystore='NONE' means use smartcard, these are required defaults
- config['smartcardoptions'] = ['-storetype', 'PKCS11', '-providerClass',
+ config['smartcardoptions'] = ['-storetype', 'PKCS11', '-providerName',
+ 'SunPKCS11-OpenSC', '-providerClass',
 'sun.security.pkcs11.SunPKCS11', '-providerArg', 'opensc-fdroid.cfg']
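Review bot: The new default in read_config hard-codes the provider name `SunPKCS11-OpenSC` beside `-providerArg opensc-fdroid.cfg`, and nothing in the code says the two have to agree. As far as I know, the SunPKCS11 provider registers itself as `SunPKCS11-` plus the `name` attribute from its config file, so a renamed entry in that file would make keytool fail again; the file's contents are not visible here, so this should be confirmed. A comment above the list would record the coupling, for example `# -providerName must equal "SunPKCS11-" + name from opensc-fdroid.cfg; keytool needs it, apksigner rejects it`. The user-supplied branch on the first context line is left as the operator wrote it, so a custom `smartcardoptions` without `-providerName` presumably still breaks keytool, which the example config comment could mention. read_config starts and ends outside this hunk.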
@@ -3082,15 +3083,21 @@ def sign_apk(unsigned_path, signed_path, keyalias):
 apk = _get_androguard_APK(unsigned_path)
 if apk.get_effective_target_sdk_version() >= 30:
 if config['keystore'] == 'NONE':
- # NOTE: apksigner doesn't like -providerName/--provider-name at all, don't use
+ # NOTE: apksigner doesn't like -providerName/--provider-name at all, don't use that.
 # apksigner documents the options as --ks-provider-class and --ks-provider-arg
 # those seem to be accepted but fail when actually making a signature with
 # weird internal exceptions. Those options actually work.
 # From: https://geoffreymetais.github.io/code/key-signing/#scripting
+ apksigner_smartcardoptions = config['smartcardoptions'].copy()
+ if '-providerName' in apksigner_smartcardoptions:
+ pos = config['smartcardoptions'].index('-providerName')
+ # remove -providerName and it's argument
+ del apksigner_smartcardoptions[pos]
+ del apksigner_smartcardoptions[pos]
 replacements = {'-storetype': '--ks-type',
 '-providerClass': '--provider-class',
 '-providerArg': '--provider-arg'}
- signing_args = [replacements.get(n, n) for n in config['smartcardoptions']]
+ signing_args = [replacements.get(n, n) for n in apksigner_smartcardoptions]
 else:
 signing_args = ['--key-pass', 'env:FDROID_KEY_PASS']
 if not find_apksigner():
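Review bot: The `-providerName` filter reads `pos` from `config['smartcardoptions']` but deletes from the copy, and the two back-to-back `del apksigner_smartcardoptions[pos]` statements raise IndexError when a user-supplied `smartcardoptions` ends with `-providerName` and no value follows it. Look the index up in the list being modified and drop the pair with a slice, which tolerates a missing value: `pos = apksigner_smartcardoptions.index('-providerName')` followed by `del apksigner_smartcardoptions[pos:pos + 2]`. Only the first occurrence is removed, so a repeated option would still reach apksigner. The inline comment should state the assumption that the option always takes exactly one value, and should read `its argument` rather than `it's argument`. sign_apk begins and continues outside this hunk.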