Shadowsocks-android: APKs using deprecated MD5 signature

Created on 1 Nov 2017 · 16 comments · Source: shadowsocks/shadowsocks-android

Just a note: your APKs are still signed using MD5, which is deprecated.

ERROR: JAR signer GAEPROXY.RSA: Failed to verify JAR signature META-INF/GAEPROXY.RSA against META-INF/GAEPROXY.SF: java.security.SignatureException: Algorithm constraints check failed on disabled algorithm: MD5.

As you know, deprecated soon might mean unsupported – so you might wish to act on this :wink:

BTW: Also applies to the KCPTUN plugin.

Labels: enhancement, good first issue

All 16 comments

@Mygod Any comments?

I didn't find any source about this.

Might be relevant: https://source.android.com/security/apksigning/v2

There is absolutely nothing I can do about this one lol.

I just checked again and this error message doesn't seem to come from AOSP. However it's indeed insecure to use MD5 as a hash function for signatures.

@Mygod It's probably your signing key (which would also well explain why both apps are affected in the same way). Can you verify that? And, if you know how to upgrade the key, hints are welcome behind the link as well :wink:

As for v2 signing: that's a different issue altogether. If you go that path, make sure to keep v1 signing along or your apps won't be able to install on Android < 7/Nougat.

Ah, and the message comes from apksigner verify <package>.apk – sorry for not having stated that more clearly. apksigner is used by recent versions of fdroidserver to make sure the packages are valid. As for MD5 (and other deprecated signing algorithms), that's just a warning and one can tell it via the config to accept the package nevertheless. Still, as you've pointed out correctly, "it's indeed insecure to use MD5 as a hash function for signatures".

So: Nothing "urgently to fix yesterday" – but to keep in mind for "not postponing too long" :wink:

I think we have the same problem as https://github.com/zxing/zxing/issues/900#issuecomment-341115661.

Our key has been used for 7 years, so maybe there is nothing I can do unless I create a new app and re-sign it with a new key.

@madeye I don't know if there's a way to "upgrade" a key. I vaguely remember there was a procedure for GPG keys (I had a comparable issue with my Debian repo a while ago), so updates won't break (if you change to a completely new key, Android wouldn't accept new versions of your app as updates due to different signature) – one reason I've linked your issues, so if one finds out the solution can be shared.

@IzzySoft Could you also submit this issue to Google (maybe AOSP issue tracker)? I think it should be a common issue for many "old" applications.

I avoid Google as best as I can (which is why I run my own F-Droid compatible repo, where you can also find ShadowSocks) – they've already collected enough details on me (yes, I'm a "tin foil"). I wouldn't even know where to submit such an issue. And not being an Android dev, how should I verify if any solution they propose works out? But feel free to do so yourself!

Besides: Most folks won't check those issues "pro-actively" but rather do a web-search for the error message. Those will find these Github issues then as easy as any others :wink:

@madeye and @Mygod AdGuard just managed to solve this issue for their app (see here). Their solution might apply to Zxing as well. Quoting:

The solution was clearly one of the:

  • Transition from Maven to Gradle build system.
  • Update of Android SDK and build tools.

But no change in certificates and keys was made.

Worth a look I'd say (a quick glance informs me you're not using Gradle, so it might apply).

In that case fixed via #1478. Could you try out the APK from the beta branch and confirm that this issue has been fixed? It should use v2Signing by default. Also you could report this bug to sbt-android. :)

@Mygod do you have a link to that APK? And what sbt-android should I report to?

Yes, the MD5 error is gone from that. Though it spits a bunch of warnings for those META-INF/*.version files you might wish to remove from the release build, example:

WARNING: META-INF/android.arch.lifecycle_runtime.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.

As I'm not directly involved with Scala (I'm just running a repo, I'm not an Android dev myself) I'd rather not report there. Wouldn't know what exactly to tell them, and also already got enough things to catch up with :wink: But feel free to reference.

Please remind me to check the next release (just to make sure) and report back here, so we can (probably) close this issue. Thanks!
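The two apksigner findings in this thread (the "disabled algorithm: MD5" error on the META-INF/*.RSA block, and the "not protected by signature" warning for META-INF/*.version entries) can be checked offline with a small script. This is an added example, not code from shadowsocks-android, fdroidserver or apksigner; it assumes a standard v1 (JAR) signed APK, uses a minimal DER walker rather than a full PKCS#7 parser, and the sample APK it inspects is constructed in memory.

```python
import io
import zipfile

WEAK_OIDS = {"1.2.840.113549.2.5": "MD5", "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}  # what apksigner rejects


def der_oids(data):
    """Minimal DER walker: yield every OBJECT IDENTIFIER in dotted form, recursing into constructed types."""
    i = 0
    while i + 1 < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                          # long-form length: low 7 bits = number of length bytes
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        body, i = data[i:i + length], i + length
        if tag & 0x20:                             # constructed (SEQUENCE, SET, [0] ...): look inside
            yield from der_oids(body)
        elif tag == 0x06 and body:                 # primitive OBJECT IDENTIFIER
            arcs, val = [body[0] // 40, body[0] % 40], 0
            for b in body[1:]:                     # base-128 arcs, high bit set = more bytes follow
                val = (val << 7) | (b & 0x7F)
                if not b & 0x80:
                    arcs.append(val)
                    val = 0
            yield ".".join(map(str, arcs))


def weak_signature_algorithms(apk_bytes):
    """Weak algorithms named in each v1 signature block (META-INF/*.RSA, *.DSA, *.EC)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {n: sorted({WEAK_OIDS[o] for o in der_oids(zf.read(n)) if o in WEAK_OIDS})
                for n in zf.namelist() if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))}


def unprotected_entries(apk_bytes):
    """Entries no META-INF/*.SF names, i.e. what apksigner reports as 'not protected by signature'."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        covered = set()
        for n in zf.namelist():
            if n.startswith("META-INF/") and n.upper().endswith(".SF"):
                text = zf.read(n).decode().replace("\r\n ", "").replace("\n ", "")   # unfold wrapped lines
                covered.update(line[6:] for line in text.splitlines() if line.startswith("Name: "))
        return sorted(n for n in zf.namelist() if not n.endswith("/") and n not in covered
                      and not (n.startswith("META-INF/") and n.upper().endswith(("MANIFEST.MF", ".SF", ".RSA", ".DSA", ".EC"))))


def build_sample_apk():
    """Constructed sample: signed classes.dex, a stray .version file, and a DER AlgorithmIdentifier for md5WithRSA as CERT.RSA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\r\n\r\nName: classes.dex\r\nSHA-256-Digest: x\r\n\r\n")
        zf.writestr("META-INF/CERT.RSA", bytes.fromhex("300d06092a864886f70d0101040500"))
        zf.writestr("META-INF/android.arch.lifecycle_runtime.version", b"1.0.0\n")
    return buf.getvalue()
```

On a real APK, pass the file's bytes to both functions; a signature block that mentions md5WithRSAEncryption is the case apksigner rejects, and every entry returned by `unprotected_entries` is one it warns about.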

I think those files are injected by Gradle and they are not used in any way (maybe used for debugging purposes or sanity checks). So it wouldn't be an issue at all even if some malicious attacker would like to change those files. Maybe you would want to report this bug to the Android-Gradle build system.

Our next 4.4.0+ release will almost definitely use Gradle so it's safe to close this issue now.

I lack the background to report it there – but feel free to say I'd annoy you too much and you want that fixed so I'm shut up :rofl:

Thanks again!

No, not at all. Feel free to reopen this issue or submit another issue if you ever happen to find another issue. And I feel like sbt-android isn't being actively maintained any more (one of the main reasons to rewrite this project in Kotlin), so I'm not bothered to open an issue there.

Thank you for the good find.
