我在签署Android应用程序包时收到以下消息：

Signing file D:/dev/repos/examples/src/MyApp/build-MyAppQt-Android_Qt_6_6_0_arm64_v8a_release_Clang_arm64_v8a-Release/android-build//build/outputs/bundle/release/android-build-release.aab
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v3.1 scheme (APK Signature Scheme v3.1): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
WARNING: META-INF/com/android/build/gradle/app-metadata.properties not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.activity_activity.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.annotation_annotation-experimental.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.appcompat_appcompat-resources.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.appcompat_appcompat.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.arch.core_core-runtime.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.browser_browser.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.core_core-ktx.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.core_core.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.cursoradapter_cursoradapter.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.customview_customview.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.datastore_datastore.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.drawerlayout_drawerlayout.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.fragment_fragment.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.interpolator_interpolator.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.lifecycle_lifecycle-livedata-core.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.lifecycle_lifecycle-livedata.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.lifecycle_lifecycle-runtime.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.lifecycle_lifecycle-service.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.lifecycle_lifecycle-viewmodel.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.loader_loader.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.privacysandbox.ads_ads-adservices-java.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.privacysandbox.ads_ads-adservices.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.recyclerview_recyclerview.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.room_room-runtime.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.savedstate_savedstate.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.sqlite_sqlite-framework.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.sqlite_sqlite.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.startup_startup-runtime.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.tracing_tracing.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.transition_transition.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.vectordrawable_vectordrawable-animated.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.vectordrawable_vectordrawable.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.versionedparcelable_versionedparcelable.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.viewpager2_viewpager2.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.viewpager_viewpager.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.work_work-runtime.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/com.google.dagger_dagger.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/kotlinx_coroutines_core.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
Android package built successfully in 97.909 ms.
-- File: D:/dev/repos/examples/src/MyApp/build-MyAppQt-Android_Qt_6_6_0_arm64_v8a_release_Clang_arm64_v8a-Release/android-build//build/outputs/apk/release/android-build-release-signed.apk

字符串
忽略它们并在Google Play上发布应用程序是否安全？
为什么这些文件没有签名？
我的build.gradle：

buildscript {
    ext.kotlin_version = '1.8.0'
    repositories {
        google()
        mavenCentral()
    }
    dependencies {
        classpath 'com.android.tools.build:gradle:7.4.1'
        classpath("org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version")
    }
}
repositories {
    google()
    mavenCentral()
}
apply plugin: 'com.android.application'
dependencies {
    // implementation(platform("org.jetbrains.kotlin:kotlin-bom:1.8.0"))
    implementation fileTree(dir: 'libs', include: ['*.jar', '*.aar'])
    implementation 'com.yandex.android:mobileads:6.2.0'
    implementation 'com.yandex.ads.mediation:mobileads-google:22.4.0.0'
    // implementation 'com.google.android.gms:play-services-ads:21.5.0'
    implementation "com.android.billingclient:billing:6.0.1"
    // From the template
    implementation 'androidx.core:core:1.10.1'
}
android {
    /*******************************************************
    * The following variables:
    * - androidBuildToolsVersion,
    * - androidCompileSdkVersion
    * - qtAndroidDir - holds the path to qt android files
    *                   needed to build any Qt application
    *                   on Android.
    *
    * are defined in gradle.properties file. This file is
    * updated by QtCreator and androiddeployqt tools.
    * Changing them manually might break the compilation!
    *******************************************************/
    //androiddeployqt.exe fails without package attribute in the mainifest.
    //namespace 'net.geographx.LinesGame'
    compileSdkVersion androidCompileSdkVersion.toInteger()
    buildToolsVersion androidBuildToolsVersion
    ndkVersion androidNdkVersion
    sourceSets {
        main {
            manifest.srcFile 'AndroidManifest.xml'
            java.srcDirs = [qtAndroidDir + '/src', 'src', 'yandex-ad-src', 'java']
            aidl.srcDirs = [qtAndroidDir + '/src', 'src', 'aidl']
            res.srcDirs = [qtAndroidDir + '/res', 'res']
            resources.srcDirs = ['resources']
            renderscript.srcDirs = ['src']
            assets.srcDirs = ['assets']
            jniLibs.srcDirs = ['libs']
    }
    }
    tasks.withType(JavaCompile) {
        options.incremental = true
    }
    compileOptions {
        sourceCompatibility JavaVersion.VERSION_1_8
        targetCompatibility JavaVersion.VERSION_1_8
    }
    // From the template
    // Extract native libraries from the APK
    packagingOptions.jniLibs.useLegacyPackaging true
    lintOptions {
        abortOnError false
    }
    // Do not compress Qt binary resources file
    aaptOptions {
        noCompress 'rcc'
    }
    defaultConfig {
        minSdkVersion qtMinSdkVersion
        targetSdkVersion qtTargetSdkVersion
        ndk.abiFilters = qtTargetAbiList.split(",")
        //For debug builds native-debug-symbols.zip size is 432MB.
        //Use SYMBOL_TABLE to upload debug builds.
        ndk.debugSymbolLevel "FULL"
    }
    //The build type becomes release when we sign the bundle,
    //otherwize the build type is debug with both Debug and RelWithDebInfo.
    //With SYMBOL_TABLE we have .sym in native-debug-symbols.zip and
    //with FULL we have .dbg.
    /*
    buildTypes {
        release {
            //Full debug for uploading production and beta builds.
            ndk.debugSymbolLevel "FULL"
        }
        debug {
            //Small debug info for uploading internal testing builds.
            ndk.debugSymbolLevel "SYMBOL_TABLE"
        }
    }
    */
}

型
我不确定什么是确切的签名命令，因为QT创建者没有在构建日志中显示它。

摘要

您遇到的警告仅适用于APK签名v1，但由于APK文件还包含v2和v3签名，因此您可以安全地忽略此消息，因为较新的签名方案可以检测到对APK文件的每次修改。
然而，即使签名可以被验证，并不意味着APK文件是真实的。它仍然可以在修改后重新签名，因此，您应该仔细比较证书摘要，（使用apksigner verify --verbose --print-certs验证时显示）要验证的APK的证书摘要，并将其与同一应用开发者的其他APK文件进行比较。有关如何比较APK的缩写。

详细说明

首先，你可以看到你得到的是一个警告，而不是一个错误。如果APK文件的相关文件（s）将被修改，验证将失败，你会得到一个错误消息。
要理解警告消息，您需要对Java和Java签名（APK签名v1）的工作原理有一点了解。这个旧的签名存储在JAR中的两个文件中：META-INF/CERT.SF和META-INF/CERT.RSA。当然，签名不能对它所写入的文件进行签名，因此这些文件被签名排除在外。
此外，META-INF目录是MANIFEST.MF的位置-该文件仅与桌面上的Java相关，但Android根本不使用。
在META-INF目录中可以有其他文件，考虑到标准的Java目录布局，不应将任何代码存储在META-INF目录中的文件内。
由于所有这些，Sun作为Java的最初发明者决定将META-INF目录从Java代码签名中排除。几年后，Google只是将Java签名用于APK文件，现在称为APK签名v1。
因此，对于APK签名v1，META-INF目录中的文件不包含在签名中，因此，如果您仅验证
由于对APK签名本身的几次攻击（例如在APK中多次包含相同的文件和不同的内容），Google决定开发一个全新的APK签名，它不应用于APK内容，而是应用于整个APK文件本身。这是APK签名v2及其后续版本的开始。
这些新的APK签名方案确实可以一次对完整的APK内容进行签名，而不排除APK文件中存储的单个文件。
返回ypur APK。您已经发布了apksigner输出：

Signing file D:/dev/repos/examples/src/MyApp/build-MyAppQt-Android_Qt_6_6_0_arm64_v8a_release_Clang_arm64_v8a-Release/android-build//build/outputs/bundle/release/android-build-release.aab
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v3.1 scheme (APK Signature Scheme v3.1): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
...

字符串
如您所见，APK文件不仅由v1签名签名，还由v2和v3签名签名。这意味着警告仅适用于由v1方案创建的签名。您可以通过修改位于META-INF目录中的文件内的单个字符来轻松验证。这些文件通常以未压缩的形式存储在APK文件中。您可以在一个十六进制编辑器，修改属于该文件的部分中的一个字符（它是APK中的第一个ZIP条目），然后再次验证APK。您将得到如下所示的结果：

java -jar apksigner.jar verify --verbose "modifie_android-build-release.aab"
DOES NOT VERIFY
ERROR: APK Signature Scheme v3 signer #1: APK integrity check failed. CHUNKED_SHA256 digest mismatch. Expected: <ac8a15569352655a22f13d3c565c2c0e5c62dc70c8f6f8c10f6fbfa63decb19b>, actual: <aa5622cd904500c38424562ef4b5be9e5716d10a85985a41f35e4ed834cee8fe>
ERROR: APK Signature Scheme v3 signer #1: APK integrity check failed. VERITY_CHUNKED_SHA256 digest mismatch. Expected: <56eeebd545733fd6408cd6a30b8bcf98a557076167902b6d9502b5aca86b78e89b42220000000000>, actual: <c37e1e1436cfd62f89592c48211ffb6ad2f1dff0f69d2203072f1e6c3872a5919b42220000000000>

型
如您所见，现在APK签名被视为无效。完整的APK签名验证系统由Google提供，例如：Google Android APK签名v3.0验证方案
根据我的理解，除了v1之外的所有签名在修改过的APK文件上都应该失败。所以如果你使用JDK中的旧jarsigner检查APK，它将通过验证测试。

展开查看全部

gradle 一个不受签名保护的文件,对该目录项的未经授权的修改将不会被检测到

1条答案

摘要

详细说明

相关问题

热门标签

最新问答