I am getting the following messages when signing an Android app bundle:
Signing file D:/dev/repos/examples/src/MyApp/build-MyAppQt-Android_Qt_6_6_0_arm64_v8a_release_Clang_arm64_v8a-Release/android-build//build/outputs/bundle/release/android-build-release.aab
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v3.1 scheme (APK Signature Scheme v3.1): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
WARNING: META-INF/com/android/build/gradle/app-metadata.properties not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.activity_activity.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.annotation_annotation-experimental.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.appcompat_appcompat-resources.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.appcompat_appcompat.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.arch.core_core-runtime.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.browser_browser.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.core_core-ktx.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.core_core.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.cursoradapter_cursoradapter.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.customview_customview.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.datastore_datastore.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.drawerlayout_drawerlayout.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.fragment_fragment.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.interpolator_interpolator.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.lifecycle_lifecycle-livedata-core.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.lifecycle_lifecycle-livedata.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.lifecycle_lifecycle-runtime.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.lifecycle_lifecycle-service.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.lifecycle_lifecycle-viewmodel.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.loader_loader.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.privacysandbox.ads_ads-adservices-java.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.privacysandbox.ads_ads-adservices.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.recyclerview_recyclerview.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.room_room-runtime.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.savedstate_savedstate.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.sqlite_sqlite-framework.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.sqlite_sqlite.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.startup_startup-runtime.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.tracing_tracing.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.transition_transition.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.vectordrawable_vectordrawable-animated.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.vectordrawable_vectordrawable.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.versionedparcelable_versionedparcelable.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.viewpager2_viewpager2.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.viewpager_viewpager.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.work_work-runtime.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/com.google.dagger_dagger.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/kotlinx_coroutines_core.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
Android package built successfully in 97.909 ms.
-- File: D:/dev/repos/examples/src/MyApp/build-MyAppQt-Android_Qt_6_6_0_arm64_v8a_release_Clang_arm64_v8a-Release/android-build//build/outputs/apk/release/android-build-release-signed.apk
Is it safe to ignore them and publish the app on Google Play?
Why are these files not signed?
My build.gradle:
buildscript {
    ext.kotlin_version = '1.8.0'
    repositories {
        google()
        mavenCentral()
    }
    dependencies {
        classpath 'com.android.tools.build:gradle:7.4.1'
        classpath("org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version")
    }
}

repositories {
    google()
    mavenCentral()
}

apply plugin: 'com.android.application'

dependencies {
    // implementation(platform("org.jetbrains.kotlin:kotlin-bom:1.8.0"))
    implementation fileTree(dir: 'libs', include: ['*.jar', '*.aar'])
    implementation 'com.yandex.android:mobileads:6.2.0'
    implementation 'com.yandex.ads.mediation:mobileads-google:22.4.0.0'
    // implementation 'com.google.android.gms:play-services-ads:21.5.0'
    implementation "com.android.billingclient:billing:6.0.1"
    // From the template
    implementation 'androidx.core:core:1.10.1'
}

android {
    /*******************************************************
     * The following variables:
     * - androidBuildToolsVersion,
     * - androidCompileSdkVersion
     * - qtAndroidDir - holds the path to qt android files
     *                  needed to build any Qt application
     *                  on Android.
     *
     * are defined in gradle.properties file. This file is
     * updated by QtCreator and androiddeployqt tools.
     * Changing them manually might break the compilation!
     *******************************************************/
    //androiddeployqt.exe fails without package attribute in the manifest.
    //namespace 'net.geographx.LinesGame'
    compileSdkVersion androidCompileSdkVersion.toInteger()
    buildToolsVersion androidBuildToolsVersion
    ndkVersion androidNdkVersion

    sourceSets {
        main {
            manifest.srcFile 'AndroidManifest.xml'
            java.srcDirs = [qtAndroidDir + '/src', 'src', 'yandex-ad-src', 'java']
            aidl.srcDirs = [qtAndroidDir + '/src', 'src', 'aidl']
            res.srcDirs = [qtAndroidDir + '/res', 'res']
            resources.srcDirs = ['resources']
            renderscript.srcDirs = ['src']
            assets.srcDirs = ['assets']
            jniLibs.srcDirs = ['libs']
        }
    }

    tasks.withType(JavaCompile) {
        options.incremental = true
    }

    compileOptions {
        sourceCompatibility JavaVersion.VERSION_1_8
        targetCompatibility JavaVersion.VERSION_1_8
    }

    // From the template
    // Extract native libraries from the APK
    packagingOptions.jniLibs.useLegacyPackaging true

    lintOptions {
        abortOnError false
    }

    // Do not compress Qt binary resources file
    aaptOptions {
        noCompress 'rcc'
    }

    defaultConfig {
        minSdkVersion qtMinSdkVersion
        targetSdkVersion qtTargetSdkVersion
        ndk.abiFilters = qtTargetAbiList.split(",")
        //For debug builds native-debug-symbols.zip size is 432MB.
        //Use SYMBOL_TABLE to upload debug builds.
        ndk.debugSymbolLevel "FULL"
    }

    //The build type becomes release when we sign the bundle,
    //otherwise the build type is debug with both Debug and RelWithDebInfo.
    //With SYMBOL_TABLE we have .sym in native-debug-symbols.zip and
    //with FULL we have .dbg.
    /*
    buildTypes {
        release {
            //Full debug for uploading production and beta builds.
            ndk.debugSymbolLevel "FULL"
        }
        debug {
            //Small debug info for uploading internal testing builds.
            ndk.debugSymbolLevel "SYMBOL_TABLE"
        }
    }
    */
}
I am not sure what the exact signing command is, because Qt Creator does not show it in the build log.
1 Answer
atmip9wb #1
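Summary
The warnings you are getting only apply to APK signature v1, but since the APK file also contains v2 and v3 signatures, you can safely ignore this message, because the newer signature schemes detect every modification of the APK file.
However, even if the signature can be verified, that does not mean the APK file is authentic. It can still have been re-signed after modification, so you should carefully compare the certificate digest(s) (shown when verifying with apksigner verify --verbose --print-certs) of the APK you want to verify with those of other APK files from the same app developer. See the short how-to on comparing APKs.
Detailed explanation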
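First, you can see that what you get is a warning, not an error. If the relevant file(s) of the APK had been modified, verification would fail and you would get an error message.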
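To understand the warning message you need to know a little about how Java and JAR signing (APK signature v1) work. This old signature is stored in two files inside the JAR: META-INF/CERT.SF and META-INF/CERT.RSA. Of course a signature cannot sign the file it is written into, so these files are excluded from the signature. In addition, the META-INF directory is the location of MANIFEST.MF, a file that is only relevant for Java on the desktop and is not used by Android at all. There can be other files in the META-INF directory, and given the standard Java directory layout, no code should be stored in files inside the META-INF directory.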
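Because of all this, Sun, as the original inventor of Java, decided to exclude the META-INF directory from Java code signing. Years later Google simply used Java signing for APK files, which is now called APK signature v1.
So with APK signature v1 the files in the META-INF directory are not included in the signature, so if you only verify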
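Because of several attacks on the APK signature itself (for example including the same file multiple times in the APK with different content), Google decided to develop a completely new APK signature that is applied not to the APK content but to the whole APK file itself. This was the beginning of APK signature v2 and its successors.
These new APK signature schemes do sign the complete APK content at once, without excluding individual files stored in the APK file.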
Back to your APK. You have posted the apksigner output:
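As you can see, the APK file is signed not only with a v1 signature but also with v2 and v3 signatures. This means the warning only applies to the signature created by the v1 scheme. You can easily verify this by modifying a single character inside a file located in the META-INF directory. These files are usually stored uncompressed in the APK file. You can open the APK in a hex editor, modify one character in the section belonging to that file (it is the first ZIP entry in the APK), and then verify the APK again. You will get a result like the following: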
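As you can see, the APK signature is now considered invalid. The complete APK signature verification scheme is documented by Google, for example: Google Android APK Signature Scheme v3.0 verification.
As I understand it, all signatures except v1 should fail on the modified APK file. So if you check the APK using the old jarsigner from the JDK, it will pass the verification test.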
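
The v1 behaviour described in this answer, as an added example that is not part of the original answer and is not apksigner's code: a Python check of which ZIP entries a JAR-style MANIFEST.MF covers with a digest. It compares digests only and does not validate the CERT.SF/CERT.RSA signature chain; the archive contents and all function names are constructed for illustration.

```python
import base64, hashlib, io, zipfile

# Files that carry the v1 signature itself; they cannot be covered by it.
SIG_FILES = {"META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA"}

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_manifest(text):
    """Return {entry name: base64 SHA-256 digest} from the per-entry sections."""
    # Unfold continuation lines: a line starting with one space continues the previous one.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    digests = {}
    for section in text.split("\n\n")[1:]:  # section 0 holds the main attributes
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in attrs and "SHA-256-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA-256-Digest"]
    return digests

def v1_coverage(jar_bytes):
    """Label each entry 'ok', 'mismatch' or 'unprotected' against MANIFEST.MF digests."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for name in zf.namelist():
            if name in SIG_FILES:
                continue
            if name not in digests:
                report[name] = "unprotected"  # edits to this entry go unnoticed by v1
            else:
                same = b64_sha256(zf.read(name)) == digests[name]
                report[name] = "ok" if same else "mismatch"
    return report

def build_sample(dex=b"dex-bytes", version=b"1.10.1\n"):
    """Constructed archive: the manifest lists classes.dex but not the .version file."""
    manifest = ("Manifest-Version: 1.0\n\n"
                f"Name: classes.dex\nSHA-256-Digest: {b64_sha256(b'dex-bytes')}\n\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/androidx.core_core.version", version)
        zf.writestr("classes.dex", dex)
    return buf.getvalue()

if __name__ == "__main__":
    for label, jar in [("original", build_sample()),
                       ("edited .version", build_sample(version=b"x")),
                       ("edited classes.dex", build_sample(dex=b"patched"))]:
        print(label, v1_coverage(jar))
```

Editing the .version entry leaves the report unchanged, while editing classes.dex is reported as a mismatch; this is the gap that the whole-file v2 and v3 schemes close.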