<!-- {{{1
File : README.md
Maintainer : FC Stegerman <flx@obfusk.net>
Date : 2023-02-08
Copyright : Copyright (C) 2023 FC Stegerman
Version : v1.1.1
License : GPLv3+
}}}1 -->
[](https://github.com/obfusk/apksigcopier/releases)
[](https://pypi.python.org/pypi/apksigcopier)
[](https://pypi.python.org/pypi/apksigcopier)
[](https://github.com/obfusk/apksigcopier/actions?query=workflow%3ACI)
[](https://www.gnu.org/licenses/gpl-3.0.html)
<a href="https://repology.org/project/apksigcopier/versions">
<img src="https://repology.org/badge/vertical-allrepos/apksigcopier.svg?header="
alt="Packaging status" align="right" />
</a>
<a href="https://repology.org/project/python:apksigcopier/versions">
<img src="https://repology.org/badge/vertical-allrepos/python:apksigcopier.svg?header="
alt="Packaging status" align="right" />
</a>
# apksigcopier
## copy/extract/patch android apk signatures & compare apks
`apksigcopier` is a tool for copying [android APK
signatures](https://source.android.com/docs/security/features/apksigning)
from a signed APK to an unsigned one (in order to verify [reproducible
builds](https://f-droid.org/docs/Reproducible_Builds/)). It can also
be used to compare two APKs with different signatures. Its
command-line tool offers four operations:
* copy signatures directly from a signed to an unsigned APK
* extract signatures from a signed APK to a directory
* patch previously extracted signatures onto an unsigned APK
* compare two APKs with different signatures
### Extract
```bash
$ mkdir meta
$ apksigcopier extract signed.apk meta
$ ls -1 meta
8BEA2A77.RSA
8BEA2A77.SF
APKSigningBlock
APKSigningBlockOffset
MANIFEST.MF
```
### Patch
```bash
$ apksigcopier patch meta unsigned.apk out.apk
```
### Copy (Extract & Patch)
```bash
$ apksigcopier copy signed.apk unsigned.apk out.apk
```
### Compare (Copy & Verify)
Compare two APKs by copying the signature from the first to a copy of the second
and checking if the resulting APK verifies.
This command requires `apksigner`.
```bash
$ apksigcopier compare foo-from-fdroid.apk foo-built-locally.apk
$ apksigcopier compare --unsigned foo.apk foo-unsigned.apk
```
NB: copying from an APK v1-signed with `signflinger` to an APK signed with
`apksigner` works, whereas the reverse fails; see the [FAQ](#faq).
### Help
```bash
$ apksigcopier --help
$ apksigcopier copy --help # extract --help, patch --help, etc.
$ man apksigcopier # requires the man page to be installed
```
### Environment Variables
The following environment variables can be set to `1`, `yes`, or
`true` to override the default behaviour:
* set `APKSIGCOPIER_EXCLUDE_ALL_META=1` to exclude all metadata files
* set `APKSIGCOPIER_COPY_EXTRA_BYTES=1` to copy extra bytes after data (e.g. a v2 sig)
* set `APKSIGCOPIER_SKIP_REALIGNMENT=1` to skip realignment of ZIP entries
## Python API
```python
>>> from apksigcopier import do_extract, do_patch, do_copy, do_compare
>>> do_extract(signed_apk, output_dir, v1_only=NO)
>>> do_patch(metadata_dir, unsigned_apk, output_apk, v1_only=NO)
>>> do_copy(signed_apk, unsigned_apk, output_apk, v1_only=NO)
>>> do_compare(first_apk, second_apk, unsigned=False)
```
You can use `False`, `None`, and `True` instead of `NO`, `AUTO`, and
`YES` respectively.
The following global variables (which default to `False`), can be set
to override the default behaviour:
* set `exclude_all_meta=True` to exclude all metadata files
* set `copy_extra_bytes=True` to copy extra bytes after data (e.g. a v2 sig)
* set `skip_realignment=True` to skip realignment of ZIP entries
## FAQ
### What kind of signatures does apksigcopier support?
It currently supports v1 + v2 + v3 (which is a variant of v2).
It should also support v4, since these are stored in a separate file
(and require a complementary v2/v3 signature).
When using the `extract` command, the v2/v3 signature is saved as
`APKSigningBlock` + `APKSigningBlockOffset`.
### How does patching work?
First it copies the APK exactly like `apksigner` would when signing it,
including re-aligning ZIP entries and skipping existing v1 signature files.
Then it adds the extracted v1 signature files (`.SF`, `.RSA`/`.DSA`/`.EC`,
`MANIFEST.MF`) to the APK, using the correct ZIP metadata (either the same
metadata as `apksigner` would, or from `differences.json`).
And lastly it inserts the extracted APK Signing Block at the correct offset
(adding zero padding if needed) and updates the central directory (CD) offset in
the end of central directory (EOCD) record.
For more information about the ZIP file format, see e.g. [the Wikipedia
article](https://en.wikipedia.org/wiki/ZIP_%28file_format%29).
### What does the "APK Signing Block offset < central directory offset" error mean?
It means that `apksigcopier` can't insert the APK Signing Block at the required
location, since that offset is in the middle of the ZIP data (instead of right
after the data, before the central directory).
In other words: the APK you are trying to copy the signature to is larger than
the one the signature was copied from. Thus the signature cannot be copied (and
could never have been valid for the APK you are trying to copy it to).
In the context of verifying [reproducible builds](https://reproducible-builds.org),
getting this error almost certainly means the build was not reproducible.
### What about APKs signed by gradle/zipflinger/signflinger instead of apksigner?
Compared to APKs signed by `apksigner`, APKs signed with a v1 signature by
`zipflinger`/`signflinger` (e.g. using `gradle`) have different ZIP metadata --
`create_system`, `create_version`, `external_attr`, `extract_version`,
`flag_bits` -- and `compresslevel` for the v1 signature files (`.SF`,
`.RSA`/`.DSA`/`.EC`, `MANIFEST.MF`); they also usually have a 132-byte virtual
entry at the start as well.
Recent versions of `apksigcopier` will detect these ZIP metadata differences and
the virtual entry (if any); `extract` will save them in a `differences.json`
file (if they exist), which `patch` will read (if it exists); `copy` and
`compare` simply pass the same information along internally.
#### CAVEAT for compare
NB: because `compare` copies from the first APK to the second, it will fail when
only the second APK is v1-signed with `zipflinger`/`signflinger`; e.g.
```bash
$ compare foo-signflinger.apk foo-apksigner.apk # copies virtual entry; works
$ compare foo-apksigner.apk foo-signflinger.apk # only 2nd APK has virtual entry
DOES NOT VERIFY
[...]
Error: failed to verify /tmp/.../output.apk.
```
### What are these virtual entries?
A virtual entry is a ZIP entry with an empty filename, an extra field filled
with zero bytes, and no corresponding central directory entry (so it should be
effectively invisible to most ZIP tools).
When `zipflinger` deletes an entry it leaves a "hole" in the archive when there
remain non-deleted entries after it. It later fills these "holes" with virtual
entries.
There is usually a 132-byte virtual entry at the start of an APK signed with a
v1 signature by `signflinger`/`zipflinger`; almost certainly this is a default
manifest ZIP entry created at initialisation, deleted (from the central
directory but not from the file) during v1 signing, and eventually replaced by a
virtual entry.
Depending on what value of `Created-By` and `Built-By` were used for the default
manifest, this virtual entry may be a different size; `apksigcopier` supports
any size between 30 and 4096 bytes.
<!--
## Tab Completion
NB: the syntax for the environment variable changed in click >= 8.0,
use e.g. `source_bash` instead of `bash_source` for older versions.
For Bash, add this to `~/.bashrc`:
```bash
eval "$(_APKSIGCOPIER_COMPLETE=bash_source apksigcopier)"
```
For Zsh, add this to `~/.zshrc`:
```zsh
eval "$(_APKSIGCOPIER_COMPLETE=zsh_source apksigcopier)"
```
For Fish, add this to `~/.config/fish/completions/apksigcopier.fish`:
```fish
eval (env _APKSIGCOPIER_COMPLETE=fish_source apksigcopier)
```
-->
## Installing
### Debian
Official packages are available in
[Debian](https://packages.debian.org/apksigcopier) and
[Ubuntu](https://packages.ubuntu.com/apksigcopier).
```bash
$ apt install apksigcopier
```
You can also manually build a Debian package using the `debian/sid`
branch, or download a pre-built `.deb` via GitHub releases.
### NixOS & Arch Linux
Official packages are also available in
[nixpkgs](https://search.nixos.org/packages?query=apksigcopier) and
[Arch Linux](https://archlinux.org/packages/community/any/apksigcopier/)
(and derivatives).
### Using pip
```bash
$ pip install apksigcopier
```
NB: depending on your system you may need to use e.g. `pip3 --user`
instead of just `pip`.
### From git
NB: this installs the latest development version, not the latest
release.
```bash
$ git clone https://github.com/obfusk/apksigcopier.git
$ cd apksigcopier
$ pip install -e .
```
NB: you may need to add e.g. `~/.local/bin` to your `$PATH` in order
to run `apksigcopier`.
To update to the latest development version:
```bash
$ cd apksigcopier
$ git pull --rebase
```
## Dependencies
* Python >= 3.7 + click.
* The `compare` command also requires `apksigner`.
### Debian/Ubuntu
```bash
$ apt install python3-click
$ apt install apksigner # only needed for the compare command
```
## License
[](https://www.gnu.org/licenses/gpl-3.0.html)
<!-- vim: set tw=70 sw=2 sts=2 et fdm=marker : -->
Raw data
{
"_id": null,
"home_page": "https://github.com/obfusk/apksigcopier",
"name": "apksigcopier",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.7",
"maintainer_email": "",
"keywords": "android apk reproducible signing compare",
"author": "FC Stegerman",
"author_email": "flx@obfusk.net",
"download_url": "https://files.pythonhosted.org/packages/4e/04/892192c74942af8c1221b97f8525fe67766743ecb1e147eb81098d80d1fa/apksigcopier-1.1.1.tar.gz",
"platform": null,
"description": "<!-- {{{1\n\n File : README.md\n Maintainer : FC Stegerman <flx@obfusk.net>\n Date : 2023-02-08\n\n Copyright : Copyright (C) 2023 FC Stegerman\n Version : v1.1.1\n License : GPLv3+\n\n}}}1 -->\n\n[](https://github.com/obfusk/apksigcopier/releases)\n[](https://pypi.python.org/pypi/apksigcopier)\n[](https://pypi.python.org/pypi/apksigcopier)\n[](https://github.com/obfusk/apksigcopier/actions?query=workflow%3ACI)\n[](https://www.gnu.org/licenses/gpl-3.0.html)\n\n<a href=\"https://repology.org/project/apksigcopier/versions\">\n <img src=\"https://repology.org/badge/vertical-allrepos/apksigcopier.svg?header=\"\n alt=\"Packaging status\" align=\"right\" />\n</a>\n\n<a href=\"https://repology.org/project/python:apksigcopier/versions\">\n <img src=\"https://repology.org/badge/vertical-allrepos/python:apksigcopier.svg?header=\"\n alt=\"Packaging status\" align=\"right\" />\n</a>\n\n# apksigcopier\n\n## copy/extract/patch android apk signatures & compare apks\n\n`apksigcopier` is a tool for copying [android APK\nsignatures](https://source.android.com/docs/security/features/apksigning)\nfrom a signed APK to an unsigned one (in order to verify [reproducible\nbuilds](https://f-droid.org/docs/Reproducible_Builds/)). It can also\nbe used to compare two APKs with different signatures. Its\ncommand-line tool offers four operations:\n\n* copy signatures directly from a signed to an unsigned APK\n* extract signatures from a signed APK to a directory\n* patch previously extracted signatures onto an unsigned APK\n* compare two APKs with different signatures\n\n### Extract\n\n```bash\n$ mkdir meta\n$ apksigcopier extract signed.apk meta\n$ ls -1 meta\n8BEA2A77.RSA\n8BEA2A77.SF\nAPKSigningBlock\nAPKSigningBlockOffset\nMANIFEST.MF\n```\n\n### Patch\n\n```bash\n$ apksigcopier patch meta unsigned.apk out.apk\n```\n\n### Copy (Extract & Patch)\n\n```bash\n$ apksigcopier copy signed.apk unsigned.apk out.apk\n```\n\n### Compare (Copy & Verify)\n\nCompare two APKs by copying the signature from the first to a copy of the second\nand checking if the resulting APK verifies.\n\nThis command requires `apksigner`.\n\n```bash\n$ apksigcopier compare foo-from-fdroid.apk foo-built-locally.apk\n$ apksigcopier compare --unsigned foo.apk foo-unsigned.apk\n```\n\nNB: copying from an APK v1-signed with `signflinger` to an APK signed with\n`apksigner` works, whereas the reverse fails; see the [FAQ](#faq).\n\n### Help\n\n```bash\n$ apksigcopier --help\n$ apksigcopier copy --help # extract --help, patch --help, etc.\n\n$ man apksigcopier # requires the man page to be installed\n```\n\n### Environment Variables\n\nThe following environment variables can be set to `1`, `yes`, or\n`true` to override the default behaviour:\n\n* set `APKSIGCOPIER_EXCLUDE_ALL_META=1` to exclude all metadata files\n* set `APKSIGCOPIER_COPY_EXTRA_BYTES=1` to copy extra bytes after data (e.g. a v2 sig)\n* set `APKSIGCOPIER_SKIP_REALIGNMENT=1` to skip realignment of ZIP entries\n\n## Python API\n\n```python\n>>> from apksigcopier import do_extract, do_patch, do_copy, do_compare\n>>> do_extract(signed_apk, output_dir, v1_only=NO)\n>>> do_patch(metadata_dir, unsigned_apk, output_apk, v1_only=NO)\n>>> do_copy(signed_apk, unsigned_apk, output_apk, v1_only=NO)\n>>> do_compare(first_apk, second_apk, unsigned=False)\n```\n\nYou can use `False`, `None`, and `True` instead of `NO`, `AUTO`, and\n`YES` respectively.\n\nThe following global variables (which default to `False`), can be set\nto override the default behaviour:\n\n* set `exclude_all_meta=True` to exclude all metadata files\n* set `copy_extra_bytes=True` to copy extra bytes after data (e.g. a v2 sig)\n* set `skip_realignment=True` to skip realignment of ZIP entries\n\n## FAQ\n\n### What kind of signatures does apksigcopier support?\n\nIt currently supports v1 + v2 + v3 (which is a variant of v2).\n\nIt should also support v4, since these are stored in a separate file\n(and require a complementary v2/v3 signature).\n\nWhen using the `extract` command, the v2/v3 signature is saved as\n`APKSigningBlock` + `APKSigningBlockOffset`.\n\n### How does patching work?\n\nFirst it copies the APK exactly like `apksigner` would when signing it,\nincluding re-aligning ZIP entries and skipping existing v1 signature files.\n\nThen it adds the extracted v1 signature files (`.SF`, `.RSA`/`.DSA`/`.EC`,\n`MANIFEST.MF`) to the APK, using the correct ZIP metadata (either the same\nmetadata as `apksigner` would, or from `differences.json`).\n\nAnd lastly it inserts the extracted APK Signing Block at the correct offset\n(adding zero padding if needed) and updates the central directory (CD) offset in\nthe end of central directory (EOCD) record.\n\nFor more information about the ZIP file format, see e.g. [the Wikipedia\narticle](https://en.wikipedia.org/wiki/ZIP_%28file_format%29).\n\n### What does the \"APK Signing Block offset < central directory offset\" error mean?\n\nIt means that `apksigcopier` can't insert the APK Signing Block at the required\nlocation, since that offset is in the middle of the ZIP data (instead of right\nafter the data, before the central directory).\n\nIn other words: the APK you are trying to copy the signature to is larger than\nthe one the signature was copied from. Thus the signature cannot be copied (and\ncould never have been valid for the APK you are trying to copy it to).\n\nIn the context of verifying [reproducible builds](https://reproducible-builds.org),\ngetting this error almost certainly means the build was not reproducible.\n\n### What about APKs signed by gradle/zipflinger/signflinger instead of apksigner?\n\nCompared to APKs signed by `apksigner`, APKs signed with a v1 signature by\n`zipflinger`/`signflinger` (e.g. using `gradle`) have different ZIP metadata --\n`create_system`, `create_version`, `external_attr`, `extract_version`,\n`flag_bits` -- and `compresslevel` for the v1 signature files (`.SF`,\n`.RSA`/`.DSA`/`.EC`, `MANIFEST.MF`); they also usually have a 132-byte virtual\nentry at the start as well.\n\nRecent versions of `apksigcopier` will detect these ZIP metadata differences and\nthe virtual entry (if any); `extract` will save them in a `differences.json`\nfile (if they exist), which `patch` will read (if it exists); `copy` and\n`compare` simply pass the same information along internally.\n\n#### CAVEAT for compare\n\nNB: because `compare` copies from the first APK to the second, it will fail when\nonly the second APK is v1-signed with `zipflinger`/`signflinger`; e.g.\n\n```bash\n$ compare foo-signflinger.apk foo-apksigner.apk # copies virtual entry; works\n$ compare foo-apksigner.apk foo-signflinger.apk # only 2nd APK has virtual entry\nDOES NOT VERIFY\n[...]\nError: failed to verify /tmp/.../output.apk.\n```\n\n### What are these virtual entries?\n\nA virtual entry is a ZIP entry with an empty filename, an extra field filled\nwith zero bytes, and no corresponding central directory entry (so it should be\neffectively invisible to most ZIP tools).\n\nWhen `zipflinger` deletes an entry it leaves a \"hole\" in the archive when there\nremain non-deleted entries after it. It later fills these \"holes\" with virtual\nentries.\n\nThere is usually a 132-byte virtual entry at the start of an APK signed with a\nv1 signature by `signflinger`/`zipflinger`; almost certainly this is a default\nmanifest ZIP entry created at initialisation, deleted (from the central\ndirectory but not from the file) during v1 signing, and eventually replaced by a\nvirtual entry.\n\nDepending on what value of `Created-By` and `Built-By` were used for the default\nmanifest, this virtual entry may be a different size; `apksigcopier` supports\nany size between 30 and 4096 bytes.\n\n<!--\n## Tab Completion\n\nNB: the syntax for the environment variable changed in click >= 8.0,\nuse e.g. `source_bash` instead of `bash_source` for older versions.\n\nFor Bash, add this to `~/.bashrc`:\n\n```bash\neval \"$(_APKSIGCOPIER_COMPLETE=bash_source apksigcopier)\"\n```\n\nFor Zsh, add this to `~/.zshrc`:\n\n```zsh\neval \"$(_APKSIGCOPIER_COMPLETE=zsh_source apksigcopier)\"\n```\n\nFor Fish, add this to `~/.config/fish/completions/apksigcopier.fish`:\n\n```fish\neval (env _APKSIGCOPIER_COMPLETE=fish_source apksigcopier)\n```\n-->\n\n## Installing\n\n### Debian\n\nOfficial packages are available in\n[Debian](https://packages.debian.org/apksigcopier) and\n[Ubuntu](https://packages.ubuntu.com/apksigcopier).\n\n```bash\n$ apt install apksigcopier\n```\n\nYou can also manually build a Debian package using the `debian/sid`\nbranch, or download a pre-built `.deb` via GitHub releases.\n\n### NixOS & Arch Linux\n\nOfficial packages are also available in\n[nixpkgs](https://search.nixos.org/packages?query=apksigcopier) and\n[Arch Linux](https://archlinux.org/packages/community/any/apksigcopier/)\n(and derivatives).\n\n### Using pip\n\n```bash\n$ pip install apksigcopier\n```\n\nNB: depending on your system you may need to use e.g. `pip3 --user`\ninstead of just `pip`.\n\n### From git\n\nNB: this installs the latest development version, not the latest\nrelease.\n\n```bash\n$ git clone https://github.com/obfusk/apksigcopier.git\n$ cd apksigcopier\n$ pip install -e .\n```\n\nNB: you may need to add e.g. `~/.local/bin` to your `$PATH` in order\nto run `apksigcopier`.\n\nTo update to the latest development version:\n\n```bash\n$ cd apksigcopier\n$ git pull --rebase\n```\n\n## Dependencies\n\n* Python >= 3.7 + click.\n* The `compare` command also requires `apksigner`.\n\n### Debian/Ubuntu\n\n```bash\n$ apt install python3-click\n$ apt install apksigner # only needed for the compare command\n```\n\n## License\n\n[](https://www.gnu.org/licenses/gpl-3.0.html)\n\n<!-- vim: set tw=70 sw=2 sts=2 et fdm=marker : -->\n",
"bugtrack_url": null,
"license": "GPLv3+",
"summary": "copy/extract/patch android apk signatures & compare apks",
"version": "1.1.1",
"split_keywords": [
"android",
"apk",
"reproducible",
"signing",
"compare"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "46568396b514b13012e8cd229fd501c34130155d07a4786c56bdd07ad3ce21f6",
"md5": "cdb61cfd4d805e285b179cd5f39ad918",
"sha256": "0834bb7d6f3607bb0994cf8cd2e26b8f0c9d481e13b75872e0fa9cec052e519b"
},
"downloads": -1,
"filename": "apksigcopier-1.1.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "cdb61cfd4d805e285b179cd5f39ad918",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.7",
"size": 28867,
"upload_time": "2023-02-08T08:51:20",
"upload_time_iso_8601": "2023-02-08T08:51:20.386652Z",
"url": "https://files.pythonhosted.org/packages/46/56/8396b514b13012e8cd229fd501c34130155d07a4786c56bdd07ad3ce21f6/apksigcopier-1.1.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "4e04892192c74942af8c1221b97f8525fe67766743ecb1e147eb81098d80d1fa",
"md5": "bd5ba40a0cf465ba4830fd8704eeb6a9",
"sha256": "ea5d3482128f2bcfa8307356f5bed4f4240a559d702acb117bf777955f64c851"
},
"downloads": -1,
"filename": "apksigcopier-1.1.1.tar.gz",
"has_sig": false,
"md5_digest": "bd5ba40a0cf465ba4830fd8704eeb6a9",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.7",
"size": 33936,
"upload_time": "2023-02-08T08:51:22",
"upload_time_iso_8601": "2023-02-08T08:51:22.383568Z",
"url": "https://files.pythonhosted.org/packages/4e/04/892192c74942af8c1221b97f8525fe67766743ecb1e147eb81098d80d1fa/apksigcopier-1.1.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-02-08 08:51:22",
"github": true,
"gitlab": false,
"bitbucket": false,
"github_user": "obfusk",
"github_project": "apksigcopier",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "apksigcopier"
}
JSON
