
Failed to collect certificates from /system/app/Bluetooth/Bluetooth.apk using APK Signature Scheme v3

Open oneSeeker279 opened this issue 1 year ago • 3 comments

My operation is as follows:

  1. Extract /system/app/Bluetooth.apk from the rooted first-generation Pixel running AOSP Android 10 (command: adb pull /system/app/Bluetooth.apk .)
  2. Decompile: java -jar .\APKEditor-1.3.9.jar d -dex -f -i .\Bluetooth.apk
  3. Compile back: java -jar .\APKEditor-1.3.9.jar b -f -i .\Bluetooth_decompile_xml
  4. Overwrite by pushing back: adb push .\Bluetooth_decompile_xml_out.apk /system/app/Bluetooth.apk
  5. Restart the system: adb reboot
  6. View the logs, filtered on PackageManager:
     1971-09-22 07:57:34.519 944-944 PackageManager system_server I /system/app/Bluetooth changed; collecting certs
     1971-09-22 07:57:34.525 944-944 PackageManager system_server W Failed to scan /system/app/Bluetooth: Failed to collect certificates from /system/app/Bluetooth/Bluetooth.apk using APK Signature Scheme v3

Question: I have checked the AOSP source code and found that an exception is thrown in android.util.apk.ApkSignatureVerifier.verify: throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES, "Failed to collect certificates from " + apkPath + " using APK Signature Scheme v3", e); Source: http://aospxref.com/android-10.0.0_r47/xref/frameworks/base/core/java/android/util/apk/ApkSignatureVerifier.java#103

My question: I have tested that if the signature is completely consistent, simply using adb push to replace the original system app with a modified one with the same signature but inconsistent signatures can still be used normally. I would like to ask whether this is due to insufficient processing of V3 signatures in the project, or whether it is related to the "Mismatch in zip data descriptors" issue mentioned in the issue. Is there any way to handle it directly?

oneSeeker279 avatar Sep 08 '24 10:09 oneSeeker279

  • The "Signature restore" function in APKEditor is not the same as signing an apk; it just places the V2 & V3 signing blocks in the zip structure. Here is the general structure of a signed apk: [Local File Headers] [V2 signing block] [V3 signing block] [Central Entry headers] [End block]

  • V2 & V3 blocks contain the certificate and the SHA digest of [Local File Headers] (which is lost during any modding). In order to conclude the apk is signed, a system must do the SHA digest of [Local File Headers]; in Android this is done by SignatureVerifier.

  • Apps/services like Google sign-in first send the apk to SignatureVerifier and then trust the certificate in V2/V3. So you need to disable SignatureVerifier.

BTW: Since Bluetooth.apk is a system app, you can sign with any of your keys.

REAndroid avatar Sep 08 '24 12:09 REAndroid
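
Added example (not from the thread and not APKEditor's code): a Python sketch that locates the APK Signing Block in the layout described above and lists which scheme IDs it carries. The function names are hypothetical, and the sample APK is constructed in memory with dummy zero-filled values instead of real signatures.

```python
import io
import struct
import zipfile

MAGIC = b"APK Sig Block 42"
SCHEMES = {0x7109871A: "v2", 0xF05368C0: "v3"}

def find_eocd(data):
    """Return the offset of the End of Central Directory record."""
    pos = data.rfind(b"PK\x05\x06")
    if pos < 0 or pos + 22 > len(data):
        raise ValueError("no EOCD record: not a ZIP/APK")
    return pos

def signing_block_ids(data):
    """List the ID-value pairs in the APK Signing Block as (name, value_len)."""
    cd_off = struct.unpack_from("<I", data, find_eocd(data) + 16)[0]
    if cd_off < 32 or data[cd_off - 16:cd_off] != MAGIC:
        return []  # no signing block before the central directory
    size = struct.unpack_from("<Q", data, cd_off - 24)[0]
    start = cd_off - size - 8  # the leading size field is not counted in `size`
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("signing block size fields disagree")
    pos, end, found = start + 8, cd_off - 24, []
    while pos < end:
        pair_len, pair_id = struct.unpack_from("<QI", data, pos)
        if pair_len < 4 or pos + 8 + pair_len > end:
            raise ValueError("malformed ID-value pair")
        found.append((SCHEMES.get(pair_id, hex(pair_id)), pair_len - 4))
        pos += 8 + pair_len
    return found

def build_sample():
    """Constructed sample: a one-entry ZIP with a dummy signing block inserted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"constructed placeholder")
    raw = bytearray(buf.getvalue())
    eocd = find_eocd(raw)
    cd_off = struct.unpack_from("<I", raw, eocd + 16)[0]
    pairs = b"".join(struct.pack("<QI", 4 + len(v), i) + v
                     for i, v in ((0x7109871A, b"\0" * 8), (0xF05368C0, b"\0" * 12)))
    size = len(pairs) + 24
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + MAGIC
    struct.pack_into("<I", raw, eocd + 16, cd_off + len(block))
    return bytes(raw[:cd_off] + block + raw[cd_off:])
```

Finding v2/v3 entries only shows that the blocks are present; whether their digests still match the file is a separate check, which `apksigner verify` performs on a real APK.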

However, after trying it out, I used the 2.15.0 version of the "MT Manager" app to modify the app without re-signing it. I found that there was no need to modify the system properties and the app could be replaced directly to run successfully.

Sorry, hard to believe this; can you drop both apks (original and modified) here?

I checked the AOSP source code and found the "com.android.server.pm.permission.PermissionManagerService.grantSignaturePermission"

How about modifying the PermissionManagerService class so that grantSignaturePermission returns true for your specific package, e.g.

private boolean grantSignaturePermission(String perm, PackageParser.Package pkg,
        BasePermission bp, PermissionsState origPermissions) {
    boolean oemPermission = bp.isOEM();
    if (pkg.packageName.equals("com.android.bluetooth")) {
        return true;
    }
    .....

Finally, I would like to ask you another question. Do you know of any recommended open source projects or solutions that can almost perfectly achieve the operation of modifying an app without re-signing and keeping the app's signature unchanged?

I don't think it exists at all. As I tried to explain above, V2 & V3 blocks contain a SHA-256 digest against certificates. So any change to the file results in a different SHA digest.

V2 blocks had some weaknesses, but these were closed by V3; but if you discovered any logic for tampering with signature blocks, APKEditor is very suitable for implementing it.

REAndroid avatar Sep 08 '24 17:09 REAndroid

Sorry, I made a mistake. I tried later, but MT Manager didn't work either.

oneSeeker279 avatar Nov 09 '24 10:11 oneSeeker279