Support APK Signature Scheme V2

Connor.jackson · September 10, 2020, 1:33am

Description of the feature request

Android apps targeting Android 11 are now required to sign APKs with APK Signature Scheme V2, otherwise the build will be invalid. See: Behavior changes: Apps targeting Android 11 | Android Developers

Use case / for what or how I would use it

This would be added to the Android Sign step in Bitrise. Google will probably force applications to target Android 11 sometime in the Fall of 2021, so this support will need to be integrated else users will not be able to generate builds any longer.

pklauser · September 10, 2020, 4:04pm

I recommend setting the signing config through the android Gradle plugin and skipping the Bitrise-signing step altogether, for exactly situations like this.

A skeleton example for a prod-specific signing would be something like:

android{
    if (System.getenv("KEYSTORE_NAME") != null) {
        signingConfigs {
            prodConfig {
                keyAlias(System.getenv("BITRISEIO_ANDROID_KEYSTORE_ALIAS"))
                keyPassword(System.getenv("BITRISEIO_ANDROID_KEYSTORE_PRIVATE_KEY_PASSWORD"))
                storeFile file("$rootDir" + "/" + System.getenv("KEYSTORE_NAME"))
                storePassword(System.getenv("BITRISEIO_ANDROID_KEYSTORE_PASSWORD"))
            }
        }
    }
...

    buildTypes {
        release {
            if (System.getenv("KEYSTORE_NAME") != null) {
                signingConfig signingConfigs.prodConfig
            }
        }
    }
}

I also want to note that if you’re using Google Play Signing, I don’t think this is an issue, it’s unclear to me how exactly that plays in here right now.

AdamMc331 · September 11, 2020, 9:00pm

I tried to download a build shared from Bitrise today on my Pixel 4 and it didn’t work. Someone running on Android 10 was able to download it just fine. Do you think this is the root cause? Will try pklauser’s solution as well.

AdamMc331 · September 11, 2020, 9:23pm

This worked out for us. Thanks!

FWIgor · September 16, 2020, 7:51pm

For those that may be blocked by this (given the recent enforcement on Google Play API), and has a constraint on their workflow that requires the usage of the sign step, I’ve created a PR with a possible solution, that may work as a solution until a proper support is added by Bitrise, or change the signature process to be done by gradle configuration

github.com/bitrise-steplib/steps-sign-apk

Usage of APK Signer to sign APK files and avoid issues on Android 11

bitrise-steplib:master ← FutureWorkshops:feature/apk_signer

opened 07:24PM - 16 Sep 20 UTC

igorcferreira

+553 -41

**Checklist:** - [x] Edited the bitrise.yml to include more tests - [x] Run …`bitrise run test_apk` locally - [x] Run `bitrise run test_aab` locally - [x] Tested the solution on a real case - [x] Tested the solution on an old configuration **Related issue:** #28 **Problem that this PR tries to solve:** If an Android application has the target SDK as `30` (Android 11) and uses this step to sign an APK file, the output signed APK file cannot uploaded to Google Play since the signature scheme is invalid (v1). Any attempt to upload the binary will result in the error `MIN_SIG_SCHEME_FOR_TARGET_SDK_NOT_MET`: > Failed to upload APKs: failed to upload apk, error: googleapi: Error 403: APK signature is invalid or does not exist. Error from apksigner: ERROR: MIN_SIG_SCHEME_FOR_TARGET_SDK_NOT_MET: Target SDK version 30 requires a minimum of signature scheme v2; the APK is not signed with this or a later signature scheme, forbidden The source of the issue is that this step still uses `jarsigner`, and modern Android system requires that the binary is signed using `ApkSignerTool` from the Android build tools. **Approach:** This PR adds a configuration that allows the user of the step and the system to choose the tool used to sign the item based on the file type (AAB is signed with jarsigner and APK is signed with ApkSignerTool). This logic can also be disabled using the new `use_apk_signer` configuration. Also, as stated on [Android's documentation](https://developer.android.com/studio/command-line/apksigner), the APK file cannot be modified after signed by ApkSignerTool, otherwise its signature is invalidated: > Caution: If you sign your APK using apksigner and make further changes to the APK, the APK's signature is invalidated. Therefore, you must use tools such as zipalign before signing your APK. This requires that the ZipAlign instruction to be perform BEFORE signature on APKs and AFTER signature on AABs A new file named `apksigner.go` was created with code to serve as an interface to Android's ApkSignerTool binary. After that, the `main.go` file edited to have the zip align and signature out of the main fuction, so the code can decide which order and method to call. **Impact on existing systems:** By default, the new logic is disabled. So, old configurations should still use jarsigner as before, so there should be no impact on those. **Check errors:** If the Bitrise teams wants to see the issues on a real project, here are some URLs that can be used to fetch more details: * [MIN_SIG_SCHEME_FOR_TARGET_SDK_NOT_MET error](https://app.bitrise.io/build/b95c15414936f918#?tab=log) * [JRE 9 error](https://app.bitrise.io/build/f7fe1aab52467e57#?tab=log) * [Successful build](https://app.bitrise.io/build/37dcdcc90f900457#?tab=log) **New variables:** - signer_scheme: This allows the user of the step to enforce a specific ApkSignerTool scheme. Currently, they can be `automatic`, `v2`, `v3`, or `v4`. The default value is `automatic` - debuggable_permitted: A flag that allows the step to fail for cases where someone tries to sign an APK that has debug enabled. This flag can be used to ensure good practices. The default value is `true` - use_apk_signer: A flag that controls if the APKs should be signed using ApkSignerTool or continue with the old jarsigner. **Considerations:** On the Android SDK v30, the ApkSignerTool is compiled using Java 9. So, it requires that the machine has JRE 9 or above installed. At the time of this PR, the default Android images on Bitrise have only Java 8 installed. So, it is required to download/install JRE 9 before running this step. It would be good if Bitrise could update the docker images with JRE 9 already pre-installed. There is no need for the full JDK, only JRE **Usage:** ```yml - apt-get-install@0: inputs: - upgrade: 'no' - packages: openjdk-9-jre - git::https://github.com/FutureWorkshops/steps-sign-apk.git@feature/apk_signer: inputs: - keystore_url: $APP_KEYSTORE_URL - keystore_password: "$KEYSTORE_PASSWORD" - keystore_alias: "$KEYSTORE_ALIAS" - private_key_password: "$KEYALIAS_PASSWORD" - use_apk_signer: 'true' ``` **P.s.:** Thanks for the support and tooling. I hope this can be merged soon, to help all the developers blocked by this issue. If I made some mistake (in my English or my code), I'm sorry. I'm available to do corrections or the answer any question that the team may have. You can contact me by this PR history, FWIgor on Bitrise, and icastanheda on Twitter.

Cristan · August 12, 2021, 8:28am

I got it working using this:

signingConfigs {
    if (System.getenv("BITRISEIO_ANDROID_KEYSTORE_URL") != null) {
        bitrise {
            def downloadedKeystorePath = System.getenv("DOWNLOADED_KEYSTORE_PATH")
            if (downloadedKeystorePath == null) {
                println "Environment variable DOWNLOADED_KEYSTORE_PATH not set."
                println "Please create a File Downloader step and download \$BITRISEIO_ANDROID_KEYSTORE_URL into \$DOWNLOADED_KEYSTORE_PATH"
                println "The value of \$DOWNLOADED_KEYSTORE_PATH can be something like \$HOME/keystores/android.keystore " +
                        "with the `replace variables` checkmark checked."
            }
            storeFile file(downloadedKeystorePath)
            keyAlias System.getenv("BITRISEIO_ANDROID_KEYSTORE_ALIAS")
            keyPassword System.getenv("BITRISEIO_ANDROID_KEYSTORE_PRIVATE_KEY_PASSWORD")
            storePassword System.getenv("BITRISEIO_ANDROID_KEYSTORE_PASSWORD")
        }
    }

buildTypes {
    release {
        if (System.getenv("BITRISEIO_ANDROID_KEYSTORE_URL") != null) {
            signingConfig signingConfigs.bitrise
        }

damien.murphy · August 20, 2022, 9:58pm

This has been released

https://github.com/bitrise-steplib/steps-sign-apk/pull/54

Topic		Replies	Views
[Android] Sign APK Step Error: unsupported protocol scheme "". Fail using existing release .keystore file Tooling Issues step , code-signing , android	5	3973	August 24, 2018
Cannot sign the apk Builds android	2	4643	September 5, 2018
APK signing failed - Issue with input: [no KeystoreURL parameter specified] Builds	2	2081	January 11, 2018
BitRise can't seem to find the .jks key I uploaded. My build always failed. I need help Question & Answer android	2	1198	May 6, 2020
Can't create a release apk with keystore file Builds android	9	14888	February 24, 2021

Support APK Signature Scheme V2

Description of the feature request

Use case / for what or how I would use it

Related Topics