various improvements #389
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: [push, pull_request, workflow_dispatch] | |
jobs: | |
build: | |
runs-on: ubuntu-22.04 | |
strategy: | |
matrix: | |
python-version: | |
- '3.8' | |
- '3.9' | |
- '3.10' | |
- '3.11' | |
- '3.12' | |
- '3.13' | |
# - '3.14.0-alpha - 3.14' | |
- pypy3.8 | |
- pypy3.9 | |
- pypy3.10 | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
persist-credentials: false | |
submodules: true | |
- name: Set up Python ${{ matrix.python-version }} | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Install dependencies | |
run: | | |
sudo apt-get update # || sudo apt-get update | |
# sudo apt-get upgrade -y | |
sudo apt-get install -y apksigner | |
python3 -m pip install --upgrade pip | |
python3 -m pip install flake8 pylint coverage | |
- name: Install mypy | |
run: python3 -m pip install mypy | |
continue-on-error: | |
${{ contains(matrix.python-version, 'alpha') || | |
contains(matrix.python-version, 'pypy') }} | |
- name: Install | |
run: make install | |
- name: Test | |
run: make test-cli doctest | |
- name: Lint | |
run: make lint | |
continue-on-error: | |
${{ contains(matrix.python-version, 'alpha') }} | |
- name: Extra lint | |
run: make lint-extra | |
continue-on-error: | |
${{ contains(matrix.python-version, 'alpha') || | |
contains(matrix.python-version, 'pypy') }} | |
- name: Test coverage | |
run: make coverage | |
- name: Cache mastodon build | |
uses: actions/cache@v4 | |
with: | |
path: mastodon-release-unsigned.apk | |
key: v1.1.3-20221121 | |
- name: Cache mastodon download | |
uses: actions/cache@v4 | |
with: | |
path: mastodon-release.apk | |
key: v1.1.3-20221121 | |
- name: Build mastodon | |
run: | | |
set -x | |
if [ ! -e mastodon-release-unsigned.apk ]; then | |
sudo apt-get install -y openjdk-17-jdk-headless | |
export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64 | |
git clone -b v1.1.3 https://github.com/mastodon/mastodon-android.git | |
cd mastodon-android | |
test "$( git rev-parse HEAD )" = 8b40643e6306edadebba2a08f017da7cf1d3bf6f | |
touch local.properties | |
./gradlew assembleRelease | |
mv mastodon/build/outputs/apk/release/mastodon-release-unsigned.apk ../ | |
fi | |
- name: Download mastodon | |
run: | | |
set -x | |
[ -e mastodon-release.apk ] || wget -O mastodon-release.apk -- \ | |
https://github.com/mastodon/mastodon-android/releases/download/v1.1.3/mastodon-release.apk | |
sha256sum -c <<< '1ec636336a79ada1a3526323c90bb9fbfe5dc32b2984bb724998b5f47c822165 mastodon-release.apk' | |
- name: Download build-tools | |
run: | | |
set -x | |
wget -O build-tools.zip -- https://dl.google.com/android/repository/build-tools_r35_linux.zip | |
sha256sum -c <<< 'bd3a4966912eb8b30ed0d00b0cda6b6543b949d5ffe00bea54c04c81e1561d88 build-tools.zip' | |
unzip -q build-tools.zip | |
mv android-15 build-tools | |
- name: Copy APK | |
run: | | |
set -x | |
cp mastodon-release-unsigned.apk signed-dummy.apk | |
cp mastodon-release-unsigned.apk signed-dummy-v1.apk | |
cp mastodon-release-unsigned.apk signed-dummy-jarsigner.apk | |
- name: Generate dummy keystore | |
run: | | |
set -x | |
keytool -genkey -keystore ci-ks -alias dummy -keyalg RSA \ | |
-keysize 4096 -sigalg SHA512withRSA -validity 10000 \ | |
-storepass dummy-password -dname CN=dummy | |
- name: Sign APKs | |
run: | | |
set -x | |
apksigner sign -v --ks ci-ks --ks-key-alias dummy \ | |
--ks-pass pass:dummy-password signed-dummy.apk | |
apksigner sign -v --ks ci-ks --ks-key-alias dummy \ | |
--ks-pass pass:dummy-password \ | |
--v2-signing-enabled=false --v3-signing-enabled=false signed-dummy-v1.apk | |
PASS=dummy-password jarsigner -keystore ci-ks -storepass:env PASS \ | |
-sigalg SHA256withRSA -digestalg SHA-256 signed-dummy-jarsigner.apk dummy | |
- name: Copy signatures (dummy) | |
run: | | |
set -x | |
mkdir meta-dummy | |
apksigcopier extract signed-dummy.apk meta-dummy | |
ls -hlA meta-dummy | |
apksigcopier patch meta-dummy mastodon-release-unsigned.apk patched-dummy.apk | |
apksigcopier copy signed-dummy.apk mastodon-release-unsigned.apk copied-dummy.apk | |
apksigcopier copy --v1-only=auto signed-dummy-v1.apk \ | |
mastodon-release-unsigned.apk copied-dummy-v1.apk | |
apksigcopier copy --v1-only=yes signed-dummy-jarsigner.apk \ | |
mastodon-release-unsigned.apk copied-dummy-jarsigner.apk | |
- name: Copy signatures (upstream) | |
run: | | |
set -x | |
mkdir meta-upstream | |
apksigcopier extract mastodon-release.apk meta-upstream | |
ls -hlA meta-upstream | |
! test -e meta-upstream/differences.json | |
! test -e meta-upstream/MANIFEST.MF | |
zipinfo -l meta-upstream/v1signature.zip | |
zipinfo -v meta-upstream/v1signature.zip | head | |
apksigcopier patch meta-upstream mastodon-release-unsigned.apk patched-upstream.apk | |
apksigcopier copy mastodon-release.apk mastodon-release-unsigned.apk copied-upstream.apk | |
- name: Copy signatures (upstream, legacy) | |
run: | | |
set -x | |
mkdir meta-upstream-legacy | |
apksigcopier extract --legacy mastodon-release.apk meta-upstream-legacy | |
ls -hlA meta-upstream-legacy | |
cat meta-upstream-legacy/differences.json | |
test -e meta-upstream-legacy/MANIFEST.MF | |
! test -e meta-upstream-legacy/v1signature.zip | |
apksigcopier patch meta-upstream-legacy mastodon-release-unsigned.apk \ | |
patched-upstream-legacy.apk | |
apksigcopier copy --legacy mastodon-release.apk mastodon-release-unsigned.apk \ | |
copied-upstream-legacy.apk | |
- name: Compare APKs (dummy) | |
run: | | |
set -x | |
cmp signed-dummy.apk patched-dummy.apk | |
cmp signed-dummy.apk copied-dummy.apk | |
cmp signed-dummy-v1.apk copied-dummy-v1.apk | |
cmp signed-dummy-jarsigner.apk copied-dummy-jarsigner.apk || true | |
- name: Compare APKs (upstream) | |
run: | | |
set -x | |
cmp mastodon-release.apk patched-upstream.apk | |
cmp mastodon-release.apk copied-upstream.apk | |
- name: Compare APKs (upstream, legacy) | |
run: | | |
set -x | |
cmp mastodon-release.apk patched-upstream-legacy.apk | |
cmp mastodon-release.apk copied-upstream-legacy.apk | |
- name: Checksums | |
run: sha512sum *.apk | sort | |
- name: Verify APKs | |
run: | | |
set -x | |
for apk in mastodon-release.apk signed*.apk patched*.apk copied*.apk; do | |
if [[ "$apk" == *jarsigner* ]] || [[ "$apk" == *v1* ]]; then | |
jarsigner -verify -strict "$apk" || test $? = 4 | |
else | |
apksigner verify --verbose --print-certs "$apk" | grep -v ^WARNING: | |
fi | |
done | |
- name: apksigcopier compare | |
run: | | |
set -x | |
apksigcopier compare mastodon-release.apk patched-upstream.apk | |
apksigcopier compare mastodon-release.apk copied-upstream.apk | |
apksigcopier compare mastodon-release.apk --unsigned mastodon-release-unsigned.apk | |
apksigcopier compare mastodon-release.apk signed-dummy.apk | |
apksigcopier compare mastodon-release.apk copied-dummy.apk | |
# copying from an APK v1-signed with signflinger to an APK | |
# signed with apksigner works, whereas the reverse fails | |
! apksigcopier compare signed-dummy.apk mastodon-release.apk | |
! apksigcopier compare copied-dummy.apk mastodon-release.apk | |
- name: apksigcopier compare (build-tools) | |
run: | | |
set -x | |
export PATH="${PWD}/build-tools:${PATH}" | |
test "$( command -v apksigner )" = "${PWD}/build-tools/apksigner" | |
apksigcopier compare mastodon-release.apk patched-upstream.apk | |
apksigcopier compare mastodon-release.apk copied-upstream.apk | |
apksigcopier compare mastodon-release.apk --unsigned mastodon-release-unsigned.apk | |
apksigcopier compare mastodon-release.apk signed-dummy.apk | |
apksigcopier compare mastodon-release.apk copied-dummy.apk | |
- name: apksigcopier compare (legacy) | |
run: | | |
set -x | |
apksigcopier compare --legacy mastodon-release.apk patched-upstream.apk | |
apksigcopier compare --legacy mastodon-release.apk copied-upstream.apk | |
apksigcopier compare --legacy mastodon-release.apk --unsigned mastodon-release-unsigned.apk | |
apksigcopier compare --legacy mastodon-release.apk signed-dummy.apk | |
apksigcopier compare --legacy mastodon-release.apk copied-dummy.apk | |
- name: Test APKs | |
run: make test-apks | |
- name: Test more APKs | |
run: | | |
set -x | |
_dir="${PWD}" | |
git clone https://github.com/obfusk/test-apks-more.git | |
cd test-apks-more | |
git checkout 48d260325fe4c393c4851711348481d2cc024940 | |
git clone -b v0.3.0 https://github.com/obfusk/reproducible-apk-tools.git | |
./test.sh | |
export PATH="${_dir}/build-tools:${PATH}" | |
test "$( command -v apksigner )" = "${_dir}/build-tools/apksigner" | |
./test.sh |