Skip to content

various improvements #389

various improvements

various improvements #389

Workflow file for this run

name: CI
on: [push, pull_request, workflow_dispatch]
jobs:
build:
runs-on: ubuntu-22.04
strategy:
matrix:
python-version:
- '3.8'
- '3.9'
- '3.10'
- '3.11'
- '3.12'
- '3.13'
# - '3.14.0-alpha - 3.14'
- pypy3.8
- pypy3.9
- pypy3.10
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
submodules: true
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
run: |
sudo apt-get update # || sudo apt-get update
# sudo apt-get upgrade -y
sudo apt-get install -y apksigner
python3 -m pip install --upgrade pip
python3 -m pip install flake8 pylint coverage
- name: Install mypy
run: python3 -m pip install mypy
continue-on-error:
${{ contains(matrix.python-version, 'alpha') ||
contains(matrix.python-version, 'pypy') }}
- name: Install
run: make install
- name: Test
run: make test-cli doctest
- name: Lint
run: make lint
continue-on-error:
${{ contains(matrix.python-version, 'alpha') }}
- name: Extra lint
run: make lint-extra
continue-on-error:
${{ contains(matrix.python-version, 'alpha') ||
contains(matrix.python-version, 'pypy') }}
- name: Test coverage
run: make coverage
- name: Cache mastodon build
uses: actions/cache@v4
with:
path: mastodon-release-unsigned.apk
key: v1.1.3-20221121
- name: Cache mastodon download
uses: actions/cache@v4
with:
path: mastodon-release.apk
key: v1.1.3-20221121
- name: Build mastodon
run: |
set -x
if [ ! -e mastodon-release-unsigned.apk ]; then
sudo apt-get install -y openjdk-17-jdk-headless
export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64
git clone -b v1.1.3 https://github.com/mastodon/mastodon-android.git
cd mastodon-android
test "$( git rev-parse HEAD )" = 8b40643e6306edadebba2a08f017da7cf1d3bf6f
touch local.properties
./gradlew assembleRelease
mv mastodon/build/outputs/apk/release/mastodon-release-unsigned.apk ../
fi
- name: Download mastodon
run: |
set -x
[ -e mastodon-release.apk ] || wget -O mastodon-release.apk -- \
https://github.com/mastodon/mastodon-android/releases/download/v1.1.3/mastodon-release.apk
sha256sum -c <<< '1ec636336a79ada1a3526323c90bb9fbfe5dc32b2984bb724998b5f47c822165 mastodon-release.apk'
- name: Download build-tools
run: |
set -x
wget -O build-tools.zip -- https://dl.google.com/android/repository/build-tools_r35_linux.zip
sha256sum -c <<< 'bd3a4966912eb8b30ed0d00b0cda6b6543b949d5ffe00bea54c04c81e1561d88 build-tools.zip'
unzip -q build-tools.zip
mv android-15 build-tools
- name: Copy APK
run: |
set -x
cp mastodon-release-unsigned.apk signed-dummy.apk
cp mastodon-release-unsigned.apk signed-dummy-v1.apk
cp mastodon-release-unsigned.apk signed-dummy-jarsigner.apk
- name: Generate dummy keystore
run: |
set -x
keytool -genkey -keystore ci-ks -alias dummy -keyalg RSA \
-keysize 4096 -sigalg SHA512withRSA -validity 10000 \
-storepass dummy-password -dname CN=dummy
- name: Sign APKs
run: |
set -x
apksigner sign -v --ks ci-ks --ks-key-alias dummy \
--ks-pass pass:dummy-password signed-dummy.apk
apksigner sign -v --ks ci-ks --ks-key-alias dummy \
--ks-pass pass:dummy-password \
--v2-signing-enabled=false --v3-signing-enabled=false signed-dummy-v1.apk
PASS=dummy-password jarsigner -keystore ci-ks -storepass:env PASS \
-sigalg SHA256withRSA -digestalg SHA-256 signed-dummy-jarsigner.apk dummy
- name: Copy signatures (dummy)
run: |
set -x
mkdir meta-dummy
apksigcopier extract signed-dummy.apk meta-dummy
ls -hlA meta-dummy
apksigcopier patch meta-dummy mastodon-release-unsigned.apk patched-dummy.apk
apksigcopier copy signed-dummy.apk mastodon-release-unsigned.apk copied-dummy.apk
apksigcopier copy --v1-only=auto signed-dummy-v1.apk \
mastodon-release-unsigned.apk copied-dummy-v1.apk
apksigcopier copy --v1-only=yes signed-dummy-jarsigner.apk \
mastodon-release-unsigned.apk copied-dummy-jarsigner.apk
- name: Copy signatures (upstream)
run: |
set -x
mkdir meta-upstream
apksigcopier extract mastodon-release.apk meta-upstream
ls -hlA meta-upstream
! test -e meta-upstream/differences.json
! test -e meta-upstream/MANIFEST.MF
zipinfo -l meta-upstream/v1signature.zip
zipinfo -v meta-upstream/v1signature.zip | head
apksigcopier patch meta-upstream mastodon-release-unsigned.apk patched-upstream.apk
apksigcopier copy mastodon-release.apk mastodon-release-unsigned.apk copied-upstream.apk
- name: Copy signatures (upstream, legacy)
run: |
set -x
mkdir meta-upstream-legacy
apksigcopier extract --legacy mastodon-release.apk meta-upstream-legacy
ls -hlA meta-upstream-legacy
cat meta-upstream-legacy/differences.json
test -e meta-upstream-legacy/MANIFEST.MF
! test -e meta-upstream-legacy/v1signature.zip
apksigcopier patch meta-upstream-legacy mastodon-release-unsigned.apk \
patched-upstream-legacy.apk
apksigcopier copy --legacy mastodon-release.apk mastodon-release-unsigned.apk \
copied-upstream-legacy.apk
- name: Compare APKs (dummy)
run: |
set -x
cmp signed-dummy.apk patched-dummy.apk
cmp signed-dummy.apk copied-dummy.apk
cmp signed-dummy-v1.apk copied-dummy-v1.apk
cmp signed-dummy-jarsigner.apk copied-dummy-jarsigner.apk || true
- name: Compare APKs (upstream)
run: |
set -x
cmp mastodon-release.apk patched-upstream.apk
cmp mastodon-release.apk copied-upstream.apk
- name: Compare APKs (upstream, legacy)
run: |
set -x
cmp mastodon-release.apk patched-upstream-legacy.apk
cmp mastodon-release.apk copied-upstream-legacy.apk
- name: Checksums
run: sha512sum *.apk | sort
- name: Verify APKs
run: |
set -x
for apk in mastodon-release.apk signed*.apk patched*.apk copied*.apk; do
if [[ "$apk" == *jarsigner* ]] || [[ "$apk" == *v1* ]]; then
jarsigner -verify -strict "$apk" || test $? = 4
else
apksigner verify --verbose --print-certs "$apk" | grep -v ^WARNING:
fi
done
- name: apksigcopier compare
run: |
set -x
apksigcopier compare mastodon-release.apk patched-upstream.apk
apksigcopier compare mastodon-release.apk copied-upstream.apk
apksigcopier compare mastodon-release.apk --unsigned mastodon-release-unsigned.apk
apksigcopier compare mastodon-release.apk signed-dummy.apk
apksigcopier compare mastodon-release.apk copied-dummy.apk
# copying from an APK v1-signed with signflinger to an APK
# signed with apksigner works, whereas the reverse fails
! apksigcopier compare signed-dummy.apk mastodon-release.apk
! apksigcopier compare copied-dummy.apk mastodon-release.apk
- name: apksigcopier compare (build-tools)
run: |
set -x
export PATH="${PWD}/build-tools:${PATH}"
test "$( command -v apksigner )" = "${PWD}/build-tools/apksigner"
apksigcopier compare mastodon-release.apk patched-upstream.apk
apksigcopier compare mastodon-release.apk copied-upstream.apk
apksigcopier compare mastodon-release.apk --unsigned mastodon-release-unsigned.apk
apksigcopier compare mastodon-release.apk signed-dummy.apk
apksigcopier compare mastodon-release.apk copied-dummy.apk
- name: apksigcopier compare (legacy)
run: |
set -x
apksigcopier compare --legacy mastodon-release.apk patched-upstream.apk
apksigcopier compare --legacy mastodon-release.apk copied-upstream.apk
apksigcopier compare --legacy mastodon-release.apk --unsigned mastodon-release-unsigned.apk
apksigcopier compare --legacy mastodon-release.apk signed-dummy.apk
apksigcopier compare --legacy mastodon-release.apk copied-dummy.apk
- name: Test APKs
run: make test-apks
- name: Test more APKs
run: |
set -x
_dir="${PWD}"
git clone https://github.com/obfusk/test-apks-more.git
cd test-apks-more
git checkout 48d260325fe4c393c4851711348481d2cc024940
git clone -b v0.3.0 https://github.com/obfusk/reproducible-apk-tools.git
./test.sh
export PATH="${_dir}/build-tools:${PATH}"
test "$( command -v apksigner )" = "${_dir}/build-tools/apksigner"
./test.sh