ci.yml
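---
# CI workflow: installs the project (`make install`), runs its tests and
# linters on every Python in the matrix, then exercises
# `apksigcopier extract/patch/copy/compare` against a locally built and an
# upstream-signed mastodon-android v1.1.3 APK.
name: CI
on: [push, pull_request, workflow_dispatch]

# Least privilege: no step below writes to the repository, so GITHUB_TOKEN is
# restricted to read-only access to repository contents.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        python-version:
          - '3.8'
          - '3.9'
          - '3.10'
          - '3.11'
          - '3.12'
          - '3.13'
          # - '3.14.0-alpha - 3.14'
          - pypy3.8
          - pypy3.9
          - pypy3.10
    steps:
      # NOTE(review): every `uses:` in this job references a mutable tag
      # (v4/v5). Pinning each action to a full commit SHA would make the
      # third-party code that runs here immutable.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # Do not leave the checkout token in the working copy's git config.
          persist-credentials: false
          submodules: true
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install dependencies
        run: |
          sudo apt-get update   # || sudo apt-get update
          # sudo apt-get upgrade -y
          sudo apt-get install -y apksigner
          python3 -m pip install --upgrade pip
          python3 -m pip install flake8 pylint coverage
      # mypy installation and the extra lint are allowed to fail on alpha
      # and PyPy interpreters; the plain lint only on alpha.
      - name: Install mypy
        run: python3 -m pip install mypy
        continue-on-error:
          ${{ contains(matrix.python-version, 'alpha') ||
              contains(matrix.python-version, 'pypy') }}
      - name: Install
        run: make install
      - name: Test
        run: make test-cli doctest
      - name: Lint
        run: make lint
        continue-on-error:
          ${{ contains(matrix.python-version, 'alpha') }}
      - name: Extra lint
        run: make lint-extra
        continue-on-error:
          ${{ contains(matrix.python-version, 'alpha') ||
              contains(matrix.python-version, 'pypy') }}
      - name: Test coverage
        run: make coverage
      # Two cache entries under the same key, one per path: the locally
      # built unsigned APK and the downloaded upstream release APK.
      - name: Cache mastodon build
        uses: actions/cache@v4
        with:
          path: mastodon-release-unsigned.apk
          key: v1.1.3-20221121
      - name: Cache mastodon download
        uses: actions/cache@v4
        with:
          path: mastodon-release.apk
          key: v1.1.3-20221121
      - name: Build mastodon
        run: |
          set -x
          # Build only when the cache did not restore the unsigned APK.
          if [ ! -e mastodon-release-unsigned.apk ]; then
            sudo apt-get install -y openjdk-17-jdk-headless
            export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64
            git clone -b v1.1.3 https://github.com/mastodon/mastodon-android.git
            cd mastodon-android
            # A tag can be moved; refuse to build unless v1.1.3 still
            # resolves to the expected commit.
            test "$( git rev-parse HEAD )" = 8b40643e6306edadebba2a08f017da7cf1d3bf6f
            touch local.properties
            ./gradlew assembleRelease
            mv mastodon/build/outputs/apk/release/mastodon-release-unsigned.apk ../
          fi
      - name: Download mastodon
        run: |
          set -x
          [ -e mastodon-release.apk ] || wget -O mastodon-release.apk -- \
            https://github.com/mastodon/mastodon-android/releases/download/v1.1.3/mastodon-release.apk
          # Runs on every job, so an APK restored from the cache is
          # checked against the pinned digest as well.
          sha256sum -c <<< '1ec636336a79ada1a3526323c90bb9fbfe5dc32b2984bb724998b5f47c822165  mastodon-release.apk'
      - name: Download build-tools
        run: |
          set -x
          wget -O build-tools.zip -- https://dl.google.com/android/repository/build-tools_r35_linux.zip
          # Verify the archive before unpacking it.
          sha256sum -c <<< 'bd3a4966912eb8b30ed0d00b0cda6b6543b949d5ffe00bea54c04c81e1561d88  build-tools.zip'
          unzip -q build-tools.zip
          mv android-15 build-tools
      - name: Copy APK
        run: |
          set -x
          cp mastodon-release-unsigned.apk signed-dummy.apk
          cp mastodon-release-unsigned.apk signed-dummy-v1.apk
          cp mastodon-release-unsigned.apk signed-dummy-jarsigner.apk
      # Throwaway keystore generated on each run; its password is a public
      # test value, not a secret.
      - name: Generate dummy keystore
        run: |
          set -x
          keytool -genkey -keystore ci-ks -alias dummy -keyalg RSA \
            -keysize 4096 -sigalg SHA512withRSA -validity 10000 \
            -storepass dummy-password -dname CN=dummy
      # Three signed variants of the same unsigned APK: apksigner with its
      # defaults, apksigner with v2/v3 disabled, and jarsigner.
      - name: Sign APKs
        run: |
          set -x
          apksigner sign -v --ks ci-ks --ks-key-alias dummy \
            --ks-pass pass:dummy-password signed-dummy.apk
          apksigner sign -v --ks ci-ks --ks-key-alias dummy \
            --ks-pass pass:dummy-password \
            --v2-signing-enabled=false --v3-signing-enabled=false signed-dummy-v1.apk
          PASS=dummy-password jarsigner -keystore ci-ks -storepass:env PASS \
            -sigalg SHA256withRSA -digestalg SHA-256 signed-dummy-jarsigner.apk dummy
      - name: Copy signatures (dummy)
        run: |
          set -x
          mkdir meta-dummy
          apksigcopier extract signed-dummy.apk meta-dummy
          ls -hlA meta-dummy
          apksigcopier patch meta-dummy mastodon-release-unsigned.apk patched-dummy.apk
          apksigcopier copy signed-dummy.apk mastodon-release-unsigned.apk copied-dummy.apk
          apksigcopier copy --v1-only=auto signed-dummy-v1.apk \
            mastodon-release-unsigned.apk copied-dummy-v1.apk
          apksigcopier copy --v1-only=yes signed-dummy-jarsigner.apk \
            mastodon-release-unsigned.apk copied-dummy-jarsigner.apk
      - name: Copy signatures (upstream)
        run: |
          set -x
          mkdir meta-upstream
          apksigcopier extract mastodon-release.apk meta-upstream
          ls -hlA meta-upstream
          # `test ! -e`, not `! test -e`: the step runs under `bash -e`, and
          # a command negated with `!` never triggers errexit, so the
          # negated form would let a failed assertion pass silently.
          test ! -e meta-upstream/differences.json
          test ! -e meta-upstream/MANIFEST.MF
          zipinfo -l meta-upstream/v1signature.zip
          zipinfo -v meta-upstream/v1signature.zip | head
          apksigcopier patch meta-upstream mastodon-release-unsigned.apk patched-upstream.apk
          apksigcopier copy mastodon-release.apk mastodon-release-unsigned.apk copied-upstream.apk
      - name: Copy signatures (upstream, legacy)
        run: |
          set -x
          mkdir meta-upstream-legacy
          apksigcopier extract --legacy mastodon-release.apk meta-upstream-legacy
          ls -hlA meta-upstream-legacy
          cat meta-upstream-legacy/differences.json
          test -e meta-upstream-legacy/MANIFEST.MF
          # `test ! -e` so that errexit enforces the assertion (a command
          # negated with `!` is exempt from `bash -e`).
          test ! -e meta-upstream-legacy/v1signature.zip
          apksigcopier patch meta-upstream-legacy mastodon-release-unsigned.apk \
            patched-upstream-legacy.apk
          apksigcopier copy --legacy mastodon-release.apk mastodon-release-unsigned.apk \
            copied-upstream-legacy.apk
      # The APKs produced by patch/copy must be byte-identical to the
      # signed originals.
      - name: Compare APKs (dummy)
        run: |
          set -x
          cmp signed-dummy.apk patched-dummy.apk
          cmp signed-dummy.apk copied-dummy.apk
          cmp signed-dummy-v1.apk copied-dummy-v1.apk
          # Best effort: a difference in the jarsigner variant is tolerated.
          cmp signed-dummy-jarsigner.apk copied-dummy-jarsigner.apk || true
      - name: Compare APKs (upstream)
        run: |
          set -x
          cmp mastodon-release.apk patched-upstream.apk
          cmp mastodon-release.apk copied-upstream.apk
      - name: Compare APKs (upstream, legacy)
        run: |
          set -x
          cmp mastodon-release.apk patched-upstream-legacy.apk
          cmp mastodon-release.apk copied-upstream-legacy.apk
      - name: Checksums
        run: sha512sum *.apk | sort
      - name: Verify APKs
        run: |
          set -x
          # The default `bash -e` shell does not enable pipefail; without it
          # the pipeline below reports grep's status and a failing
          # `apksigner verify` would not fail the step.
          set -o pipefail
          for apk in mastodon-release.apk signed*.apk patched*.apk copied*.apk; do
            if [[ "$apk" == *jarsigner* ]] || [[ "$apk" == *v1* ]]; then
              # NOTE(review): exit status 4 is accepted, presumably the
              # -strict warning for the self-signed dummy certificate;
              # confirm against the jarsigner documentation.
              jarsigner -verify -strict "$apk" || test $? = 4
            else
              apksigner verify --verbose --print-certs "$apk" | grep -v ^WARNING:
            fi
          done
      - name: apksigcopier compare
        run: |
          set -x
          apksigcopier compare mastodon-release.apk patched-upstream.apk
          apksigcopier compare mastodon-release.apk copied-upstream.apk
          apksigcopier compare mastodon-release.apk --unsigned mastodon-release-unsigned.apk
          apksigcopier compare mastodon-release.apk signed-dummy.apk
          apksigcopier compare mastodon-release.apk copied-dummy.apk
          # copying from an APK v1-signed with signflinger to an APK
          # signed with apksigner works, whereas the reverse fails
          #
          # Written as an explicit check: under `bash -e` a `! command`
          # line only affects the step result when it is the last line.
          for apk in signed-dummy.apk copied-dummy.apk; do
            if apksigcopier compare "$apk" mastodon-release.apk; then
              echo "unexpected success: compare $apk mastodon-release.apk" >&2
              exit 1
            fi
          done
      # Same comparisons with the apksigner from the downloaded build-tools
      # first on PATH instead of the distribution package.
      - name: apksigcopier compare (build-tools)
        run: |
          set -x
          export PATH="${PWD}/build-tools:${PATH}"
          test "$( command -v apksigner )" = "${PWD}/build-tools/apksigner"
          apksigcopier compare mastodon-release.apk patched-upstream.apk
          apksigcopier compare mastodon-release.apk copied-upstream.apk
          apksigcopier compare mastodon-release.apk --unsigned mastodon-release-unsigned.apk
          apksigcopier compare mastodon-release.apk signed-dummy.apk
          apksigcopier compare mastodon-release.apk copied-dummy.apk
      - name: apksigcopier compare (legacy)
        run: |
          set -x
          apksigcopier compare --legacy mastodon-release.apk patched-upstream.apk
          apksigcopier compare --legacy mastodon-release.apk copied-upstream.apk
          apksigcopier compare --legacy mastodon-release.apk --unsigned mastodon-release-unsigned.apk
          apksigcopier compare --legacy mastodon-release.apk signed-dummy.apk
          apksigcopier compare --legacy mastodon-release.apk copied-dummy.apk
      - name: Test APKs
        run: make test-apks
      - name: Test more APKs
        run: |
          set -x
          _dir="${PWD}"
          git clone https://github.com/obfusk/test-apks-more.git
          cd test-apks-more
          # Pinned to an exact commit.
          git checkout 48d260325fe4c393c4851711348481d2cc024940
          # NOTE(review): this clone is pinned by tag only; a
          # `git rev-parse HEAD` comparison against the expected commit, as
          # done for mastodon-android above, would detect a moved tag.
          git clone -b v0.3.0 https://github.com/obfusk/reproducible-apk-tools.git
          # First run uses the distribution apksigner, second run the one
          # from build-tools.
          ./test.sh
          export PATH="${_dir}/build-tools:${PATH}"
          test "$( command -v apksigner )" = "${_dir}/build-tools/apksigner"
          ./test.sh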